The customer upgraded the Web Agent Option Pack (WAOP) from r12.0 to r12.52 SP1CR5.
The user first logs on to a resource protected by a normal (centralized) Web Agent and then initiates unsolicited (IdP-initiated) federation.
When the user then navigates back to a resource protected by the normal Web Agent, the session is rejected and the Web Agent trace log shows the following error:
Client IP and SMSESSION IP do not match
In r12.0 the Web Agent Option Pack did NOT generate a new SMSESSION cookie after successfully validating an existing SMSESSION cookie.
From r12.51 onwards, however, the Web Agent Option Pack does generate an SMSESSION cookie.
Unlike the normal Web Agent, it does not support the CustomIPHeader ACO parameter.
So, when it creates the SMSESSION cookie, it resolves the client IP from the SM_CLIENT_IP header set by the front-end Web Agent; if that header is absent, it falls back to the IP address of the host that connected to it, which behind a proxy is the proxy's address.
The normal Web Agent, in turn, sets the SM_CLIENT_IP header to the actual browser IP address only if either TransientIPCheck or PersistentIPCheck is enabled.
In this case neither TransientIPCheck nor PersistentIPCheck was enabled on the IDP Web Agent, so it did not set SM_CLIENT_IP, and the WAOP used the proxy IP when creating the SMSESSION cookie.
When that SMSESSION cookie is later presented to the normal Web Agent, the IP validation fails because the client IP the agent resolves (from CustomIPHeader) does not match the IP stored in the cookie.
Enable either TransientIPCheck or PersistentIPCheck on the IDP Web Agent as well, so that it sets SM_CLIENT_IP and the WAOP records the real client IP in the SMSESSION cookie. More generally, every agent (and the WAOP) that shares an SMSESSION cookie must resolve the client IP the same way; a cookie minted with one resolution and validated with another fails in exactly this manner.
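The following is an added model of the two client-IP resolution paths described above, written for this article and not taken from CA's code. It assumes X-Forwarded-For as the CustomIPHeader value and uses constructed addresses; the function names are illustrative. Running it shows the cookie being minted with the proxy IP when the IDP agent has no IP check enabled, and with the browser IP once TransientIPCheck is on.

```python
"""Model of SiteMinder client-IP resolution in the flow described above.

Constructed illustration (not CA's code). Assumptions: the front-end Web Agent
uses X-Forwarded-For as CustomIPHeader, and the WAOP (r12.51+) reads the
SM_CLIENT_IP header when present and otherwise the TCP peer address.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Aco:
    """Subset of Agent Configuration Object parameters relevant to this issue."""
    custom_ip_header: Optional[str] = None   # ignored by the WAOP
    transient_ip_check: bool = False
    persistent_ip_check: bool = False

    @property
    def ip_check_enabled(self) -> bool:
        return self.transient_ip_check or self.persistent_ip_check


@dataclass
class Request:
    remote_addr: str                      # TCP peer as seen by the web server
    headers: Dict[str, str] = field(default_factory=dict)


def agent_resolve_client_ip(aco: Aco, req: Request) -> str:
    """Normal Web Agent: honour CustomIPHeader when configured, else peer address.

    Trusting a forwarded-for style header is only safe when the proxy in front
    of the agent overwrites it; otherwise a client can choose its own 'IP'.
    """
    if aco.custom_ip_header and aco.custom_ip_header in req.headers:
        return req.headers[aco.custom_ip_header].split(",")[0].strip()
    return req.remote_addr


def agent_forward(aco: Aco, req: Request) -> Request:
    """Request as the normal Web Agent hands it on to the WAOP.

    SM_CLIENT_IP is added only when an IP check is enabled, which is the
    behaviour the article describes.
    """
    fwd = dict(req.headers)
    if aco.ip_check_enabled:
        fwd["SM_CLIENT_IP"] = agent_resolve_client_ip(aco, req)
    return Request(req.remote_addr, fwd)


def waop_resolve_client_ip(req: Request) -> str:
    """WAOP: no CustomIPHeader support; SM_CLIENT_IP if present, else peer address."""
    return req.headers.get("SM_CLIENT_IP", req.remote_addr)


def waop_mint_smsession(req: Request, user: str) -> Dict[str, str]:
    """WAOP (r12.51+) generating an SMSESSION cookie that records the client IP."""
    return {"user": user, "client_ip": waop_resolve_client_ip(req)}


def agent_validate_smsession(aco: Aco, req: Request, cookie: Dict[str, str]) -> Tuple[bool, str]:
    """Normal Web Agent IP check against the IP stored in the cookie."""
    if not aco.ip_check_enabled:
        return True, "ip check disabled"
    if agent_resolve_client_ip(aco, req) != cookie["client_ip"]:
        return False, "Client IP and SMSESSION IP do not match"
    return True, "ok"


def scenario(idp_ip_check: bool) -> Tuple[bool, str, str]:
    """IDP agent -> WAOP mints cookie -> normal agent validates.

    Returns (accepted, message, client_ip stored in the cookie).
    """
    browser, proxy = "203.0.113.10", "10.0.0.5"          # constructed addresses
    req = Request(proxy, {"X-Forwarded-For": browser})   # browser behind a proxy
    idp_aco = Aco("X-Forwarded-For", transient_ip_check=idp_ip_check)
    sp_aco = Aco("X-Forwarded-For", transient_ip_check=True)
    cookie = waop_mint_smsession(agent_forward(idp_aco, req), "alice")
    ok, msg = agent_validate_smsession(sp_aco, req, cookie)
    return ok, msg, cookie["client_ip"]


if __name__ == "__main__":
    print("IDP agent without IP check:", scenario(False))
    print("IDP agent with TransientIPCheck:", scenario(True))
```

In the failing case the cookie carries the proxy address 10.0.0.5 while the validating agent resolves 203.0.113.10 from the custom header, which is precisely the mismatch reported in the trace log; enabling the IP check on the IDP agent puts the browser address into SM_CLIENT_IP and the two sides agree.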
CA may support CustomIPHeader for the Web Agent Option Pack in a future release; at the time of writing it does not.