search cancel

Cookie Provider credentials required for the second domain again login

book

Article ID: 8769

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

When running 2 Web Agents, when the browser tries to access a URL in
the domain ".myhost.mydomain.myservice" after having been
authenticated in domain ".myhost.myspecialdomain.com", then the user
needs to provide credentials again, and it would be expected it to be
automatically logged in and perform SSO.

The SMSESSION cookie for the Cookie Provider domain
.myhost.mydomain.myservice is not getting created before going to the
protected resource on ".myhost.myspecialdomain.com".

 

Environment

 

Policy Server 12.8SP4 on RedHat 7;
CA Access Gateway (SPS) 12.8SP4 on RedHat 7;
Web Agent 12.52SP1CR11 on Apache 2.4.46 on RedHat 7;

 

Resolution

 

The Cookie Provider had the ACO Parameter limitcookieprovider set to
YES. This means that the Cookie Provider won't create any cookie for
the cookie provider domain.

To solve the issue, set the limitcookieprovider to NO on
the Cookie Provider.

Sample of the configuration :

Cookie Provider 

http://host-U203313.myhost.mydomain.myservice/protected/index.html 

  [18648/2428991232][Mon Sep 11 2017 16:18:34] cookiedomain=''. 
  [18648/2428991232][Mon Sep 11 2017 16:18:34] cookiedomainscope='0'. 
  [18648/2428991232][Mon Sep 11 2017 16:18:34] enablecookieprovider='yes'. 
  [18648/2428991232][Mon Sep 11 2017 16:18:34] limitcookieprovider='no'. 
  [18648/2428991232][Mon Sep 11 2017 16:18:34] trackcpsessiondomain='yes'. 
  [18648/2428991232][Mon Sep 11 2017 16:18:34] tracksessiondomain='yes'. 

Web Agent 

http://host-U203312.myhost.myspecialdomain.com/protected/index.html 

  [14869/738195200][Mon Sep 11 2017 16:18:34] cookiedomain='.myhost.myspecialdomain.com'. 
  [14869/738195200][Mon Sep 11 2017 16:18:34] cookiedomainscope='0'. 
  [14869/738195200][Mon Sep 11 2017 16:18:34] cookieprovider='https://host-u203313.myhost.mydomain.myservice/SmMakeCookie.ccc'. 
  [14869/738195200][Mon Sep 11 2017 16:18:34] enablecookieprovider='no'. 
  [14869/738195200][Mon Sep 11 2017 16:18:34] limitcookieprovider='no'. 
  [14869/738195200][Mon Sep 11 2017 16:18:34] tracksessiondomain='yes'.