When running 2 Policy Servers (A and B) and when the user login into a persistent realm in environment A, when it tries to reach a non-persistent realm in environment B, he's challenged again.

The Policy Server in environment B reports:

[CSm_Auth_Message::SendReply][** Status: Not Validated. Failed to update persistent session in Session Services] User session should be accepted without having to challenge again.

Note that if both environments realms are non-persistent, then the user doesn't get challenged again.

  Policy Server 12.8SP3 on RedHat 6;
  Policy Server 12.52SP1 on RedHat 6;

At first glance, the flow works as designed, as the SMSESSION cookie has SessionSpec data which includes if the Session is persistent or not (1).

In this specific use case, the SessionSpec SessionPersistent data is set, then, when validating the session, the Policy Server from environment B tries to find the data in a Session Store, and as it cannot find the data in a Session Store, it reports the error.

To get SSO, realms should be the same type and not a mixture of persistent and not persistent (2).

When realms are persistent, Session Store should be shared between the environments, for each of them to find the Session that brings the SMSESSION and to be able to validate it without having to ask for credentials. Both environments should share the same Session Store.

(1)

    What information is stored in the SMSESSION Cookie
    

(2)

    Realm Dialog-Session Section