I have a query related to anonymous authentication scheme.
We have an environment where two application are siteminder protected. App1 and App2 are in different domain space.
App1 URL : it is protected with form based authentication.
App2 URL : it is protected anonymous authentication scheme. It has cookie provider configured.
CP cookie domain is same as of App1 cookie domain.
Now there is a situation where user is logged in App1 and access an anonymously protected URL in App2. Since user is already logged in, so siteminder should pass headers for USER DN who is already logged in rather than considering it as anonymous user.
Once logged in App1 and moving to anonymously protected URL, it is considering it as anonymous user i.e. App2 agent is not contacting cookie provider and creating local SMSESSION and then extracting User DN and generating headers for this user. Rather it is taking it as anonymous user.
Is this an exptected behavious where moving in cross domain, smsession can't be utilized to evaluate headers for user already logged in for anonymous login?
When we login in App1 and access a form based protected page of App2 and then accessing anonymously protected URL, it detects correct user DN and generated proper headers. Is it how siteminder should work ?
Let me know if anyone has any views on it.
Hello Neeraj NeerajChase
Welcome to communities and good to see you here.
These are some of the question that I asked when using AnonAuth + CookieProvider and here are the replies....
Hope all these points help you find your way. Bottemline, do not expect the WebAgent to function in the same way for Anonymous Authentication.
Hello Hubert. Hope you are having a good time.
Thanks for sharing your views on this. I just have one concern on the response you received when you asked questions.
I see that you also agree that redirect to cookie provider for settting up Master Identity Cookie is a waste of time. To me, it doesn't serve any purpose because it will not have logged in USER DN in SMIDENTITY cookie as no validation is happening for MCP SMSESSION. Whey they say in a basic way yes, I am struggling to understand which use-case of cookie provider, it full fills.
Based on the responses, I consider, AnonAuth+cookie provider combination is not supported.
Let me know if you can think of any use-case.
I would not state explicitly "AnonAuth + CookieProvider" is not supported - it is not my decision to make. However based on findings and the way it works; it would be prudent to not use CP with AnonAuth as I do not see the benefit nor I can think of an usecase for AnonAuth with CookieProvider.
Thanks for the help on this