Ok, so the way the SiteMinder SSO Zones are implemented seems really weird.
From what it looks like, the only time a zone is set by the API GW is during the "authenticate" call; otherwise it overwrites it to SM. But if a user already has a session cookie and you perform a cookie update to maintain the idle timeout values... it overwrites the zone to the default SM.
How exactly can I maintain the session state of a user session cookie if I can only define an SSO zone on the Authenticate call, and only while passing in a credential like username+password or a certificate?
Example:
- Require HTTP Cookie (name=MYZONESESSION)
- Request: Authenticate Against CA Single Sign-On
  - Use Last Credentials selected
  - Use SSO Token from Context Variable: cookie.MYZONESESSION
- Request: Authorize via CA Single Sign-On
- Request: Update Cookie(s) if name equals MYZONESESSION
  - Name=MYZONESESSION
  - Value=${siteminder.smcontext.ssotoken}
Behavior:
- User accesses a Web Agent in MYZONE and logs in
- User is happy and goes to API GW Application
- API GW verifies session
- API GW rewrites cookie with updated value in SM zone now
- User goes over to MYZONE Web Agent
- User is requested to log in again because of zone mismatch
- "MYZONESESSION cookie - mismatched SSOZone 'SM'."
Am I missing something really simple or obvious here?