We have a federation setup: the WebAgent Option Pack is configured on JBoss and the WebAgent is configured on Apache 2.4. The user logs in successfully.
When the user clicks on logout, the WebAgent marks the SMSESSION as LOGGEDOFF; the IDP cookie is also deleted.
Now, in the same browser, when the user tries to log in again, the IDP challenges the user and, after successful authentication, the SAML token is sent to the SP (JBoss). The WebAgent Option Pack on JBoss receives the SAML and creates the SESSION cookie. It creates another SMSESSION cookie and does not delete the existing SMSESSION cookie which is marked LOGGEDOFF.
When the user is redirected to target there are 2 SMSESSION cookies. We are having issues because of these 2 cookies.
Is there a way to configure the WebAgent Option Pack to delete the SMSESSION cookie which is marked LOGGEDOFF when it creates a new SMSESSION cookie?
The only reason you are seeing two SMSESSION cookies is because of Cookie Domain and/or CookieDomainScope mismatches between the WebAgent ACO and the WAOP ACO. We should align the Cookie Domain and/or CookieDomainScope in both ACOs.
How is the resolved Cookie Domain determined for a - CA Knowledge
ADDITIONAL DEBUG:
Use a tool like Fiddler to see what cookies are getting set, with what values and, most importantly, in which DOMAIN. It is completely valid to have multiple SMSESSION cookies for different domains in the same browser. But at the same time it could cause issues if one is unaware of the implications such configurations could have, especially with parent domains and sub-domains (e.g. a ".company.com" SMSESSION cookie and a ".abc.company.com" SMSESSION cookie).
I do have some confusion on one statement here "SAML token is sent to SP (JBoss)". This is confusing.
srrajesh, if the above suggestions don't help, please share a Fiddler HTTP trace of your use case, so readers can comment.
Check Fiddler and see if the cookie is being set by the WebAgent Option Pack for the same cookie domain.
For example, you may have the agent setting the cookie SMSESSION=LOGGEDOFF for domain=.ca.com (notice the .) and the WebAgent Option Pack setting SMSESSION=waqwdasxsa.... for domain=ca.com (without the .).
The WAOP does not delete any cookies; it is the browser's job to replace the cookie for the same cookie domain based on the Set-Cookie in the response.
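To make the "check the Set-Cookie domains in the trace" advice concrete, here is an added example (not code from the thread, from CA, or from the WebAgent/WAOP products) that replays Set-Cookie lines taken from an HTTP trace into a simplified cookie jar. It keys cookies the way RFC 6265 does, on (name, domain, path), so a Set-Cookie for the same triple replaces the old cookie while a different Domain attribute leaves two SMSESSION cookies side by side. The trace lines, host names and session value below are constructed placeholders; the Path handling is simplified to a default of "/" rather than the request-URI default path.

```python
"""Replay Set-Cookie lines from an HTTP trace and report overlapping SMSESSION cookies.

Added example, not from the thread or from CA. It models only the part of a
browser cookie jar that matters here: RFC 6265 identifies a cookie by
(name, domain, path). Same triple -> the new cookie replaces the old one;
different Domain attribute -> a second cookie is stored alongside the first.
"""
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (name, domain, path)

# Constructed sample trace: (host that sent the response, Set-Cookie header value).
# The hosts and the session value are placeholders, not real data.
SAMPLE_TRACE: List[Tuple[str, str]] = [
    # WebAgent logout: session cookie marked LOGGEDOFF in the parent domain
    ("www.example.com",
     "SMSESSION=LOGGEDOFF; Domain=.example.com; Path=/; Secure; HttpOnly"),
    # WAOP after consuming the SAML assertion: new session in a narrower domain
    ("sp.example.com",
     "SMSESSION=placeholder-new-session-value; Domain=.sp.example.com; Path=/; Secure; HttpOnly"),
]


def normalize_domain(attr: str, request_host: str) -> str:
    """RFC 6265 section 5.2.3: drop a leading '.', lower-case; no Domain -> host-only."""
    dom = attr.strip().lower()
    if not dom:
        return request_host.lower()
    return dom[1:] if dom.startswith(".") else dom


def parse_set_cookie(request_host: str, header: str) -> Tuple[Key, str]:
    """Split one Set-Cookie value into its jar key and cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = normalize_domain(attrs.get("domain", ""), request_host)
    path = attrs.get("path", "/") or "/"  # simplification: default path is "/"
    return (name.strip(), domain, path), value


def replay(trace: List[Tuple[str, str]]) -> Dict[Key, str]:
    """Apply the trace in order; a matching (name, domain, path) replaces, otherwise adds."""
    jar: Dict[Key, str] = {}
    for host, header in trace:
        key, value = parse_set_cookie(host, header)
        jar[key] = value
    return jar


def overlapping(jar: Dict[Key, str], name: str = "SMSESSION") -> List[Tuple[Key, str]]:
    """Return all cookies named `name` if more than one survives, i.e. a scope mismatch."""
    hits = [(k, v) for k, v in jar.items() if k[0] == name]
    return hits if len(hits) > 1 else []


if __name__ == "__main__":
    jar = replay(SAMPLE_TRACE)
    dupes = overlapping(jar)
    if dupes:
        print("Multiple SMSESSION cookies after replay (cookie domain/scope mismatch):")
        for (cname, dom, path), val in dupes:
            print(f"  {cname} domain={dom} path={path} value={val}")
    else:
        print("Single SMSESSION cookie; scopes are aligned.")
```

Feed it the Set-Cookie lines from the Fiddler trace, each paired with the host that sent the response: if the report lists two SMSESSION entries, their domain and path columns show exactly which ACO setting (Cookie Domain or CookieDomainScope) differs between the WebAgent and the WAOP. Note that the domain comparison strips a leading dot, as RFC 6265 instructs user agents to do; if the browser you are debugging treats ".ca.com" and "ca.com" as distinct, remove that one line in normalize_domain.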