Hello Di1ip,
Please find my responses below, to the best of my knowledge:
1) How does it come to know that a particular SESSIONID is valid, as only Policy Server A will have the corresponding SESSIONID in its cache? Will it just validate the timeout details (and add it to its cache if the session has not timed out)?
- The Web Agent places the Session Ticket inside the SMSESSION under ATTR_SESSIONSPEC, and the Web Agent is then responsible for validating the user, managing timeouts etc. from its cache; if the value is not present in the cache it will go to the Policy Server for authentication/authorization. It can go to any Policy Server, based on what load balancing mechanism you have set up in the HCO, i.e. failover, round robin or cluster.
All Policy Servers in an enterprise environment share the same key store to encrypt and decrypt, and hence this enables them to validate the user even if the first request went to a different Policy Server.
2) Will the SMSESSION have the password details of the user, as I could see the line below in the document?
<<
Session tickets contain credentials and other information relating to a session (including user credentials). Agents embed session tickets in CA Single Sign-On cookies.
>>
- The password will not be stored in the SMSESSION, as highlighted by Patrick above.
3) If yes,
a) May I know which parameter of SESSIONSPEC will be used to store the user credentials?
- The password will not be stored.
b) Will Policy Server B validate the username and password by making a call to the user store?
- No, if the user has an active SMSESSION, as the user context is already present in it. Yes, if the SMSESSION has timed out.
4) In case the authentication happens only once (i.e. while creating a new SMSESSION), then what is the use of the Authentication Cache of the Policy Server? When will it be used?
It actually depends; generally all sessions are transient, i.e. non-persistent, which are generated and are browser-session specific. Once the browser is closed the session is invalidated. As mentioned by Patrick, you can enable the Session Store for persistent sessions.
Thank you
Ankur Taneja
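The following is an added illustration of the mechanism described in answers 1 and 2 above, not code from CA Single Sign-On or from anyone in this thread. The real SMSESSION cookie is an encrypted proprietary format; this model is a simplification that signs a JSON ticket with an HMAC over a shared key instead of encrypting it. The key, the field names (`sid`, `user`, `issued`, `last`), the `IDLE_TIMEOUT` and `MAX_TIMEOUT` values and the `PolicyServer` class are all assumptions made for the example. It shows three points a practitioner would want to verify: a ticket issued by one server validates on any other server holding the same key, a server with a different key (or a tampered ticket) rejects it, and the ticket carries the user context and timestamps but no password.

```python
"""Toy model of a shared-key session ticket validated by several policy servers.

Added example, not CA Single Sign-On code. SMSESSION is encrypted; this model
only HMAC-signs the ticket so that the validation logic is visible.
"""
import base64
import hashlib
import hmac
import json
import os

# Constructed values for the example; a real deployment reads the agent key
# from the key store and the timeouts from the realm configuration.
SHARED_KEY = b"example-shared-key-from-key-store"
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session expires
MAX_TIMEOUT = 2 * 60 * 60     # absolute lifetime of the session in seconds


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> str:
    return _b64e(hmac.new(key, payload, hashlib.sha256).digest())


def ticket_fields(cookie: str) -> dict:
    """Decode the ticket body without verifying it (for inspection only)."""
    return json.loads(_b64d(cookie.split(".", 1)[0]))


class PolicyServer:
    """One policy server: its own session cache plus the key shared by all servers."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.cache = {}  # session id -> ticket dict; local to this server

    def _encode(self, ticket: dict) -> str:
        payload = json.dumps(ticket, sort_keys=True).encode()
        return _b64e(payload) + "." + _sign(self.key, payload)

    def issue(self, username: str, now: int) -> str:
        """Authenticate happened elsewhere; create a ticket carrying user context only.

        No password is placed in the ticket, only the identity and timestamps.
        """
        ticket = {"sid": _b64e(os.urandom(12)), "user": username,
                  "issued": now, "last": now}
        self.cache[ticket["sid"]] = ticket
        return self._encode(ticket)

    def validate(self, cookie: str, now: int):
        """Return (user, reason, refreshed_cookie); user is None on failure.

        Any server holding SHARED_KEY can verify a ticket issued by another
        server: it checks the signature, applies the timeouts, and adds the
        session to its own cache on first sight.
        """
        try:
            body, sig = cookie.split(".", 1)
            payload = _b64d(body)
        except (ValueError, TypeError):
            return None, "malformed", None
        if not hmac.compare_digest(_sign(self.key, payload), sig):
            return None, "bad signature", None   # wrong key or tampered body
        ticket = json.loads(payload)
        sid = ticket["sid"]
        if now - ticket["issued"] > MAX_TIMEOUT:
            self.cache.pop(sid, None)
            return None, "max timeout", None
        if now - ticket["last"] > IDLE_TIMEOUT:
            self.cache.pop(sid, None)
            return None, "idle timeout", None
        ticket["last"] = now                      # slide the idle window
        self.cache[sid] = ticket                  # cache it locally, first time or refresh
        return ticket["user"], "ok", self._encode(ticket)


if __name__ == "__main__":
    server_a = PolicyServer("A", SHARED_KEY)
    server_b = PolicyServer("B", SHARED_KEY)
    cookie = server_a.issue("alice", now=1000)
    print("fields in ticket:", sorted(ticket_fields(cookie)))
    print("validated on B:", server_b.validate(cookie, now=1100)[:2])
```

Because validation only needs the shared key and the timestamps inside the ticket, a request that lands on server B after the session was created on server A succeeds without server B ever having seen the session, and server B can then populate its own cache. A ticket forged or replayed with a different key fails the signature check before any timeout logic runs.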