Issue:
We're running the IdP and the SP on different machines but with the same
Domain Name. We segregate the cookies using the SSOZoneName ACO
parameter. Once the SP session terminates, both the IDP SMSESSION and the SP
MY_SESSION cookies get the value LOGGEDOFF. The SP MY_SESSION
cookie gets removed from the browser, but the SMSESSION cookie
doesn't.
When the SMSESSION cookie reaches the IDP Web Agent Option Pack, the
transaction fails and the IDP Web Agent Option Pack reports that it is
unable to decode the SMSESSION cookie:
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][(request cookie array) cookie value: LOGGEDOFF]
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][evaluate trusted zone: SM]
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][getSessionData][found: SMSESSION]
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
[04/05/2019][14:30:09][246584][126532][ff2b8c68-4af83a86-98aa3999-3e7b55c0-64f7c1f9-b6b][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]
How can we fix that?
Cause:
The problem is that the SMSESSION=LOGGEDOFF cookie reaches the Web
Agent Option Pack on the IDP side, and there is no Web Agent there to
handle this SMSESSION=LOGGEDOFF cookie and remove it from the browser. The Web
Agent only handles the MY_ cookie, because it is configured with
SSOZoneName=MY_. Moreover, out of the box, the Web Agent Option Pack
doesn't remove any cookies from the browser. As a result, the
SMSESSION=LOGGEDOFF cookie arrives at the IDP Web Agent Option Pack, which
cannot handle the value LOGGEDOFF.
The IDP Web Agent Option Pack is configured to trust the SM and MY_
cookies:
affwebserv.log
[246584/148340][Thu Apr 04 2019 16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00190] SSOZoneName not specified. Using default: SM
[246584/148340][Thu Apr 04 2019 16:53:35][FWSAgentConfig.java][INFO][sm-FedClient-00200] SSOTrustedZone specified as: [SM, MY_]
but its Web Agent is configured to handle only the MY_ cookie:
siteminder_ltintra302.log.1
[47970/3387586304][Thu Apr 04 2019 17:34:23] ssozonename='MY_'.
The Web Agent on the SP side is configured to handle the same cookie
as on the IDP:
The SP:
siteminder_ltintra305.log.1
[111815/4064990976][Thu Apr 04 2019 18:56:28] ssozonename='MY_'.
The MY_SESSION cookie is expired, gets logged out, and is removed from the
browser by the Web Agent:
smtrace_ltintra302.log.1
[04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:6768][CSmHttpPlugin::ProcessSessionCookie][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][][MY_SESSION cookie has expired and will not be used to authenticate.]
[04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:2228][CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][Unable to process MY_SESSION cookie.]
[04/05/2019][14:30:03][28807][578766592][CSmHttpPlugin.cpp:2322][CSmHttpPlugin::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][Executing expired cookie redirect.]
[04/05/2019][14:30:03][28807][578766592][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][myagent][/affwebservices/public/saml2sso?SPID=mysp][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]
[04/05/2019][14:30:03][28807][578766592][CSmLowLevelAgent.cpp:3402][LogoutSession][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-3f6f311c7a27][*10.0.0.1][][myagent][/affwebservices/public/saml2sso?SPID=mysp][Calling LogoutSession for session '+9HDjvKRwdasdasdC4hsC4+4d4='.]
[04/05/2019][14:30:03][28807][578766592][CSmLowLevelAgent.cpp:4495][LogoutSession][][][][][][][Session logged out.]
[04/05/2019][14:30:03][28807][578766592][SmPluginUtilities.cpp:166][DeleteCookie][00000000000000000000000046ad2ea0-7087-5ca74a4b-227f4700-600a7e0a2f8c][*10.0.0.1][][myagent][/auth/?SPID=mysp&SMPORTALURL=https%3A%2F%2Fmyotherwebagent.domain.com%2Faffwebservices%2Fpublic%2Fsaml2sso%3FSPID%3Dmysp%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=12fa375e-12fcb6cd-59b4b47b-9020fbcf-3630f2e0-eec][][Deleted cookie 'MY_SESSION'.]
but because the Web Agent is configured to handle only the MY_ session cookie,
the SMSESSION cookie never gets removed from the browser. The IDP
Web Agent Option Pack is then unable to decode the SMSESSION value and
the transaction fails; the user is not redirected to the login page.
If you reproduce the issue and, at the moment the problem occurs, delete
the SMSESSION=LOGGEDOFF cookie from the browser's cookie store, the flow
resumes normally.
Resolution:
Use two different Web Agents with different ACOs and different
SSOZoneName values to solve the issue.
Alternatively, customize the Apache server to remove the SMSESSION=LOGGEDOFF
cookie from the browser.
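As an added illustration (not part of this KB article or of the product), one way to implement the Apache workaround on the IDP web server, assuming Apache httpd 2.4 with mod_headers loaded; the cookie domain .example.com is a placeholder for the shared Domain Name, and the Path/Domain attributes must match those of the original SMSESSION cookie or the browser will not delete it:

```apache
# Expire the stale SMSESSION=LOGGEDOFF cookie that no Web Agent on this
# host would otherwise clean up (assumed placement: the VirtualHost that
# serves /affwebservices on the IDP side).
<IfModule mod_headers.c>
    # Match SMSESSION=LOGGEDOFF as a whole cookie, not as a substring of
    # another cookie name or value.
    <If "%{HTTP_COOKIE} =~ /(^|; *)SMSESSION=LOGGEDOFF(;|$)/">
        # 'always' is required so the header is also emitted on the
        # error response the Option Pack returns when the transaction fails.
        # 'add' appends rather than replacing any Set-Cookie the
        # federation services already emit.
        # .example.com is a placeholder: use the cookie's real Domain.
        Header always add Set-Cookie "SMSESSION=; Path=/; Domain=.example.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly"
    </If>
</IfModule>
```

After a logout round trip, confirm with the browser's developer tools (or the Web Agent trace) that the SMSESSION cookie is gone and that a fresh request reaches the login page instead of the decryption error shown above.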
KB: KB000131888