Symantec Access Management

Expand all | Collapse all

CA Gateway (aco, cookie-provider) Federation

Jump to Best Answer
  • 1.  CA Gateway (aco, cookie-provider) Federation

    Posted 10-19-2019 12:01 PM
    Edited by goutham reddy A 10-19-2019 12:05 PM
    Hi All,

    May be i did configuration wrongly, would like to understand better on CA gateway acting as Service Provider (multiple ACO)
    Trying to separate configuration based on applications.

    My configuration: (hard to write down, but will try to make it scene).

    2 AGENT NAME (,
    2 ACO (,
    2 Virtual hosts (, -------------> server.conf
    proxyrules.xml ----------(configured to back end apps on IIS)    ------------------> is giving same output to use with proxy UI only (actual application)

    Now the ISSUE time.

    1. In above mentioned ACO, i did set cookie provider as (,  respectively in both ACO
    2. The is not honored that is set in, when i access application IDP initiated, at SP side again login page is prompted (because cookie is set to
      wrong domain set
    3. Application is working once cookie domain is set as in (
      cookie domain


    1. cookie domain set in, is not honored?
    2. Apart form separate logging, is there no use of having separate ACO for each VHOST.
    3. Is some configuration done wrong.
    4. Is it possible to disable Federation service on default site and enable Federation service only on


  • 2.  RE: CA Gateway (aco, cookie-provider) Federation
    Best Answer

    Posted 10-21-2019 10:58 PM
    Hi Gowtham,

    I am not quite understanding your use case.
    You have 2 domains but one is used for proxyui only, which means you only have 1 cookiedomain for federation which is
    And in your federation use case, why would you need the
    Are you federating between and

    When both IDP and SP are SiteMinder you must ensure the sessions are not overwritten by each other.

    Best to share fiddler trace demonstrating the problem
    Just ensure you mask the username/password or replace them manually after capture if you are concerned about it.

    Support Engineer 5

  • 3.  RE: CA Gateway (aco, cookie-provider) Federation

    Posted 11-01-2019 02:18 AM
    Hi Kim,

    Sorry for delay in response.
    Sure, will share the fiddler trace.

    Both IDP and SP are siteminder only, one server acting as IDP and other server acting as SP.