Symantec Access Management


Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

  • 1.  Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

    Posted 02-23-2016 04:13 PM

    If you are using SAML with the Single Sign-On Federation component then you need to have DisableSessionVars = no (default value).

     

    Explanation:

    If your federation agent has disablesessionvars set to yes (no by default) then it will not set the SessionID and SessionSpec headers. If those headers are not found (or too many are found), then the federation agent has to ignore the session, leading to the following type of error in the FWS trace log:

    [Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]

     

    Sample use case:

    When you call the /public/saml2sso you are redirected to the login page correctly and manage to authenticate okay, but on redirect back with the SMSESSION, it continues to redirect to and from the /redirect/redirect.jsp.

    In the FWS Trace we see this error where it seems to have a problem validating the session cookie:

    ...[FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]



  • 2.  Re: Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

    Posted 08-30-2016 06:40 AM

    Adding to the above Tech Tip.

     

    Even though DisableSessionVars = no (default value), when the user goes to /public/saml2sso with SMSESSION, he was getting redirected to the Authentication URL and it continues to redirect to and from the /redirect/redirect.jsp.
    In the FWS Trace we see this error where it seems to have a problem validating the session cookie:
    ...[FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]

     

    Cause:
    ignoreurl=/affwebservices/public was set in Agent Configuration Object which caused this issue.

    Because of the ignoreurl=/affwebservices/public ACO parameter, the URL that contains /affwebservices/public will not get authorized, hence the required headers will not be set. So when affwebservices decoded the SMSESSION it was fine, but later when it relied on headers set from the normal SPS/webagent it would not find them. Due to this, FWS was failing to validate the session and redirecting back to the Authentication URL.

     

    Resolution:
    Please remove /affwebservices/public from the ignoreurl ACO parameter.

     

    Thanks,

    Sharan



  • 4.  Re: Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

    Posted 05-30-2018 12:50 PM

    Hey Sharana,

     

    We are using siteminder web agent option 12.52 SP1 CR05 and policy server 12.52 SP1 CR06, both running on the RHEL 6.x operating system. As recommended, we made the change DisableSessionVars = no, and ignoreurl is completely commented out. But we are still getting the following error.

     

    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]

     

    FWSTrace.log

    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processRequest][RealmOID: 06-0004ef14-af78-17f2-83d8-11180a5640d7]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processRequest][Request to validate the session [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isValidSession][Checking for valid SESSION cookies.]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][getSessionData][session cookie name: SMSESSION]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isValidSession][Session ID is: LLWE21CQV8+ERQEbsKw163uo/so=]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isValidSession][Session Spec is: QDqb+82nr7qi6WA8C7VgKsjuaRXmxtrUSBQqw608Cr6A5YOJOMD1Nj5bkttRMKPglZ4nY6en2/jKkL4+TFABNKF3Eet8qVLpwjskmO3w6DULTxfLeDzDIAPC/CEsGzRAcLugWIcE8+NZ8bCC1SxrpBZGmVnxbak4g2OhOh9dF3B159Ih9JAMIvSK+74kd2FS/0LLkTyN3vHkQ0pGSWfEjjF9EoUsZfU1FHEPaokGXBPNkKRnxvy0dgVrZXqT2Kk5nkfX2xvKv58bjB7B+sLZLtj9GjBdS9LKvscjbLfNfaa7z2attz+OmtNUOMItqOaPG0TJotHdt1Gm3b57tiF4SXEply0NmqwmPBRZQ7jpsTK6urBvnZo2gYAy0CpLjeE2mGlv7ELDgwXXMMUCt3V7VU/avpQPExoHNqZv1z09vbvttILVATO+7AyA6eo9LaC5DjRIfOf1a/4LwQqHxi+xhSsMFYUAfp7UagqoDzpEMuh8YJ5onxU0uKOkGgtr0kLO]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isSessionIdle][returning true]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][FWSBase.java][isValidSession][Session is Idle]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processRequest][Force Authn is disabled.]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processRequest][Current session state is: false]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processRequest][Current session is not a valid session.]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processRequest][Session cookie does not exists. redirecting to authentication url [CHECKPOINT = SSOSAML2_AUTHENTICATIONURL_REDIRECT]]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][getLocalServiceURL][Enter getLocalServiceURL]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][getLocalServiceURL][Using Proxy URL for local SSO service: http://example.com/affwebservices/public/saml2sso]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processAuthentication][Not using secure authentication URL.]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processAuthentication][SAMLTransactionID 1a8bfc18-e0b94a74-1e59e128-77e609d9-797b24aa-e9c maps to TransactionID: 1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2.]
    [05/30/2018][11:28:30][72242][2577520384][1634bae6-f3610516-4de00ce8-5c290c12-7a4eeb43-2][SSO.java][processAuthentication][SAML2 Single Sign-On Service redirecting to authentication URL: https://example-iwa.com/samlredirect/redirect.asp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=https://sp.com/DP/SSO/SAML/DPAssertionConsumerService.aspx&SAMLTRANSACTIONID=30cd6da6-f5e5880c-a35318a9-56b36fca-0ea3c4e4-ea&SAMLTRANSACTIONID=80466740-523734cf-6bfab3ab-8b3b0cfe-ae1b791d-92&SAMLTRANSACTIONID=1388d44e-a3ef8a7e-ee0345d6-3ebcdc8d-70417b8f-6a0&SAMLTRANSACTIONID=1fb51037-a5fa92a9-1ae27da4-734c7cdf-b49f7d63-2bf&SAMLTRANSACTIONID=155e5fb3-4c58a8a5-5a51b729-0e630e07-396c5676-e8d&SAMLTRANSACTIONID=163b58f3-b6056124-b32b9544-e2abc0c0-6bc6268b-52&SAMLTRANSACTIONID=79ecf353-3ceb39a1-f2677cba-2267f5e7-51e0941f-f&SAMLTRANSACTIONID=12a0219b-8554908a-bc8ad10d-97716e32-7d42aa22-43&SAMLTRANSACTIONID=23b00c75-1e2dc169-af2adb59-bcd6d6ac-9f1ddadd-843&SAMLTRANSACTIONID=c65f79de-80e760c3-acfb63ff-89c0aea4-35a882c9-7&SAMLTRANSACTIONID=38581f1d-9649c9a0-bf23f8e4-04e498a8-b48a117f-92&SAMLTRANSACTIONID=3239e4f0-fa037e06-49e0eab3-28d758e4-62298001-4&SAMLTRANSACTIONID=85bbf758-29d72704-23e61b38-0f488663-c6033fd8-d2&SAMLTRANSACTIONID=d23955af-c42f236d-de343b74-986840ed-0dd1f8a6-2&SAMLTRANSACTIONID=54df9f9e-73b00814-fbb35dca-3e35c0e4-84d427a3-c8&SAMLTRANSACTIONID=20a16b10-dd210a01-b4f05717-420f5c94-ef9eecb0-52&SAMLTRANSACTIONID=104a9604-84afa3cf-4070c82b-90475239-cabe56ef-75&SAMLTRANSACTIONID=419b35c2-50cc24fd-374c4b7c-929c2006-23268416-53&SAMLTRANSACTIONID=15369c19-2f8b61cd-529acae6-f9e86a1d-0e0e46b7-a5&SAMLTRANSACTIONID=4c8
5c9df-7ad96335-a3f13015-892f8bc4-f2fd388b-2&SMPORTALURL=http%3A%2F%2Fexample.com%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=1a8bfc18-e0b94a74-1e59e128-77e609d9-797b24aa-e9c.]

     Any help is greatly appreciated.

     

    Thank you,

    Naveen



  • 5.  RE: Re: Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

    Broadcom Employee
    Posted 12-27-2019 09:28 AM
    Hi Naveen
    Did you get this issue resolved? I am getting the same error and behavior. It seems I am getting a kind of loop of redirects.
    I am getting the same messages on FWSTrace.log file and my configurations (DisableSessionVars = no and ignoreurl is completely commented out) are the same as yours.
    I hope you can still remember what you did in the past.

    Regards
    Hugo





  • 6.  RE: Re: Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

    Broadcom Employee
    Posted 12-30-2019 02:34 AM
    Hi Hugo and Naveen,

    This looping might occur if the Authentication URL for your Federation
    journey is not protected.

    Request Looping Between Authentication URL and Federation URL
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=75133

    Federation IdP initiated transaction entering in a redirection loop
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=6225

    I hope this helps,

    I wish you a Happy New Year 2020, for you all and your families!

    Best Regards,
    Patrick


  • 7.  RE: Re: Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

    Posted 06-19-2020 08:59 PM
    Hi,

    Are you guys able to fix this issue? I am getting the same error.

    FWSTrace.log

    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][FWSBase.java][isSessionIdle][Verifying validity of session cookie [DEVSMSESSION] retrieved]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][FWSBase.java][isSessionIdle][returning true]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][FWSBase.java][isValidSession][Session is Idle]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][SSO.java][processRequest][Force Authn is disabled.]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][SSO.java][processRequest][Current session state is: false]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][SSO.java][processRequest][Current session is not a valid session.]

    affwebserv.log

    [44138/140318359791360][Sat Jun 20 2020 00:34:42][isSessionIdle][ERROR][sm-FedClient-01570] SAML2 Request contains too many SERVERSESSIONID headers. Session is considered invalid and user must relogin. Service encounters the following error while processing request: {1}.

    ------------------------------
    Solutions Architect
    1Worldsync
    ------------------------------



  • 8.  RE: Re: Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

    Broadcom Employee
    Posted 06-22-2020 02:25 AM
    Hi matheensyed,

    It looks like if you have several Agents with different values for
    DisableSessionVars, this error will show up:

    SAML2 Request Contains Too Many SERVERSESSIONID Headers
    https://knowledge.broadcom.com/external/article?articleId=142862

    I hope this helps,
    Best Regards,
    Patrick


  • 9.  RE: Re: Tech Tip: CA Single Sign-On :: Set 'DisableSessionVars = NO' for Single Sign-On SAML

    Broadcom Employee
    Posted 06-23-2020 02:31 AM
    Hi matheensyed,

    Another thing: it seems you use zones:

    Verifying validity of session cookie [DEVSMSESSION] retrieved

    How have you set the following ACO?

    SSOZoneName
    SSOTrustedZone

    ref.:

    Web Agent Option Pack :: ACO : Full List
    https://knowledge.broadcom.com/external/article?articleId=49319

    Best Regards,
    Patrick
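
A triage sketch for the FWSTrace.log excerpts posted in this thread, added here as an example (it is not CA/Broadcom code and not from any poster). It groups lines by transaction ID, records which session cookie FWS checked, and counts the repeated SAMLTRANSACTIONID parameters in the redirect URL; the function names, the sample lines and the use of that count as a loop indicator are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# FWSTrace.log layout as seen in the thread:
# [date][time][pid][tid][transaction id][source file][method][message]
LINE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]\[(\d+)\]\[(\d+)\]\[([0-9a-f-]+)\]"
                  r"\[([^\]]+)\]\[([^\]]+)\]\[(.*)\]$")
COOKIE = re.compile(r"Verifying validity of session cookie \[(\w+)\] retrieved")
REDIRECT = re.compile(r"redirecting to authentication URL: (\S+?)\.?$")

def triage(lines):
    """Group trace lines by transaction ID and record the loop symptoms."""
    report = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or line from another log
        txid, msg = m.group(5), m.group(8)
        tx = report.setdefault(txid, {"cookie": None, "missing_header": False,
                                      "invalid_session": False, "redirects_seen": 0})
        if (c := COOKIE.search(msg)):
            tx["cookie"] = c.group(1)  # a non-default name suggests SSO zones
        if "Request doesn't contain session ID header" in msg:
            tx["missing_header"] = True
        if "Current session is not a valid session" in msg:
            tx["invalid_session"] = True
        if (r := REDIRECT.search(msg)):
            query = parse_qs(urlsplit(r.group(1)).query)
            tx["redirects_seen"] = len(query.get("SAMLTRANSACTIONID", []))
    return report

def looping(tx, threshold=3):
    """Heuristic (assumption): several stacked SAMLTRANSACTIONID values on an
    invalid session mean the browser is bouncing between FWS and the auth URL."""
    return tx["invalid_session"] and tx["redirects_seen"] >= threshold

# Constructed sample modelled on the thread's trace lines (IDs and hosts are made up).
P = "[05/30/2018][11:28:30][1000][2000]"
A, B = "aaaaaaaa-0-0-0-0-1", "bbbbbbbb-0-0-0-0-2"
URL = "https://idp.example.com/samlredirect/redirect.asp?SPID=sp1" + "&SAMLTRANSACTIONID=t" * 4
SAMPLE = [
    f"{P}[{A}][FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]",
    f"{P}[{A}][FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]",
    f"{P}[{A}][SSO.java][processRequest][Current session is not a valid session.]",
    f"{P}[{A}][SSO.java][processAuthentication][SAML2 Single Sign-On Service redirecting to authentication URL: {URL}.]",
    "5c9df-7ad96335 (wrapped fragment, skipped by the parser)",
    f"{P}[{B}][FWSBase.java][isSessionIdle][Verifying validity of session cookie [DEVSMSESSION] retrieved]",
    f"{P}[{B}][SSO.java][processRequest][Current session is not a valid session.]",
]

if __name__ == "__main__":
    for txid, tx in triage(SAMPLE).items():
        print(txid, tx, "LOOP" if looping(tx) else "")
```

In the output, `missing_header` corresponds to the error the first two posts attribute to DisableSessionVars and ignoreurl, and a `cookie` value other than SMSESSION is the detail that prompted the SSOZoneName / SSOTrustedZone question above.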