Symantec Access Management

 View Only
  • 1.  Test cookie before authorization.

    Posted Jun 16, 2023 08:30 AM

    Hi all, I have a strange question.

    I have three federated domains, A, B and C. 

    The realms in domain A are authenticated through an IWA authentication schema

    the other two are authenticated through a custom schema.

    Because of the federation, If I authenticate to a resource in domain A, I can access to resources in domains B, C too, and this is fine BUT:

    The applications in domains B and C need a user cookie that is normally generated by their  authentication schema and is not present if I am authenticated on an application belonging to domain A.

    Is there any way to test if a cookie exists at authorization level?

    I mean: I authenticate on a resource in domain A, so I have a SM_SESSION cookie but I do not have the user cookie. I call a resource from domain B, I am already authenticated but I do not have the user cookie so  I cannot access to the target resource, so when I pass from a resource in domain A to one in domain B or C I need to test the presence of the user cookie and in some way create it if not present.

    The solution I think about are:

    1. generate the user cookie also in the authentication schema  for the resources in domain A (the client is not happy with it).
    2. use an higher protection level on resources in domain B and C (I think it is the best but it gives some problems)
    3. test the presence of the user cookie through a response. My question is: is there a way to write a response expression to test if the cookie is present?

    Thanks and have a nice day


  • 2.  RE: Test cookie before authorization.

    Posted Jun 17, 2023 12:42 AM

    Hi Flavio,

    Does the 3 apps are with the same ACO? Because if isn't you may need to configure the trust between each app ACO, as far I remember. Otherwise you may use response rules into each realm to trust each other (create the app coolie).



  • 3.  RE: Test cookie before authorization.

    Posted Jun 19, 2023 03:55 AM

    Hi daniel. thanks for the reply. Yes, the 3 apps are in the same ACO. I was wondering if there is the chance to write a response in which I test the present of the cookie and, if not, present create it. I went through some searches but I did not find a solution.



  • 4.  RE: Test cookie before authorization.

    Posted Sep 20, 2023 09:28 AM

    Testing for the presence of a user cookie at the authorization level can be complex. Consider discussing the client's concerns about generating the user cookie in Domain A or implementing a higher protection level for resources in Domains B and C. Testing via response expressions is possible, but the exact implementation depends on your access management system. Ultimately, the choice should align with security and user experience needs.