Symantec Access Management

  • 1.  Test cookie before authorization.

    Posted Jun 16, 2023 08:30 AM

    Hi all, I have a strange question.

    I have three federated domains, A, B and C. 

    The realms in domain A are authenticated through an IWA authentication schema; the other two are authenticated through a custom schema.

    Because of the federation, if I authenticate to a resource in domain A, I can access resources in domains B and C too, and this is fine BUT:

    The applications in domains B and C need a user cookie that is normally generated by their authentication schema and is not present if I am authenticated on an application belonging to domain A.

    Is there any way to test if a cookie exists at authorization level?

    I mean: I authenticate on a resource in domain A, so I have a SM_SESSION cookie but I do not have the user cookie. I call a resource from domain B; I am already authenticated but I do not have the user cookie, so I cannot access the target resource. So when I pass from a resource in domain A to one in domain B or C, I need to test the presence of the user cookie and in some way create it if not present.

    The solutions I am thinking about are:

    1. generate the user cookie also in the authentication schema for the resources in domain A (the client is not happy with it).
    2. use a higher protection level on resources in domains B and C (I think it is the best but it gives some problems)
    3. test the presence of the user cookie through a response. My question is: is there a way to write a response expression to test if the cookie is present?

    Thanks and have a nice day



    ------------------------------
    Flavio
    ------------------------------



  • 2.  RE: Test cookie before authorization.

    Posted Jun 17, 2023 12:42 AM

    Hi Flavio,

    Are the 3 apps with the same ACO? Because if they aren't, you may need to configure the trust between each app ACO, as far as I remember. Otherwise you may use response rules in each realm to trust each other (create the app cookie).

    Regards,

    Daniel




  • 3.  RE: Test cookie before authorization.

    Posted Jun 19, 2023 03:55 AM

    Hi Daniel, thanks for the reply. Yes, the 3 apps are in the same ACO. I was wondering if there is the chance to write a response in which I test the presence of the cookie and, if not present, create it. I went through some searches but I did not find a solution.

    Regards

    Flavio




  • 4.  RE: Test cookie before authorization.

    Posted Sep 20, 2023 09:28 AM

    Testing for the presence of a user cookie at the authorization level can be complex. Consider discussing the client's concerns about generating the user cookie in Domain A or implementing a higher protection level for resources in Domains B and C. Testing via response expressions is possible, but the exact implementation depends on your access management system. Ultimately, the choice should align with security and user experience needs.