I was involved in troubleshooting a very weird behavior recently and thought it would be good to share.
The use case is:
Customer is the IDP
CA OnDemand is the SP
The browser flow is as below. Some URLs are not the actual ones.
Redirects to login at the IDP.
User is authenticated and an assertion is generated and posted to the SP (OnDemand site).
User is authenticated (federated) at the SP, thus the SMSESSION cookie is set.
User is redirected to TARGET.
Browser submits the SMSESSION cookie and gets an updated cookie.
User is redirected to the clarity site.
Browser submits the SMSESSION cookie and gets access to the application.
Above is the normal use case.
The step highlighted in orange is where IE11 was showing the weird behavior.
Logs show that the user has successfully federated and been redirected to the clarity site.
But when using Fiddler, it was found that IE11 was not sending any SMSESSION cookie at all.
In fact, there were NO cookies at all.
Even the Referer header was not there in the request.
That led me to look at the "Process" field in Fiddler.
Below is Fiddler showing the client software's Process ID.
From tracking the odd behavior, I found that IE11 spawned a new IE process when it was redirecting to the clarity site.
When the new process was spawned, no cookies were copied to or shared with that process, so there was no SMSESSION cookie to submit.
As a result, the clarity site rejects this request and redirects to the login page.
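The manual Fiddler check described above can be scripted. The following is an added example, not part of the original post: it walks a constructed list of captured requests and flags any request that is in scope for SMSESSION but arrives without it, noting whether the process ID changed. The hosts under .example, the process IDs and the record layout are assumptions, not a Fiddler export format.

```python
from http.cookies import SimpleCookie

COOKIE = "SMSESSION"

# Constructed capture: one record per request, mirroring what Fiddler shows
# (Process column, host, request headers, Set-Cookie). Hosts/PIDs are made up.
SESSIONS = [
    {"pid": 4120, "host": "idp.customer.example", "req": {}, "set_cookie": []},
    {"pid": 4120, "host": "sp.ondemand.example",
     "req": {"Referer": "https://idp.customer.example/login"},
     "set_cookie": ["SMSESSION=abc123; Domain=.ondemand.example; Path=/"]},
    {"pid": 4120, "host": "sp.ondemand.example",
     "req": {"Cookie": "SMSESSION=abc123", "Referer": "https://sp.ondemand.example/acs"},
     "set_cookie": ["SMSESSION=def456; Domain=.ondemand.example; Path=/"]},
    {"pid": 7788, "host": "clarity.ondemand.example", "req": {}, "set_cookie": []},
]

def parse(header):
    jar = SimpleCookie()
    jar.load(header)
    return jar

def in_scope(host, domain):
    domain = domain.lstrip(".")
    return host == domain or host.endswith("." + domain)

def find_cookie_loss(sessions, name=COOKIE):
    """Flag requests that are in the cookie's scope but arrive without it."""
    findings, scope, prev = [], None, None
    for s in sessions:
        sent = parse(s["req"].get("Cookie", ""))
        if scope and in_scope(s["host"], scope) and name not in sent:
            reasons = []
            if prev and prev["pid"] != s["pid"]:
                reasons.append(f"process changed {prev['pid']} -> {s['pid']}")
            if not sent:
                reasons.append("no cookies at all")
            if "Referer" not in s["req"]:
                reasons.append("no Referer header")
            findings.append({"host": s["host"], "pid": s["pid"], "reasons": reasons})
        for raw in s["set_cookie"]:
            jar = parse(raw)
            if name in jar:  # session cookie issued or refreshed here
                scope = jar[name]["domain"] or s["host"]
        prev = s
    return findings

if __name__ == "__main__":
    for f in find_cookie_loss(SESSIONS):
        print(f["host"], f["pid"], "; ".join(f["reasons"]))
```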
Why is IE11 behaving differently only when accessing the clarity site?
It does not seem to have been identified yet.
From googling, I found this article on the Microsoft site.
The IE11 vendor has marked the issue as closed, but there were users reporting that the issue still persists.
There were a couple of suggestions though.
1. Set HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth to 0
2. Use a persistent cookie
The real solution to this is actually to add https://clarity.ondemand.ca.com to IE's trusted sites.
According to a Microsoft support engineer, when IE navigates to sites that are at a different level of trust, IE has to spawn a new process so that the cookies do not get shared. It was a way to isolate the zones.