Hi all,
I implemented SAML 2 Federation (HTTP-POST binding) between two SiteMinder instances; one acting as IdP and the other acting as SP.
At the IdP side FWS services are implemented using CA SPS, while at the SP side they are implemented using IIS web server, Apache Tomcat, CA Web Agent and CA Web Agent Option Pack.
When the client is redirected to the Assertion Consumer Service URL with a valid assertion, the Service Provider "validates" the assertion and generates the SMSESSION cookie.
Now the problem is that Tomcat (the saml2assertionconsumer at the SP side) double-quotes the SMSESSION cookie value, and when the client tries to GET a protected resource at the SP side the agent is not able to decode the SMSESSION. Indeed, I found the following error in the web agent log file:
Unable to decode SWSESSION cookie.
I looked around on the web in order to find the cause of this behaviour and finally I found that the cause is the Apache Tomcat application server.
Here are some details about it:
Source: https://tomcat.apache.org/migration-7.html#Cookies
If a cookie value or path contains characters that have to be quoted (per the RFC2109 specification), the cookie will be automatically converted from a "version 0" cookie into a "version 1" cookie before sending it to the client, and those values will be surrounded by double quotes. What characters need quoting is controlled by several System properties such as org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR. It is known that Internet Explorer has problems processing "version 1" cookies. (Bug 57872).
Source: https://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html#Specification
org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property
If not specified, the default value of false will be used.
[...]
cookies will be parsed strictly, by default v0 cookies will not work with any invalid characters.
If set to false, any v0 cookie with an invalid character will be switched to a v1 cookie and the value will be quoted.
[...]
Does any web agent or SiteMinder configuration exist in order to change this behaviour (i.e. not quoting the SMSESSION cookie value)?
Thanks in advance,
Daniele
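As an added illustration (not from the post above and not CA or Tomcat code), the following Python models the v0-to-v1 cookie upgrade the Tomcat documentation describes, using the RFC 2616 separator set and a FWD_SLASH_IS_SEPARATOR-style switch as assumptions, and shows why a consumer that takes the cookie value verbatim cannot decode a quoted SMSESSION while one that unquotes v1 values can. The session value and the strict base64 decode are constructed stand-ins for the opaque SMSESSION token and the agent's decode step.

```python
import base64
import binascii

# RFC 2616 "separators" (RFC 2109 reuses this token syntax). Tomcat's real
# behaviour is governed by its system properties; this set is an assumption.
HTTP_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def needs_v1_quoting(value: str, fwd_slash_is_separator: bool = True) -> bool:
    """True if a v0 cookie value would be upgraded to a quoted v1 cookie."""
    seps = HTTP_SEPARATORS if fwd_slash_is_separator else HTTP_SEPARATORS - {'/'}
    return any(c in seps or ord(c) < 0x20 or ord(c) == 0x7F for c in value)

def render_set_cookie(name: str, value: str, fwd_slash_is_separator: bool = True) -> str:
    """Mimic the v0 -> v1 upgrade: quote the value and append Version=1."""
    if needs_v1_quoting(value, fwd_slash_is_separator):
        escaped = value.replace('\\', '\\\\').replace('"', '\\"')
        return f'{name}="{escaped}"; Version=1'
    return f'{name}={value}'

def parse_cookie_header(header: str, unquote: bool = True) -> dict:
    """Parse a Cookie request header into {name: value}.

    unquote=False models a consumer that stores the raw value, quotes included.
    Attributes such as $Version sent by v1-aware clients are skipped.
    """
    cookies = {}
    for part in header.split(';'):
        part = part.strip()
        if not part or '=' not in part or part.startswith('$'):
            continue
        name, value = part.split('=', 1)
        if unquote and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        cookies[name.strip()] = value
    return cookies

def decodes_as_base64(value: str) -> bool:
    """Constructed stand-in for the agent's decode: strict base64 decoding."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

# Constructed session token: base64-like, contains '/' and '+' like an SMSESSION.
SESSION_VALUE = "AbC+dE/fG1a2"

def round_trip(unquote: bool, fwd_slash_is_separator: bool = True) -> bool:
    """Set the cookie, echo it back as a v1 client would, and try to decode it."""
    set_cookie = render_set_cookie("SMSESSION", SESSION_VALUE, fwd_slash_is_separator)
    echoed = "$Version=1; " + set_cookie.split("; Version=1")[0]
    return decodes_as_base64(parse_cookie_header(echoed, unquote)["SMSESSION"])
```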