Hi Senthil,
Have a read this through this first to understand how the flow of SMSESSION cookie creation/validation :
Tech Tip - CA Single Sign-On: Web Agent :: SMSESSION Cookie
For your reference,
How is SMSESSION cookie created?
To understand how and who creates the SMSESSION cookie, we need to understand the user login flow. It goes something like below in the simplistic scenario:
- The Agent collects the user’s credentials.
- The Agent sends the Login() request to the Policy Server passing the received credentials. The Policy Server verifies the credentials and creates a Session Spec that represents the newly created user session. Policy server encrypts the Session Spec using Session Ticket Key (Persistent Key). The encrypted Session Spec is then sent back to the Agent together with the Session ID and other session related parameters (idle timeout, expiration timeout, etc.).
- The Agent embeds the Session ID and the Session Spec in an encrypted SMSESSION cookie that is sent back to the user’s browser. This encryption is done using Agent Keys.
- The Agents also saves the Session ID and the Session Spec in its User Session Cache.
- Any time when an authenticated user accesses the Web site, the browser submits the SMSESSION cookie together with a HTTP request.
- When the Agent receives the SMSESSION cookie, it decrypts the SMSESSION cookie using Agent Keys, extracts the Session ID and the Session Spec it checks them against the values stored in the User Session Cache. If the Agent cache doesn’t contain corresponding entry, the Agent uses the Validate() call to pass the Session ID and the Session Spec to the Policy Server for validation.
- Once Policy server receives the validation request from Web Agent, it decrypts the Session Spec using Session Ticket Key (Persistent Key) and then performs validation.
- If the validation succeeds, the Policy Server returns the updated Session Spec to the Agent. The Session ID is not modified in the course of validation.
Now, for your use case, when the user is authenticated in app1 (agent 1) and then SMSESSION cookie submitted to app2(agent 2) , the agent 2 doesn't have the SM_SERVERSESSIONISPEC in its local User Session Cache, so it does need to send the request to Policy server for validation as per step 6 above.
All the interaction between web agent and Policy server happens via SM_SERVERSESSIONISPEC.
The HTTP header SM_USERSESSIONSPEC is not always available, so I would suggest not to have any logic based on this header.
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/responses-and-response-groups/ca-siteminder-generated-user-attributes
Cheers,
Ujwol Shrestha
Ujwol's Single Sign-On Blog