Symantec Access Management

  • 1.  Persistent Cookies in Federation

    Posted Feb 15, 2018 07:39 AM

    Hi,

     

    How do I enable Persistent Cookies in Federation? SiteMinder is the IdP and we have a third party as the SP.

    Can we implement that for session persistence?



  • 2.  Re: Persistent Cookies in Federation
    Best Answer

    Posted Feb 15, 2018 10:45 AM

    DebSarkar

     

    Just to be clear: Persistent Cookies OR Persistent Session (in Session Store)? They are different and controlled by different settings. Hence using the correct terminology is vital.

    User Sessions - CA Single Sign-On - 12.7 - CA Technologies Documentation 

     

    Persistent Cookies refer to ACO Parameter PersistentCookies.

     

    For Persistent Session, we start off by making the Realm (Policy Domain) protecting the AuthenticationURL (in Partnership), e.g. /affwebservices/redirectjsp/*, persistent.

     

    For your reading and review.

    Federation Features Requiring the Session Store - CA Single Sign-On - 12.7 - CA Technologies Documentation [Also review the comments section on this page].

    Storing User Session, Assertion, and Expiry Data - CA Single Sign-On - 12.7 - CA Technologies Documentation 

     

     

    Lastly, could you elaborate more on the term "Session Persistence"? It'd help us direct you better if you provide the use case that we are trying to achieve.

     

    Regards

    Hubert



  • 3.  Re: Persistent Cookies in Federation

    Posted Feb 16, 2018 08:29 AM

    HubertDennis... Thanks for the explanation.

    To further explain, I have 2 federations set up... in one of them I need to enable a persistent cookie for that particular federation.

    So in this case, if I set persistent cookies at the ACO level, would it not impact the other federation also?

    Is there any way to enable a persistent cookie for a particular federation?



  • 4.  Re: Persistent Cookies in Federation

    Posted Feb 16, 2018 09:24 AM

    From a browser perspective, it is going to send all cookies to the server which match the domain (Persistent and non-Persistent). Thus I believe when you SSO across the federation partnerships, those partnerships should be able to see the SMSession.

     

    I don't know the use case which is prompting you to set SMSession as Persistent Cookie for a federation partnership. I have never seen anyone needing to make SMSession Persistent Cookie. I hope you understand the risks of making SMSession Persistent Cookie.

     

    What I'm not sure of is whether there would be a conflict between a Persistent SMSession Cookie and a non-Persistent SMSession Cookie when either CA SSO component (where PersistentCookie=YES vs. NO) issues a Set-Cookie to the browser.

     

    Since you have the setup, test it and investigate the following.

    • Fiddler traces.
    • Web Agent trace logs.

    This would give a better picture of what is transpiring in the entire flow.
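
One way to run the trace check suggested in the post above, as an added example that is not part of the original thread or of any CA/Symantec tooling: it classifies each `Set-Cookie` response header as a session or persistent cookie and flags the case where the same cookie is issued both ways. The host names, cookie values, `TRACE` and `NOW` are constructed sample data, and the cookie name is compared case-insensitively as an assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def classify(set_cookie, now):
    """Return (name, kind); kind is 'session', 'persistent' or 'delete'."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()
    if "max-age" in attrs:  # Max-Age wins over Expires (RFC 6265)
        try:
            return name, "persistent" if int(attrs["max-age"]) > 0 else "delete"
        except ValueError:
            pass  # unparsable Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, "session"  # unparsable Expires is ignored
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return name, "persistent" if exp > now else "delete"
    return name, "session"  # no lifetime attribute: session cookie

def audit(trace, cookie="SMSESSION", now=None):
    """Group hosts by how they issue `cookie`; flag mixed persistence."""
    now = now or datetime.now(timezone.utc)
    seen = {"persistent": [], "session": []}
    for host, header in trace:
        name, kind = classify(header, now)
        if name.upper() == cookie.upper() and kind in seen:
            seen[kind].append(host)
    seen["conflict"] = bool(seen["persistent"]) and bool(seen["session"])
    return seen

# Constructed sample: (responding host, Set-Cookie value) pairs read from a trace.
TRACE = [
    ("idp.example.com", "SMSESSION=aaa; Path=/; Domain=.example.com; HttpOnly"),
    ("fed.example.com", "SMSESSION=bbb; Path=/; Domain=.example.com; "
                        "Expires=Wed, 21 Feb 2018 10:45:00 GMT"),
    ("fed.example.com", "OTHER=1; Max-Age=3600"),
]
NOW = datetime(2018, 2, 20, 10, 45, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit(TRACE, now=NOW))
```

A `conflict` of `True` means the browser received the cookie both with and without a lifetime, which is the situation the web agent trace logs would then need to explain.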



  • 5.  Re: Persistent Cookies in Federation

    Posted Feb 19, 2018 11:57 AM

    Hubert, is there not a possibility of setting a persistent cookie for a selected Federation only?

    If I make changes at the ACO level... then it would impact my other Federations which are available in that agent... right?



  • 6.  Re: Persistent Cookies in Federation

    Posted Feb 19, 2018 07:35 PM

    Correct, and yes, there is no option to make a persistent cookie for only a selected federation. As the setting is at the ACO level, it is system-wide for that particular federation endpoint.



  • 7.  Re: Persistent Cookies in Federation

    Posted Feb 20, 2018 06:55 AM

    Yes Ujwol... We cannot make a persistent cookie for a selected federation.

    But my real concern is: if I enable persistent cookies at the ACO level, will it impact other federations that are configured as part of the same agent?

     

    Thank you.



  • 8.  Re: Persistent Cookies in Federation

    Posted Feb 20, 2018 06:57 AM

    Yes, it will.