Thanks for the reply, Lakshmikanth.
I understand the flow mentioned by you.
- Siteminder (Shim) asks State Manager to create the token.
- State Manager creates the token and gives it to Shim.
- Shim sends this token to AFM for multi-factor authentication.
- AFM checks the status of the token with State Manager.
- Here AFM gets a reply from State Manager about the token data. AFM reads the token and I can see the log below, which is fine:
2018-05-07 22:18:12,428 [[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO integrations.frontend.LifeCycleStateData(681) -> 707098077: Log message from Shim: Authentication successful|nikunj.padhiyar@xyz.com |20180507211811.765.d0c50077
Now my concern is that here AFM makes a call to State Manager to create a new token which has information about the State, as shown in the logs (again mentioned below):
2018-05-04 16:13:16,692 [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG toksvr.client.SimpleTSClientImpl(403) -> Sending creation request to https://<state-manager-domain-and-port>/arcotsm/servlet/creation/eacf12468d05378d
2018-05-04 16:13:16,692 [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG toksvr.client.SimpleTSClientImpl(406) -> Token data sending for creation is : {"TsToken":{"StateData":"rO0ABXN......cHEAfgBEcHBw"}}
Here the value of StateData is encoded. So, I need to understand: if AFM is going to State Manager to create a "NEW" token (as the token id is different from the one which Siteminder sends to AFM initially) with the State data, how does AFM know which user this "New" token is associated with, as there are no associations found? And when will AFM call to delete the token? I understand there is always an expiry of the token, but here AFM makes a call to delete it explicitly.
I guess it might be something to do with the encoded state data. However, I just want to be sure, as I am not able to find this behavior in the documentation.
Hope this clarifies my question.