Hi IS Team,

Currently in App Manager, we are handling SSO between web applications as follows.

Once the user gets authenticated by the IDP, it sets a cookie called samlTokenId in the browser. In the first authentication response that comes to the AppM gateway, we keep this samlTokenId cookie with the SAML response in the gateway cache. From the next web application access onwards, we check whether the incoming request contains the samlTokenId cookie in the transport headers; if it exists, we validate whether it is an authenticated cookie by checking its existence in the cache. If not, we redirect the browser to the IDP login page.

The issue with the above approach is that the 'samlTokenId' cookie is set by the IDP into its own domain. If App Manager and Identity Server run on two different domains, the AppM gateway cannot see the 'samlTokenId' cookie.

As a solution, we created a new cookie at the AppM gateway when it receives the SAML response, and keep checking this new cookie for the user authentication instead of the 'samlTokenId' cookie set by the IDP. With this approach there will be three cookies available in the browser related to a SAML user authentication, i.e. one set by AppM (appmSamlTokenId) and two cookies set by the IDP (samlTokenId and commonAuthId; the latter cookie was added with recent IS changes).

If someone deletes the 'appmSamlTokenId' cookie while the other two cookies are still available in the browser, then once the gateway request comes, it will call redirectToLogin(). But once the IDP receives this request, since valid samlTokenId and commonAuthId cookies are available, the IDP will send the available SAML response instead of the browser being redirected to the login page. AFAIU, this behavior is fine. If someone needs to be redirected to the login page again, then all three cookies need to be removed from the browser (i.e. in scenarios like single logout).

Can you confirm whether this approach/behavior is correct?

Regards,
Dinusha.

--
Dinusha Dilrukshi
Senior Software Engineer
WSO2 Inc.: http://wso2.com/
Mobile: +94725255071
Blog: http://dinushasblog.blogspot.com/
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
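The three-cookie flow described in the mail above, as an added simulation that is not App Manager or Identity Server code. It models a browser with per-domain cookie jars, an IDP on one domain that re-issues a SAML response while its samlTokenId/commonAuthId cookies are valid, and a gateway on another domain that keys its cache on its own appmSamlTokenId cookie. The domain names, the session and cache structures, and the treatment of commonAuthId as a simple presence check are assumptions made for the example.

```python
"""Simulation of cross-domain cookie-based SSO at a gateway (constructed example,
not WSO2 code). Domain names, session/cache shapes and the commonAuthId check
are assumptions; real IdP session validation is considerably richer."""
import secrets

APPM_COOKIE = "appmSamlTokenId"
IDP_COOKIES = ("samlTokenId", "commonAuthId")


class Browser:
    """Cookie jars keyed by domain: a cookie set by idp.example.com is never
    sent to appm.example.com, which is the root of the problem in the mail."""

    def __init__(self):
        self.jars = {}

    def cookies_for(self, domain):
        return dict(self.jars.get(domain, {}))

    def set_cookie(self, domain, name, value):
        self.jars.setdefault(domain, {})[name] = value

    def delete_cookie(self, domain, name):
        self.jars.get(domain, {}).pop(name, None)


class IdentityServer:
    domain = "idp.example.com"  # assumed hostname

    def __init__(self):
        self.sessions = {}  # samlTokenId -> subject (assumed IdP session store)

    def login(self, browser, subject):
        """User authenticates interactively; IdP sets its two cookies."""
        token = secrets.token_hex(8)
        self.sessions[token] = subject
        browser.set_cookie(self.domain, "samlTokenId", token)
        browser.set_cookie(self.domain, "commonAuthId", secrets.token_hex(8))
        return {"subject": subject, "assertion": f"assertion-for-{subject}"}

    def authn_request(self, browser):
        """Redirect from the gateway arrives here. With valid IdP cookies the IdP
        answers with a SAML response and never shows the login page."""
        cookies = browser.cookies_for(self.domain)
        token = cookies.get("samlTokenId")
        if token in self.sessions and "commonAuthId" in cookies:  # simplified check
            subject = self.sessions[token]
            return {"subject": subject, "assertion": f"assertion-for-{subject}"}
        return "login_page"

    def single_logout(self, browser):
        self.sessions.pop(browser.cookies_for(self.domain).get("samlTokenId"), None)
        for name in IDP_COOKIES:
            browser.delete_cookie(self.domain, name)


class AppManagerGateway:
    domain = "appm.example.com"  # assumed hostname

    def __init__(self, idp):
        self.idp = idp
        self.cache = {}  # appmSamlTokenId -> cached SAML response
        self.log = []    # record of decisions, for inspection

    def handle_request(self, browser):
        """Returns the authenticated subject, or None if a login page was shown."""
        token = browser.cookies_for(self.domain).get(APPM_COOKIE)
        if token in self.cache:
            self.log.append("cache_hit")
            return self.cache[token]["subject"]
        self.log.append("redirectToLogin")
        resp = self.idp.authn_request(browser)
        if resp == "login_page":
            self.log.append("login_page")
            return None
        return self.accept_saml_response(browser, resp)

    def accept_saml_response(self, browser, saml_response):
        """IdP posts the SAML response back; gateway mints its own cookie."""
        token = secrets.token_hex(8)
        self.cache[token] = saml_response
        browser.set_cookie(self.domain, APPM_COOKIE, token)
        self.log.append("cache_store")
        return saml_response["subject"]

    def single_logout(self, browser):
        """All three cookies (and the gateway cache entry) must go."""
        self.cache.pop(browser.cookies_for(self.domain).get(APPM_COOKIE), None)
        browser.delete_cookie(self.domain, APPM_COOKIE)
        self.idp.single_logout(browser)


def run_scenario():
    """Walks through the cases in the mail and returns the gateway's decision log."""
    browser, idp = Browser(), IdentityServer()
    gw = AppManagerGateway(idp)
    assert gw.handle_request(browser) is None            # no cookies: login page
    gw.accept_saml_response(browser, idp.login(browser, "alice"))
    assert "samlTokenId" not in browser.cookies_for(gw.domain)  # IdP cookie invisible to gateway
    assert gw.handle_request(browser) == "alice"         # served from gateway cache
    browser.delete_cookie(gw.domain, APPM_COOKIE)        # only appmSamlTokenId removed
    assert gw.handle_request(browser) == "alice"         # IdP re-issues, no login page
    gw.single_logout(browser)                            # all three cookies removed
    assert gw.handle_request(browser) is None            # login page again
    return gw.log
```

One caveat the simulation makes visible: when only appmSamlTokenId is deleted, the gateway mints a fresh cookie and cache entry, leaving the old cache entry orphaned, so the gateway cache needs an expiry rather than relying on single logout alone to clean it up.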
