In r12.0 version of Web Agent Option Pack, it did NOT generate SMSESSION cookie on successful validation of existing SMSESSION cookie.
However, r12.51 onwards, Web Agent Option Pack does generate SMSESSION cookie.
But unlike normal web agent it doesn't support the CustomIPHeader ACO parameter.
So, when it creates the SMSESSION cookie it resolves client IP as follows :
- It first reads the SM_CLIENT_IP header, if it has the value, it uses this.
- If SM_CLIENT_IP header is empty it uses the Proxy IP as the client IP. The Proxy IP is usually the Load Balancer IP.
Now, the normal Web Agent sets this SM_CLIENT_IP header to the actual browser IP address only if either TransientIPCheck or PersistentIPCheck is enabled.
As, in this case neither TransientIPCheck nor PersistentIPCheck was enabled on the IDP Web agent, it wasn't setting this SM_CLIENT_IP header as a result the WAOP was using the Proxy IP while creating SMSESSION cookie.
Now, when this SMSESSION cookie created by WAOP is submitted to normal agent the IP validation fails as the resolved client IP (resolved from CustomIPHeader) and the one in the SMSESSION cookie does not match.