Federation Authentication with Internet Explorer failing

Document ID : KB000009961
Last Modified Date : 14/02/2018
Introduction:

Occasionally, a Partnership Federation works perfectly when a user accesses the resource with Google Chrome or Firefox, but the same user sees an authorization failure with Internet Explorer.

This is typically caused by the lack of a P3P Compact Policy configuration on one or both sides of the Partnership.

Background:

Per the Documentation: 

Configure your Web Agent to Accommodate P3P Compact Policies

You can determine whether the custom responses from your Web Agent comply with P3P response headers with the following parameter:

P3PCompactPolicy

Determines whether custom responses comply with the Platform for Privacy Preferences Project (P3P) response headers. P3P compact policies use tokens representing the specific elements from the P3P terminology. If you set the P3PCompactPolicy parameter to the appropriate policy syntax, it ensures that custom responses are set with the correct P3P response header when a P3P compact policy is specified for the Web Agent.

Default: No default

Example: NON DSP COR CURa TAI (these represent: none, disputes, correct, current/always, and tailoring, respectively)

 

To accommodate P3P compact policies, add an appropriate policy syntax to the P3PCompactPolicy parameter.

Instructions:

To ensure that all browsers work with your partnership, test with each browser from which traffic is expected. If authentication fails, as in this case with Internet Explorer, check whether both sides of the Partnership require the following ACO parameter to be configured (if using CA Single Sign-On):

P3PCompactPolicy

Setting this parameter ensures that P3P headers are sent, which works around the Internet Explorer security settings that prevent the cookie from being used by the assertion during the Auth/Az phase of the Federation.
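To confirm which side of the partnership is missing the header, compare the response heads each side returns when it sets its cookie. The following check is an added example, not code from the product documentation. It assumes the compact policy is carried as `P3P: CP="..."` and uses constructed sample responses with placeholder cookie names.

```python
import re

# Constructed response heads (cookie names and values are placeholders).
SAMPLES = {
    "idp": ("HTTP/1.1 302 Found\r\n"
            "Set-Cookie: session=constructed; path=/\r\n"
            'P3P: CP="NON DSP COR CURa TAI"\r\n\r\n'),
    "sp": ("HTTP/1.1 302 Found\r\n"
           "Set-Cookie: session=constructed; path=/\r\n"
           'P3P: policyref="/w3c/p3p.xml"\r\n\r\n'),
}

CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    headers = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def compact_policy(raw):
    """Return (sets_cookie, CP tokens) for one response."""
    headers = parse_headers(raw)
    sets_cookie = any(name == "set-cookie" for name, _ in headers)
    tokens = []
    for name, value in headers:
        if name == "p3p":
            match = CP_RE.search(value)
            if match:
                tokens += match.group(1).split()
    return sets_cookie, tokens

def audit(samples):
    """Flag each side that sets a cookie without a non-empty compact policy."""
    findings = {}
    for side, raw in samples.items():
        sets_cookie, tokens = compact_policy(raw)
        if not sets_cookie:
            findings[side] = "no cookie set"
        elif tokens:
            findings[side] = "ok: " + " ".join(tokens)
        else:
            findings[side] = "missing compact policy"
    return findings

if __name__ == "__main__":
    for side, finding in audit(SAMPLES).items():
        print(side, "->", finding)
```

A P3P header that carries only `policyref` and no `CP` value is reported as missing, since no compact policy is present in it.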