Multiple Web Agents leverage the client IP address to do TransientIPCheck or requiring the client IP but this is failing with API Gateway 9.3 CR3. The logs seem to indicate there is no IP when the token is generated by the API Gateway. Note: This works fine when we have another CA SSO 12.52 Web Agent (NOT the GW) generate the tokens, when that is done then TransientIP check works fine.
CA SSO 12.7 OR 12.8 (our DEV only has 12.8)
Web Agents 12.52 SP1
SSO Zones are used by environment.
CA APIM Gateway 9.3 CR3
APIM uses SSO SDK to create SSO Token (SMSESSION) because the cookie is created by SDK it is a third-party cookie. Third party cookies do not contain Client IP “Attribute 208”
This will only effect clients that authenticate from APIM Gateway then navigate to CA SSO environment. Also, the CA SSO environment implemented either TransientIPCheck=yes or PersistentIPCheck=yes