Web Agent rejects Third Party Token

Document ID : KB000009909
Last Modified Date : 14/02/2018

How a standard web agent validates an SMSESSION cookie received from the browser when that cookie was generated by a custom agent.


We have an issue related to validation of an SMSESSION token created by an R12 custom agent in a Federation server.

Here is the use case.

ABC is the service provider in this SAML federation flow. When ABC gets a SAML request from the partner web site, Ping Federate validates the SAML token, then connects to SiteMinder using the SM Adapter (Custom Agent) and gets an SMSESSION token. Once the SMSESSION token is successfully created, the user is redirected to a specific instance of an application (say APP-1) whose R12 Web Agent has been configured to accept Third Party SMSESSION tokens. The AcceptTPCookie property of the Agent is set to “YES”. The user is able to access APP-1.

We see the issue when the user hits APP-2 from APP-1. SSO fails because the APP-2 web agent does not have the AcceptTPCookie property set to YES, and it rejects the SMSESSION token as the token is still marked as “Third Party Token”.

Applicable to all web agents.

1. What happens to the token created by a custom agent after a standard web agent validates it and issues a new token?

Yes, the standard web agent validates it and creates a new token.

2. Will the token always remain a Third Party Token? 

Correct. If the cookie presented is a Third Party cookie, it remains marked as one.

3. Is there a setting (ACO Parameter) for R12 web agent that can make the agent convert a Third Party Token to a standard token after validation? 

No such configuration is available, even in the latest version of the Web Agent.

4. To resolve the issue in this use case, set AcceptTPCookie=yes on APP-2 as well.

5. In a multi-agent environment, AcceptTPCookie must be set to YES on all agents that need to validate a cookie that was originally generated by the SDK.

Additional Information:

- The session spec in the session cookie carries information that identifies how the session was created (either by the SDK or by a web agent).

- The agent uses this information together with the AcceptTPCookie setting to validate a cookie that was generated by a custom SDK agent.
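
The following is an added example, not code from the vendor or the original article: a small audit that walks one session across a chain of agents and reports where SSO would break for an SDK-created token, using the behaviour described above. The `Name="value"` settings layout, the sample values, and the agent APP-3 are assumptions constructed for the example.

```python
import re

# Constructed sample: per-agent settings as Name="value" lines with '#' comments.
# This layout is an assumption for the example, not an export made by the product.
SAMPLE_CONFIGS = {
    "APP-1": 'AcceptTPCookie="YES"\nCookieDomain=".example.com"\n',
    "APP-2": '# AcceptTPCookie="YES"\nCookieDomain=".example.com"\n',
    "APP-3": 'AcceptTPCookie=yes\n',
}

_LINE = re.compile(r'^\s*([A-Za-z]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_settings(text):
    """Return {lowercased name: value}, skipping blank and commented-out lines."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def accepts_tp_cookie(text):
    """True only for an explicit yes; unset counts as no (the APP-2 case above)."""
    return parse_settings(text).get("accepttpcookie", "").lower() == "yes"

def walk_sso_path(configs, path, created_by_sdk):
    """Follow one session across the agents in `path`, in order.

    Per the article, an agent that validates a cookie issues a new token that
    keeps the third-party marker, so the same check applies at every hop.
    Returns (agents that accepted, first agent that rejected or None).
    """
    accepted = []
    for agent in path:
        if created_by_sdk and not accepts_tp_cookie(configs[agent]):
            return accepted, agent
        accepted.append(agent)
    return accepted, None

def agents_needing_change(configs):
    """Agents that would reject an SDK-originated session as configured."""
    return sorted(a for a, text in configs.items() if not accepts_tp_cookie(text))

if __name__ == "__main__":
    print(walk_sso_path(SAMPLE_CONFIGS, ["APP-1", "APP-2", "APP-3"], True))
    print(agents_needing_change(SAMPLE_CONFIGS))
```

Run against the real settings of every agent in the SSO zone, the second function gives the list of agents to change before federated users are routed to them.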