Forum Discussion

kimhenriksen
Feb 04, 2016

Ignore domain cookie for some services in the same domain?

Hi,


We have set up an SSO configuration for domain.com and it's working as expected for the most part. All sites in domain.com use the SSO configuration to enable server-side SSO towards the AD.


This has presented a problem for us. site1.domain.com uses SSO towards the client, but site2.domain.com should not. But as site1.domain.com provides the client with the domain cookie for domain.com, the user automatically gets authenticated in APM for site2.domain.com... Is there a way to work around this?


Either by ignoring the cookie for site2.domain.com using an iRule, or something else?


6 Replies

  • Do you need to have the domain level cookie setup on the access policy, or could you just have it use the sites instead of the domain?

    If you don't want to use the APM to authenticate users on site2.domain.com at all, you can use the ACCESS::disable command in an iRule along with HTTP::cookie remove to remove the MRHSession and LastMRH_Session cookies. That should ignore the APM for that site.

  • We need APM to authenticate users for site2.domain.com for the AD part, but we don't want to include it in the SSO part.


    If there were something like an HTTP::cookie ignore, that would be nice, because we don't want to remove the cookie from the client.


  • If you use HTTP::cookie remove in an iRule in the HTTP_REQUEST event, it'll only remove the cookie from that particular request. It won't remove it from the client; just for that specific request coming down the wire.

    When you say SSO, are you talking about APM SSO on the backend? You could also try using WEBSSO::disable instead, which would disable SSO for the current request.

  • Ok, thanks for clarifying that :) I was a little uncertain about what it really removed and from where.


    We're using APM SSO on the backend for all sites, but only some of them should be using it on the client side (site1.domain.com and site2.domain.com should be using SSO for the client but site3.domain.com should not, but all three are using SSO on the backend).


    Does WEBSSO::disable disable SSO on the backend as well, or just on the client side?


  • Discovered a problem when removing the cookie.


    The client has a cookie for domain.com and also for site2.domain.com; when we use HTTP::cookie remove, both are removed. Is there a way to identify these cookies? For example, if we could add a marker to the multi-site SSO cookie that distinguishes it from the normal session cookie?


  • The HTTP spec does not allow you to know which cookie is for which domain when it is arriving at the server. The browser will present a cookie with the same name twice: once for domain.com and once for site2.domain.com.


    Your alternative is to use an HTTP_RESPONSE event and check if a Set-Cookie header is present when the cookie is being created, and then CHANGE the cookie to a different name. Then you would have to code an HTTP_REQUEST event to reverse this logic so as to pass the original name to the backend server.
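The rename-and-reverse approach from the last reply, written out as an added example iRule (this is not code from the thread or from F5). It assumes the site-specific cookie name MRHSession_site2 is free to use, that the iRule is attached only to the site2.domain.com virtual server, and that the Set-Cookie carrying MRHSession is visible to the HTTP_RESPONSE event on that virtual server.

```tcl
# Added example, not from the thread. Assumed names: MRHSession_site2 is the
# renamed per-site cookie; the iRule runs only on the site2.domain.com virtual.
when HTTP_RESPONSE {
    # Only touch responses that actually set the APM session cookie.
    if { [HTTP::header exists "Set-Cookie"] } {
        set rewritten {}
        set changed 0
        foreach sc [HTTP::header values "Set-Cookie"] {
            if { [string match "MRHSession=*" $sc] } {
                # Rename the cookie so the browser stores it separately from
                # the domain-wide MRHSession cookie issued via site1.domain.com.
                # "MRHSession=" is 11 characters; keep value and attributes.
                set sc "MRHSession_site2=[string range $sc 11 end]"
                set changed 1
            }
            lappend rewritten $sc
        }
        if { $changed } {
            # Replace all Set-Cookie headers with the rewritten set.
            HTTP::header remove "Set-Cookie"
            foreach sc $rewritten {
                HTTP::header insert "Set-Cookie" $sc
            }
        }
    }
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists "MRHSession_site2"] } {
        # Reverse the rename: drop every MRHSession cookie the browser sent
        # (the domain.com one included), then present this site's session
        # under the original name so APM only sees site2's own session.
        set val [HTTP::cookie value "MRHSession_site2"]
        HTTP::cookie remove "MRHSession"
        HTTP::cookie remove "MRHSession_site2"
        HTTP::cookie insert name "MRHSession" value $val
    } else {
        # No site-specific session yet: ignore the domain-wide cookie so the
        # user gets a fresh APM logon for site2 instead of inheriting site1's.
        HTTP::cookie remove "MRHSession"
    }
}
```

Removing the cookie only from the request, as the earlier reply notes, leaves the browser's stored domain.com cookie untouched, so site1.domain.com keeps working.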