Tagged: cookie, CookieFilter, domain, JSESSIONID, multiple service provider, saml, session, Sub-domain
This topic has 1 reply, 2 voices, and was last updated 6 years, 3 months ago by Guillaume Sauthier.
May 7, 2016 at 2:59 am #10326
sundar_ssp
Participant

Hello,

I’m protecting multiple service provider applications (Java & .NET) with OpenIG using SAMLFederationHandler. All these applications are currently hosted separately without OpenIG. But we would like to host them using the same domain, like www.example.com/app1, www.example.com/app2 etc.

Some service providers are Java and some are .NET applications. All Java applications use the default JSESSIONID as the session cookie and .NET uses .ASPXAUTH as the session cookie.

The OpenIG setup works fine except for one issue. Per my configuration, all the cookies are propagated to the browser without any changes. When I log into the second Java application, the JSESSIONID cookie overwrites the first Java application’s JSESSIONID cookie. So when I go back and browse the first Java application, it throws me out because of an invalid session.

I believe that if we have different sub-domain names for each application this problem won’t happen. But I’m trying to figure out whether I can have a single domain name. I thought the CookieFilter would help and configured it to suppress sending the cookie to the browser, but unfortunately the session maintained by OpenIG in the backend also overwrites the cookie. It seems the cookie manager is also common. It doesn’t maintain a separate session based on sessionIndexMapping.

My CookieFilter is like this.

    {
        "name": "CookieFilter",
        "type": "CookieFilter",
        "config": {
            "managed": [ "JSESSIONID" ],
            "suppressed": [ "JSESSIONID" ],
            "defaultAction": "MANAGE"
        }
    }

My question is – Is there a way to handle the same session cookie name, apart from renaming the cookie on the application server side or having separate sub-domain names?

I couldn’t find any related posts in the forum. Please help.
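
The browser-side overwrite described in the post above, as an added example that is not part of the original thread or of OpenIG: a small model of cookie storage, where RFC 6265 identifies a stored cookie by name, domain and path. It goes beyond the two options the post names by also showing path scoping; the Path=/ setting, the class and function names, and the session values are assumptions made for illustration.

```javascript
// Added example: minimal model of a browser cookie store (RFC 6265, section 5.3).
// A stored cookie is identified by (name, domain, path); a Set-Cookie with the
// same triple replaces the earlier value. Hosts and values are constructed.
class CookieJar {
  constructor() { this.store = new Map(); }
  // Record a Set-Cookie from requestHost (no Domain attribute = host-only).
  setCookie(requestHost, { name, value, path = "/", domain = null }) {
    const d = (domain || requestHost).toLowerCase();
    this.store.set(`${name}|${d}|${path}`,
      { name, value, domain: d, path, hostOnly: domain === null });
  }
  // Values of cookie `name` that would be sent to host + requestPath.
  valuesFor(host, requestPath, name) {
    const h = host.toLowerCase();
    return [...this.store.values()]
      .filter(c => c.name === name && pathMatches(requestPath, c.path))
      .filter(c => h === c.domain || (!c.hostOnly && h.endsWith("." + c.domain)))
      .map(c => c.value);
  }
}
// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}
// Log in to app1, then app2; report the session value each app then receives.
function twoLogins(app1, app2) {
  const jar = new CookieJar();
  jar.setCookie(app1.host, app1.cookie);
  jar.setCookie(app2.host, app2.cookie);
  return {
    app1: jar.valuesFor(app1.host, "/app1/home", app1.cookie.name),
    app2: jar.valuesFor(app2.host, "/app2/home", app2.cookie.name),
  };
}
const www = "www.example.com";
// Assumption: both Java apps set JSESSIONID with Path=/ on the shared host.
const shared = twoLogins(
  { host: www, cookie: { name: "JSESSIONID", value: "A1" } },
  { host: www, cookie: { name: "JSESSIONID", value: "B2" } });
// Same name, scoped to each application's path prefix.
const scoped = twoLogins(
  { host: www, cookie: { name: "JSESSIONID", value: "A1", path: "/app1" } },
  { host: www, cookie: { name: "JSESSIONID", value: "B2", path: "/app2" } });
// Separate sub-domains, host-only cookies.
const subdomains = twoLogins(
  { host: "app1.example.com", cookie: { name: "JSESSIONID", value: "A1" } },
  { host: "app2.example.com", cookie: { name: "JSESSIONID", value: "B2" } });
console.log(JSON.stringify({ shared, scoped, subdomains }));
```

In the `shared` case the first application receives the second application's session value, which it never issued, matching the invalid-session symptom in the post. This models only the browser's cookie store, not the cookie handling inside OpenIG that the post also mentions.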
May 9, 2016 at 4:31 pm #10357
Guillaume Sauthier
Moderator

So, you would like to have your OpenIG acting as a single SP for all the protected applications?
I mean, you authenticate only once and then you have SSO working for the apps.

BTW, do you have to authenticate against each of the applications?