0 Replies Latest reply: Jul 10, 2013 9:41 AM by Luis RSS

    Mixing application data sessions in Weblogic Service Providers (SAML2)


      Hello there,


      This issue is related with the next ones:



      My scenario is this, I have several applications, deployed in managed servers configured as Service Providers see http://docs.oracle.com/cd/E24329_01/web.1211/e24422/saml.htm This applications are sharing the same domain name. e.g.:


      • my.domain.com/app1
      • my.domain.com/app2

      The problem is that as we can not either change the default cookiename for them (Configuring Single Sign-On with Web Browsers and HTTP Clients - 12c Release 1 (12.1.1)) or add the cookie-path (http://docs.oracle.com/cd/E24329_01/web.1211/e24422/saml.htm#autoId25), the data session of both applications is being mixed.


      One possible solution that I have tried is to declare a different persistent-store-type: cookie, file, jdbc... (weblogic.xml Deployment Descriptor Elements - 12c Release 1 (12.1.1))


      We have tried also a different approach: change the JSESSIONID cookie path set by the Weblogic saml2 module. This can be done in two ways:


      1. Modifying the Set-Cookie header response sent by the saml2 module using Apache mod_headers module: Modify JSESSIONID cookie path with apache and mod_headers » Official dAm2K Blog
      2. Adding a cookie-path to the session-descriptor of the saml2.war  ($WEBLOGIC_HOME/wlserver_12.1/server/lib/saml2.war)


      Any thoughts on this?


      Thanks in advance,




      ps: WebLogic Server Version:, but it applies also to any 10.3...