0 Replies Latest reply: Jul 10, 2013 9:41 AM by Luis

    Mixing application data sessions in Weblogic Service Providers (SAML2)

    Luis

      Hello there,

      This issue is related to the following ones:

      My scenario is this: I have several applications, deployed in managed servers configured as Service Providers (see http://docs.oracle.com/cd/E24329_01/web.1211/e24422/saml.htm). These applications share the same domain name, e.g.:


      • my.domain.com/app1
      • my.domain.com/app2


      The problem is that, as we cannot either change the default cookie name for them (Configuring Single Sign-On with Web Browsers and HTTP Clients - 12c Release 1 (12.1.1)) or add the cookie-path (http://docs.oracle.com/cd/E24329_01/web.1211/e24422/saml.htm#autoId25), the session data of both applications is being mixed.


      One possible solution that I have tried is to declare a different persistent-store-type: cookie, file, jdbc... (weblogic.xml Deployment Descriptor Elements - 12c Release 1 (12.1.1))


      We have also tried a different approach: change the JSESSIONID cookie path set by the WebLogic saml2 module. This can be done in two ways:


      1. Modifying the Set-Cookie response header sent by the saml2 module using the Apache mod_headers module: Modify JSESSIONID cookie path with apache and mod_headers » Official dAm2K Blog
      2. Adding a cookie-path to the session-descriptor of the saml2.war  ($WEBLOGIC_HOME/wlserver_12.1/server/lib/saml2.war)


      Any thoughts on this?


      Thanks in advance,


      Luis


      PS: WebLogic Server Version: 12.1.1.0, but it also applies to any 10.3...
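An added example of approach 1 from the post above, not code from the post or from the linked dAm2K blog: Apache 2.4 mod_headers rules that rewrite the path of the JSESSIONID cookie per application so that the two Service Providers stop sharing one session cookie. It assumes the applications are proxied under /app1 and /app2 on my.domain.com and that WebLogic (including saml2.war) emits the cookie as "JSESSIONID=...; Path=/".

```apache
# Added example, not from the original post. Assumes app1 and app2 are
# proxied to WebLogic under /app1 and /app2 and that WebLogic sets the
# session cookie with "Path=/", which is what lets both apps read it.
<VirtualHost *:443>
    ServerName my.domain.com

    <Location /app1>
        # "always" makes the edit apply to non-2xx responses too; the SAML2
        # redirect/POST bindings set the cookie on 302 responses, which a
        # plain "Header edit" (onsuccess table) would leave untouched.
        # $1 keeps everything up to the Path attribute, $2 keeps the
        # terminator (";" or end of value), so HttpOnly/Secure survive.
        Header always edit Set-Cookie "^(JSESSIONID=[^;]+;.*?)Path=/(;|$)" "$1Path=/app1$2"
    </Location>

    <Location /app2>
        Header always edit Set-Cookie "^(JSESSIONID=[^;]+;.*?)Path=/(;|$)" "$1Path=/app2$2"
    </Location>
</VirtualHost>
```

Because a cookie scoped to /app1 is no longer sent on requests outside that path, verify that the SAML2 SP endpoints the application redirects through still receive the session they expect before relying on this.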