This discussion is archived
2 replies. Latest reply: Jul 10, 2013 7:54 AM by Luis

SAML2 SSO and JSESSIONID

user2695214
The WebLogic documentation states the following:

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/saml.html

Use of Non-default Cookie Name
When the Assertion Consumer Service logs in the Subject contained in an assertion, an HTTP servlet session is created using the default cookie name JSESSIONID. After successfully processing the assertion, the ACS redirects the user’s request to the target web application. If the target web application uses a cookie name other than JSESSIONID, the Subject’s identity is not propagated to the target web application. As a result, the servlet container treats the user as if unauthenticated, and consequently issues an authentication request.
To avoid this situation, do not change the default cookie name when deploying web applications in a domain that are intended to be accessed by SAML 2.0 based single sign-on.
Question:
Is it possible to tell the WebLogic SAML module to use a different cookie name?

Our problem is that we are getting all kinds of JSESSIONID conflicts for multiple applications on different servers with the same domain name, for example app1.host.com and app2.host.com. The browser seems to overwrite the JSESSIONID of app1 with the JSESSIONID of app2. So when I go back to app1, I am asked to log in.

If we can change the JSESSIONID cookie name of the SAML module and the web application, then we could avoid all conflicts. The documentation says not to change the cookie name for the web application, but could we instead change the cookie name for the SAML module?

Does anyone have ideas on how we could work around this issue?
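A browser stores a cookie under the triple (name, domain, path), so two hosts can only overwrite each other's JSESSIONID when the cookie's Domain attribute is widened to the parent domain (host.com) and the Path is the same. The example below is added here and is not code from the post or from WebLogic; it drives Python's standard-library cookie jar (http.cookiejar, which follows the same storage rule) through the sequence described above: log in to app1, log in to app2, return to app1. It assumes the session cookie is issued with Path=/ and Domain=host.com, uses the context paths /app1 and /app2 and the session ids SID-APP1 and SID-APP2 as constructed values, and contrasts that with the two configurations that do not collide: a host-only cookie (no Domain attribute) and a distinct cookie name per application.

```python
"""Model the JSESSIONID overwrite between app1.host.com and app2.host.com
with http.cookiejar, which keys stored cookies by (domain, path, name)
exactly as browsers do (RFC 6265 section 5.3). Added illustration; not
WebLogic code."""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message allows repeats

    def info(self):
        return self._headers


def session_cookie(name, value, domain=None):
    """Build a servlet-style session Set-Cookie header. Path=/ is assumed
    to mirror a container default; Domain is only emitted when given."""
    parts = [f"{name}={value}", "Path=/", "Secure", "HttpOnly"]
    if domain:
        parts.append(f"Domain={domain}")
    return "; ".join(parts)


def visit(jar, url, set_cookie=None):
    """Simulate one round trip: attach the cookies the browser would send,
    then store whatever the (constructed) response sets. Returns the
    Cookie header as a {name: value} dict."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    sent = request.get_header("Cookie") or ""
    jar.extract_cookies(FakeResponse([set_cookie] if set_cookie else []), request)
    return dict(item.split("=", 1) for item in sent.split("; ") if item)


def revisit_app1(name1, name2, domain=None):
    """Log in to app1, then app2, then go back to app1 and report which
    session cookie(s) app1 receives. Session ids are constructed values."""
    jar = http.cookiejar.CookieJar()
    visit(jar, "https://app1.host.com/app1/", session_cookie(name1, "SID-APP1", domain))
    visit(jar, "https://app2.host.com/app2/", session_cookie(name2, "SID-APP2", domain))
    return visit(jar, "https://app1.host.com/app1/home")


if __name__ == "__main__":
    # Same name, Domain=host.com: app2's login replaces app1's cookie slot,
    # so app1 sees a session id it never issued and asks for a login again.
    print("shared domain, same name :", revisit_app1("JSESSIONID", "JSESSIONID", "host.com"))
    # Host-only cookies live in separate slots and are never sent cross-host.
    print("host-only cookies        :", revisit_app1("JSESSIONID", "JSESSIONID"))
    # Distinct names coexist even under a shared Domain; each app reads its own.
    print("shared domain, own names :", revisit_app1("APP1SESSIONID", "APP2SESSIONID", "host.com"))
```

The first run reproduces the symptom in the post: on the return visit app1 receives only SID-APP2. The host-only variant also shows why the parent-domain scope is worth avoiding on its own merits: in the shared-domain runs app1's session id is transmitted to app2 (and vice versa) on every request, so any host under host.com can read the others' session cookies.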
