0 Replies. Latest reply: Jul 10, 2013 7:41 AM by Luis

Mixing application data sessions in Weblogic Service Providers (SAML2)

Luis Newbie

Hello there,

 

This issue is related to the following ones:

 

 

My scenario is this: I have several applications deployed in managed servers configured as Service Providers (see http://docs.oracle.com/cd/E24329_01/web.1211/e24422/saml.htm). These applications share the same domain name, e.g.:

 

  • my.domain.com/app1
  • my.domain.com/app2


The problem is that, as we cannot either change the default cookie name for them (Configuring Single Sign-On with Web Browsers and HTTP Clients - 12c Release 1 (12.1.1)) or add the cookie-path (http://docs.oracle.com/cd/E24329_01/web.1211/e24422/saml.htm#autoId25), the session data of both applications is being mixed.

 

One possible solution that I have tried is to declare a different persistent-store-type: cookie, file, jdbc... (weblogic.xml Deployment Descriptor Elements - 12c Release 1 (12.1.1))

 

We have also tried a different approach: changing the JSESSIONID cookie path set by the WebLogic saml2 module. This can be done in two ways:

 

  1. Modifying the Set-Cookie response header sent by the saml2 module using the Apache mod_headers module: Modify JSESSIONID cookie path with apache and mod_headers » Official dAm2K Blog
  2. Adding a cookie-path to the session-descriptor of the saml2.war ($WEBLOGIC_HOME/wlserver_12.1/server/lib/saml2.war)

 

Any thoughts on this?

 

Thanks in advance,

 

Luis

 

PS: WebLogic Server version: 12.1.1.0, but it also applies to any 10.3...
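
The collision described in the post, modelled as an added example that is not part of the original post: a minimal browser cookie jar following RFC 6265 storage and path-match rules, showing two same-named cookies on one host overwriting each other and then coexisting once each is scoped to its application path. It assumes both JSESSIONID cookies are issued with Path=/; the session values and the helper names (`CookieJar`, `scope_path`, `simulate`) are constructed for illustration.

```python
# Browser cookies are keyed by (name, domain, path) per RFC 6265; a new
# cookie with the same key silently replaces the stored one.

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

class CookieJar:
    def __init__(self):
        self.store = {}

    def set_cookie(self, domain, header):
        """Store one Set-Cookie header value received from `domain`."""
        pair, *attrs = [p.strip() for p in header.split(";")]
        name, _, value = pair.partition("=")
        path = "/"  # simplification: no default-path computation
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "path" and val.strip().startswith("/"):
                path = val.strip()
        self.store[(name, domain, path)] = value

    def cookies_for(self, domain, request_path):
        """Cookies sent with a request, most specific path first."""
        hits = [(n, v, p) for (n, d, p), v in self.store.items()
                if d == domain and path_match(request_path, p)]
        hits.sort(key=lambda h: -len(h[2]))
        return [(n, v) for n, v, _ in hits]

def scope_path(header, new_path):
    """Rewrite the Path attribute, as a proxy-side Set-Cookie rewrite would."""
    parts = [p.strip() for p in header.split(";")]
    kept = [p for p in parts[1:] if not p.lower().startswith("path=")]
    return "; ".join([parts[0], "Path=" + new_path] + kept)

def simulate(rewrite):
    """Log in to /app1 then /app2; return the cookies each app receives."""
    jar = CookieJar()
    for app, sid in (("/app1", "SESSION-A"), ("/app2", "SESSION-B")):  # constructed ids
        header = "JSESSIONID=%s; Path=/; HttpOnly" % sid
        if rewrite:
            header = scope_path(header, app)
        jar.set_cookie("my.domain.com", header)
    return (jar.cookies_for("my.domain.com", "/app1/home"),
            jar.cookies_for("my.domain.com", "/app2/home"))
```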