Affects Version/s: 4.0.1
Environment: WPA 4.0.1, Apache 2.4, OpenAM 13.0.0
When CDSSO is enabled
1. In an environment with OpenAM 13 set up (openam.example.com)
and with three Apache 2.4 servers running WPA 4.0.1.
- 2 of these Apache 2.4 WPA is web1.example.com and web2.example.com
- The third Apache 2.4 with WPA is web3.example.net. This web server is not needed to see the issue; it is configured only to confirm that CDSSO works across domains.
2. A policy is defined to grant access to the URL
"://:/public/" for POST/GET, and another to deny access to the protected URL "://:/protected/" for all HTTP methods.
3. OpenAM 13 is set with the platform cookie domain .example.com.
All the web agents are set with CDSSO enabled and
the CDSSO cookie domain list ".example.com and .example.net".
4. Initially one can log in to any of the above web servers and navigate to every "/public/index.html" without issues.
5. When one accesses /protected/index.html on a WPA host in the .example.com domain, this causes a Forbidden access and the URL is redirected to OpenAM for authentication.
6. Without going forward on (5), access /public/index.html on the other web server. This causes an OpenAM login request (i.e. the SSO session seems to be lost).
7. On 4.0.0-8, the /protected/index.html page returns the 403 FORBIDDEN error, but accessing /public/index.html afterwards on this web server and on the other web server works fine (i.e. the issue is not seen on 4.0.0-8).
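The following script is an added regression check that replays steps 4 to 6 with curl; it is not part of this report or of the OpenAM/WPA project. The hostnames web1.example.com and web2.example.com and the cookie jar path are placeholder assumptions, and the cookie jar is assumed to already hold a valid OpenAM SSO cookie exported from a logged-in browser (the interactive login and the CDSSO redirect chain are not scripted). The verdict is "pass" when the public page still answers 200 after the forbidden request (the 4.0.0-8 behaviour described in step 7) and "fail" when the later public request turns into a login redirect (the 4.0.1 behaviour in step 6).

```shell
#!/bin/sh
# Added regression check for the CDSSO session-loss report above; not part of the
# original report or of the OpenAM/WPA project. Replays steps 4-6 with curl and
# reports whether the SSO session survives a 403 on /protected/.
# Assumptions (placeholders, override via environment): WEB1 and WEB2 are the two
# agent-protected hosts in the same cookie domain; COOKIE_JAR is a Netscape-format
# cookie file that already holds a valid OpenAM SSO cookie from a logged-in browser.
set -u

WEB1="${WEB1:-http://web1.example.com}"
WEB2="${WEB2:-http://web2.example.com}"
COOKIE_JAR="${COOKIE_JAR:-./sso-cookies.txt}"

# fetch_status URL: print the HTTP status code of one request without following
# redirects, reading and updating the shared cookie jar so any cookie the agent
# sets or rewrites during the sequence is kept for the next request.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' -b "$COOKIE_JAR" -c "$COOKIE_JAR" "$1"
}

# classify STATUS: map a status code to the outcome the report talks about.
#   200 -> ok, 403 -> forbidden, any 3xx -> redirect (agent sending us to OpenAM),
#   anything else -> other
classify() {
    case "$1" in
        200) echo ok ;;
        403) echo forbidden ;;
        3[0-9][0-9]) echo redirect ;;
        *) echo other ;;
    esac
}

# verdict PUBLIC_BEFORE PROTECTED PUBLIC_AFTER:
#   pass         - the public page is still 200 after the forbidden request
#   fail         - the later public request is no longer 200 (session lost)
#   inconclusive - the first public request was not 200 (cookie jar probably holds
#                  no valid session) or the protected request was neither a 403 nor
#                  a redirect to OpenAM, so the scenario was not actually exercised
verdict() {
    before=$(classify "$1"); protected=$(classify "$2"); after=$(classify "$3")
    if [ "$before" != ok ]; then echo inconclusive; return; fi
    case "$protected" in
        forbidden|redirect) ;;
        *) echo inconclusive; return ;;
    esac
    if [ "$after" = ok ]; then echo pass; else echo fail; fi
}

# run_repro: step 4 (public page on web1), step 5 (protected page on web1),
# step 6 (public page on web2). Prints the three status codes and the verdict.
run_repro() {
    s1=$(fetch_status "$WEB1/public/index.html")
    s2=$(fetch_status "$WEB1/protected/index.html")
    s3=$(fetch_status "$WEB2/public/index.html")
    echo "web1 /public: $s1  web1 /protected: $s2  web2 /public: $s3"
    echo "verdict: $(verdict "$s1" "$s2" "$s3")"
}

# Live requests are only made when explicitly asked for: sh cdsso_check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_repro
fi
```

Run it once against an agent on 4.0.0-8 and once against 4.0.1 with the same cookie jar; the pair of verdicts is the regression evidence. An "inconclusive" verdict usually means the exported cookie has expired, so re-export it from the browser before reading anything into the result.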
When CDSSO is enabled and a forbidden URL is accessed on a web server in the same cookie domain as the SSO session, a full re-authentication is needed afterwards.