When performing an IdP-initiated SAML SSO flow, the first request to the SP (Consumer endpoint) results in two identical amlbcookie cookies being set in the response.
Prior to the changes for OPENAM-15724 this was only reproducible when the SP was in a site containing at least 2 servers.
- Set up two servers, e.g. idp.amtest2.com:9080/access and sp.amtest2.com:7080/access, using the embedded config and user store, with cookie domains of idp.amtest2.com and sp.amtest2.com respectively.
- On the IdP, configured a hosted IdP with attribute mapping mail -> mail.
- On the SP, created a hosted SP.
- On the IdP, created a remote SP using the metadata URL http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp and set mail -> mail.
- On the SP, created a remote IdP using the metadata URL http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp.
- On the IdP, added the email address email@example.com for the demo user.
- Opened a browser with developer tools so that network requests are visible. Cleared browser cookies.
- Performed IdP-initiated SSO: http://idp.amtest2.com:9080/access/idpssoinit?metaAlias=/idp&spEntityID=http://sp.amtest2.com:7080/access
- After authenticating (if this is the first time for this user, at both the IdP and then the SP), the "successfully signed in" text is shown in the browser. The response to the first request to the SP's consumer endpoint carries two identical amlbcookie Set-Cookie headers.
With the changes included for OPENAM-15724, spAssertionConsumer.jsp adds the cookie to the response if it is not already present in the request. Without the changes for OPENAM-15724, the cookie is only set if the server is in a site and there is at least one other server included in the site.
SPACSUtils.processResponse subsequently calls applyCookies, which also adds the load balancer cookie, irrespective of whether it was included in the request or is already present in the response. The two code paths therefore both set amlbcookie on the first request, producing the duplicate.
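The duplicate is easy to confirm from the raw response headers captured in the browser's network tab or with a client that prints headers. The following is an added example, not OpenAM code: it parses the header block of a response, reports any cookie name set more than once, and models the two cookie-setting paths the report describes (the JSP path that checks the request, and the applyCookies path that does not). The `guard_apply_cookies` option models a hypothetical guard that also checks the pending response; it is not the project's fix. The server id value `01` and the sample response are constructed.

```python
"""Spot duplicate Set-Cookie headers (e.g. two identical amlbcookie cookies)
in an HTTP response, and model the two cookie-setting paths from the report.

Added example; not OpenAM code. Cookie values and the sample response are constructed.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

LB_COOKIE = "amlbcookie"


def cookie_name(set_cookie_value: str) -> str:
    """Name portion of a Set-Cookie value such as 'amlbcookie=01; Path=/'."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def parse_raw_headers(raw: str) -> List[Header]:
    """Parse the header block of a raw HTTP response (status line first, blank line ends it)."""
    headers: List[Header] = []
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line separates headers from the body
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def duplicate_set_cookies(headers: List[Header]) -> Dict[str, int]:
    """Cookie names that appear in more than one Set-Cookie header, with their counts."""
    counts: Dict[str, int] = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cn = cookie_name(value)
            counts[cn] = counts.get(cn, 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


def response_sets_cookie(headers: List[Header], name: str) -> bool:
    """True if the pending response already carries a Set-Cookie for `name`."""
    return any(n.lower() == "set-cookie" and cookie_name(v) == name for n, v in headers)


def set_lb_cookie(headers: List[Header], value: str) -> None:
    """Append the load balancer cookie; domain taken from the SP in the report."""
    headers.append(("Set-Cookie", f"{LB_COOKIE}={value}; Path=/; Domain=sp.amtest2.com"))


def acs_response(request_cookies: Dict[str, str], guard_apply_cookies: bool) -> List[Header]:
    """Model the SP assertion consumer response.

    Path 1 (spAssertionConsumer.jsp, as described in the report): set the LB cookie
    only when the request does not already carry it.
    Path 2 (SPACSUtils.applyCookies, as described): set it unconditionally.
    With guard_apply_cookies=True, path 2 instead skips the cookie when the request
    or the pending response already has it. This guard is hypothetical, not the
    project's own change.
    """
    headers: List[Header] = [("Content-Type", "text/html;charset=UTF-8")]
    lb_value = "01"  # constructed server id
    if LB_COOKIE not in request_cookies:            # path 1
        set_lb_cookie(headers, lb_value)
    if guard_apply_cookies:                         # path 2, guarded variant
        if LB_COOKIE not in request_cookies and not response_sets_cookie(headers, LB_COOKIE):
            set_lb_cookie(headers, lb_value)
    else:                                           # path 2, as reported
        set_lb_cookie(headers, lb_value)
    return headers


# Constructed sample of what the first SP response looks like with cleared cookies.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: amlbcookie=01; Path=/; Domain=sp.amtest2.com\r\n"
    "Set-Cookie: amlbcookie=01; Path=/; Domain=sp.amtest2.com\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print(duplicate_set_cookies(parse_raw_headers(SAMPLE_RESPONSE)))
    print(duplicate_set_cookies(acs_response({}, guard_apply_cookies=False)))
    print(duplicate_set_cookies(acs_response({}, guard_apply_cookies=True)))
```

With an empty cookie jar (the "cleared browser cookies" step) the unguarded model emits two amlbcookie headers, matching the report; once the browser sends amlbcookie back, path 1 is skipped and only the applyCookies path sets it, so later responses show a single cookie.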