Applies To: RSA Federated Identity Manager (FIM) 4.1
            Access Manager 6.1.3
            Aventail Corporation Aventail VPN
Issue: RSA FIM 4.1: CTSESSION cookie not being set when redirecting through Aventail VPN
The user is issued a CTSESSION logon cookie after authentication, but the cookie is not replayed to the SAML service provider.
An examination of the HTTP header trace shows the CTSESSION cookie being accepted by the browser, but it is not presented for SSO later in the session:
Set-Cookie: CTSESSION=AAAAAgABAEBFe6ucmRO6cK98Qt0qq57YubqT5EnwUEp4mBK3LCXjyc29nQzozZ7YtlqCR9IVpAViMqOyLLOSGJiXBoDrIhAS; path=/
Cause: The CTSESSION cookie should always be issued with a valid domain. If the cookie is issued without a domain, it is only replayed to the exact same server that issued it. When using a proxy, the name of the server where the cookie is generated may not be the same as the name of the server where it is consumed. The CTSESSION Set-Cookie statement in the HTTP header trace should show the domain:
Set-Cookie: CTSESSION=AAAAAgABAEBFe6ucmRO6cK98Qt0qq57YubqT5EnwUEp4mBK3LCXjyc29nQzozZ7YtlqCR9IVpAViMqOyLLOSGJiXBoDrIhAS; domain=domain.com; path=/
Resolution: The Aventail VPN has an option, "Translate cookie path", that modifies the domain path of the HTTP cookie. Its default value is true. Set "Translate cookie path" to false to ensure the domain path set by the webagent.conf parameter cleartrust.agent.cookie_domain is used, rather than the value the Aventail VPN substitutes.
Alternatively, if "Translate cookie path" cannot be disabled, create a specific VPN rewrite rule for each cookie name that preserves the domain.
Legacy Article ID: a58813
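The header-trace check described in the Issue and Cause sections, as an added example that is not code from the RSA article: it parses a Set-Cookie line, reports whether the cookie carries a Domain attribute, and applies cookie domain matching to show why a host-only cookie set behind the VPN is never replayed to the service provider host. The host names (vpn.domain.com, fim.domain.com) and the cookie value are constructed placeholders.

```python
# Added example, not code from the RSA article: check whether a CTSESSION
# Set-Cookie line from an HTTP header trace carries a Domain attribute and
# whether a browser would replay that cookie to a different host.
# Host names and the cookie value are constructed placeholders.
from http.cookies import SimpleCookie

# Constructed trace lines: broken form (host-only cookie) and expected form.
TRACE_BROKEN = "Set-Cookie: CTSESSION=EXAMPLESESSIONVALUE; path=/"
TRACE_FIXED = "Set-Cookie: CTSESSION=EXAMPLESESSIONVALUE; domain=domain.com; path=/"

def parse_set_cookie(line):
    """Return (name, Morsel) for a 'Set-Cookie: ...' trace line."""
    _, _, value = line.partition(":")
    jar = SimpleCookie()
    jar.load(value.strip())
    name, morsel = next(iter(jar.items()))
    return name, morsel

def cookie_domain(line):
    """Domain attribute of the cookie, or '' when it is host-only."""
    _, morsel = parse_set_cookie(line)
    return morsel["domain"].lstrip(".").lower()

def would_replay(line, issuing_host, request_host):
    """RFC 6265 domain matching: a cookie without Domain goes back only to
    the exact host that set it; with Domain it also goes to subdomains."""
    domain = cookie_domain(line)
    issuing_host, request_host = issuing_host.lower(), request_host.lower()
    if not domain:
        return request_host == issuing_host
    return request_host == domain or request_host.endswith("." + domain)

def domainless_session_cookies(trace_lines, cookie_name="CTSESSION"):
    """Trace lines that set cookie_name without a domain (the symptom)."""
    hits = []
    for line in trace_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, morsel = parse_set_cookie(line)
        if name == cookie_name and not morsel["domain"]:
            hits.append(line)
    return hits

if __name__ == "__main__":
    for line in (TRACE_BROKEN, TRACE_FIXED):
        print(line, "->", would_replay(line, "vpn.domain.com", "fim.domain.com"))
    print("domainless:", domainless_session_cookies([TRACE_BROKEN, TRACE_FIXED]))
```

Feed the Set-Cookie lines from a real header trace to domainless_session_cookies to confirm whether the VPN is stripping the domain before changing "Translate cookie path".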