000011927 - RSA FIM 4.1: CTSESSION cookie not being set when redirection through Aventail VPN

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000011927
Applies To: RSA Federated Identity Manager (FIM) 4.1
Access Manager 6.1.3
Aventail Corporation Aventail VPN
Issue: RSA FIM 4.1: CTSESSION cookie not being set when redirection through Aventail VPN
The user is issued a CTSESSION logon cookie after authentication, but the cookie is not replayed to the SAML service provider.
An examination of the header trace shows the CTSESSION cookie being accepted by the browser, but it is not presented for SSO later in the session:
Set-Cookie: CTSESSION=AAAAAgABAEBFe6ucmRO6cK98Qt0qq57YubqT5EnwUEp4mBK3LCXjyc29nQzozZ7YtlqCR9IVpAViMqOyLLOSGJiXBoDrIhAS; path=/
Cause: The CTSESSION cookie should always be issued with a valid domain. If the cookie is issued without a domain attribute, the browser treats it as host-only and replays it only to the exact server that issued it. When a proxy is in the path, the server name where the cookie is generated may not be the same name as the server where it is consumed. The CTSESSION Set-Cookie statement in the HTTP header trace should show the domain:
Set-Cookie: CTSESSION=AAAAAgABAEBFe6ucmRO6cK98Qt0qq57YubqT5EnwUEp4mBK3LCXjyc29nQzozZ7YtlqCR9IVpAViMqOyLLOSGJiXBoDrIhAS; domain=domain.com; path=/
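To make the scoping rule concrete, here is an added Python example (not from the RSA article or any RSA product) that parses Set-Cookie lines from a header trace and reports whether the cookie would be replayed to another host under the RFC 6265 domain-matching rules. It reuses the two Set-Cookie lines shown above and assumes constructed host names: fim-internal.domain.com as the server issuing the cookie and vpn.domain.com as the proxy name the browser later sends requests to.

```python
# Added example (not from the RSA article): decide whether a cookie seen in a
# Set-Cookie header trace will be replayed to a given host, using the RFC 6265
# domain-matching rules that make a domain-less cookie "host-only".
# Host names used below (fim-internal.domain.com, vpn.domain.com) are constructed.

# The two Set-Cookie lines as they appear in the article's header trace: the
# first lacks a domain attribute, the second carries domain=domain.com.
SET_COOKIE_NO_DOMAIN = (
    "Set-Cookie: CTSESSION=AAAAAgABAEBFe6ucmRO6cK98Qt0qq57YubqT5EnwUEp4mBK3LCXjyc29nQz"
    "ozZ7YtlqCR9IVpAViMqOyLLOSGJiXBoDrIhAS; path=/"
)
SET_COOKIE_WITH_DOMAIN = (
    "Set-Cookie: CTSESSION=AAAAAgABAEBFe6ucmRO6cK98Qt0qq57YubqT5EnwUEp4mBK3LCXjyc29nQz"
    "ozZ7YtlqCR9IVpAViMqOyLLOSGJiXBoDrIhAS; domain=domain.com; path=/"
)


def parse_set_cookie(header_line):
    """Split a Set-Cookie line into (name, value, attributes).

    Attribute names are lower-cased so 'Domain' and 'domain' compare equal.
    """
    prefix, sep, rest = header_line.partition(":")
    body = rest if sep and prefix.strip().lower() == "set-cookie" else header_line
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def would_replay(header_line, issuing_host, request_host):
    """Return True if a browser that received header_line from issuing_host
    would attach the cookie to a later request sent to request_host."""
    _, _, attrs = parse_set_cookie(header_line)
    domain = attrs.get("domain", "")
    if not domain:
        # No domain attribute: host-only cookie, replayed to the issuer alone.
        return request_host.lower() == issuing_host.lower()
    if not domain_matches(issuing_host, domain):
        # Browsers reject a cookie whose Domain does not cover the issuing host.
        return False
    return domain_matches(request_host, domain)


def find_unscoped_cookies(trace_lines, cookie_name="CTSESSION"):
    """Return the Set-Cookie lines in a header trace that set cookie_name
    without a domain attribute, i.e. the symptom described in the article."""
    unscoped = []
    for line in trace_lines:
        if not line.strip().lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if name == cookie_name and not attrs.get("domain"):
            unscoped.append(line)
    return unscoped


if __name__ == "__main__":
    issuer, consumer = "fim-internal.domain.com", "vpn.domain.com"
    for label, line in (("no domain", SET_COOKIE_NO_DOMAIN),
                        ("with domain", SET_COOKIE_WITH_DOMAIN)):
        print(f"{label}: replayed to {consumer}? {would_replay(line, issuer, consumer)}")
    trace = [SET_COOKIE_NO_DOMAIN, SET_COOKIE_WITH_DOMAIN]
    print("unscoped CTSESSION cookies:", len(find_unscoped_cookies(trace)))
```

Running find_unscoped_cookies over a saved header trace is a quick way to confirm the diagnosis before touching the VPN configuration: any CTSESSION line it returns is one the browser will keep host-only, so it will never reach a SAML endpoint reached under a different host name.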
Resolution: The Aventail VPN has an option, "Translate cookie path", that rewrites the domain and path of HTTP cookies; its default value is true. Set "Translate cookie path" to false so that the domain configured in the webagent.conf parameter cleartrust.agent.cookie_domain is used rather than the value substituted by the Aventail VPN.
Alternatively, if "Translate cookie path" cannot be disabled, create a specific VPN rewrite rule for each cookie name that preserves the domain.
Legacy Article ID: a58813