Forum Discussion
Hi,
You are pointing in the right direction.
When you are working with APM, make sure all access profiles' domain cookies work together.
With your configuration:
- If the user first hits VS1, it will authenticate with SAML and receive a cookie for the whole test.com domain. Then, when he browses VS2 --> the user is already authenticated, because sharepoint.test.com is inside the test.com domain; it will use the test.com cookie, so it will be accepted according to the VS1 access policy.
- If the user first hits VS2, it will authenticate with SAML and receive a cookie for the whole sharepoint.test.com domain. Then, when he browses VS2 --> must reauthenticate on VS1 (transparent auth because of SAML).
So if you want to authenticate users with SAML, never use a domain cookie (except if you want to save access sessions in the license count); leave it blank, which means the cookie is only sent for the requested host.
For the SharePoint VS, it is recommended to use one of the following SharePoint iRules:
These iRules add a persistent cookie with a smaller timeout than the SSO domain's, and check that only a non-browser can recover an existing session when the browser was closed.
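As an added illustration (not code from the post or from F5), the model below applies browser cookie-domain matching (RFC 6265) to replay the two browse orders discussed above, with and without a domain cookie. The hostnames, the VS1/VS2 settings and the session values are constructed; "MRHSession" is assumed to be the APM session cookie name.

```python
# Added example: model of browser cookie scoping used to replay the VS1/VS2 cases.
# Hostnames, VS settings and session values are constructed for illustration.
SESSION_COOKIE = "MRHSession"   # assumed APM session cookie name

def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3: host matches a Domain= cookie if equal to it or a subdomain of it."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)

class CookieJar:
    """Minimal jar that distinguishes host-only cookies from Domain= cookies."""
    def __init__(self):
        self.cookies = []           # entries: (scope, host_only, name, value)

    def store(self, set_by_host, name, value, domain=None):
        host_only = domain is None  # blank domain attribute => host-only cookie
        self.cookies.append((domain or set_by_host, host_only, name, value))

    def cookies_for(self, host):
        out = {}
        for scope, host_only, name, value in self.cookies:
            hit = host.lower() == scope.lower() if host_only else domain_matches(host, scope)
            if hit:
                out[name] = value
        return out

# Constructed virtual servers: hostname plus the access profile's domain-cookie setting.
VS = {
    "VS1": {"host": "portal.test.com", "domain_cookie": "test.com"},
    "VS2": {"host": "sharepoint.test.com", "domain_cookie": "sharepoint.test.com"},
}

def replay(order, use_domain_cookie=True):
    """Replay a browse order; per VS, report whether SAML auth ran or a session was reused."""
    jar, events = CookieJar(), []
    for vs in order:
        host = VS[vs]["host"]
        session = jar.cookies_for(host).get(SESSION_COOKIE)
        if session:
            events.append((vs, "reused", session))    # admitted under the policy that issued it
        else:
            # SAML authentication succeeds and APM sets its session cookie on this VS
            domain = VS[vs]["domain_cookie"] if use_domain_cookie else None
            jar.store(host, SESSION_COOKIE, "session-from-" + vs, domain=domain)
            events.append((vs, "authenticated", "session-from-" + vs))
    return events

if __name__ == "__main__":
    print("VS1 then VS2, domain cookies:", replay(["VS1", "VS2"]))
    print("VS2 then VS1, domain cookies:", replay(["VS2", "VS1"]))
    print("VS1 then VS2, host-only:     ", replay(["VS1", "VS2"], use_domain_cookie=False))
```

With domain cookies the first order carries the VS1 session into VS2, while the second order forces a second authentication; with the domain attribute left blank each VS keeps its own session.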