Hello Everyone,
We have CP4BA 21.0.3 IFIX36 in OCP. Our partner application has a functionality to display the multiple documents associated with a Medical Claim, in which 4 to 5 images may have to be requested and displayed in multiple browser windows.
We have enabled external SAML SSO integration with CP4BA. The SAML provider is enabled on SiteMinder configured with Kerberos, and all these providers, along with CP4BA, connect to the same LDAP user store.
The partner application sends a browser ICN bookmark viewer URL request to open the document from FileNet P8 CM. The partner application is a desktop application built with .NET technologies, and it uses the WebView2 browser control to mimic web browser behavior to launch and display the FileNet documents in the ICN viewer.
In the event of a single image request from the partner application, the authentication flow works fine and the image is displayed in the ICN viewer. However, when concurrent viewer URL requests are sent, we see hit-or-miss errors: sometimes one or a few images open fine, but another image displays a "400 Bad Request - Cookies Too Large" error, or simply "Bad request - Nginx", or it renders the Zen landing page with the user logged in, or the browser window may display the corporate intranet home page.
I know that all requests hit the Zen front door, which redirects to IAM, where the OIDC auth flow happens; that in turn redirects to the external SAML provider with a SAMLRequest. Once all the authentication flows on the SAML provider complete, the SAMLResponse is sent back to CP4BA IAM, which produces two cookies (ibm-private-cloud-session and ibm-private-cloud-session-id) and finally returns control back to the user to load the ICN bookmark viewer URL and load the image.
The issue seems to be that when concurrent browser requests to the ICN web app are submitted, whichever ICN request started the authentication flow with Zen/IAM/SAML has not yet completed the whole authentication handshake when the other remaining ICN web requests are submitted to CP4BA; at that time, cookies obtained by any of the previous requests sometimes get submitted with the ongoing web requests, and that causes the "Cookies Too Large" error or the other abnormal authentication behaviors mentioned above.
I also received a suggestion that the partner application should launch the first viewer request, wait until the authentication flow is completed (obtaining the ibm-private-cloud-session and ibm-private-cloud-session-id cookies), and then initiate the subsequent viewer requests. While I agree and trust that this suggestion will work, it is not feasible for the business requirement for a few reasons:
- How long should we tell the partner application to wait? How would it know the auth flow is completed, to wait until that time?
- How long are the tokens/cookies (ibm-private-cloud-session and ibm-private-cloud-session-id) valid?
- Assuming the 1st point above is implemented, if the tokens expire after a while, wouldn't the authentication flow repeat to reauthenticate the user when CP4BA sees that the ibm cookies are expired, and fall into the same error situation, back to square one?
How do we solve this situation with a solid, permanent solution that does not depend on some arbitrary or trial-and-error type of workaround? Is there any alternative authentication flow/solution available that supports launching concurrent ICN web requests and performing the authentication without running into the Cookies Too Large or Bad Request issue?
@Jens Engelke I have read a few of your auth-related tech notes for CP4BA and still need to read a few other related ones with some focus, but I hope you can throw some light on this request.
All, any suggestion is greatly appreciated.
------------------------------
Anup.
Anup Mereddy
Application Architect
IBM Consulting
Atlanta, GA - USA
------------------------------