IBM Security Verify

  • 1.  SSO between WebSEAL instances using Distributed Session Cache DSC

    Posted Tue August 23, 2022 05:09 AM
    Hello,

    Does anyone know how to give SSO between WebSEAL instances? One instance is non-SSL and the other is SSL. I tried using SAML Federation, but it didn't work with non-SSL instances. Now I'm working on DSC but I'm unable to find any documentation on configuring SSO between WebSEAL instances.

    ISVA 10.0.3

    ------------------------------
    afras khan
    ------------------------------


  • 2.  RE: SSO between WebSEAL instances using Distributed Session Cache DSC

    Posted Tue August 23, 2022 05:29 AM
    To handle SSO between http and https (sharing sessions across different transports), you'll need something like use-same-session.
    This would ensure that your PD-S-SESSION-ID and PD-H-SESSION-ID cookies can be used for both transport methods.

    Indeed, to use that over multiple WebSEAL instances, you'll need the concept of session sharing, like the DSC or Redis.
    You'll need to configure your WebSEAL instances to be part of the same replica set.

    If you're testing this in a load balanced environment (some front end load balancer in front of WebSEALs), I would expect it to work OK.
    If you're testing this in a Dev environment, and are using /etc/hosts file or other methods where you don't control DNS, it might give different results.

    All your participating WebSEALs should respond to the same FQDN (e.g. vip.webseal.ibm.com), or alternatively you can ensure that your Session Cookies are Domain Cookies (so they'll be sent by the browser to all URLs that match the domain instead of the more specific FQDN hostname).

    ------------------------------
    HANS VANDEWEGHE
    ------------------------------
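
The cookie-scope point in the reply above, as an added example that is not part of the thread: a minimal model of the RFC 6265 domain-match and Secure rules a browser applies when deciding whether to send a session cookie to a second WebSEAL host. The host names under example.com and the attribute choices per cookie are constructed assumptions; only the cookie names come from the thread.

```python
# Added illustration: RFC 6265 cookie scoping as a browser applies it.
# Host names and cookie attributes below are constructed, not from the thread.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    set_by_host: str              # host that issued the Set-Cookie
    domain: Optional[str] = None  # Domain attribute; None means host-only
    secure: bool = False          # Secure attribute: only sent over https


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def browser_sends(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie.secure and parts.scheme != "https":
        return False              # Secure cookies never travel over plain http
    if cookie.domain is None:
        return host == cookie.set_by_host.lower()  # host-only: exact match
    return domain_match(host, cookie.domain)


def report(cookies, urls):
    """Map each URL to the names of the cookies the browser would send."""
    return {u: [c.name for c in cookies if browser_sends(c, u)] for u in urls}


# Constructed scenario: two WebSEAL hosts, one reached over http, one over https.
URLS = ["http://ws1.example.com/", "https://ws2.example.com/"]
HOST_ONLY = [Cookie("PD-H-SESSION-ID", "ws1.example.com")]
DOMAIN_WIDE = [Cookie("PD-H-SESSION-ID", "ws1.example.com", domain="example.com")]
SECURE_DOMAIN = [Cookie("PD-S-SESSION-ID", "ws2.example.com",
                        domain="example.com", secure=True)]

if __name__ == "__main__":
    for label, jar in [("host-only", HOST_ONLY), ("domain", DOMAIN_WIDE),
                       ("secure domain", SECURE_DOMAIN)]:
        print(label, report(jar, URLS))
```

A host-only cookie never reaches the second host, and a Secure cookie never reaches the http instance, so either condition prevents the second WebSEAL from seeing a session ID it could look up in the shared cache.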



  • 3.  RE: SSO between WebSEAL instances using Distributed Session Cache DSC

    Posted Wed August 24, 2022 09:03 AM
    Hi Hans,
    Thanks for your suggestion.

    I have done all the configurations for DSC but still it's not working even with SSL instances. Both instances belong to the same domain.

    ------------------------------
    afras khan
    ------------------------------



  • 4.  RE: SSO between WebSEAL instances using Distributed Session Cache DSC

    Posted Fri August 26, 2022 08:45 AM
    Hi Afras,

    Have you enabled DSC at the policy server or at the WebSEAL instance?
    Also, check that the port for the DSC server is open from the WebSEAL servers.


    ------------------------------
    Urvi B
    ------------------------------



  • 5.  RE: SSO between WebSEAL instances using Distributed Session Cache DSC

    Posted Mon August 29, 2022 01:38 AM
    Hi Urvi,

    DSC is enabled in WebSEAL instances.

    ------------------------------
    afras khan
    ------------------------------



  • 6.  RE: SSO between WebSEAL instances using Distributed Session Cache DSC

    Posted Thu September 15, 2022 01:18 AM
    Anyone available to assist?

    ------------------------------
    afras khan
    ------------------------------



  • 7.  RE: SSO between WebSEAL instances using Distributed Session Cache DSC

    Posted Thu September 15, 2022 02:53 AM
    Hi Afras, 
    If this continues to cause problems for you, I'd recommend opening a Support Case with IBM Support. 
    The team will be able to guide you in your troubleshooting process.

    Ideally you'll take a mix of tracing and logging to draw conclusions about where things are failing (if at first glance your config appears to be in order).
    • pdweb.debug tracing (to inspect session cookies being sent back and forth)
    • request.log (can also capture session cookies being sent back and forth)
    • pdweb.dsess tracing (to see if WebSEAL reaches out to the DSC component at all, when it receives session cookies)
    • msg__webseald-logging for any hints on what's going wrong.
    • pdweb.wns tracing might also be useful here.

    One more thing: the following technote can also give a few pointers on how you can start diagnosing Session Cookies and possible issues with them.
    https://www.ibm.com/support/pages/understanding-dpwwa1122w-dpwns1054e-messages-related-session-cookies

    (the technote needs an update, as that information is also relevant for Redis as Session Cache)

    If you find any suspicious log / trace entries, feel free to paste them here (if they do not contain private information like IPs, usernames, passwords).
    However, keep the option of a Support Case in mind if you need some swift progress.

    Good luck! 
    Hans

    ------------------------------
    HANS VANDEWEGHE
    ------------------------------