Federation Manager Guide › Delegated Authentication for Federation Users › How the Third Party WAM Passes the User Identity › Cookie Method for Passing User Identity

Cookie Method for Passing User Identity

Federation Manager can use a legacy or open format cookie to pass a user identity. The cookie contains a user login ID as one of its values.

Note: If you configure delegated authentication for use with the Federation Manager Agent for Windows Authentication, the Agent requires the use of the open format cookie. However, if the SiteMinder Connector is also configured, the open format cookie option for delegated authentication is not available. The Federation Manager Windows Agent and the SiteMinder Connector cannot coexist in a deployment.

Authentication can begin at the WAM system or at Federation Manager. If authentication begins at Federation Manager, it redirects the user to the WAM system, where the authentication process is the same as if it began at the WAM system.

The delegated authentication process is as follows:

1. An authentication request comes into to the third-party WAM system.
2. The user is authenticated.
3. The third-party WAM system obtains a cookie in one of two ways:
   • The WAM system uses the Federation Manager SDK to create a legacy cookie or an open format cookie. The SDK creates the cookie and sends it back in a request to the WAM system.

     Note: To create an open format cookie that is FIPS-encrypted, use a Federation Manager SDK.

     The third-party WAM application must use the same language as the SDK that it is using to create a cookie. If you are using the Federation Manager Java SDK, the third-party WAM application must be in Java. If you are using the .NET SDK, the third-party WAM application must support .NET.

   • The WAM system uses a manually created open format cookie.

     You can create an open format cookie without using a Federation Manager SDK. To create the open format cookie cookie manually, use any programming language that supports UTF-8 encoding and any of the following PBE encryption algorithms that Federation Manager uses for password-based encryption:

     • PBE/SHA1/AES/CBC/PKCS12PBE-1000-128
     • PBE/SHA1/AES/CBC/PKCS12PBE-1000-192
     • PBE/SHA1/AES/CBC/PKCS12PBE-1000-256
     • PBE/SHA256/AES/CBC/PKCS12PBE-1000-128
     • PBE/SHA256/AES/CBC/PKCS12PBE-1000-192
     • PBE/SHA256/AES/CBC/PKCS12PBE-1000-256
     • PBE/SHA1/3DES_EDE/CBC/PKCS12PBE-1000-3
     • PBE/SHA256/3DES_EDE/CBC/PKCS12PBE-1000-3

     You must also be sure that the open format cookie gets set in the user's browser.

     To write a complete cookie, review the details about the contents of the open format cookie.

   Note: The WAM system and Federation Manager must be in the same cookie domain.

4. The WAM system redirects the browser to Federation Manager.
5. Federation Manager extracts the login ID from the cookie then locates the user in its user directory.
6. Federation Manager creates a Federation Manager session.
7. After the session is created, federated communication with the relying party proceeds.

The following picture shows the cookie method when authentication is initiated at the third-party WAM.

Important! To use the legacy cookie or an SDK-created open format cookie, the third party must install a Federation Manager SDK. The SDK is a separately installed component from Federation Manager. The installation kit contains the documentation that describes how to use the SDK for delegated authentication.