Administration Guide › Using the SPS with Federation Security Services › Cookieless Federation
Cookieless Federation
Certain devices or environments cannot use cookies to establish user session and provide single sign-on.
One type of session scheme you can use in a federated environment is a cookieless scheme. The cookieless federation scheme is used to establish single sign-on. Verify that FWS-generated cookies (session and attribute) are not sent back to clients using mobile devices that do not support cookies.
Cookieless Federation at the Producing Site
At the site producing assertions, the process for a cookieless transaction is as follows:
- The SPS verifies if cookieless federation is enabled for the virtual host requesting the redirect.
- The SPS verifies if the session scheme is a rewritable scheme, such as the simple_url scheme.
- If the scheme is rewritable, SPS determines whether a session key has been created for the session and if this key is available to use.
- SPS checks to see if the Location header in the HTTP response meets one of the following conditions:
- It is being rewritten.
- It is the same as the host of the request.
- SPS rewrites the redirect response to include the session key information in the redirected URL.
Cookieless Federation at the Consuming Site
At the site consuming assertions, if cookieless federation is enabled, the SPS replacing the Web Agent processes redirects using SAML authentication at the backend server.
In a cookieless federation, the SPS processes the request as follows:
- The SPS receives a request from cookieless device, such as a mobile phone.
- The SPS verifies if the cookieless federation is enabled for the virtual host requesting the redirect.
- SPS then checks to see if the following conditions have been met:
- The response from the backend server is a redirect.
- The response contains an SMSESSION cookie.
If these two conditions are met at the same time, it indicates that a SAML authentication has occurred at the backend server from the FWS application.
- The SPS retrieves the session scheme being used.
- The SPS creates an associated cookieless session and adds the session information to its session store.
- If the session scheme is rewritable, such as a simple URL session scheme, the SPS rewrites the location header with the session key.
- If the SPS determines that a cookieless federated session conversion has occurred, the SPS deletes the SMSESSION cookie from the response going to the browser.
- The SPS then checks to see if attribute cookies should also be deleted. It does this by checking the deleteallcookiesforfed parameter. If this parameter is set to yes, SPS deletes all the other cookies from the response going to the browser.