Access Manager 7.1 patch 3 (CR 6496155) includes the new com.iplanet.dpro.session.dnRestrictionOnly property to enforce the DN, rather than the IP address, as the SSO token restriction in cross-domain single sign-on (CDSSO) deployments and in cookie-hijacking prevention mode. Values for this property can be:
true: Access Manager 7.1 server enforces that an agent send the DN as the SSO token restriction.
false (default): Access Manager 7.1 server uses whatever SSO token restriction is sent by the agent. The token restriction can be the IP address (for older agents that have amclientsdk.jar from Access Manager 7 2005Q4 patch 5 and earlier) or the DN (for newer agents that have amclientsdk.jar from Access Manager 7 2005Q4 patch 6 and later).
Note: Older agents that use amclientsdk.jar from Access Manager 7 2005Q4 patch 5 and earlier should not set this property to true.
To require Access Manager 7.1 server to enforce that an agent send the DN as the SSO token restriction:
Add this new property with a value of true in the AMConfig.properties file. For example:
com.iplanet.dpro.session.dnRestrictionOnly=true
Restart Access Manager 7.1 server.
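To confirm the setting after the edit, the following check reports the effective value of the property in a given AMConfig.properties file. It is an added example, not part of the Access Manager product or its documentation. Assumptions: the function names are hypothetical, the file path is passed as an argument, the property sits on a single line without continuations or escapes, the last uncommented assignment wins (as in java.util.Properties), and only the exact value true counts as enforced.

```shell
#!/bin/sh
# Added example: audit com.iplanet.dpro.session.dnRestrictionOnly in a
# properties file. Function names are hypothetical, not Access Manager tools.
PROP='com.iplanet.dpro.session.dnRestrictionOnly'

# Print the effective value. Absent property -> "false" (the documented default).
dn_restriction_value() {
    awk -v key="$PROP" '
        BEGIN { val = "false" }
        /^[ \t]*[#!]/ { next }                   # comment lines do not count
        {
            line = $0
            sub(/\r$/, "", line)                 # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)             # leading whitespace is ignored
            if (index(line, key) != 1) next      # literal match, dots not regex
            rest = substr(line, length(key) + 1)
            # a longer key that merely starts with our key is a different key
            if (rest != "" && rest !~ /^[ \t=:]/) next
            sub(/^[ \t]*[=:]?[ \t]*/, "", rest)  # drop separator, keep the value
            val = rest                           # later assignments override
        }
        END { print val }
    ' "$1"
}

# Succeed only when the server is told to require the DN restriction.
# Assumption: anything other than the exact string "true" is treated as off.
dn_restriction_enforced() {
    [ "$(dn_restriction_value "$1")" = "true" ]
}

# Constructed sample file (not from a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# com.iplanet.dpro.session.dnRestrictionOnly=true
com.iplanet.dpro.session.dnRestrictionOnly=false
com.iplanet.dpro.session.dnRestrictionOnly = true
EOF
if dn_restriction_enforced "$sample"; then
    echo "DN restriction enforced"
else
    echo "DN restriction NOT enforced: agent-supplied restriction is accepted"
fi
rm -f "$sample"
```

A commented-out line or an earlier false assignment followed by a later true is the usual reason the file looks correct at a glance but the effective value differs. The running server only picks up the change after the restart.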