Technical Note: Sun Java System Access Manager Cross-Domain Single Sign-On

Web Policy Agents Use Case — Protocol Exchange

The following are actual protocol exchanges in two use cases. In both use cases, the configuration is as follows:

Selective Steps in CDSSO Exchange

In the use cases, we will demonstrate a CDSSO sequence from the primary domain to the non-primary domain, and the reverse.

Web Policy Agent Use Case 1: Accessing a Protected Resource in the Primary Domain First

  1. An unauthenticated user attempts to access http://am-v210-01.red.iplanet.com:7001/app1/test1.html. The agent intercepts the request and receives no SSO token. The agent responds with a redirection to the Access Manager login page.

    REQUEST:


    GET /app1/test1.html HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-v210-01.red.iplanet.com:7001

    RESPONSE:


    HTTP/1.1 302 Moved Temporarily
    Date: Thu, 10 Aug 2006 14:44:55 GMT
    Location: https://am-pool0.red.iplanet.com:8443/amserver/UI/
        Login?goto=http%3A%2F%2Fam-v210-01.red.iplanet.com%3A7001
        %2Fapp1%2Ftest1.html
    Content-Type: text/html
    Connection: Close
    
    <html><head><title>302 Moved Temporarily</title></head>
    <body bgcolor="#FFFFFF">
    <p>This document you requested has moved temporarily.</p>
    <p>It's now at <a href="https://am-pool0.red.iplanet.com:8443/amserver/UI/
       Login?goto=http%3A%2F%2Fam-v210-01.red.iplanet.com%3A7001%2Fapp1%2Ftest1.html">
       https://am-pool0.red.iplanet.com:8443/amserver/UI/Login?goto=
       http%3A%2F%2Fam-v210-01.red.iplanet.com
       %3A7001%2Fapp1%2Ftest1.html</a>.</p>
    </body></html>
  2. The browser follows the redirection to access the Access Manager login page.

    REQUEST:


    GET /amserver/UI/Login?goto=http%3A%2F%2Fam-v210-01.red.iplanet.com
    %3A7001%2Fapp1%2Ftest1.html HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
    application/x-shockwave-flash, application/vnd.ms-excel, 
    application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Host: am-pool0.red.iplanet.com:8443
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Connection: Keep-Alive

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:44:09 GMT
    Content-type: text/html;charset=UTF-8
    Cache-control: private
    Pragma: no-cache
    Expires: 0
    X-dsameversion: 7 2005Q4
    Am_client_type: genericHTML
    Set-cookie: JSESSIONID=D74987DB66D0F603043D1032FF92780D;Path=/;Secure
    Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcyUVIxDMmieXosNGE7jBEZdye
    Jb0CIYBuc%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23;
       Domain=.iplanet.com;Path=/
    Set-cookie: amservercookie=02;Domain=.iplanet.com;Path=/
    
    <... login page content omitted by the author ...>
  3. The user types in his credentials on the login page and clicks Submit. A login form is posted to Access Manager. If the user authenticates successfully, Access Manager responds by setting an SSO token (iPlanetDirectoryPro) in the domain .iplanet.com. The response also redirects the browser to the originally requested resource http://am-v210-01.red.iplanet.com:7001/app1/test1.html.

    REQUEST:


    POST /amserver/UI/Login HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Referer: https://am-pool0.red.iplanet.com:8443/amserver/UI/
       Login?goto=http%3A%2F%2Fam-v210-01.red.iplanet.com%3A7001
       %2Fapp1%2Ftest1.html
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-pool0.red.iplanet.com:8443
    Content-Length: 144
    Cache-Control: no-cache
    Cookie: JSESSIONID=D74987DB66D0F603043D1032FF92780D; 
       AMAuthCookie=AQIC5wM2LY4SfcyUVIxDMmieXosNGE7jBEZdyeJb0CI
       YBuc%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23; amservercookie=02

    RESPONSE:


    HTTP/1.1 302 Moved Temporarily
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:44:16 GMT
    Content-length: 0
    Content-type: text/html
    Cache-control: private
    Pragma: no-cache
    X-dsameversion: 7 2005Q4
    Am_client_type: genericHTML
    Location: http://am-v210-01.red.iplanet.com:7001/app1/test1.html
    Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyUVIxDMmieXosNGE7j
       BEZdyeJb0CIYBuc%3D%40AAJTSQACMTE
       AAlMxAAIwMg%3D%3D%23;Domain=.iplanet.com;Path=/
    Set-cookie: AMAuthCookie=LOGOUT;Domain=.iplanet.com;
    Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
    Connection: close
  4. The browser follows the redirection to access http://am-v210-01.red.iplanet.com:7001/app1/test1.html. Note the SSO token cookie iPlanetDirectoryPro is sent in the HTTP request to the server. The agent validates the SSO token and evaluates policies by interacting with Access Manager in the background. If access is allowed, the server responds with the content of the protected resource.

    REQUEST:


    GET /app1/test1.html HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Pragma: no-cache
    Accept-Language: en-us
    Cookie: amservercookie=02; iPlanetDirectoryPro=AQIC5wM2LY4Sfc
       yUVIxDMmieXosNGE7jBEZdyeJb0CIYBuc
       %3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-v210-01.red.iplanet.com:7001
    Cache-Control: no-cache

    RESPONSE:


    HTTP/1.1 200 OK
    Date: Thu, 10 Aug 2006 14:45:06 GMT
    Content-Length: 88
    Content-Type: text/html
    Last-Modified: Tue, 20 Jun 2006 11:03:04 GMT
    Accept-Ranges: bytes
    Connection: Close
    
    <html>
    <head>
    <title>Test1 HTML</title>
    </head>
    <body>
    Test1 HTML
    </body>
    </html>
  5. The user now attempts to access another resource http://comal-b.central.sun.com:80/app1/test1.html. Note the SSO token iPlanetDirectoryPro is not sent in the HTTP request because the server comal-b.central.sun.com does not match the cookie domain .iplanet.com. The agent, receiving no SSO token, responds by redirecting the browser to the CDC servlet URL https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet.

    REQUEST:


    GET /app1/test1.html HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Cookie: SUN_ID=69.196.39.237:227251153914164
    If-Modified-Since: Thu, 10 Aug 2006 14:40:34 GMT
    If-None-Match: "23-44db4562"
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: comal-b.central.sun.com

    RESPONSE:


    HTTP/1.1 302 Moved Temporarily
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:45:15 GMT
    Content-length: 0
    Content-type: text/html
    Location: https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?goto=
       http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%
       3FsunwMethod%3DGET&RequestID=8382&MajorVersion=1&MinorVersion=0
       &ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Famagent&IssueInstant
       =2006-08-10T09%3A45%3A16Z
    Connection: close

    The redirection URL contains some parameters to be carried to the CDC servlet. Some of these parameters are:

    goto

    The URL to which the CDC servlet will return the AuthnResponse: the originally requested URL with the parameter sunwMethod=GET appended.

    MajorVersion

    The major version is set to 1. It is the Liberty Federation Protocol major version.

    MinorVersion

    The minor version is set to 1. It is the Liberty Federation Protocol minor version.

    RequestID

    The AuthnRequest ID, a randomly generated unique id. It is sent to the CDC servlet so that the AuthnResponse it returns can carry the same identifier. The agent uses the RequestID to tie the response to the request it issued, and verifies it when the response comes back from the CDC servlet.

    ProviderID

    The Service Provider ID, which identifies the agent. The value has the form http(s)://<agent-host>:<port>/amagent?Realm=<RealmName> or http(s)://<agent-host>:<port>/amagent, where RealmName is the value configured for the property com.sun.identity.agents.config.organization.name in AMAgent.properties.

    IssueInstant

    The time at which the AuthnRequest was created, in UTC.

  6. The browser follows the redirection to access the CDC servlet. Note the SSO token iPlanetDirectoryPro is sent in the HTTP request because the server's DNS domain matches the cookie domain. The CDC servlet validates the SSO token and responds with an HTML page. The page contains an HTML FORM that is automatically posted to the agent (http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET, taken from the goto parameter above). The form's hidden field LARES is an encoded Liberty-like AuthnResponse that contains the existing SSO token from the domain .iplanet.com.

    REQUEST:


    GET /amserver/cdcservlet?goto=http%3A%2F%
       2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%3F
       sunwMethod%3DGET&RequestID=8382&MajorVersion=1&MinorVersion=
       0&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%
       2Famagent&IssueInstant=2006-08-10T09%3A45%3A16Z HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
        application/x-shockwave-flash,application/vnd.ms-excel, 
        application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Cookie: JSESSIONID=D74987DB66D0F603043D1032FF92780D; amservercookie=02; 
       iPlanetDirectoryPro=AQIC5wM2LY4SfcyUVIxDMmieXosNGE7jBEZdyeJb0CIYBuc%3D%
       40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23
    If-Modified-Since: Thu, 10 Aug 2006 14:40:34 GMT
    If-None-Match: "23-44db4562"
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-pool0.red.iplanet.com:8443
    Connection: Keep-Alive

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:44:27 GMT
    Content-type: text/html
    Pragma: no-cache
    Content-length: 3681
    Connection: keep-alive
    
    <HTML>
    <BODY Onload="document.Response.submit()">
    <FORM NAME="Response" METHOD="POST" ACTION="http://comal-b.central.sun.com:80/app1
       /test1.html?sunwMethod=GET">
    <INPUT TYPE="HIDDEN" NAME="LARES" VALUE="PGxpYjpBdXRoblJlc3BvbnNlIHhtbG5zOmxpYj0ia
    HR0cDovL3Byb2plY3RsaWJlcnR5Lm9yZy9zY2hlbWFzL2NvcmUvMjAwMi8xMiIgeG1sbnM6c2FtbD0idXJ
    uOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuY
    W1lczp0YzpTQU1MOjEuMDpwcm90b2NvbCIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDk
    veG1sZHNpZyMiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY
    2UiIFJlc3BvbnNlSUQ9InNmOTgzZjU0NWZlNGQzOWFjMzcyYTZhOWMwNTFhMThiNmZlNjJlMGI0IiAgSW5
    ...
    Nwb25zZVRvPSI4MzgyIiAgTWFqb3JWZXJzaW9uPSIxIiAgTWlub3JWZXJzaW9uPSIwIiAgSXNzdWVJbnN0
    YW50PSIyMDA2LTA4LTEwVDE0OjQ0OjI3WiI+PHNhbWxwOlN0YXR1cz4KPHNhbWxwOlN0YXR1c0NvZGUgVm
    FsdWU9InNhbWxwOlN1Y2Nlc3MiPgo8L3NhbWxwOlN0YXR1c0NvZGU+Cjwvc2FtbHA6U3RhdHVzPgo8c2Ft
    bDpBc3NlcnRpb24gIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb2
    4iIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiICB4bWxu
    czpsaWI9Imh0dHA6Ly9wcm9qZWN0bGliZXJ0eS5vcmcvc2NoZW1hcy9jb3JlLzIwMDIvMTIiICBpZD0icz
    cmVkLmlwbGFuZXQuY29tOjQ0My9hbXNlcnZlci9jZGNzZXJ2bGVL2xpYjpBdXRoblJlc3BvbnNlPgo="/>
    </FORM>
    </BODY></HTML>
  7. The browser automatically posts the form with LARES to the goto URL http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET, without any user interaction. The agent validates the AuthnResponse and responds by setting a new SSO token cookie iPlanetDirectoryPro with no cookie domain. A cookie set without a domain attribute is returned only to the originating server on subsequent requests. Also note that the cookie value is exactly the same as the one set by Access Manager in the Step 3 response.

    The agent also performs the necessary session validation and policy evaluation. If all checks pass, the user is granted access and the protected page is served in the response.

    REQUEST:


    POST /app1/test1.html?sunwMethod=GET HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: comal-b.central.sun.com
    Content-Length: 3490
    Cookie: SUN_ID=69.196.39.237:227251153914164

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:45:17 GMT
    Content-length: 35
    Content-type: text/html
    Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyUVIxDMmieXosNGE7j
       BEZdyeJb0CIYBuc%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23;Path=/
    Last-modified: Thu, 10 Aug 2006 14:40:34 GMT
    Accept-ranges: bytes
    Connection: close
    
    Success! This is test1.html page.

    In responding to this request, the agent goes through the following steps to validate the received AuthnResponse:

    1. The status code of the AuthnResponse is checked to confirm that it reports success.

    2. The assertions are extracted from the AuthnResponse. There must be exactly one.

    3. The conditions in the assertion are also validated. The main one is the date validity condition: the NotBefore and NotOnOrAfter attributes are checked to confirm that the assertion is currently valid and has not expired. Time synchronization between Access Manager and the agent is therefore crucial.
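The agent's side of this exchange, as an added example (not the web agent's or Access Manager's code): it builds the redirect to the CDC servlet with the parameters described under Step 5, remembers the RequestID, and then validates the LARES AuthnResponse in the three steps just listed, also checking that InResponseTo matches the remembered RequestID. CDC_SERVLET, the parameter names, the RequestID 8382, the token value, the Location header and the XML namespaces and IssueInstant are taken from the Use Case 1 traces (the namespaces and IssueInstant from the decoded LARES). Everything else is assumed for illustration: the AuthnResponse is a constructed sample, not a capture, the SSO token is placed in the assertion's Subject/NameIdentifier (an assumption about the servlet's output), the 60-second clock-skew allowance and 5-minute assertion lifetime are chosen here, and the 64-bit CSPRNG RequestID is one way to satisfy "randomly generated unique id", not Access Manager's scheme.

```python
# Agent side of the CDSSO exchange: the redirect to the CDC servlet (Step 5 of Use
# Case 1) and validation of the LARES AuthnResponse that comes back (the three steps
# above). Added example, not the web agent's or Access Manager's code.
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

CDC_SERVLET = "https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet"
NS = {"lib": "http://projectliberty.org/schemas/core/2002/12",   # namespaces seen in the
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",           # decoded LARES above
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol"}
UTC_FMT = "%Y-%m-%dT%H:%M:%SZ"
parse_utc = lambda v: datetime.strptime(v, UTC_FMT).replace(tzinfo=timezone.utc)

def build_cdc_redirect(requested_url, method, provider_id, request_id=None, now=None):
    """Location URL the agent redirects to; returns (url, request_id). The agent keeps
    request_id so it can check InResponseTo when the LARES form is posted back."""
    if request_id is None:  # "randomly generated unique id"; 64 CSPRNG bits is an assumption
        request_id = str(secrets.randbits(64))
    issue_instant = (now or datetime.now(timezone.utc)).strftime(UTC_FMT)
    goto = requested_url + ("&" if "?" in requested_url else "?") + f"sunwMethod={method}"
    query = urlencode([("goto", goto), ("RequestID", request_id), ("MajorVersion", "1"),
                       ("MinorVersion", "0"), ("ProviderID", provider_id),
                       ("IssueInstant", issue_instant)])
    return f"{CDC_SERVLET}?{query}", request_id

def validate_lares(lares_b64, expected_request_id, now, skew=timedelta(seconds=60)):
    """Return the SSO token carried in the AuthnResponse, or raise ValueError.
    skew bounds the clock difference tolerated between Access Manager and the agent."""
    root = ET.fromstring(base64.b64decode(lares_b64, validate=True))
    if root.tag != f"{{{NS['lib']}}}AuthnResponse":
        raise ValueError("not a lib:AuthnResponse")
    if root.get("InResponseTo") != expected_request_id:  # tie the response to our RequestID
        raise ValueError("InResponseTo does not match the outstanding RequestID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)  # validation step 1
    if code is None or code.get("Value") != "samlp:Success":
        raise ValueError("status is not samlp:Success")
    assertions = root.findall("saml:Assertion", NS)  # validation step 2
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one assertion, found {len(assertions)}")
    cond = assertions[0].find("saml:Conditions", NS)  # validation step 3
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise ValueError("assertion lacks NotBefore/NotOnOrAfter")
    not_before, not_after = parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))
    if not not_before - skew <= now < not_after + skew:
        raise ValueError("assertion is outside its NotBefore/NotOnOrAfter window")
    # Where the token sits inside the assertion is an assumption (see lead-in).
    name = assertions[0].find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not (name.text or "").strip():
        raise ValueError("assertion carries no SSO token")
    return name.text.strip()

def rejection_reason(lares_b64, expected_request_id, now):
    # validate_lares's error message, or None when the response is accepted
    try:
        validate_lares(lares_b64, expected_request_id, now)
    except ValueError as exc:
        return str(exc)
    return None

def make_sample_lares(request_id, issued, token, lifetime=timedelta(minutes=5),
                      status="samlp:Success", assertion_count=1):
    """Constructed sample AuthnResponse (not a capture), base64-encoded like LARES."""
    t, not_after = issued.strftime(UTC_FMT), (issued + lifetime).strftime(UTC_FMT)
    assertion = (
        f'<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="constructed-id"'
        f' Issuer="am-pool0.red.iplanet.com" IssueInstant="{t}">'
        f'<saml:Conditions NotBefore="{t}" NotOnOrAfter="{not_after}"/>'
        f'<saml:AuthenticationStatement AuthenticationInstant="{t}"><saml:Subject>'
        f'<saml:NameIdentifier>{token}</saml:NameIdentifier></saml:Subject>'
        f'</saml:AuthenticationStatement></saml:Assertion>')
    doc = (f'<lib:AuthnResponse xmlns:lib="{NS["lib"]}" xmlns:saml="{NS["saml"]}"'
           f' xmlns:samlp="{NS["samlp"]}" ResponseID="constructed-response"'
           f' InResponseTo="{request_id}" MajorVersion="1" MinorVersion="0" IssueInstant="{t}">'
           f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
           + assertion * assertion_count +
           f'<lib:ProviderID>{CDC_SERVLET}</lib:ProviderID></lib:AuthnResponse>')
    return base64.b64encode(doc.encode("utf-8")).decode("ascii")

# From Use Case 1: the RequestID, the SSO token (cookie value URL-decoded), the Step 5
# Location header with line wrapping removed, and the IssueInstant decoded from the LARES.
REQUEST_ID = "8382"
SSO_TOKEN = "AQIC5wM2LY4SfcyUVIxDMmieXosNGE7jBEZdyeJb0CIYBuc=@AAJTSQACMTEAAlMxAAIwMg==#"
PAGE_LOCATION = (
    "https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?goto="
    "http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%3FsunwMethod%3DGET"
    "&RequestID=8382&MajorVersion=1&MinorVersion=0"
    "&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Famagent"
    "&IssueInstant=2006-08-10T09%3A45%3A16Z")
ISSUED = datetime(2006, 8, 10, 14, 44, 27, tzinfo=timezone.utc)
NOW_OK, NOW_LATE = ISSUED + timedelta(seconds=5), ISSUED + timedelta(hours=1)

def rebuild_page_location():  # the Step 5 redirect recomputed with the trace's values
    return build_cdc_redirect("http://comal-b.central.sun.com:80/app1/test1.html", "GET",
                              "http://comal-b.central.sun.com:80/amagent", REQUEST_ID,
                              datetime(2006, 8, 10, 9, 45, 16, tzinfo=timezone.utc))[0]
```

rebuild_page_location() reproduces the Step 5 Location header byte for byte, which shows the parameter order and percent-encoding the agent uses. validate_lares accepts the constructed response at NOW_OK and rejects it an hour later, or when InResponseTo, the status code or the assertion count is wrong. On the clock point from validation step 3: in the trace, the agent's IssueInstant reads 2006-08-10T09:45:16Z while the Date header on the same response reads 14:45:15 GMT; whether that is a clock offset or a time-zone formatting slip, a gap of that size between the two clocks is exactly what a bounded skew allowance like the one here would refuse.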

Web Policy Agent Use Case 2: Accessing a Protected Resource in the Non-Primary Domain First

In this use case, an unauthenticated user first accesses a protected resource in the non-primary domain (.sun.com). He then accesses a protected resource in the primary domain (.iplanet.com).

  1. An unauthenticated user attempts to access http://comal-b.central.sun.com:80/app1/test1.html. The agent intercepts the request and receives no SSO token. Because CDSSO is enabled, the agent responds with a redirection to the Access Manager CDC servlet URL https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet.

    REQUEST:


    GET /app1/test1.html HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
    application/x-shockwave-flash, 
       application/vnd.ms-excel,application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Cookie: SUN_ID=69.196.39.237:227251153914164
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: comal-b.central.sun.com

    RESPONSE:


    HTTP/1.1 302 Moved Temporarily
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:47:15 GMT
    Content-length: 0
    Content-type: text/html
    Location: https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?goto=
       http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%3FsunwMethod%
       3DGET&RequestID=13293&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%
       2Fcomal-b.central.sun.com%3A80%2Famagent&IssueInstant=2006-08-10T09%3A47%3A15Z
    Connection: close
  2. The browser follows the redirection to access the CDC servlet without any SSO token. The CDC servlet responds with a login page.

    REQUEST:


    GET /amserver/cdcservlet?goto=http%3A%2F%2Fcomal-b.central.sun.com%3A80%
       2Fapp1%2Ftest1.html%3FsunwMethod%3DGET&RequestID=13293&MajorVersion=
       1&MinorVersion=0&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%
       2Famagent&IssueInstant=2006-08-10T09%3A47%3A15Z HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-pool0.red.iplanet.com:8443
    Connection: Keep-Alive

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:46:27 GMT
    Content-type: text/html;charset=UTF-8
    Cache-control: private
    Pragma: no-cache
    Expires: 0
    X-dsameversion: 7 2005Q4
    Am_client_type: genericHTML
    Set-cookie: JSESSIONID=FCD5ED4FC043E1E2C2789D228413DB87;Path=/;Secure
    Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwS5LT8TIP9%2Bs3ZqdIV0aEtBDSLrHxr
    %2Fcs%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23
       ;Domain=.iplanet.com;Path=/
    Set-cookie: amservercookie=02;Domain=.iplanet.com;Path=/
    
    <... login page content omitted by the author ...>
  3. The user types in his credentials on the login page and clicks Submit. A login form is posted to Access Manager. If the user authenticates successfully, Access Manager responds by setting an SSO token (iPlanetDirectoryPro) in the domain .iplanet.com. The response also redirects the browser back to the CDC servlet https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet.

    REQUEST:


    POST /amserver/UI/Login HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Referer: https://am-pool0.red.iplanet.com:8443/amserver/
       cdcservlet?goto=http%3A%2F%2Fcomal-b.central.sun.com%
       3A80%2Fapp1%2Ftest1.html%3FsunwMethod%3DGET&RequestID
       =13293&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%
       2Fcomal-b.central.sun.com%3A80%2Famagent&IssueInstant=2006-08-10T09%3A47%3A15Z
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-pool0.red.iplanet.com:8443
    Content-Length: 391
    Cache-Control: no-cache
    Cookie: JSESSIONID=FCD5ED4FC043E1E2C2789D228413DB87; 
       AMAuthCookie=AQIC5wM2LY4SfcwS5LT8TIP9%2Bs3ZqdIV0aEtBDSL
       rHxr%2Fcs%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23; amservercookie=02

    RESPONSE:


    HTTP/1.1 302 Moved Temporarily
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:47:53 GMT
    Content-length: 0
    Content-type: text/html
    Cache-control: private
    Pragma: no-cache
    Connection: close
    X-dsameversion: 7 2005Q4
    Am_client_type: genericHTML
    Location: https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?
       TARGET=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html
       %3FsunwMethod%3DGET&RequestID=13293&MajorVersion=1&MinorVersion=
       0&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Famagent
       &IssueInstant=2006-08-10T09%3A47%3A15Z
    Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwlpUfPmb1dtNENXWxnAoZSuWvmQ5pg
       UB0%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23;
       Domain=.iplanet.com;Path=/
    Set-cookie: amservercookie=02;Domain=.iplanet.com;Path=/
    Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwlpUfPmb1dtNENXWxnAoZSu
       WvmQ5pgUB0%3D%40AAJTSQACMTEAAlMxAAIwMg%;
       Domain=.iplanet.com;Path=/
    Set-cookie: AMAuthCookie=LOGOUT;Domain=.iplanet.com;
       Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
  4. The browser follows the redirection to access the CDC servlet again. This time the SSO token iPlanetDirectoryPro is sent in the HTTP request because the server's DNS domain matches the cookie domain. The CDC servlet validates the SSO token and responds with an HTML page. The page contains an HTML FORM that is automatically posted to the URL on the agent (http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET, derived from the goto and TARGET parameters). The form's hidden field LARES is an encoded Liberty-like AuthnResponse that contains the existing SSO token from the domain .iplanet.com.

    REQUEST:


    GET /amserver/cdcservlet?TARGET=http%3A%2F%
       2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%3F
       sunwMethod%3DGET&RequestID=13293&MajorVersion=1&MinorVersion=
       0&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Famagent&IssueInstant
       =2006-08-10T09%3A47%3A15Z HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Referer: https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?
       goto=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%
       3FsunwMethod%3DGET&RequestID=13293&MajorVersion=1&MinorVersion=0&ProviderID
       =http%3A%2F%2Fcomal-b.central.sun.com%3A80%2
       Famagent&IssueInstant=2006-08-10T09%3A47%3A15Z
    Accept-Language: en-us
    Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-pool0.red.iplanet.com:8443
    Cache-Control: no-cache
    Cookie: JSESSIONID=FCD5ED4FC043E1E2C2789D228413DB87; 
       amservercookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwlpUfPm
       b1dtNENXWxnAoZSuWvmQ5pgUB0%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:47:54 GMT
    Content-type: text/html
    Pragma: no-cache
    Content-length: 3685
    Connection: keep-alive
    
    <HTML>
    <BODY Onload="document.Response.submit()">
    <FORM NAME="Response" METHOD="POST" ACTION=
    "http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET">
    <INPUT TYPE="HIDDEN" NAME="LARES" VALUE="PGxpYjpBdXRoblJlc3BvbnNlIH
    htbG5zOmxpYj0iaHR0cDovL3Byb2plY3RsaWJlcnR5Lm9yZy9zY2hlbWFzL2NvcmUvM
    jAwMi8xMiIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFz
    c2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDp
    wcm90b2NvbCIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZH
    ...
    NpZyMiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEta
    W5zdGFuY2UiIFJlc3BvbnNlSUQ9InM4N2IzNTkzOGRhZjk1YzQ4MTBmYzJlODJkMTFl
    MGMyZDI2Y2I4ZDA0IiAgSW5SZXNwb25zZVRvPSIxMzI5MyIgIE1ham9yVmVyc2lvbj0
    iMSIgIE1pbm9yVmVyc2lvbj0iMCIgIElzc3VlSW5zdGFudD0iMjAwNi0wOC0xMFQxND
    0Nzo1NFoiPjxzYW1scDpTdGF0dXM+CjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJzYW
    2FtbDpBc3NlcnRpb24+CjxsaWI6UHJvdmlkZXJJRD5odHRwczovL2lkZS0xNS5yZWQu
    Y3NlcnZsZXQ8L2xpYjpQcm92aWRlcklEPjwvbGliOkF1dGhuUmVzcG9uc2U+Cg=="/>
    </FORM>
    </BODY></HTML>
  5. The browser automatically posts the form with LARES to the goto URL http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET, without any user interaction. The agent validates the AuthnResponse and responds by setting a new SSO token cookie iPlanetDirectoryPro with no cookie domain. A cookie set without a domain attribute is returned only to the originating server on subsequent requests. Also note that the cookie value is exactly the same as the one set by Access Manager in the Step 3 response.

    The policy agent also performs the necessary session validation and policy evaluation. If all checks pass, the user is granted access and the protected page is served in the response.

    REQUEST:


    POST /app1/test1.html?sunwMethod=GET HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: comal-b.central.sun.com
    Content-Length: 3482
    Cookie: SUN_ID=69.196.39.237:227251153914164
    
    <... posted form omitted by the author ...>

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:48:44 GMT
    Content-length: 35
    Content-type: text/html
    Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwlpUfPmb1dtNENXWx
       nAoZSuWvmQ5pgUB0%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23;Path=/
    Last-modified: Thu, 10 Aug 2006 14:40:34 GMT
    Accept-ranges: bytes
    Connection: close
    
    Success! This is test1.html page.