Web Agents 2024.9

Cookies

By default, the agent’s single sign-on (SSO) token cookie name is iPlanetDirectoryPro.

Unless you use Accept SSO Token mode or have enabled Custom Login Mode, you should remove the default cookie name value from the agent. A blank value ensures the agent gets the correct cookie name from AM for authentication.

You only need to set the agent’s cookie name to a specific value if you use custom login mode or accept SSO token mode and want to use a cookie different from the one defined in the realm.

If you’re using Advanced Identity Cloud, you don’t need to change the agent cookie name because the agent automatically uses the Advanced Identity Cloud session cookie name for authentication.

You can change the name of the cookie for a specific agent or for an agent group in AM.

  1. In the AM admin UI, go to Realms > Realm Name > Applications > Agents > Web > Agent Name.

  2. On the SSO tab, remove the default value from the Cookie Name field or enter the SSO token cookie name, if applicable.

  3. Click Save Changes.

  1. In the AM admin UI, go to Realms > Realm Name > Applications > Agents > Web, and select the Groups tab followed by the Group ID.

  2. On the SSO tab, remove the default value from the Cookie Name field or enter the SSO token cookie name, if applicable.

  3. Click Save Changes.

Web Agent can reset cookies before redirecting the client to a login page, by issuing a Set-Cookie header to the client to reset the cookie values.

Cookie reset is typically used when multiple parallel authentication mechanisms are in play with the web agent and another authentication system. The agent can reset the cookies set by the other mechanism before redirecting the client to a login page.

To set and reset secure or HTTP Only cookies, in addition to the cookie reset properties, set the relevant cookie option, as follows:

If you have enabled attribute fetching by using cookies to retrieve user data, it is good practice to use cookie reset, which will reset the cookies when accessing an enforced URL without a valid session.