I am planning to implement SSO w/OIDC between several identical Websphere Liberty profile (wlp) instances with the standard LtpaToken2 cookie, but I don't see it being generated under that name. Instead, I see a random WAS_* cookie.

Even when I set it manually in 1 single wlp's server.xml like:

<webAppSecurity ssoCookieName="LtpaToken2" />

I see that wlp intentionally ignores it, as seen in the logs:

[AUDIT] CWWKS9112A: The web application security settings have changed.The following properties were modified: ssoCookieName=WAS_p1887216770

so it doesn't seem to be an app-related issue, or even an OIDC-related issue. Why is wlp behaving like this? None of the existing documentation mentions any restriction or reservation of the LtpaToken2 name; in fact, it should be the default.

Although I can set it to any other custom name, I am interested in understanding this impediment to using the default LtpaToken2 name, and the reason why it doesn't align with the documentation. Any explanation is deeply appreciated.

Kuper

1 Answer

Enabling either the openidConnectClient-1.0 or the openidConnectServer-1.0 feature will cause the cookie name to be automatically generated with a server-specific identifier for either one of those features. In some situations, this allows configuring multiple Relying Parties and Providers on the same host without collisions when processing their respective cookies.

For the openidConnectProvider, you have the option to use LtpaToken2 when setting the allowDefaultSsoCookieName attribute to "true" as documented in https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-openidconnectprovider. The openidConnectClient does not provide this option. We have an issue open to allow using the default cookie name for the OIDC client at https://github.com/OpenLiberty/open-liberty/issues/18803.

On the other hand, you might benefit from using jwtSso-1.0 to do SSO between identical servers after the initial authentication with the OIDC Provider. For example, please see the documentation for the allowCustomCacheKey attribute in https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-openidconnectclient.

Another alternative is to specify a value other than LtpaToken2 for the ssoCookieName attribute. This will override the auto generation of the cookie name when those features are enabled.

Regards,

Teddy
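The workaround from the answer, written out as a server.xml for one of the Relying Party instances. This is an added example and not configuration from the original post or from IBM's documentation; the feature list, the cookie name "MyAppSso", the element id "rp", the client credentials and the discovery URL on op.example.test are placeholders to be replaced with your own values.

```xml
<!-- server.xml on each identical wlp instance acting as an OIDC Relying Party.
     Added example, not from the original post; ids, hostnames and secrets are placeholders. -->
<server description="OIDC RP with an explicit SSO cookie name">

  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
    <!-- Enabling this feature is what turns the default LtpaToken2 name into WAS_<id>. -->
    <feature>openidConnectClient-1.0</feature>
  </featureManager>

  <!-- Any value other than LtpaToken2 overrides the auto-generated WAS_* name,
       so every instance in the cluster issues and reads the same cookie.
       Keep the cookie HttpOnly and tied to HTTPS while you are at it. -->
  <webAppSecurity ssoCookieName="MyAppSso"
                  httpOnlyCookies="true"
                  ssoRequiresSSL="true" />

  <!-- Relying Party definition; credentials and endpoint are placeholders. -->
  <openidConnectClient id="rp"
                       clientId="rp-client-id"
                       clientSecret="rp-client-secret"
                       scope="openid profile"
                       discoveryEndpointUrl="https://op.example.test/oidc/endpoint/OP/.well-known/openid-configuration" />

</server>
```

The same ssoCookieName value has to be set on every instance that should accept the cookie, and the instances must share the same LTPA keys, or the token will not validate across servers. On the Provider side, per the answer, the alternative is to keep the default name by adding allowDefaultSsoCookieName="true" to the openidConnectProvider element; that attribute is not available on openidConnectClient, which is why the RP side uses the custom name above.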

  • Thanks for the explanation Teddy! I only wish this level of detail could be found in the documentation. – Kuper Jun 29 '22 at 01:25
  • I was interested in your jwtsso suggestion, but got stuck when trying to add oidc claims into jwtsso. I raised this other [question](https://stackoverflow.com/questions/73627192/unable-to-get-claims-added-to-my-jwt-when-using-jwtssooidc-in-openliberty) . Any help would be appreciated! – Kuper Sep 07 '22 at 00:43