
CDSSO, policy agents and the amlbcookie


I was wondering how the amlbcookie and sticky sessions work with the policy agents, specifically in a CDSSO environment.

I understand that in a regular SSO implementation, where the protected application, and therefore the web agent, is in the same domain as the OpenAM deployment, the web agent would have access to the amlbcookie and can read the value or just pass on the cookie to OpenAM during session validation.

However, how does this work in a CDSSO situation? In this case, the policy agent does not have access to the amlbcookie since it is in a different domain (the OpenAM domain). I understand that the policy agent will read the session id from the LARES POST.

Is the amlbcookie value passed as well in the LARES POST? Is this what the com.sun.identity.agents.config.postdata.preserve.lbcookie property is for?


Solution

  • After doing some research, and working with the vendor, I learned that right now, policy agents do not pass on the amlbcookie in the CDSSO workflow. There is a bug open for this at the following link: https://bugster.forgerock.org/jira/browse/OPENAM-2396

    However, the authoritative server that issued the token will store its server id as part of the session value. http://blogs.forgerock.org/petermajor/2015/08/sessions/

    The Policy Agent will extract the server id from the token, and can create the amlbcookie, or the OpenAM server can read the authoritative server id from the token.

    So, there is no need for the LARES POST to also pass the amlbcookie, since all the information required to derive it is in the session token.
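As an added illustration (not code from the original answer, OpenAM or the policy agents), the following Python parses the extension part of an OpenAM-style session token as the linked blog post describes it and derives the amlbcookie value from the server id it carries. The token layout (opaque part, `*`, base64 extension with `-`, `_`, `.` for `+`, `/`, `=`, a trailing `*`) and the field name `SI` are assumptions taken from that post; the sample token is constructed.

```python
import base64
import struct

# Assumption (from the linked blog post): the extension after the first "*" is a
# sequence of Java writeUTF-style strings (2-byte big-endian length + UTF-8),
# alternating key and value, base64-encoded with "-", "_", "." in place of "+", "/", "=".
def _write_utf(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _read_utf(raw: bytes, pos: int) -> tuple:
    if pos + 2 > len(raw):
        raise ValueError("truncated extension: missing length prefix")
    (length,) = struct.unpack_from(">H", raw, pos)
    pos += 2
    if pos + length > len(raw):
        raise ValueError("truncated extension: string runs past end")
    return raw[pos:pos + length].decode("utf-8"), pos + length

def encode_extension(fields: dict) -> str:
    """Build the extension part for a constructed token (test data only)."""
    raw = b"".join(_write_utf(k) + _write_utf(v) for k, v in fields.items())
    b64 = base64.b64encode(raw).decode("ascii")
    return b64.replace("+", "-").replace("/", "_").replace("=", ".")

def decode_extension(token: str) -> dict:
    """Return the key/value pairs carried in the token's extension part."""
    if "*" not in token:
        raise ValueError("token carries no extension part")
    ext = token.split("*", 1)[1].rstrip("*")
    raw = base64.b64decode(ext.replace("-", "+").replace("_", "/").replace(".", "="))
    fields, pos = {}, 0
    while pos < len(raw):
        key, pos = _read_utf(raw, pos)
        fields[key], pos = _read_utf(raw, pos)
    return fields

def lb_cookie_from_token(token: str, cookie_name: str = "amlbcookie") -> str:
    """Derive the load-balancer cookie from the authoritative server id (SI) in the token."""
    server_id = decode_extension(token).get("SI")
    if not server_id:
        raise ValueError("token does not name an authoritative server (SI)")
    return f"{cookie_name}={server_id}"

# Constructed sample token: opaque part + "*" + extension + "*" (not a real session).
SAMPLE_TOKEN = ("AQICconstructedOpaquePart." + "*"
                + encode_extension({"SI": "01", "SK": "-5455626055681346432", "S1": ""}) + "*")

if __name__ == "__main__":
    print(decode_extension(SAMPLE_TOKEN))
    print(lb_cookie_from_token(SAMPLE_TOKEN))  # amlbcookie=01
```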