OAM and P3P
Hello Everyone,
We're using Oracle Access Manager 10g (10.1.4 to be specific) with OHS in reverse proxy mode as webgates (policy enforcement points). Due to some special requirements we had to use iframes for user authentication, but we're encountering an issue which we couldn't solve completely so far.
Let me tell you about our configuration first:
The protected resource is served within an iframe, so if there is no valid SSO session for the requesting user, a login form will be shown to the user first. The user enters their credentials and (if the credentials are valid) is redirected to the protected resource. Since we have a multi-domain environment, the login form within the iframe and the 'frame page' are from different domains.
The problem:
Some browsers (IE) don't accept ObFormLoginCookie for security reasons (depending on security settings), since the domain trying to set the cookie is different from the original domain. As a result of this, the end user won't be redirected to its initial requested resource, but will get to the action defined in the login form instead. The concern is most certainly understandable. When researching this situation, using P3P headers seemed to be a reasonable solution, but the case is, we can't (or couldn't so far) send P3P headers during the step setting ObFormLoginCookie (which is set by maindomain.com/obrareq.cgi?...). We have a workaround for the situation, but our workaround is for specific cases, and we don't think that it will be enough if other resources are to be added in the near future.
My question would be: Is there anyone who has done something like this? If yes, could you be kind enough to show us a way? Any comments would be appreciated.
I can provide further information if required, including HTTP headers etc.
Best Regards