Interaction with SSO differs depending on action in CPM
When eworkflow (which is sso enabled) and another sso application share the same browser session we are seeing errors in eworkflow when the other application either times out from the sso perspective or the user logs out of that sso application. Within Ameriprise the sso applications in the same browser share the SMSession. So, when you log out of one and try to access functionality in another (eworkflow in this case) you should be challenged for your sso id and password. That does happen when some options are clicked on in eworkflow, but when the "phone" option is selected, errors result.
I have included the pega logs (rules, alert, cti), webserver logs, including a trace file, from the webservers and httpwatch traces from a working situation (clipboard) and the non-working (phone). What I need to understand is why I get different results when I click on clipboard than when I click on phone.
There are two files for both "clipboard", which is the working scenario, and "Phone", which is the error situation. The ones with "relogin" in the names contain all of the information of the other, plus tracing for when I logged in after closing the session.
Steps to Reproduce
1. log into eworkflow as a phones user.
2. in the same browser (new tab), log into another SSO protected application.
3. log out of that second sso application
4. Click on "phone" within eworkflow. You will get a message box. When you click ok, you will get a failure message. When you log out and back in you will get the red X.
If you do the same steps above, but select "clipboard" (or anything other than phone), you will get the sso challenge correctly.
The root cause of this problem is in a third-party product integrated with PRPC.
A user is logging out of Siteminder on one application and that is clearing their authentication to all applications. So, if the next request from the other PRPC session open in another browser tab is an AJAX request, the response will be the Siteminder login screen, after some redirection etc. We can't process those types of responses in our AJAX layer at this time.
We usually use the pxSessionTimer for handling of idle timeouts with SSO based 3rd party security software. The pxSessionTimer puts the SSO authentication screen into a popup window so that the full PRPC portal keeps the current user location in the UI the same. This also avoids any PRPC AJAX requests from getting an idle timeout response, containing the login screen for example, from a third-party SSO application like Siteminder.
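The failure mode described in the answer, as an added example that is not Pega's pxSessionTimer code nor anything from the original poster: a client-side AJAX wrapper that recognises when the SSO gateway has answered a data request with its login page (redirected off the application origin, or an HTML document carrying a password field where JSON was expected) and routes re-authentication to a popup instead of handing the HTML to the JSON parser. The host names, URL paths, the `login.fcc?TARGET=` form of the SiteMinder login URL, and the `USER`/`PASSWORD` field names are assumptions for illustration; the two responses are constructed, not captured from any real system.

```javascript
// Added example (not Pega's pxSessionTimer or any Ameriprise code): an AJAX
// wrapper that recognises when an SSO gateway such as SiteMinder has answered
// a data request with its login page, and routes re-authentication to a popup
// instead of handing the HTML to the JSON layer. Names, URLs and the
// SiteMinder form field names are assumptions for illustration.

// A completed response as a plain object so the example runs offline; a real
// fetch() Response exposes the same fields (url, redirected, status, ok, headers).
//   { requestUrl, url, redirected, status, ok, headers: {...}, body }

function looksLikeSsoChallenge(resp) {
  const contentType = (resp.headers['content-type'] || '').toLowerCase();
  // 1. Redirected away from the application origin: the SSO gateway took over.
  if (resp.redirected &&
      new URL(resp.url).origin !== new URL(resp.requestUrl).origin) {
    return true;
  }
  // 2. An HTML document with a password field came back where data was
  //    expected (also covers a login page served from the same origin).
  if (contentType.includes('text/html') &&
      /<input[^>]+type=["']?password/i.test(resp.body)) {
    return true;
  }
  return false;
}

class SsoChallengeError extends Error {
  constructor(loginUrl) {
    super('SSO re-authentication required');
    this.name = 'SsoChallengeError';
    this.loginUrl = loginUrl;
  }
}

// The call every portal AJAX request would go through. fetchImpl is injected
// so the example can run against the constructed responses below.
async function ajaxJson(fetchImpl, requestUrl) {
  const resp = await fetchImpl(requestUrl);
  if (looksLikeSsoChallenge(resp)) throw new SsoChallengeError(resp.url);
  if (!resp.ok) throw new Error(`HTTP ${resp.status} from ${requestUrl}`);
  return JSON.parse(resp.body);
}

// What the answer describes pxSessionTimer doing: re-authenticate in a popup
// so the portal keeps the user's place. openPopup would be window.open() in a
// browser; here it is injected and recorded. Returns { data, reauthUrl }.
async function callWithReauth(fetchImpl, requestUrl, openPopup) {
  try {
    return { data: await ajaxJson(fetchImpl, requestUrl), reauthUrl: null };
  } catch (e) {
    if (e instanceof SsoChallengeError) {
      openPopup(e.loginUrl);
      return { data: null, reauthUrl: e.loginUrl };
    }
    throw e;
  }
}

// Constructed responses (not captured from any real system).
const APP = 'https://eworkflow.example.com';
const SSO = 'https://sso.example.com';
const WORKLIST_URL = `${APP}/api/worklist`;
const PHONE_URL = `${APP}/api/phone`;

const CONSTRUCTED = {
  // Normal case: the SMSession is still valid and data comes back.
  [WORKLIST_URL]: {
    requestUrl: WORKLIST_URL, url: WORKLIST_URL, redirected: false,
    status: 200, ok: true,
    headers: { 'content-type': 'application/json' },
    body: '{"items":3}',
  },
  // Failure case from the report: the SMSession was cleared by a logout in
  // another tab, so the AJAX call was bounced to the SSO login form (200 OK,
  // HTML) after redirection. USER/PASSWORD are assumed SiteMinder field names.
  [PHONE_URL]: {
    requestUrl: PHONE_URL,
    url: `${SSO}/login.fcc?TARGET=${encodeURIComponent(PHONE_URL)}`,
    redirected: true, status: 200, ok: true,
    headers: { 'content-type': 'text/html; charset=utf-8' },
    body: '<html><body><form method="post" action="/login.fcc">' +
          '<input name="USER"><input name="PASSWORD" type="password">' +
          '</form></body></html>',
  },
};

async function mockFetch(url) {
  if (!(url in CONSTRUCTED)) throw new Error(`no constructed response for ${url}`);
  return CONSTRUCTED[url];
}

// Usage: the worklist call returns data; the phone call opens the SSO popup.
const popups = [];
callWithReauth(mockFetch, WORKLIST_URL, (u) => popups.push(u))
  .then((r) => console.log('worklist:', r))
  .then(() => callWithReauth(mockFetch, PHONE_URL, (u) => popups.push(u)))
  .then((r) => console.log('phone:', r, 'popups opened:', popups));
```

The check is deliberately on the response, not on the request: from the browser's side the AJAX call itself is indistinguishable from a successful one (the gateway answers 200 OK with HTML), which is why the portal's JSON layer cannot process it. Detecting the off-origin redirect, or the password field in an unexpected HTML body, is what lets the client fall back to the popup re-authentication the answer attributes to pxSessionTimer rather than failing on the parse.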