All -

It seems that in OpenStack environments the hostname provided ends up looking like a domain, since it only has a single "." in it.

For instance, the following is an altered hostname in such an environment:

vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal

Current knoxsso logic treats a name like this as a domain and prepends a dot to the front to make the domain cookie. This behavior is inaccurate and ends up meaning that it is only ever sent to the machine where the knoxsso token has been acquired. What we really need is to create a domain cookie for .novalocal - this will ensure that the cookie is sent to all hosts in the same domain.

While the existing logic makes sense for accessing resources at the domain level - say https://example.com:8443/gateway/sandbox/WEBDHS - it does not when a single dotted name represents a single host.

knoxsso.cookie.domain.suffix Parameter

What I propose is that we add a service parameter to the WebSSO service. This parameter would indicate a set of strings that would match domains within a given hostname. For instance, if we get a hostname for the URL that looks like vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal and we have configured a domain.suffix of ".novalocal", we would match that first and accept that as the domain for the knoxsso cookie.

Best Match Semantics

This check should also take the approach wherein the most specific domain is accepted over the least specific. Such that, "ljm.localnova" is accepted rather than ".localnova" when they both match.

I will likely file a JIRA for this and POC the approach in the next couple days.

Thoughts?

thanks,

--larry
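
The best-match suffix selection proposed in the message above, sketched in Java as an added example; it is not Knox code and not part of the original message. The class and method names, the label-boundary check, the leading-dot return convention and the sample hosts are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;

public class CookieDomainSuffixDemo {

    // Hypothetical helper: returns the most specific configured suffix that
    // matches the host on a label boundary, with a leading dot so it can be
    // used as a cookie domain. Empty means no configured suffix matched and
    // the caller keeps its existing domain logic.
    static Optional<String> bestMatch(String host, List<String> configuredSuffixes) {
        String h = host.toLowerCase(Locale.ROOT);
        String best = null;
        for (String raw : configuredSuffixes) {
            String s = raw.trim().toLowerCase(Locale.ROOT);
            if (s.startsWith(".")) {
                s = s.substring(1);          // compare without the leading dot
            }
            if (s.isEmpty()) {
                continue;                    // ignore blank entries
            }
            // Label-boundary check: "hostnovalocal" must not match "novalocal",
            // otherwise the cookie could be scoped to an unrelated name.
            boolean matches = h.equals(s) || h.endsWith("." + s);
            if (matches && (best == null || s.length() > best.length())) {
                best = s;                    // longer matching suffix = more specific
            }
        }
        return Optional.ofNullable(best).map(d -> "." + d);
    }

    public static void main(String[] args) {
        // Constructed sample configuration and hostnames.
        List<String> suffixes = List.of(".novalocal", "ljm.localnova", ".localnova");
        String[] hosts = {
            "vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal",
            "node1.ljm.localnova",       // both localnova entries match; longest wins
            "node2.other.localnova",     // only ".localnova" matches
            "hostnovalocal.example",     // contains the text but not as a suffix label
            "gateway.example.com"        // no configured suffix applies
        };
        for (String host : hosts) {
            System.out.println(host + " -> "
                + bestMatch(host, suffixes).orElse("(no match, existing logic applies)"));
        }
    }
}
```

Because every suffix that matches a given host on a label boundary is nested inside the longer ones, picking the longest match is equivalent to picking the most specific domain, which keeps the cookie scope as narrow as the configuration allows.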
