So – we get this all working (I’m remote at Sun’s offices in Santa Clara, the PoC is at – uh – a secret location) and everyone there breaks for lunch. After lunch I get a slightly panicky call from the SE onsite (Hi, Bob!) saying that, inexplicably, it’s no longer working. The browser isn’t being forwarded to ADFS via AM’s WS-Fed servlet – it’s just going to the regular AM login page instead. Weird. I
tail -f the logs, have them try again, and sure enough, the WS-Fed servlet is unmolested by traffic. I turn on the debug flag on the agent,
tail -f the logs again and have them click the link. Whah!? The agent on the protected web server is redirecting to the CDSSO servlet? Why? A glance in the agent config shows that, somehow, magically, CDSSO has been enabled.
As Bob and I try to figure out just what has happened, I hear a voice in the background saying something like “Uh – Oh – Um”. One of MM’s senior technical staff is ex-Sun. He’s had a little tinker over lunch, applying his AM knowledge and trying one or two things out. And left CDSSO enabled. Which tells the agent to redirect to the CDSSO servlet instead of my nifty new WS-Federation servlet.
s/true/false/ on the ‘enable CDSSO’ property and all is working again. Phew!
Moral of the story. Never leave the customer alone in the PoC room with a logged in machine. Especially if they know enough to be dangerous!