MyTechReference - Technical Notes


by IDAMGroup

CA Siteminder Single Sign-On

How to configure Single Sign-On Across Multiple Cookie Domains

When a user logs into website A and then switches to website B in the same browser, they are asked to enter their credentials again because B is in a different cookie domain. Passing single sign-on information across multiple cookie domains lets a user authenticate at a site in one cookie domain and then go to a site in another cookie domain without being re-challenged for credentials.

In this post I will show you how to configure Single Sign-On for different domains pointing to the same user store.

You can also configure SSO for domains pointing to different user stores; I will explain that in a different post.

What is a cookie domain?

For the domains below

websitea.mysitea.com
webwin.mysiteb.com

the cookie domains are "*.mysitea.com" and "*.mysiteb.com" respectively.

What is a cookie provider?

A Cookie Provider is a SiteMinder Web Agent that ensures a SiteMinder SMSESSION cookie exists in the cookie provider's domain.

Only one Cookie Provider can be configured in a deployment.

Diagram for SSO

[Diagram: Siteminder SSO]

How SSO works

  1. The user accesses the URL webwin.mysiteB.com.
  2. webwin.mysiteB.com redirects to the Cookie Provider webone.mysiteA.com for a cookie.
  3. The cookie provider checks whether it has a cookie; if not, it sets SMSESSION to No.
  4. webwin.mysiteB.com reads that SMSESSION value and challenges the user if it is No.
  5. Once the user is authenticated at webwin.mysiteB.com, it redirects to the Cookie Provider and sets the cookie for mysiteB.com.
  6. It redirects to mysiteA.com and sets the SMSESSION cookie for mysiteA.com.
  7. It redirects to the protected resource.

 

So when a user requests a protected resource in a domain within the single sign-on environment, is challenged for credentials, and authenticates, the following cookies are set in the user's browser:

    • The local cookie for the domain where the user authenticated.
    • The cookie set by the cookie provider.

The user can then navigate between the domains in the single sign-on environment without being re-challenged.

 

To enable Single Sign-On

On the cookie provider Web Agent (in this example webone.websiteA.com):

Infrastructure -> Agent Configuration Object -> WebOne_ACO

Enable RequireCookies

Enable PersistentCookies

Specify CookieDomain

CookieDomainScope

If the CookieDomainScope parameter is set to 2, the cookie domains would be .websiteA.com and .websiteB.com respectively.
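As an added worked example (not SiteMinder code and not from the original post), the following Python models the cookie-provider sequence from the "How SSO works" steps above together with the CookieDomainScope rule, using a toy browser cookie jar so the flow can be traced end to end. The Agent and Browser classes, the session value format, the third domain app.mysitec.com, and the treatment of "SMSESSION=No" as "the provider has no cookie" are all assumptions made for illustration; the cookie domain is derived as "the last N labels of the host name", which matches the post's scope 2 example, and its behaviour for other scope values is likewise an assumption.

```python
"""Toy model of SiteMinder-style SSO across cookie domains via a cookie provider.

Added illustration, not SiteMinder code. Host names and the SMSESSION cookie
name follow the post; the Agent/Browser classes, the "SMSESSION=No" answer
being modelled as a missing provider cookie, and the session value format are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def cookie_domain(host: str, scope: int) -> str:
    """Cookie domain for a host under a CookieDomainScope-like rule.

    Modelled as "the last `scope` labels of the host name", which matches the
    post's example (scope 2 on webwin.mysiteb.com -> ".mysiteb.com").
    Behaviour for other scope values is an assumption of this model.
    """
    labels = host.lower().split(".")
    if scope < 1 or scope > len(labels):
        raise ValueError(f"scope {scope} not usable for host {host}")
    return "." + ".".join(labels[-scope:])


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265-style domain match: host equals the domain or is a subdomain of it."""
    host = host.lower()
    bare = domain.lower().lstrip(".")
    return host == bare or host.endswith("." + bare)


@dataclass
class Browser:
    """Cookie jar keyed by cookie domain, plus a trace of what each agent did."""
    jar: Dict[str, Dict[str, str]] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)

    def cookies_for(self, host: str) -> Dict[str, str]:
        """Cookies the browser would send to `host` (domain match only; no path/secure rules)."""
        sent: Dict[str, str] = {}
        for domain, cookies in self.jar.items():
            if domain_matches(host, domain):
                sent.update(cookies)
        return sent

    def set_cookie(self, domain: str, name: str, value: str) -> None:
        self.jar.setdefault(domain, {})[name] = value


@dataclass
class Agent:
    """A web agent; `provider` is None when this agent is the cookie provider itself."""
    host: str
    scope: int
    provider: Optional["Agent"] = None

    @property
    def domain(self) -> str:
        return cookie_domain(self.host, self.scope)

    def request(self, browser: Browser, user: Optional[str] = None) -> str:
        """Serve a protected resource. Returns "ok" or "challenge".

        `user` is the identity supplied if the agent challenges (steps 4-5);
        None means the user presents no credentials on this request.
        """
        if "SMSESSION" in browser.cookies_for(self.host):
            browser.trace.append(f"{self.host}: local SMSESSION present -> ok")
            return "ok"
        if self.provider is not None:
            # Steps 2-3: redirect to the cookie provider and ask for its cookie.
            session = browser.cookies_for(self.provider.host).get("SMSESSION")
            if session:
                # Provider had a session: copy it into this agent's cookie domain.
                browser.set_cookie(self.domain, "SMSESSION", session)
                browser.trace.append(f"{self.host}: SMSESSION obtained from provider -> ok")
                return "ok"
            browser.trace.append(f"{self.host}: provider answered SMSESSION=No")
        if user is None:
            browser.trace.append(f"{self.host}: challenge")   # step 4
            return "challenge"
        # Steps 5-6: authenticated; set the local cookie, then the provider's.
        session = f"session-for-{user}"
        browser.set_cookie(self.domain, "SMSESSION", session)
        if self.provider is not None:
            browser.set_cookie(self.provider.domain, "SMSESSION", session)
        browser.trace.append(f"{self.host}: authenticated {user}, cookies set")
        return "ok"


def scenario() -> Dict[str, object]:
    """Walk the post's sequence: B is challenged once, then A and a third domain are not."""
    provider = Agent("webone.mysitea.com", scope=2)
    site_b = Agent("webwin.mysiteb.com", scope=2, provider=provider)
    site_c = Agent("app.mysitec.com", scope=2, provider=provider)   # constructed third domain
    browser = Browser()
    first = site_b.request(browser)                 # steps 1-4: nothing anywhere -> challenge
    login = site_b.request(browser, user="alice")   # steps 5-6: cookies set in B and provider
    visit_a = provider.request(browser)             # provider's own domain: no challenge
    visit_c = site_c.request(browser)               # new domain: cookie copied from provider
    return {"first": first, "login": login, "visit_a": visit_a, "visit_c": visit_c,
            "domains": sorted(browser.jar), "trace": browser.trace}
```

Running scenario() shows the point of the single provider: only the first request to B challenges, and after that every domain that trusts the provider picks the session up from the provider's cookie domain, so the jar ends with an SMSESSION entry for .mysitea.com, .mysiteb.com and .mysitec.com.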

Enable IP Address Validation for Single Sign-On Environments

An unauthorized system can monitor packets, steal a cookie, and use that cookie to gain access to another system. To prevent such a breach, you can enable or disable IP checking for persistent and transient cookies.
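To make the IP-checking idea concrete, here is an added Python illustration (not SiteMinder code and not from the original post) of a session cookie that binds the issuing client address into a signed token, so a copy of the cookie presented from a different address is rejected. The token layout, the HMAC key, the sample addresses and the demo() walk-through are all constructed for the example; SiteMinder's own cookie format is not shown here.

```python
"""Why IP validation on an SSO cookie matters, as an added illustration.

Not SiteMinder code: it models the idea behind PersistentIPCheck /
TransientIPCheck, i.e. a session cookie bound to the client address so that a
copy captured on the wire does not work from another address. The token
layout, the HMAC key and the sample addresses are constructed for the demo.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional, Tuple

SECRET_KEY = b"constructed-demo-key-not-for-real-use"   # assumption: per-deployment secret
TAG_LEN = hashlib.sha256().digest_size


def issue_cookie(user: str, client_ip: str, ip_check: bool) -> str:
    """Create a signed session cookie; with ip_check the client IP is bound into it."""
    payload = {"user": user, "ip": client_ip if ip_check else None}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def validate_cookie(cookie: str, client_ip: str) -> Tuple[bool, str]:
    """Return (accepted, user-or-reason) for a presented cookie and the presenting IP."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (binascii.Error, ValueError):
        return False, "malformed"
    if len(raw) <= TAG_LEN:
        return False, "malformed"
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"          # tampered or forged cookie
    payload = json.loads(body)
    bound_ip: Optional[str] = payload["ip"]
    if bound_ip is not None and bound_ip != client_ip:
        # This is the case IP checking exists for: a valid cookie replayed from elsewhere.
        return False, f"ip mismatch: bound to {bound_ip}, presented from {client_ip}"
    return True, payload["user"]


def demo() -> dict:
    """Constructed replay: the same cookie presented from the issuing IP and from another."""
    victim_ip, other_ip = "10.0.0.5", "192.0.2.9"   # constructed addresses
    checked = issue_cookie("alice", victim_ip, ip_check=True)
    unchecked = issue_cookie("alice", victim_ip, ip_check=False)
    return {
        "checked_from_owner": validate_cookie(checked, victim_ip),
        "checked_from_other": validate_cookie(checked, other_ip),
        "unchecked_from_other": validate_cookie(unchecked, other_ip),
    }
```

demo() shows the trade-off the setting controls: with the check on, the replayed cookie fails with an "ip mismatch", while with it off the same cookie is accepted from anywhere. The practical cost is that clients whose source address changes mid-session (NAT pools, forward proxies, mobile networks) will be rejected and re-challenged, which is why it is exposed as a switch rather than always on.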

PersistentIPCheck

Modify the Session Update Period

Enter the Cookie Provider URL

Go to the second agent's ACO, IBMHTTP_ACO, and set the Cookie Provider URL to one of the following:

http://webone.mysitea.com:82/siteminderagent/SmMakeCookie.ccc

or

http://webone.mysitea.com:82/SmMakeCookie.ccc

Click OK and submit the changes.

Testing

Access http://webone.mysiteA.com:82/ and then switch to http://webone.mysiteB.com:8080/snoop in the same browser; the user should not be challenged for credentials.

---------------------------------------------------------------------------------------------------------------------------------------------

Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.