by IDAMGroup
CA Siteminder Single Sign-On
How to configure Single Sign-On Across Multiple Cookie Domains
When a user logs into Website A and then switches to Website B in the same browser, they are asked to enter their credentials again because the two sites are in different cookie domains. The ability to pass single sign-on information across multiple cookie domains lets a user authenticate at a site in one cookie domain and then go to a site in another cookie domain without being rechallenged for credentials.
In this post I will show you how to configure single sign-on for different domains pointing to the same user store.
You can also configure SSO for domains pointing to different user stores, which I will explain in a different post.
What is a cookie domain?
For the domains below:
websitea.mysitea.com
webwin.mysiteb.com
the cookie domains are "*.mysitea.com" and "*.mysiteb.com" respectively.
What is a cookie provider?
A cookie provider is a SiteMinder Web Agent that ensures an SMSESSION cookie exists in the cookie provider's domain.
Only one cookie provider can be configured in a deployment.
Diagram for SSO
How SSO works
- The user accesses the URL webwin.mysiteB.com.
- webwin.mysiteB.com redirects to the cookie provider, webone.mysiteA.com, to obtain a cookie.
- The cookie provider checks whether it already holds an SMSESSION cookie; if it does not, it returns SMSESSION=NO.
- webwin.mysiteB.com reads that SMSESSION value and challenges the user when it is NO.
- Once the user is authenticated at webwin.mysiteB.com, it sets the cookie for mysiteB.com and redirects to the cookie provider.
- The cookie provider sets the SMSESSION cookie for mysiteA.com and redirects back.
- The user is redirected to the protected resource.
So when a user requests a protected resource in a domain within the single sign-on environment and is challenged for credentials, the following cookies are set in the user's browser once the user is authenticated:
- The local cookie for the domain where the user authenticated.
- The cookie set by the cookie provider.
The user can then navigate between the domains in the single sign-on environment without being rechallenged.
To enable Single Sign-On
On the cookie provider Web Agent (in this example, webone.websiteA.com):
Infrastructure –> Agent Configuration Object –> WebOne_ACO
Enable RequireCookies
Enable PersistentCookies
Specify CookieDomain
Specify CookieDomainScope
If the CookieDomainScope parameter is set to 2, the cookie domains are .websiteA.com and .websiteB.com respectively.
Enable IP Address Validation for Single Sign-On Environments
An unauthorized system can monitor packets, steal a cookie, and use that cookie to gain access to another system. To prevent this kind of breach, you can enable or disable IP checking for persistent and transient cookies.
Enable PersistentIPCheck
Modify the Session Update Period
Enter the Cookie Provider URL
Go to the second agent's ACO, IBMHTTP_ACO, and set the Cookie Provider URL (the CookieProviderURL parameter) to one of the following:
http://webone.mysitea.com:82/siteminderagent/SmMakeCookie.ccc
or
http://webone.mysitea.com:82/SmMakeCookie.ccc
Click OK and submit the changes.
Testing
Access http://webone.mysiteA.com:82/ and then switch to http://webone.mysiteB.com:8080/snoop in the same browser; the user should not be challenged for credentials.
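The handshake described under "How SSO works", the CookieDomainScope derivation, the PersistentIPCheck setting and the test scenario above can all be walked through in one small simulation. The following is an added example written for this post, not CA SiteMinder code: the SMSESSION format (an HMAC over the user name and client address), the shared key, the CookieDomainScope handling and the client addresses are assumptions; the host names are the post's. Real agents obtain an encrypted session ticket from the Policy Server instead, but the branch structure (local cookie, redirect to the provider, SMSESSION=NO, challenge, cookies set in both domains) is the one the post describes.

```python
"""Added simulation of the cross-cookie-domain SSO handshake described in this post.

Constructed example, not CA SiteMinder code: the SMSESSION format (an HMAC over user
and client address), the shared key and the CookieDomainScope handling are assumptions.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

SHARED_KEY = b"constructed-agent-key"   # assumption: every agent verifies with the same key
PERSISTENT_IP_CHECK = True               # models PersistentIPCheck=yes
COOKIE_PROVIDER = "webone.mysitea.com"   # cookie provider host from the post
SCOPE = 2                                # CookieDomainScope=2 -> two trailing labels


def cookie_domain(host: str, scope: int) -> str:
    """Cookie domain an agent derives from its host for CookieDomainScope=scope.

    With scope 2, webone.websiteA.com yields .websitea.com, as the post states
    (lower-cased here; cookie domains are case-insensitive).
    """
    labels = host.lower().split(".")
    if scope < 2 or scope > len(labels):
        raise ValueError("CookieDomainScope must be at least 2 and at most the host's label count")
    return "." + ".".join(labels[-scope:])


def make_smsession(user: str, client_ip: str) -> str:
    """Build an SMSESSION value bound to the client address and protected by an HMAC."""
    body = f"{user}|{client_ip}"
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def validate_smsession(token: Optional[str], client_ip: str) -> Optional[str]:
    """Return the user if the cookie verifies; with IP checking the bound address must match."""
    if not token or token == "NO":
        return None
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, bound_ip, tag = parts
    expected = hmac.new(SHARED_KEY, f"{user}|{bound_ip}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                       # tampered or forged cookie
    if PERSISTENT_IP_CHECK and bound_ip != client_ip:
        return None                       # cookie replayed from another address is rejected
    return user


class Browser:
    """Cookie jar keyed by cookie domain, plus the client's source address."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.jar: Dict[str, str] = {}     # cookie domain -> SMSESSION value

    def smsession_for(self, host: str) -> Optional[str]:
        for domain, value in self.jar.items():
            if ("." + host.lower()).endswith(domain):
                return value
        return None


def access(browser: Browser, host: str, credentials: Optional[str] = None) -> List[str]:
    """Walk one request through the handshake; the returned trace shows which branch ran."""
    trace: List[str] = []
    user = validate_smsession(browser.smsession_for(host), browser.ip)
    if user:
        trace.append(f"{host}: local SMSESSION valid for {user}, resource served")
        return trace
    if host != COOKIE_PROVIDER:
        # Steps 1-3: no usable local cookie, so redirect to SmMakeCookie.ccc on the provider.
        trace.append(f"{host}: no valid local cookie, redirect to {COOKIE_PROVIDER}")
        cp_token = browser.smsession_for(COOKIE_PROVIDER)
        user = validate_smsession(cp_token, browser.ip)
        if user and cp_token:
            # Provider already holds a session: copy it into the local cookie domain.
            browser.jar[cookie_domain(host, SCOPE)] = cp_token
            trace.append(f"{COOKIE_PROVIDER}: session found, set for {cookie_domain(host, SCOPE)}")
            trace.append(f"{host}: resource served for {user} without a challenge")
            return trace
        trace.append(f"{COOKIE_PROVIDER}: no session, SMSESSION=NO")
    # Step 4: the local agent challenges when the answer is NO (or when it is the provider itself).
    if credentials is None:
        trace.append(f"{host}: challenge for credentials")
        return trace
    # Steps 5-7: set the local cookie and the provider's cookie, then serve the resource.
    token = make_smsession(credentials, browser.ip)
    domains = sorted({cookie_domain(host, SCOPE), cookie_domain(COOKIE_PROVIDER, SCOPE)})
    for domain in domains:
        browser.jar[domain] = token
    trace.append(f"{host}: authenticated {credentials}, SMSESSION set for {', '.join(domains)}")
    trace.append(f"{host}: resource served")
    return trace


if __name__ == "__main__":
    b = Browser("10.0.0.5")                                   # constructed client address
    for line in access(b, COOKIE_PROVIDER, credentials="alice"):
        print(line)
    for line in access(b, "webwin.mysiteb.com"):              # second domain, no challenge
        print(line)
    thief = Browser("192.0.2.9")                              # same cookies, other address
    thief.jar = dict(b.jar)
    for line in access(thief, "webwin.mysiteb.com"):
        print(line)
```

Running it reproduces the Testing section: the first request to the cookie provider host is challenged and leaves an SMSESSION for .mysitea.com, the following request to webwin.mysiteb.com is served after the redirect to the provider with no second challenge, and a copy of the same cookie jar presented from another address is rejected by the IP check and challenged again, which is the property PersistentIPCheck is meant to give you.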
---------------------------------------------------------------------------------------------------------------------------------------------
Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.