1.

Explain the flow of multi-domain Single Sign-On?

Answer»

Multi-domain SSO gives users the ability to access more than one protected resource (URLs and applications) scattered across multiple DNS domains after a single authentication.

  • For multi-domain SSO to work, the Access Servers in all domains must use the same policy directory.
  • Multi-domain SSO works only with WebGates, not AccessGates.
  • Within each domain, every WebGate must be configured with the same “Primary HTTP Cookie Domain”, because the browser only returns the ObSSOCookie to hosts inside the domain it was set for.

In a multi-domain SSO environment, one web server (with a WebGate installed) must be designated as the “Primary Authentication Server”. The Primary Authentication Server is the central point for all authentications in the multi-domain environment. In general, the WebGate installed in the domain where the Access Server resides is designated as the primary authentication server.

Let's assume that the OAM components are installed on host1.domain1.com and that host1.domain1.com is designated as the primary authentication server.

  • host2.domain2.com has a WebGate (call it webgate2) installed.
  • A resource, abc.html, is protected with form-based authentication on host1.domain1.com.
  • A resource, xyz.html, is protected with Basic over LDAP authentication on host2.domain2.com.

The following steps describe how multi-domain SSO works:

  1. The user initiates a request for a web page from a browser.
  2. For instance, the request could be for host2.domain2.com/xyz.html.
  3. webgate2 (on host2.domain2.com) finds no valid ObSSOCookie for .domain2.com and redirects the user's browser to the primary authentication server. In this example, host1.domain1.com has been designated as the primary authentication server.
  4. The browser follows the redirect and sends the authentication request to the primary authentication server, host1.domain1.com.
  5. This request flows to the Access Server. The user logs in with the authentication scheme that protects the resource, and the ObSSOCookie is set for .domain1.com. The Access Server also generates a session token and a redirect URL, pointing back at the originally requested resource, that carries the ObSSOCookie value.
  6. The session token and the redirect URL carrying the ObSSOCookie are returned to the user's browser.
  7. The browser follows the redirect and presents the session token and ObSSOCookie to host2.domain2.com.
  8. webgate2 on host2.domain2.com validates the token, sets the ObSSOCookie for its own domain (.domain2.com) and satisfies the user's original request for host2.domain2.com/xyz.html. The user gets the resource.
  9. If, in the same browser session, the user then requests a page on host1.domain1.com, the resource is served without prompting for credentials, because an ObSSOCookie is already present for .domain1.com (see step 5).
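The nine steps above are a redirect-based protocol, and the part that trips people up is why the redirect is needed at all: a cookie set for .domain1.com is never sent to host2.domain2.com, so the only way to carry the session across the domain boundary is through the browser, with the token in the redirect URL. The following is an added example (not OAM code and not Oracle's API) that simulates that exchange end to end. The host names, the cookie jar, the `/login` endpoint, the `rh`/`rp` query parameters, the `ACCESS_SERVER_KEY` and the user directory are all constructed for the example; OAM's real token format and endpoints differ. Because the token travels in a URL as a bearer credential, the simulated primary server refuses to redirect to any host that is not a known WebGate host, and every WebGate verifies the token's MAC and expiry before trusting it.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed names for this example; none of these are OAM's.
PRIMARY = "host1.domain1.com"                    # the primary authentication server
WEBGATE_HOSTS = {"host1.domain1.com", "host2.domain2.com"}   # hosts that carry a WebGate
ACCESS_SERVER_KEY = b"constructed-shared-key"    # assumed key shared via the policy directory
USERS = {"alice": "s3cret"}                      # constructed stand-in for the user directory
COOKIE = "ObSSOCookie"


def cookie_domain(host):
    """'host2.domain2.com' -> '.domain2.com' (the WebGate's primary HTTP cookie domain)."""
    return "." + host.split(".", 1)[1]


class Browser:
    """Minimal cookie jar: a cookie is only sent to hosts inside the domain it was set for."""
    def __init__(self):
        self.jar = {}                            # domain -> {name: value}

    def cookies_for(self, host):
        out = {}
        for dom, cookies in self.jar.items():
            if host.endswith(dom):
                out.update(cookies)
        return out

    def set_cookie(self, domain, name, value):
        self.jar.setdefault(domain, {})[name] = value


def issue_token(user, ttl=300):
    """Access Server side: sign 'user|expiry' so any WebGate sharing the key can verify it."""
    body = f"{user}|{int(time.time()) + ttl}"
    mac = hmac.new(ACCESS_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_token(token):
    """Return the user name if the token is intact and unexpired, otherwise None."""
    try:
        user, exp, mac = token.split("|")
        body = f"{user}|{exp}"
        expected = hmac.new(ACCESS_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(mac, expected) and int(exp) > time.time():
            return user
    except ValueError:
        pass
    return None


def primary_auth(browser, query, user, password):
    """Steps 4-6: log the user in, set the cookie for the primary server's own domain,
    and bounce the browser back to the original resource with the token in the URL."""
    q = parse_qs(query)
    return_host, return_path = q.get("rh", [""])[0], q.get("rp", ["/"])[0]
    if return_host not in WEBGATE_HOSTS:         # otherwise this is an open redirect
        return ("400", "refusing to hand a token to an unknown host")
    if USERS.get(user) != password:
        return ("401", "bad credentials")
    token = issue_token(user)
    browser.set_cookie(cookie_domain(PRIMARY), COOKIE, token)            # step 5
    return ("302", f"https://{return_host}{return_path}?{urlencode({COOKIE: token})}")


def webgate(browser, url):
    """Steps 3 and 7-8: serve the resource, accept a token handed back by the
    primary server, or redirect the browser to the primary server."""
    parts = urlsplit(url)
    host, path, q = parts.hostname, parts.path, parse_qs(parts.query)
    if COOKIE in q:                                                       # step 7
        user = verify_token(q[COOKIE][0])
        if user is None:
            return ("403", "bad or expired token")
        browser.set_cookie(cookie_domain(host), COOKIE, q[COOKIE][0])    # step 8
        return ("200", f"{path} for {user}")
    user = verify_token(browser.cookies_for(host).get(COOKIE, ""))
    if user:                                                              # step 9
        return ("200", f"{path} for {user}")
    return ("302", f"https://{PRIMARY}/login?{urlencode({'rh': host, 'rp': path})}")  # step 3


def sso_flow(user="alice", password="s3cret"):
    """Walk the whole flow once; return the status codes seen and the cookie domains set."""
    b, trace = Browser(), []
    status, loc = webgate(b, "https://host2.domain2.com/xyz.html")       # steps 1-3
    trace.append(status)
    status, loc = primary_auth(b, urlsplit(loc).query, user, password)  # steps 4-6
    trace.append(status)
    status, _ = webgate(b, loc)                                          # steps 7-8
    trace.append(status)
    status, _ = webgate(b, "https://host1.domain1.com/abc.html")         # step 9
    trace.append(status)
    return trace, sorted(b.jar)


if __name__ == "__main__":
    print(sso_flow())      # (['302', '302', '200', '200'], ['.domain1.com', '.domain2.com'])
```

Running `sso_flow()` produces two redirects followed by two successful responses, and the browser ends up holding an ObSSOCookie for both .domain1.com and .domain2.com. A browser that only has the .domain1.com cookie is still redirected by webgate2, which is the whole reason the primary authentication server exists; a token whose user field has been edited fails the MAC check and is rejected with 403.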
