Symantec Access Management


Federation and SSO across different domains

  • 1.  Federation and SSO across different domains

    Posted Dec 11, 2015 06:07 AM

    Hi,

    I'd need to set up a federation between two providers, but they are in different domains.

    Is it possible to use a cookie provider even in this situation to ensure SSO between the two federated domains?

    Or is there another configuration that I could use?

     

    Thanks,

    Alex



  • 2.  Re: Federation and SSO across different domains

    Posted Dec 13, 2015 01:08 AM

    Hi AlessandroDiMassimo75351330,

     

    Federation enables single sign-on across partner Web sites in multiple domains, without a cookie provider. The IdP and SP are usually in different cookie domains.

     

    Federation addresses the following challenges:

    • Exchanging user information between partners in a secure fashion
    • Establishing a link between a user identity at a partner and a user identity in your company
    • Enabling single sign-on across partner Web sites in multiple domains
    • Handling different user session models between partner sites, such as single logout across all partner Web sites or separate sessions for each partner Web site
    • Controlling access to resources based on user information received from a partner
    • Interoperability across heterogeneous environments, such as Windows, UNIX operating systems and various Web servers, such as IIS, Sun Java System (formerly iPlanet/Sun ONE), and Apache


  • 3.  Re: Federation and SSO across different domains

    Posted Dec 14, 2015 06:35 AM

    Thanks a lot.

    My scenario is actually this: two environments in different domains but with same identity store

    - the first one is an SSO WAC SiteMinder environment in the domain *test1.com

    - the second is an SSO WAC SiteMinder environment in the domain *test2.com; in addition, also in the *test2.com domain, I have some other applications, not integrated with SSO WAC SiteMinder, but SAML2 compliant (I am going to federate these ones).

    I think that for the two SSO WAC SiteMinder environments I can use a cookie provider to allow SSO, but does SSO still work with the federated applications?

     

    thanks,

    Alex



  • 4.  Re: Federation and SSO across different domains

    Posted Dec 15, 2015 04:19 AM

    Hi AlessandroDiMassimo75351330

     

    Two SiteMinder environments with different cookie domains can be configured for single sign-on with a cookie provider.

    When the user attempts to federate later on, SiteMinder will validate the existing user session. If the user session is valid and the user is allowed to federate, SSO will continue.



  • 5.  Re: Federation and SSO across different domains

    Posted Dec 15, 2015 05:40 AM

    Hello wonsa03

     

    I have only one doubt about what I read in the federation documentation:

    "CA SiteMinder® and CA SiteMinder® Federation, which use the Web Agent Option Pack, do not support the use of the Cookie Provider for federated configurations."

    Is it another type of configuration?

     

    Thanks,

    Alex



  • 6.  Re: Federation and SSO across different domains

    Posted Dec 17, 2015 11:33 AM

    Ideally, within the organization it should be SSO and not federation. I would explore the opportunity of adding a Web Layer ahead of the SAML-compliant applications and have SSO implemented on the Web Layer to pass down HTTP headers to the application. Just my 1 cent to keep the solution simple.


    Regards

     

    Hubert



  • 7.  Re: Federation and SSO across different domains

    Posted May 22, 2016 02:27 PM

    HubertDennis and wonsa03

     

    Hi Guys,

    I have a very similar requirement to be fulfilled, and I have to present a document on the feasibility. Here is my scenario.

     

    I have two SiteMinder environments with different keystores and the same user store, with the second SiteMinder having an additional user store. The domain doesn't change; it's test.com for both SiteMinder environments. However, both have different sets of applications, according to the client's requirements.

     

    Use Case:

    The user logs into an application in the first environment and then clicks on a link which takes them to the second SiteMinder environment. Will the user be authenticated and authorized with the same cookie? Obviously it won't, since the key store is different.

     

    Solutions I provided:

    • Do a cross-domain setup for this application
    • Federation from the first to the second
    • Integrate the applications from the second into the first and eliminate one SiteMinder, which would reduce a lot of hassle

     

    My queries are:

    • If I have to do Federation, how is it possible to make one of them the IdP and the other the SP, since both have the same user store?
    • Is it possible to do cross-domain?
    • Or how can the key be used manually when this application is accessed?
    • Or else, what other feasible solutions could I think of instead of the above, a simple and easy solution?



  • 8.  Re: Federation and SSO across different domains

    Posted May 26, 2016 09:44 AM

    Christie

     

    Here are my thoughts.

     

    I often see that the concept of Federation is misconstrued and misused. Ideally we federate across partners and organizations, and thus identities are stored in dissimilar stores.

    Based off the above premise, my effort would always be to see if this is within the same organization and then to avoid federation.

    I'm not much worried about cookie domains within an organization, as we could always mitigate that with a Cookie Provider.

    In terms of User Directory: when SiteMinder does SSO, it does verify that the authenticated User Directory matches. Hence if we authenticated against UD1 in Infrastructure-1, when we SSO to Infrastructure-2 the validation realm on Infrastructure-2 has to be associated with the same User Directory object (the UD name should match). You did mention that in Infrastructure-2 there'd be an additional User Directory object; in that case, unless we have Directory Mapping or Identity Mapping configured, SSO won't work. Hence for additional User Directories in Infrastructure-2 we'd need to consider a Directory Mapping or Identity Mapping solution.

    In terms of Keystore: if both infrastructures use Dynamic Keys, the best option would be to point Infrastructure-2's Policy Servers to the KeyStore of Infrastructure-1 on a weekend. The WebAgents would pick up the new keys during the PSPollInterval. At worst we may need to additionally recycle the WebAgents on Infrastructure-2 (or vice versa, i.e. point Infrastructure-1 to the Infrastructure-2 KeyStore).

    The other alternative for the KeyStore is to let both infrastructures point to their own keystores. We set static keys on both infrastructures. Already logged-in users may be thrown out, because once we set static keys, every key in the keystore is overwritten by the static value (i.e. Previous Key, Current Key, etc.). WebAgents should pick up the updated keys in the PSPollInterval. At worst we may need to additionally recycle the WebAgents.

    Most important, do this in a preprod environment. Test out the change steps. Test the applications. Then production.

    Bottom line: though Federation looks like a favorable option, I'd also look at moving the solution into a standard SSO space, as within an organization we should look at consolidating identities under a single roof as far as possible (Federation, on the other hand, is for disjoint identity / organization structures).


    Regards

     

    Hubert
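    As an added example (my own simplified model, not SiteMinder's code or documentation) serving the two points raised in replies 4 and 8: a browser cookie jar keyed by cookie domain, a session token bound to an environment's agent key, and an assumed cookie-provider hop. It shows why a cookie set for test1.com never reaches test2.com on its own, how a cookie provider bridges that, and why the bridged session still fails when the second environment validates it under a different key; the host names, key values and token format are constructed.

```python
import base64, hashlib, hmac, json

def mint_session(user, agent_key):
    """Session token: base64 payload plus HMAC under the environment's agent key (a model, not SMSESSION)."""
    payload = base64.urlsafe_b64encode(json.dumps({"user": user}).encode()).decode()
    tag = hmac.new(agent_key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def validate_session(token, agent_key):
    """Return the user name if the token was minted under agent_key, otherwise None."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(agent_key, payload.encode(), hashlib.sha256).hexdigest()
    if not payload or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["user"]

class Browser:
    """Cookie jar keyed by cookie domain: a cookie set for test1.com is never sent to test2.com."""
    def __init__(self):
        self.jar = {}
    def cookie_for(self, host):
        return next((v for d, v in self.jar.items() if host == d or host.endswith("." + d)), None)

def login(browser, domain, user, agent_key):
    """The agent authenticates the user and sets the session cookie for its own cookie domain."""
    browser.jar[domain] = mint_session(user, agent_key)

def access(browser, host, domain, agent_key, cookie_provider=None):
    """Web Agent on `host` looks for a session; returns (user, came_via_cookie_provider).
    Assumed, simplified handshake: with no cookie for this host the agent bounces the browser to the
    cookie provider host, which returns the session held in its own domain; the agent copies it into
    its own domain and then validates it with its own agent key."""
    token, via_provider = browser.cookie_for(host), False
    if token is None and cookie_provider:
        token = browser.cookie_for(cookie_provider)
        via_provider = token is not None
        if token is not None:
            browser.jar[domain] = token
    if token is None:
        return None, via_provider
    return validate_session(token, agent_key), via_provider

def demo():
    """Three cases from the thread: no bridge, cookie provider with shared keys, and with separate keys."""
    key1, key2 = b"env1-agent-key", b"env2-agent-key"   # constructed sample keys
    b = Browser()
    login(b, "test1.com", "alex", key1)
    no_bridge = access(b, "app.test2.com", "test2.com", key1)                # (None, False)
    shared = access(b, "app.test2.com", "test2.com", key1, "cp.test1.com")   # ("alex", True)
    b2 = Browser()
    login(b2, "test1.com", "alex", key1)
    separate = access(b2, "app.test2.com", "test2.com", key2, "cp.test1.com")  # (None, True)
    return no_bridge, shared, separate
```

    The third case is the situation described in reply 7: the cookie provider hands the session over, but an environment pointed at a different keystore cannot validate it, which is why reply 8 suggests sharing one keystore or setting matching static keys.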



  • 9.  Re: Federation and SSO across different domains

    Posted Jan 03, 2018 05:31 AM

    Hi All...

     

    I went through the conversation. Guys, I am trying to configure cross-domain SSO.

    Can anybody guide me towards any CA doc or knowledge base article?

    Thanks,

    Regards!



  • 10.  Re: Federation and SSO across different domains

    Posted Jan 03, 2018 08:14 AM

    Hi Deb, 

     

    Refer to the link below, which will help you with this requirement:

     

    Single Sign-On Cookie Domains and Web Agents - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Regards,

    Ram



  • 11.  Re: Federation and SSO across different domains

    Posted Jan 03, 2018 08:37 AM

    Is there any document which captures the steps to be followed? I mean the configuration steps from an Admin UI perspective.