Customize SSO configuration using LTPA cookies for the Liberty profile
With single sign-on (SSO) configuration support, when Liberty profile servers share the same LTPA keys, web users can authenticate once when accessing Liberty profile resources such as:
- HTML
- JSP files
- Servlets
Example
When a user successfully authenticates on one of the Liberty profile servers, the server generates authentication information that is transported to the web browser in a cookie. The cookie is propagated to other Liberty profile servers.
The default name of the cookie that stores the SSO token is ltpaToken2. We can customize the cookie name using the ssoCookieName attribute of the <webAppSecurity> element. All the servers that participate in SSO must use the same cookie name.
To log the user out after the HTTP session expires and to set the name of the SSO cookie to myCookieName:
<webAppSecurity logoutOnHttpSessionExpire="true" ssoCookieName="myCookieName" />
For SSO to work across Liberty servers, full profile servers, or both, the following requirements must be met:
- The servers must use the same LTPA keys and share the same user registry.
- If the servers are not in the same domain, use the ssoDomainNames attribute of the <webAppSecurity> element to list the domains. The following example code sets the domain name to domain.com:
<webAppSecurity ssoDomainNames="domain.com" />
- If the servers are in the same domain, set the ssoUseDomainFromURL attribute of the <webAppSecurity> element to true, or specify the domain name in the ssoDomainNames attribute. The following example code sets ssoUseDomainFromURL to true so the domain name is taken from the request URL:
<webAppSecurity ssoUseDomainFromURL="true" />
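The requirements above can be checked before deployment. The following is an added example, not part of the original documentation: it reads the <webAppSecurity> element from each participating server's server.xml and reports a cookie name mismatch or a missing cookie domain setting. The server names, the sample configurations and the function names are constructed for illustration, and the script assumes that repeated <webAppSecurity> elements are merged with the last value winning.

```python
import xml.etree.ElementTree as ET

DEFAULT_COOKIE = "ltpaToken2"  # default SSO cookie name stated in the text


def sso_settings(server_xml: str) -> dict:
    """Extract the SSO-related <webAppSecurity> attributes from one server.xml."""
    root = ET.fromstring(server_xml)
    merged = {}
    for elem in root.iter("webAppSecurity"):
        merged.update(elem.attrib)  # assumption: repeated elements merge, last wins
    return {
        "cookie": merged.get("ssoCookieName", DEFAULT_COOKIE),
        "domains": merged.get("ssoDomainNames", ""),
        "domain_from_url": merged.get("ssoUseDomainFromURL", "false").lower() == "true",
    }


def check_sso_consistency(configs: dict) -> list:
    """Return findings for settings that would break SSO across the servers."""
    findings = []
    parsed = {name: sso_settings(xml) for name, xml in configs.items()}
    # Every participating server must use the same SSO cookie name.
    if len({s["cookie"] for s in parsed.values()}) > 1:
        findings.append("cookie name mismatch: " + ", ".join(
            f"{n}={s['cookie']}" for n, s in sorted(parsed.items())))
    # Each server needs ssoDomainNames or ssoUseDomainFromURL="true".
    for name, s in sorted(parsed.items()):
        if not s["domains"] and not s["domain_from_url"]:
            findings.append(
                f"{name}: neither ssoDomainNames nor ssoUseDomainFromURL is set")
    return findings


# Constructed sample configurations (not taken from a real deployment).
SAMPLE = {
    "serverA": '<server><webAppSecurity ssoCookieName="myCookieName" '
               'ssoDomainNames="domain.com" /></server>',
    "serverB": '<server><webAppSecurity ssoUseDomainFromURL="true" /></server>',
    "serverC": '<server><webAppSecurity ssoCookieName="myCookieName" /></server>',
}

if __name__ == "__main__":
    for finding in check_sso_consistency(SAMPLE):
        print(finding)
```

The script does not verify that the servers share the same LTPA keys and user registry; that requirement has to be checked separately.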