Cross-domain single signon overview

Cross-domain single signon (sometimes referred to as CDSSO) provides a default mechanism for transferring user credentials between unique servers and domains. CDSSO allows Web users to perform a single signon and then move seamlessly between two separate secure domains when requesting a resource. The CDSSO authentication mechanism does not rely on a master authentication server, or MAS (see E-community single signon).

CDSSO supports the goals of a scalable network architecture by allowing the integration of multiple secure domains. For example, a large corporate extranet can be set up with two or more unique domains, each with its own users and object space. CDSSO allows users to move between the domains with a single signon.

When a user requests a resource located in another domain, the CDSSO mechanism transfers an encrypted user identity token from the first domain to the second domain. The identity information in this token indicates to the receiving domain that the user has successfully authenticated in the first domain. The token does not contain any password information. The receiving server uses this token to build credentials in its own cache for that user, so the user is not forced to perform an additional login.
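The exchange described above, as an added example that is not the product's own code or token format: the issuing domain seals an identity (user name, issuing domain, issue time, and no password) under a key shared by both domains, and the receiving domain decrypts it, checks that it came from a trusted domain and is still fresh, and only then builds a credential in its own cache. The token layout, the use of AES-256-GCM, the domain names, and the freshness window are all assumptions chosen for this example; a real deployment distributes the shared key out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// identityToken is the payload carried from the first domain to the second.
// Constructed for this example (not the product's format): it names the user
// and the issuing domain and never carries a password.
type identityToken struct {
	User     string `json:"user"`
	Issuer   string `json:"issuer"`
	IssuedAt int64  `json:"iat"`
}

// Credential is what the receiving domain builds in its own cache once it
// accepts a token, so the user is not asked to log in again.
type Credential struct {
	User          string
	HomeDomain    string
	Authenticated bool
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken is the issuing domain's side: encrypt the identity under the shared
// key. Output is URL-safe base64 of nonce||ciphertext so it can ride in a redirect.
func SealToken(key []byte, user, issuer string, now time.Time) (string, error) {
	plain, err := json.Marshal(identityToken{User: user, Issuer: issuer, IssuedAt: now.Unix()})
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}

// OpenToken is the receiving domain's side: decrypt (GCM also detects tampering),
// accept only a fresh token from a trusted issuing domain, then build a credential.
func OpenToken(key []byte, encoded, trustedIssuer string, now time.Time, maxAge time.Duration) (*Credential, error) {
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return nil, errors.New("token too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return nil, errors.New("token rejected: wrong key or tampered")
	}
	var tok identityToken
	if err := json.Unmarshal(plain, &tok); err != nil {
		return nil, err
	}
	if tok.Issuer != trustedIssuer {
		return nil, errors.New("token rejected: untrusted issuing domain")
	}
	age := now.Sub(time.Unix(tok.IssuedAt, 0))
	if age < 0 || age > maxAge {
		return nil, errors.New("token rejected: expired or clock skew too large")
	}
	return &Credential{User: tok.User, HomeDomain: tok.Issuer, Authenticated: true}, nil
}

func main() {
	key := make([]byte, 32) // constructed shared key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := SealToken(key, "alice", "domainA.example", now)                 // issued by domain A after login
	cred, err := OpenToken(key, tok, "domainA.example", now, 2*time.Minute) // accepted by domain B, no second login
	fmt.Println(cred, err)
}
```

The freshness check is what keeps a captured token from being useful indefinitely, and binding acceptance to a named issuing domain means a token minted by any other key holder is refused even when the key is the same; a production deployment would keep the window short and log every rejection reason separately so that key mismatches, clock drift and tampering are distinguishable in the receiving domain's audit trail.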

Parent topic: Cross-domain single signon concepts