Cross-domain single sign-on with virtual hosts

Use the cross-domain single sign-on (CDSSO) feature to perform single sign-on between multiple virtual hosts on a single WebSEAL instance.

All virtual hosts on a WebSEAL instance share that instance's configuration file. As a result, cross-domain single sign-on with virtual hosts has certain configuration limitations.

Cross-domain single sign-on configuration does not allow per-domain single sign-on keys in environments where multiple virtual hosts support different domains. All virtual hosts associated with the WebSEAL instance must share the single [cdsso-peers] stanza used for key configuration. Therefore, the virtual hosts must share one common key for each peer domain they communicate with.

In the following example, two virtual hosts reside on a single WebSEAL instance:

Both domains are owned by separate entities, and each entity has its own CDSSO arrangement with another WebSEAL server, c.c.com. Ideally, a.a.com and b.b.com would each use a separate key for single sign-on with c.c.com. The ideal configuration would appear as follows:

This configuration is not possible on a single WebSEAL instance that hosts both the a.a.com and b.b.com virtual hosts, because the [cdsso-peers] stanza allows only one key to be specified for a given target domain.

The only configuration allowed forces both a.a.com and b.b.com to use the same key. For example:

Each owner of the a.a.com and b.b.com domains must accept the condition that they share the key.

In addition, because the same key protects the single sign-on exchange for both domains, a compromise of that one key compromises both a.a.com and b.b.com.
