E-community features and requirements
- The ECSSO model supports access using direct URLs (bookmarks) to resources. This feature contrasts with the cross-domain single signon (CDSSO) model, which relies on a specially configured pkmscdsso link (see Cross-domain single signon concepts).
- All users who participate in the e-community authenticate against a single master authentication server (MAS) located in the "home" domain.
- The e-community implementation allows for "local" authentication if the user does not have a valid account with the MAS (for example, users who belong to domain B but do not participate in the domain A-domain B e-community, where domain A is the "home" domain).
- Unless WebSEAL is configured to handle authentication failure at the MAS, a user who fails authentication with the MAS when requesting a resource in a non-MAS (but participating) domain is given the option to authenticate to the local server where the request is being made.
- The MAS (and eventually other selected servers in the remote domains) "vouches for" the user's authenticated identity.
- Domain-specific cookies are used to identify the server that can provide vouch-for services. Domain cookies allow servers in a remote domain to request vouch-for information locally. The encrypted contents of e-community cookies do not contain user identity or security information.
- Special tokens are used to pass the encrypted "vouched for" user identity. The vouch-for token does not contain actual user authentication information (such as a password). Integrity is provided by a shared secret key (triple-DES). The token contains a timeout (lifetime) value to limit the duration of the token's validity.
- WebSEAL provides a configuration option that, when enabled, permits only the MAS to generate "vouch-for" tokens.
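The following Python simulation is an added illustration of the vouch-for token lifecycle listed above; it is not WebSEAL code and does not reproduce WebSEAL's token or cookie format. Because the standard library has no triple-DES, token integrity is modelled with an HMAC under a shared secret; the hostnames, cookie name and claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the shared secret is distributed out of band to every
# participating server; MAS is the assumed hostname of the master
# authentication server in the "home" domain.
SHARED_KEY = b"constructed-shared-secret"
MAS = "mas.domaina.example"
TAG_LEN = 32  # HMAC-SHA256 output length

def make_vouch_for_token(issuer, user, lifetime_s, now=None, key=SHARED_KEY):
    """Issuer vouches for `user`: the token carries identity, issuer and an
    expiry, never the user's credentials. HMAC stands in for triple-DES."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": user, "exp": now + lifetime_s}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def verify_vouch_for_token(token, mas_only, now=None, key=SHARED_KEY):
    """Receiving server's checks: integrity under the shared key, lifetime
    not exceeded, and (when the MAS-only option is enabled) MAS issuer.
    Returns (user, "ok") or (None, reason)."""
    now = time.time() if now is None else now
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad integrity"
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None, "expired"
    if mas_only and claims["iss"] != MAS:
        return None, "issuer is not the MAS"
    return claims["sub"], "ok"

def vouch_for_server(cookies, domain):
    """The domain cookie (assumed name) only names the server that can vouch
    locally; it holds no user identity. Fall back to the MAS if absent."""
    return cookies.get(f"ecsso-vouch-server-{domain}", MAS)
```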