CDSSO conditions and requirements
- All WebSEAL servers participating in CDSSO must have machine times synchronized. Authentication between servers can fail when machine time differences are too great.
- For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment. If any host name does not include a domain, CDSSO cannot be enabled and an error message is logged in msg_webseald.log. When setting up a CDSSO environment, ensure the machine-specific networking setup for each participating server is configured to identify the server with a fully qualified host name.
- Because some WebSEAL configuration requires machine host names to be written as fully qualified host names, the system and network must be able to resolve machine names into fully qualified host names. Fully qualified host names also allow several host names (IP addresses) per machine, as when multiple WebSEAL instances run on one host.
- Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments. Always generate unique key pairs for each CDSSO environment.
- Resolving machine names: CDSSO can be unintentionally disabled at WebSEAL startup when the machine itself is not configured to resolve machine names into fully qualified host names.
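The following pre-flight check is an added example, not IBM tooling or text from this topic: it tests the three conditions above (fully qualified host names, clock synchronization, unique key pairs per environment) against constructed inventory data. The 30-second skew tolerance, the host names, clocks and key-pair fingerprints are all assumed sample values.

```python
"""Pre-flight checks for the CDSSO conditions (constructed example, not IBM code)."""
import re
from datetime import datetime, timedelta, timezone

# RFC 1123 host label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_SKEW = timedelta(seconds=30)  # assumed tolerance, not a documented WebSEAL value


def is_fully_qualified(host: str) -> bool:
    """True when the name has a host label plus at least one domain label and every
    label is syntactically valid. A bare 'webseal2' fails, which is the case that
    stops CDSSO from being enabled."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def clock_skew_violations(clocks, reference, max_skew=MAX_SKEW):
    """Hosts whose reported time differs from the reference by more than max_skew."""
    return sorted(h for h, t in clocks.items() if abs(t - reference) > max_skew)


def reused_key_pairs(env_keys):
    """Key-pair fingerprints used by more than one CDSSO environment -> those environments."""
    seen = {}
    for env, fingerprint in env_keys.items():
        seen.setdefault(fingerprint, []).append(env)
    return {fp: sorted(envs) for fp, envs in seen.items() if len(envs) > 1}


def cdsso_readiness(hosts, clocks, reference, env_keys):
    """Every finding that would block or break CDSSO; an empty list means ready."""
    findings = [f"{h}: host name is not fully qualified" for h in hosts if not is_fully_qualified(h)]
    findings += [f"{h}: clock skew exceeds {MAX_SKEW.total_seconds():.0f}s"
                 for h in clock_skew_violations(clocks, reference)]
    findings += [f"key pair {fp} reused by environments {', '.join(envs)}"
                 for fp, envs in reused_key_pairs(env_keys).items()]
    return findings


# Constructed sample inventory: one host lacks a domain and has drifted two minutes,
# and two environments share a key pair.
REFERENCE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
HOSTS = ["webseal1.example.com", "webseal2"]
CLOCKS = {"webseal1.example.com": REFERENCE + timedelta(seconds=5),
          "webseal2": REFERENCE - timedelta(minutes=2)}
ENV_KEYS = {"cdsso-prod": "fp-aaaa", "cdsso-test": "fp-aaaa", "cdsso-dev": "fp-bbbb"}

if __name__ == "__main__":
    for finding in cdsso_readiness(HOSTS, CLOCKS, REFERENCE, ENV_KEYS):
        print(finding)
```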
Parent topic: Configuration of cross-domain single signon