E-community conditions and requirements
- The e-community implementation requires a consistent configuration across all WebSEAL servers in all domains participating in the e-community.
- For e-community to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment. If any host name does not include a domain, e-community cannot be enabled and an error message is logged in msg_webseald.log. When setting up an e-community environment, ensure the machine-specific networking setup for each participating server is configured to identify the server with a fully qualified host name.
- All WebSEAL servers participating in e-community must have machine times synchronized. Authentication between servers can fail when machine time differences are too great.
- The e-community implementation is supported on both HTTP and HTTPS.
- Individual e-community domains manage their own user identities and associated privileges. We can use the Cross-domain Mapping Function (CDMF) API to map a user from a remote domain to a valid user in the local domain.
If the e-community domains share global user identities, those users could be distinguished by different passwords in the different domains. For example, a user "abc" can exist in both domain A and domain B, using different passwords for each domain.
- Configuration for e-community is set in the WebSEAL configuration file of each participating WebSEAL server.
- If the originally requested URL is not redirected back to the browser from the MAS (or vouch-for server), there could be a problem with page caching if the browser is Microsoft Internet Explorer. If this is the case, configure the browser to always check for newer versions of stored pages:
Tools > Internet Options > General > Temporary Internet Files > Settings
- Do not configure the MAS server on the same interface (IP address) of another participating WebSEAL instance.
- Because some WebSEAL configuration requires host names to be specified as fully qualified host names, we must ensure the system and network can resolve machine names into fully qualified host names. Fully qualified host names also allow a single machine to carry several host names, each with its own IP address, as in the case of multiple WebSEAL instances.
- Resolving machine names in an e-community environment: e-community can be disabled at WebSEAL startup if the machine itself is not adequately configured to resolve machine names into fully qualified host names.
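The following preflight script is an added example, not code from the WebSEAL documentation or product. It checks three of the conditions in the list above against a constructed inventory of participating servers: that every host name includes a domain part (the condition that otherwise disables e-community at startup), that the MAS does not share an interface address with another participating instance, and that clock skew between participants stays within a tolerance. The inventory values, the 300-second tolerance and the function names are assumptions for illustration; WebSEAL's own skew limit is not stated on this page.

```python
"""Preflight checks for the e-community conditions listed above.

Added example, not part of the WebSEAL documentation or product. The
inventory, the 300-second skew tolerance and the function names are
assumptions chosen for illustration.
"""
import re
from datetime import datetime, timezone

# RFC 1123 host label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fully_qualified(name: str) -> bool:
    """True if name is a syntactically valid host name that includes a domain part.

    WebSEAL refuses to enable e-community when a participating host name has
    no domain, so a bare short name such as "webseal2" must fail here.
    """
    name = name.rstrip(".")          # a trailing dot is the DNS root, not a label
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:              # no domain component at all
        return False
    return all(_LABEL.match(label) for label in labels)


def max_clock_skew_seconds(clocks: dict) -> float:
    """Largest pairwise difference, in seconds, between the reported clocks."""
    stamps = [t.timestamp() for t in clocks.values()]
    return max(stamps) - min(stamps) if stamps else 0.0


def preflight(inventory: dict, mas: str, max_skew_seconds: float = 300.0) -> list:
    """Return human-readable findings; an empty list means every check passed.

    inventory maps each participating WebSEAL host name to a dict holding the
    interface address it listens on ("ip") and its reported clock ("time").
    """
    findings = []
    for host in inventory:
        if not is_fully_qualified(host):
            findings.append(f"{host}: not a fully qualified host name")
    if mas not in inventory:
        findings.append(f"{mas}: MAS is not in the participant inventory")
    else:
        mas_ip = inventory[mas]["ip"]
        for host, info in inventory.items():
            if host != mas and info["ip"] == mas_ip:
                findings.append(f"{host}: shares interface {mas_ip} with the MAS {mas}")
    skew = max_clock_skew_seconds({h: i["time"] for h, i in inventory.items()})
    if skew > max_skew_seconds:
        findings.append(f"clock skew of {skew:.0f}s exceeds {max_skew_seconds:.0f}s tolerance")
    return findings


# Constructed inventory (not real hosts): a MAS, one clean participant, one
# with a bare short name, one colliding with the MAS interface, and one whose
# clock is 20 minutes ahead of the others.
SAMPLE_INVENTORY = {
    "mas.domain-a.example": {"ip": "192.0.2.10", "time": datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)},
    "webseal1.domain-b.example": {"ip": "192.0.2.20", "time": datetime(2024, 1, 1, 12, 0, 5, tzinfo=timezone.utc)},
    "webseal2": {"ip": "192.0.2.30", "time": datetime(2024, 1, 1, 12, 0, 1, tzinfo=timezone.utc)},
    "webseal3.domain-a.example": {"ip": "192.0.2.10", "time": datetime(2024, 1, 1, 12, 0, 2, tzinfo=timezone.utc)},
    "webseal4.domain-c.example": {"ip": "192.0.2.40", "time": datetime(2024, 1, 1, 12, 20, 0, tzinfo=timezone.utc)},
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_INVENTORY, mas="mas.domain-a.example"):
        print("FAIL:", finding)
```

Run against the constructed inventory, the script reports the short name `webseal2`, the interface `webseal3.domain-a.example` shares with the MAS, and the 1200-second skew. In a real deployment, feed it the host names exactly as they appear in each participating server's configuration file, since that is the form WebSEAL checks for a domain component at startup.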
Parent topic: Configuration of e-community single sign-on