Limiting the ability to generate vouch-for tokens

The WebSEAL configuration file includes an optional parameter that lets you restrict the generation of vouch-for tokens to the MAS. The disable-ec-cookie option in the e-community-sso stanza is set to no by default. Changing the value of this option to yes disables the use of the e-community cookie and permits only the MAS to generate vouch-for tokens. In this case, the single signon process always uses the MAS, which allows the MAS to detect all hosts that sign on across the e-community. This option is useful for customers who want to construct a customized ECSSO signoff process. For information on a customized single signoff process, see Logout using pkmslogout-nomas.
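The following check is an added example, not part of the product documentation: it reads WebSEAL configuration text and reports whether disable-ec-cookie is set to yes in the e-community-sso stanza, treating a missing or commented-out entry as the default no. The sample configuration text, the instance names and the function names are constructed for illustration, and the parser assumes a plain `[stanza]` / `key = value` layout with `#` comment lines.

```python
import re

# Constructed sample configuration text (not taken from a real deployment).
SAMPLE_DEFAULT = """\
[e-community-sso]
# disable-ec-cookie = yes
"""

SAMPLE_MAS_ONLY = """\
[other-stanza]
disable-ec-cookie = no

[e-community-sso]
disable-ec-cookie = yes
"""

STANZA = "e-community-sso"
OPTION = "disable-ec-cookie"


def ec_cookie_disabled(conf_text):
    """Return True only if [e-community-sso] sets disable-ec-cookie = yes."""
    stanza = None
    value = "no"  # documented default when the entry is absent
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stanza = header.group(1).strip()
            continue
        key, sep, val = line.partition("=")
        # Only an entry inside the e-community-sso stanza counts.
        if sep and stanza == STANZA and key.strip() == OPTION:
            value = val.strip()
    # Strict comparison: anything other than a literal "yes" is reported.
    return value == "yes"


def instances_using_ec_cookie(configs):
    """Given {instance name: config text}, list instances left at 'no'."""
    return sorted(n for n, text in configs.items() if not ec_cookie_disabled(text))


if __name__ == "__main__":
    fleet = {"webseal-a": SAMPLE_DEFAULT, "webseal-b": SAMPLE_MAS_ONLY}
    print("e-community cookie still enabled on:", instances_using_ec_cookie(fleet))
```

Instances the check lists are still using the e-community cookie, so their sign-ons do not all pass through the MAS.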
