SSO does not work across multiple domains
 Technote (troubleshooting)
 
Problem(Abstract)
Even though SSO is enabled with multiple domain names, authentication to both domains is required.
 
Cause
According to the IBM® WebSphere® Application Server Information Center, you can specify multiple domains separated by a semicolon (;), a space ( ), a comma (,), or a pipe (|).


Even after specifying both domains in the SSO settings, such as "ibm.com;test.com", authentication to both domains is still required.

This is because the domains are different. Single sign-on is cookie-based, and cookies are only valid in the domain for which they are issued. They can only be issued for a single domain. RFC 2109 provides more details about how cookies work.

 
Resolving the problem
You can have multiple domains configured, but a login to one is not valid in the other domain unless one domain is a sub-domain of the other.
Note: The idea here of WebSphere Application Server allowing multiple domains is to allow a single server to issue cookies for more than one domain instead of limiting it to one. This way the same server can be used for both domains.
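As an added illustration (not IBM's code and not WebSphere Application Server's actual implementation), the following Python models the domain-scoping rule described above: it splits a multi-domain SSO setting on the separators the Information Center lists, picks the configured domain a request host falls under (the longest-match selection rule is an assumption), and shows that a cookie issued for one domain is accepted only by hosts in that domain or its sub-domains.

```python
import re
from typing import List, Optional


def parse_sso_domains(setting: str) -> List[str]:
    """Split an SSO domain-name setting on the documented separators.

    The technote quotes ';', ' ', ',' and '|' as accepted separators.
    Domains are lowercased and stripped of a leading dot for comparison.
    """
    return [d.lower().lstrip(".") for d in re.split(r"[;,| ]+", setting) if d]


def domain_matches(host: str, domain: str) -> bool:
    """RFC 2109-style domain match: the host equals the domain, or the host
    is a sub-domain of it (it ends with '.' + domain). Illustration only."""
    host, domain = host.lower().rstrip("."), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_domain_for(host: str, setting: str) -> Optional[str]:
    """Pick the configured domain the server would scope the SSO cookie to.

    Hypothetical selection rule: the longest configured domain the request
    host belongs to. None means no configured domain fits the host.
    """
    candidates = [d for d in parse_sso_domains(setting) if domain_matches(host, d)]
    return max(candidates, key=len) if candidates else None


def cookie_sent_to(cookie_domain: str, other_host: str) -> bool:
    """Would a browser send a cookie scoped to cookie_domain to other_host?"""
    return domain_matches(other_host, cookie_domain)


def demo() -> dict:
    # Constructed setting mirroring the technote's "ibm.com;test.com" example.
    setting = "ibm.com;test.com"
    issued = cookie_domain_for("app.ibm.com", setting)  # cookie scoped to ibm.com
    return {
        "issued_for": issued,
        # Same domain, different host: the cookie is presented, SSO works.
        "valid_on_sibling": cookie_sent_to(issued, "www.ibm.com"),
        # Different configured domain: the browser never sends it, so a
        # second login is required, which is the behaviour in the Problem.
        "valid_on_other": cookie_sent_to(issued, "portal.test.com"),
        # The same server issues a separate cookie for the second domain.
        "other_domain_issued": cookie_domain_for("portal.test.com", setting),
    }
```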
 
Related information
Information center: Single sign-on settings
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 6.0
Software edition:
Reference #: 1214442
IBM Group: Software Group
Modified date: Sep 18, 2007