Hi, at one of my customers we have an old SiteMinder infrastructure composed of a CA Secure Proxy Server, a Policy Server, and a Policy Store on CA Directory. The user store is an enterprise LDAP and is the same for both environments. All the applications are accessed behind the SPS.
We have installed a fresh infrastructure, with a new SPS, a new Policy Server and a new Policy Store; all the components are on new servers. The user store is the same as in the old environment.
The new policy store has been cloned from the old one. It means that we physically copied the data folder from dxserver in the old environment, and of course we used the same encryption key for both the old and the new Policy Server.
The two environments are working perfectly fine, but what surprised me is that we have SSO between them, even if they do NOT share a keystore and policy store; they only have the same cookie domain (dcc.it).
Once the user is authenticated and authorized to an application in the old environment (https://app1.old.dcc.it), it can move to the new environment (https://app1.new.dcc.it) without entering credentials (the new Policy Server just logs a ValidateAccept), so it is able to validate the session in some way.
The same happens if the user accesses the new environment first and then moves to the old one.
Is this the expected behaviour, or is it due to the policy store being cloned between the two environments?
Your setup is not uncommon for customers who want disparate environments with SSO.
In building your second environment you satisfied ALL SSO requirements; the keystore is part of your policy store, so the keys would be the same.
Required for SSO:
Hi Stephen, thank you for your reply.
So if I understood correctly, the keystore content is static. Otherwise, after the initial cloning of the keystore (embedded in the old policy store), the content should be different in the two environments and SSO should not be possible anymore. Is that right?
If you cloned the keys and the session ticket are the same = SSO until a rollover occurs in one of the environments. If you select dynamic rollover, the first time keys roll SSO will be lost. Customers that want disparate stores with SSO either share the same keystore OR use static keys.