Layer7 Access Management


Configuring SSO between two Different Domains

  • 1.  Configuring SSO between two Different Domains

    Posted 11-09-2016 01:58 PM

    Hi All,

    I am trying to test Single Sign On between an existing R12 and a newly built 12.52 SP2 environment. They are both in different domains: let's suppose R12 is a.com and 12.52 SP2 is b.com. We also have a separate policy store/key store for b.com.

    Done resetting the encryption key on 12.52 to match R12; weekly dynamic Agent Key rollover is set on R12.

    Questions:

    1. Do I have to wait for the Agent Key rollover to happen before I can test SSO between both environments?

    2. I understand that the agent key and session key have to be the same for SSO to work. Are they going to be updated after rollover, or do I need to manually assign them?

    3. Since they both are in different domains, what additional steps are required there?

    Thanks,

    DanishA 



  • 2.  Re: Configuring SSO between two Different Domains
    Best Answer

    Posted 11-09-2016 03:35 PM

    Hi, you will need to match a few things.


    1. encryption key

    2. agent keys (and session ticket key)

    3. user store name

    4. user store DN structure (and user DN)


    So you should make it look like it is the same(?) env.


    The keystore should be replicated between your a.com and b.com.

    And your a.com PS (R12) should generate agent keys.

    Your b.com PS (R12.52) should have "EnableKeyUpdate=1" in the registry.


    This forces your b.com PS to poll the keystore for changes.



  • 3.  Re: Configuring SSO between two Different Domains

    Posted 11-09-2016 03:47 PM

    Thanks! I will post the results.



  • 4.  Re: Configuring SSO between two Different Domains

    Posted 11-09-2016 03:53 PM

    Just wanted to clarify on Enable Key Update. Is it required if I have separate Key Stores?



  • 5.  Re: Configuring SSO between two Different Domains

    Posted 11-09-2016 04:06 PM

    Hi Danish,


    EnableKeyUpdate is required as long as there are multiple Policy Servers referencing disparate policy stores but sharing a central keystore.
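The best answer above lists the settings that have to agree between the two Policy Servers (encryption key, agent keys and session ticket key, user store name, user store DN structure, a shared keystore, and EnableKeyUpdate=1 on the Policy Server that does not generate the keys), and the last reply adds the condition under which EnableKeyUpdate is needed. The script below is an added example, not code from the thread or from Broadcom/CA: it compares two environment descriptions and reports which of those items still differ. The "key=value" text format, the two sample configurations, and every setting name except EnableKeyUpdate are constructed for this illustration and are not official SiteMinder configuration keys; the key material is represented by fingerprints only.

```python
"""Added example: compare two Policy Server environment descriptions and
report the mismatches that block cross-domain SSO per the thread's checklist.
Setting names (other than EnableKeyUpdate) and all values are constructed."""

# Constructed sample: the existing a.com R12 environment (key-generating PS).
CONFIG_A_COM = """\
# a.com - R12 Policy Server (constructed sample)
PolicyStoreId=ps-a
KeyStoreId=ks-central
EncryptionKeyFingerprint=3f9c-a1
AgentKeyFingerprint=7b22-c4
SessionTicketKeyFingerprint=9e10-d7
UserStoreName=CorpLDAP
UserStoreRootDN=ou=people,dc=corp,dc=example
EnableKeyUpdate=0
GeneratesAgentKeys=1
"""

# Constructed sample: the new b.com 12.52 SP2 environment, with its own policy
# store but pointed at the same central keystore as a.com.
CONFIG_B_COM = """\
# b.com - 12.52 SP2 Policy Server (constructed sample)
PolicyStoreId=ps-b
KeyStoreId=ks-central
EncryptionKeyFingerprint=3f9c-a1
AgentKeyFingerprint=51ee-0f
SessionTicketKeyFingerprint=9e10-d7
UserStoreName=CorpLDAP-New
UserStoreRootDN=ou=people,dc=corp,dc=example
EnableKeyUpdate=0
GeneratesAgentKeys=0
"""

# Items 1-4 of the best answer: (constructed setting name, label used in findings).
MUST_MATCH = [
    ("EncryptionKeyFingerprint", "encryption key"),
    ("AgentKeyFingerprint", "agent keys"),
    ("SessionTicketKeyFingerprint", "session ticket key"),
    ("UserStoreName", "user store name"),
    ("UserStoreRootDN", "user store DN structure"),
]


def parse_config(text):
    """Parse the constructed key=value format into a dict, skipping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_sso_alignment(primary, secondary):
    """Return a list of human-readable findings; an empty list means the two
    environments satisfy every item on the thread's checklist."""
    findings = []

    # Items 1-4: the values must be identical on both Policy Servers.
    for key, label in MUST_MATCH:
        if primary.get(key) != secondary.get(key):
            findings.append(
                f"{label} differs ({key}: {primary.get(key)!r} vs {secondary.get(key)!r})"
            )

    # The keystore must be shared (replicated) between the two environments.
    shared_keystore = primary.get("KeyStoreId") == secondary.get("KeyStoreId")
    if not shared_keystore:
        findings.append("keystore is not shared/replicated between the environments")

    # Last reply: separate policy stores + shared keystore => the non-generating
    # Policy Server needs EnableKeyUpdate=1 so it polls the keystore for rollovers.
    separate_policy_stores = primary.get("PolicyStoreId") != secondary.get("PolicyStoreId")
    if shared_keystore and separate_policy_stores and secondary.get("EnableKeyUpdate") != "1":
        findings.append("secondary Policy Server must set EnableKeyUpdate=1 to poll the shared keystore")

    # Only the primary (a.com) Policy Server should generate agent keys.
    if primary.get("GeneratesAgentKeys") != "1":
        findings.append("primary Policy Server is not configured to generate agent keys")
    if secondary.get("GeneratesAgentKeys") == "1":
        findings.append("secondary Policy Server must not also generate agent keys")

    return findings


def run_sample_check():
    """Compare the two constructed environments and return the findings."""
    return check_sso_alignment(parse_config(CONFIG_A_COM), parse_config(CONFIG_B_COM))


if __name__ == "__main__":
    for finding in run_sample_check():
        print("MISMATCH:", finding)
```

With the constructed samples, the check reports three findings: the agent key fingerprints differ (b.com has not yet picked up a.com's key), the user store names differ, and b.com's Policy Server still has EnableKeyUpdate=0 even though it uses its own policy store against the shared keystore. Once those three are corrected the list is empty, which is the state the best answer describes as making the two environments "look like the same env".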