Symantec Access Management

  • 1.  Single Sign-On Across Multiple Domains

    Posted Sep 09, 2010 11:01 AM
    I have different applications and resources on separate servers in different cookie domains. When I log in to the main site (cookiedomain=.a.gov) and go to another site (cookiedomain=.b.local) it asks me to log in again. If I move within the same cookie domain it works fine.

    How can I log in once and move between sites in different cookie domains without logging in again?

    Any help is appreciated.


  • 2.  RE: Single Sign-On Across Multiple Domains

    Posted Sep 09, 2010 11:07 AM
    Hi Sunil,

    If you have disparate policy servers and you want to have SSO between them, you need to make sure you have the following three requirements met:

    1) A common keystore
    2) The user directory name needs to be the same (the actual LDAP servers, of course, can be different.)
    3) The User DN of the user is the same

    Assuming you can meet all three of those requirements, you should be able to achieve your goal.

    -Steve


  • 3.  RE: Single Sign-On Across Multiple Domains

    Posted Aug 11, 2013 01:56 PM
    Why do we need to have the same user directory names for SSO to work between policy servers using different policy stores and user stores?


  • 4.  RE: Single Sign-On Across Multiple Domains

    Posted Sep 09, 2010 11:21 AM
    Sunil,

    I'm going to assume you don't have disparate policy stores and are using the same policy store for all your applications.

    If that's the case, what you are trying to do is quite simple. You need to specify a cookie provider; search for it in the documentation for more specifics.

    The basic idea is that when a request is intercepted by an agent in cookie domain a.com, the agent checks to see if there is a valid SMSESSION cookie; if not, it will check its config to determine if a cookie provider has been specified. If the cookie provider is cp.b.com, the agent will redirect the user to a special URL on cp.b.com to check and see if it has a session in that domain. If it finds a session in b.com, that session is translated back to a.com, the user is redirected back to a.com and the user gets in.

    The process is quite simple in concept as it only requires an entry in the agent configuration object of each agent to point them to the cookie provider.

    Jason


  • 5.  RE: Single Sign-On Across Multiple Domains

    Posted Sep 09, 2010 12:11 PM
    Hi Jason,

    You are right, I am using only one policy store for all. I have a first site with cookie domain "a.local" and a second site with cookie domain "a.gov". If I move between the sites it asks for a second login. If both cookie domains are the same it does not ask for a second login.

    These two sites will always have two different domains. Are you referring to any changes to the ACO to make this work?

    Thanks.


  • 6.  RE: Single Sign-On Across Multiple Domains

    Posted Sep 09, 2010 01:32 PM
    Sunil,

    Yes, I'm referring to setting the cookieprovider attribute in the agent conf object.

    So, for example, in an agent for a.gov set the cookieprovider to a server in a.local.

    Then when you log in to a.local and navigate to an a.gov site (where the agent has the cookieprovider specified), you will get SSO across the cookie domains. The same process will happen if you do the opposite.

    I would encourage you however to read the documentation on it.


  • 7.  RE: Single Sign-On Across Multiple Domains

    Posted Sep 17, 2010 09:22 AM
    Hi

    For Single Sign-On Across Multiple Domains you need to do the following:


    1. create two agents using siteminder administration console.
    2. create respective agent conf objects for the above agents with the below options
    ValidTargetDomain--> .a.local for the first ac object
    ValidTargetDomain-->.a.gov for the second ac object

    3. create realms, rules and responses according to your requirement.
    add the rules to the policy object.

    4. configure Web agent in the webserver as usual using the agent conf object.

    5. Now open the WebAgent.conf and add the below lines

    #agentname="<AgentName>, <IPAddress>"
    agentname="wa1,***.a.local"
    agentname="wa1,***.a.gov"

    #AgentConfigObject="ac1"

    NOTE: Comment out the AgentConfigObject line.

    6. In the /etc/hosts file, give your IP addresses to the hostnames:
    10.10.10.222 ***.a.local
    10.20.2.2 ***.a.local

    NOTE: ping ***.a.local (and ping ***.a.local) and check whether it is alive.

    7. Restart the webserver and verify.

    Revert back if there are any issues.

    Regards,
    MADHU


  • 8.  RE: Single Sign-On Across Multiple Domains
    Best Answer

    Posted Nov 11, 2011 10:18 AM
    Hi Sunil,

    The information you need to review is located in the Web Agent configuration guide.


    Below is the exact chapter:
    Web Agent Guide › Single Sign-On (SSO) › Single Sign-On Across Multiple Domains › Single Sign-On Across Multiple Cookie Domains

    You need to designate one domain as the master domain, for example a.gov in your case.

    So all other ACO objects in the environment that want to be part of the multi-domain SSO must define a.gov as their cookie provider.

    In the ACO, make sure the "CookieProvider" parameter is uncommented and points to

    http://server.a.gov:port/siteminderagent/SmMakeCookie.ccc

    Thanks,

    Bharath

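    The redirect chain Jason describes in reply 4 (agent finds no SMSESSION cookie, bounces the browser to the cookie provider in the master domain, gets the session handed back and sets it in its own cookie domain) and the CookieProvider setting Bharath names in reply 8 can be modelled in a few dozen lines. The following Python is an added illustration written for this thread, not SiteMinder code and not the real SmMakeCookie.ccc protocol: the Browser, Agent and CookieProvider classes, the TARGET query parameter, the session value "sess-123" and the provider URL are all constructed for the example. The provider also checks the bounce-back target against a list of allowed domains, mirroring the ValidTargetDomain parameter mentioned in reply 7, so that a session is never handed to a host outside the configured cookie domains.

```python
"""Simplified model of cross-cookie-domain SSO through a cookie provider.

Constructed illustration only: it follows the flow described in the thread
(agent -> cookie provider in the master domain -> back to the agent), not the
real SiteMinder wire protocol. All names and values below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

SESSION_COOKIE = "SMSESSION"


@dataclass
class Browser:
    """Cookie jar keyed by cookie domain, e.g. '.a.gov' -> {name: value}."""
    jar: dict = field(default_factory=dict)

    def cookies_for(self, host):
        """Cookies the browser would send to this host (domain-suffix match)."""
        found = {}
        for domain, cookies in self.jar.items():
            if host == domain.lstrip(".") or host.endswith(domain):
                found.update(cookies)
        return found

    def set_cookie(self, domain, name, value):
        self.jar.setdefault(domain, {})[name] = value


@dataclass
class Agent:
    """Web agent protecting one cookie domain (ACO values are assumed)."""
    host: str
    cookie_domain: str                # e.g. '.a.local'
    cookie_provider: Optional[str]    # provider URL in the master domain, or None

    def handle(self, browser, url, from_provider=None):
        """Return ('allow', url), ('redirect', provider_url) or ('login', url)."""
        if from_provider:  # session handed back by the cookie provider
            browser.set_cookie(self.cookie_domain, SESSION_COOKIE, from_provider)
            return ("allow", url)
        if SESSION_COOKIE in browser.cookies_for(self.host):
            return ("allow", url)
        if self.cookie_provider:
            return ("redirect", self.cookie_provider + "?" + urlencode({"TARGET": url}))
        return ("login", url)  # no session and no provider: local login challenge


@dataclass
class CookieProvider:
    """Master-domain endpoint that looks up the session and hands it back."""
    host: str
    cookie_domain: str
    valid_target_domains: tuple   # mirrors ValidTargetDomain from the thread

    def handle(self, browser, url):
        target = parse_qs(urlparse(url).query)["TARGET"][0]
        target_host = urlparse(target).hostname or ""
        # Refuse to bounce a session to a host outside the configured domains.
        if not any(target_host.endswith(d) for d in self.valid_target_domains):
            return ("deny", target)
        session = browser.cookies_for(self.host).get(SESSION_COOKIE)
        if session is None:
            return ("login", target)  # no session in the master domain either
        return ("redirect", target, session)


def sso_visit(browser, agent, provider, url):
    """Drive one visit through the redirect chain; return the final outcome."""
    outcome = agent.handle(browser, url)
    if outcome[0] != "redirect":
        return outcome[0]
    bounce = provider.handle(browser, outcome[1])
    if bounce[0] != "redirect":
        return bounce[0]
    return agent.handle(browser, bounce[1], from_provider=bounce[2])[0]


def demo():
    """Constructed scenario: log in at master domain a.gov, then visit a.local."""
    browser = Browser()
    provider = CookieProvider("cp.a.gov", ".a.gov", (".a.gov", ".a.local"))
    local_agent = Agent("app.a.local", ".a.local", "http://cp.a.gov/provider")
    isolated_agent = Agent("app.a.local", ".a.local", None)
    results = {}
    results["before_login"] = sso_visit(browser, local_agent, provider, "http://app.a.local/x")
    browser.set_cookie(".a.gov", SESSION_COOKIE, "sess-123")  # simulated login at a.gov
    results["no_provider"] = sso_visit(browser, isolated_agent, provider, "http://app.a.local/x")
    results["first_visit"] = sso_visit(browser, local_agent, provider, "http://app.a.local/x")
    results["second_visit"] = sso_visit(browser, local_agent, provider, "http://app.a.local/x")
    results["cookie_in_a_local"] = browser.jar.get(".a.local", {}).get(SESSION_COOKIE)
    bad = "http://cp.a.gov/provider?" + urlencode({"TARGET": "http://other.example/"})
    results["bad_target"] = provider.handle(browser, bad)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

    Running demo() shows the behaviour the thread describes: with no CookieProvider configured the a.local agent challenges for a login even though a.gov already holds a session, while with the provider set the first visit to a.local is redirected, picks up the session from a.gov and is allowed, and the second visit is allowed directly because the SMSESSION cookie now exists in the .a.local domain as well.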

  • 9.  RE: Single Sign-On Across Multiple Domains

    Posted Oct 11, 2012 02:29 PM
    Bharat,

    In our site we have an Apache web server, where we are using only one server which serves multiple applications. What this means is that we have only one ACO object and only one WebAgent.conf file, which has a bunch of application entries like

    AgentConfigObject="1-agent-conf"

    agentname="application1-company,application1.company.com"
    agentname="application2-company,application2.company.com"
    agentname="application3-company,application3.company.com"
    agentname="application4-company,application4.company.com"
    agentname="application5-company,application5.company.com"


    Now if I want to configure the same Apache instance for a different domain like application8.newcompany.com, how can I do that? What are the options that I have?

    Thanks in advance,
    Matheen