I have a question.
Suppose that there are 2 separate applications in the same cookie domain which authenticate against 2 different directories, i.e. LDAP and ODBC. A user who is present in both directories (i.e. same username and password) accesses the 1st application, which authenticates against LDAP. Would that user be able to SSO to the other application, which authenticates against ODBC? If yes, then how? And if no, then why?
In this use case let's consider the below:
1) Application 1 has default directory/Identity Mapping and is authenticating and authorizing against LDAP.
2) Application 2 has default directory/Identity Mapping and is authenticating and authorizing against ODBC.
3) The user accessing the application has the exact same username/unique identifier (i.e. UserID from login) and password in both directories.
4) The applications protected are of the same protection level and in the same cookie domain, and there is SSOTrust as well.
5) Now, if the user accesses Application 1 and is authenticated/authorized and SMSESSION is generated, could the same SMSESSION be used to access Application 2, or would the user get the login page again? If no, then why? And if yes, then how?
I think this query stems from Access for user LDAP and ODBC
For SSO to work across Policy Domains, a few things play a very vital role.
When we authenticate against Application-1, SM_USERSESSIONDIRNAME is set to the name of the UD (LDAP) which was used for successful authentication in Application-1.
When we traverse to Application-2, Policy Server would identify that the Policy Domain is set to authenticate only using ODBC and the incoming SMSESSION is tied to LDAP. Hence it will reject the SMSESSION and challenge you to log in again.
If you need SMSESSION (SM_USERSESSIONDIRNAME = LDAP) from Application-1 to succeed in Application-2, then you'll need to add LDAP as an Authentication UD in Application-2 and then create a DirMapping in Application-2 to authorize against ODBC. The same rule applies in reverse from Application-2 to Application-1.
HubertDennis, thank you for the clarification; it is really helpful. Yes, this does come from my previous query, and I was still in doubt regarding the outcome.