Symantec Access Management

  • 1.  Using IWA authentication scheme for different domain.

    Posted 07-21-2017 09:40 AM

    Hi All,


    Please share your ideas on the fastest way to implement this CA Single Sign-On task with respect to making the changes in the authentication scheme for a different domain. Please share all the necessary steps (DNS, ACO, etc.).


    1. Currently we have an IWA server (supporting IWA authentication for federation apps on a domain

    2. Now we want to use the same IWA server to extend IWA authentication functionality for a federation app on a different domain e.g.


    I would request the complete steps, as this is a very critical task for us.

  • 2.  Re: Using IWA authentication scheme for different domain.

    Broadcom Employee
    Posted 07-21-2017 09:37 PM

    Since it looks like you're referring to DNS domains and not Active Directory domains, you may not need to do anything to support your use case. The IWA auth scheme will automatically set a session cookie for the DNS domain that was in the user's request when the user was challenged for authentication. By default, this will mean no single sign-on between the two applications, because the user's session for one application will not be recognized by the other app. If you need SSO between the apps, you can configure a Cookie Provider, which establishes a trust within SiteMinder between the two domains such that when a user gets authenticated in one domain the user will automatically be given a session in the second domain.


    More info about sessions and DNS domains can be found here:
    Single Sign-On Cookie Domains and Web Agents - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 


    Full info for configuring a Cookie Provider, including a video, can be found here:
    Configure Web Agent Single Sign-On Settings - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation