This is an odd situation, but I wonder if someone can help solve this.
ISAM is an Identity Provider to multiple applications.
Each application has their own domain (e.g. app1.example.com and app2.acme.com), although both are domains that belong to the SAME organization.
They want a single sign-on solution, meaning if a user logs in to app1, he does not need to log in to app2. An important piece of information is that the same ISAM is shared between both domains.
Because of organization requirements, SAML, OAuth and OIDC cannot be used.
So, a user logs in on app1, and ISAM, as an IdP, validates and generates a Session Cookie.
The same user now tries to access app2, and the organization wants to provide the access without having the user log in again (single sign-on)!
The only way I can make this work is being able to share the session cookie between both domains.
Which means that app1 and app2 need to receive the same session cookie. A different alternative would have the user have multiple session cookies (one per domain).
I hope things are clear regarding the scenario.
ISAM, as an Identity Provider, generates the session cookies (one per domain).
A possible solution is to create a session cookie that could be sent to the user, and whenever he attempts to connect to App1 or App2, the browser would send the session cookie.
As you know, cookies are restricted by domain. So, the session cookie obtained from app1 would only be sent to .example.com domains. Likewise, the session cookie obtained from app2 would only be sent to .acme.com.
How can I change the cookies that are sent to the user's browser when ISAM generates the session cookies?
Can I have the reverse proxy generate the same cookie for multiple domains? One per app?
Is there any other solution?
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------
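As an added illustration of the domain restriction the question describes (this is not code from the post or from ISAM), the following Python script uses the standard library's http.cookiejar as a stand-in for a browser's cookie rules: a Set-Cookie for .acme.com returned by app1.example.com is dropped by the policy, while the accepted .example.com cookie is attached to requests for app1 but never to app2.acme.com. The cookie name, value and URLs are constructed for the example.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy

# Constructed URLs for the two applications named in the question.
APP1_LOGIN = "https://app1.example.com/login"
APP2_HOME = "https://app2.acme.com/"


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message appends, so repeats are kept

    def info(self):
        return self._headers


def store_login_cookies(jar, login_url, set_cookie_headers):
    """Feed Set-Cookie headers received from login_url into the jar as a browser would.

    Returns the domains of the cookies the policy accepted. A cookie whose Domain
    attribute does not cover the responding host is dropped, not stored.
    """
    request = urllib.request.Request(login_url)
    jar.extract_cookies(_Response(set_cookie_headers), request)
    return sorted(cookie.domain for cookie in jar)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def demo():
    jar = CookieJar(DefaultCookiePolicy())
    # Constructed sample: the IdP, answering on app1.example.com, tries to issue the
    # same session cookie once for its own domain and once for the other domain.
    accepted = store_login_cookies(jar, APP1_LOGIN, [
        "session_id=sess123; Domain=.example.com; Path=/; Secure; HttpOnly",
        "session_id=sess123; Domain=.acme.com; Path=/; Secure; HttpOnly",
    ])
    return {
        "accepted_domains": accepted,           # only .example.com survives
        "sent_to_app1": cookie_header_for(jar, APP1_LOGIN),  # "session_id=sess123"
        "sent_to_app2": cookie_header_for(jar, APP2_HOME),   # None: never sent cross-domain
    }


if __name__ == "__main__":
    print(demo())
```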