IBM Security Verify

  • 1.  Sharing Cookies across domains

    Posted Thu April 22, 2021 07:07 AM
    This is an odd situation, but I wonder if someone can help solving this.

    ISAM is an Identity Provider to multiple applications.

    Each application has their own domain (e.g. app1.example.com and app2.acme.com), although both are domains that belong to the SAME organization.
    They want a single sign-on solution, meaning if a user logs in to app1, he does not need to log in to app2. An important piece of information is that the same ISAM is shared between both domains.

    Because of organization requirements, SAML, OAuth and OIDC cannot be used.

    So, a user logs in on app1, and ISAM, as an IdP, validates and generates a Session Cookie.
    The same user now tries to access app2, and the organization wants to provide the access without having the user to login again (single Sign-on)!

    The only way I can make this work, is being able to share the session cookie between both domains.
    Which means that app1 and app2 need to receive the same session cookie. A different alternative would have the user have multiple session cookies (one per domain).

    I hope things are clear regarding the scenario.

    ISAM, as an Identity Provider, generates the session cookies (one per domain).
    A possible solution is to create a session cookie that could be sent to the user, and whenever he attempts to connect to App1 or App2, the browser would send the session cookie.

    As you know the cookies are restricted by domain. So, the session cookie obtained from app1, would only be sent to .example.com domains. Likewise, the session cookie obtained from app2, would only be sent to .acme.com.

    How can I change the cookies that are sent to the user's browser when ISAM generates the session cookies?
    Can I have the reverse proxy generate the same cookie for multiple domains? One per app?
    Is there any other solution?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: Sharing Cookies across domains

    Posted Thu April 22, 2021 08:05 AM
    Hi Joao,

    Put simply, the sharing of cookies across domains is not possible - that is a restriction of the HTTP protocol.
    Also, a server in one domain cannot set cookies in a different domain - so you can't pre-create session cookies in other domains at login time.

    Federation protocols like SAML etc. were created as the solution to this issue - i.e. the ability to transfer a session from one domain to another.
    If you don't use a federation protocol then the only alternative is some bespoke equivalent which I would not recommend.  Standards are better.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Sharing Cookies across domains

    Posted Thu April 22, 2021 12:48 PM
    In the situation described in this URL, https://stackoverflow.com/questions/11434866/automatic-cookie-single-sign-on-on-multiple-domains-like-google
    they use a mechanism to overcome this issue.

    In this link, https://stackoverflow.com/questions/37559827/how-youtube-gets-logged-in-to-gmail-account-without-getting-redirected/37565692#37565692
    they are suggesting to share a JWT among domains.

    I don't think any of these solutions have any bearing in ISVA. It is a solution that app1 and app2 need to deal with. In the scenario of the first URL, it would have to be managed between Google and YouTube.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: Sharing Cookies across domains

    IBM Champion
    Posted Fri April 23, 2021 02:55 AM
    Hi Joao,

    There is however a workaround if all sites share the same top domain:
    - app1.mydomain.com
    - app2.mydomain.com
    - app3.mydomain.com

    You can then configure Webseal to place the cookie on mydomain.com (instead of using the full domain name app1.mydomain.com)
    The same cookie will then be sent by the browser for all requests to any *.mydomain.com site.


    However if you wish to implement a real SSO, I don't think you will have any other choice than using SAML/OIDC.


    Regards,
    André

    ------------------------------
    André Leruitte
    ------------------------------
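    The cookie scoping rules the thread keeps running into (a server cannot set a cookie for a domain it is not part of, and a cookie scoped to a shared parent domain is sent to every host under it) modelled as an added example. This is not code from the thread or from IBM Security Verify / WebSEAL; the cookie name "session" and the hostnames are constructed, and the model follows the domain-matching rules of RFC 6265.

```python
from typing import Optional

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches domain when they are equal or
    host ends with '.' + domain (the IP-address special case is ignored here)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def store_cookie(jar: list, setting_host: str, name: str, domain_attr: Optional[str]) -> bool:
    """Model of a browser receiving Set-Cookie from setting_host.
    Returns False (cookie discarded) when the server scopes the cookie to a domain
    it does not belong to (RFC 6265 section 5.3, step 6): app1.example.com can
    never plant a cookie for acme.com, which is the limit described in reply 2."""
    if domain_attr is None:
        # No Domain attribute: host-only cookie, returned only to the exact host.
        jar.append({"name": name, "domain": setting_host.lower(), "host_only": True})
        return True
    if not domain_match(setting_host, domain_attr):
        return False
    # Domain attribute accepted: cookie is sent to that domain and all its subdomains.
    # Caveat: every host under that parent domain (not only app1/app2) will receive it.
    jar.append({"name": name, "domain": domain_attr.lower().lstrip("."), "host_only": False})
    return True


def cookies_for(jar: list, request_host: str) -> list:
    """Names of the stored cookies the browser would attach to a request to request_host."""
    sent = []
    for c in jar:
        if c["host_only"]:
            if request_host.lower() == c["domain"]:
                sent.append(c["name"])
        elif domain_match(request_host, c["domain"]):
            sent.append(c["name"])
    return sent


if __name__ == "__main__":
    jar = []
    # Original scenario: two separate registrable domains, cookie set on app1 only.
    store_cookie(jar, "app1.example.com", "session", None)
    print(cookies_for(jar, "app2.acme.com"))                            # → []
    # Trying to scope the cookie to the other domain is silently dropped.
    print(store_cookie(jar, "app1.example.com", "shared", "acme.com"))  # → False
    # Reply 4 workaround: common parent domain, cookie scoped to mydomain.com.
    store_cookie(jar, "app1.mydomain.com", "session", "mydomain.com")
    print(cookies_for(jar, "app2.mydomain.com"))                        # → ['session']
```

    The widened scope in the last case is the trade-off to weigh before using the workaround: any host that can be placed under mydomain.com will receive the same session cookie.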



  • 5.  RE: Sharing Cookies across domains

    Posted Fri April 23, 2021 05:56 AM
    One option to consider would be the cross domain single sign-on (CDSSO) mechanism.

    ------------------------------
    sudhir kapu
    ------------------------------