IBM Verify

  • 1.  Cross-domain authentication

    Posted Wed November 27, 2019 03:18 AM
    If there are WebSEALs in two different domains, is it possible to provide SSO between them? After authenticating in domain A by login / password, go to domain B without re-authentication, and vice versa.

    ------------------------------
    Igor Vinogradov
    ------------------------------


  • 2.  RE: Cross-domain authentication

    Posted Wed November 27, 2019 04:07 AM
    Hi Igor,

    There are some tricks with session cookies that you can use if the domains have a common DNS component (domain1.common.com and domain2.common.com).  Check the [session-cookie-domains] stanza and information on the shared-domain-cookie in [session] stanza.  However, there are security implications of doing this and I also seem to remember that this isn't enough to share sessions between Virtual Host Junctions (because of the way sessions are managed internally).

    To truly get SSO between DNS domains you need to transfer some token between the domains (even if they are on the same WebSEAL).  That's just how HTTP sessions are designed.  WebSEAL has some older proprietary ways of doing this - check out e-community single sign-on in the docs - or, if you have access to the capabilities, you can set up a SAML or OIDC federation to handle it.

    It is quite a common usage pattern to have one WebSEAL set up as an "Identity Provider" (where all authentication is done) and then have other WebSEALs in front of applications which act as "Service Providers". This provides good support for multi-domain environments and sets you up well for integration with cloud SaaS services (either directly or via IBM Cloud Identity).

    I hope this helps.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
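The "common DNS component" condition in the reply above comes from the browser's cookie domain-matching rule, not from WebSEAL. The following added example (written for this page, not code from the thread or from IBM) implements the RFC 6265 section 5.1.3 domain-match rule and a minimal cookie jar, then shows which hosts receive a session cookie whose Domain attribute is widened to a common parent (the effect of shared-domain-cookie plus a [session-cookie-domains] entry) versus the default host-only cookie. The hostnames are constructed; PD-S-SESSION-ID is WebSEAL's default HTTPS session cookie name.

```python
"""Added example (not from the original thread): why a session cookie can only
give SSO between hosts that share a DNS suffix.

Implements RFC 6265 5.1.3 domain matching and a tiny cookie jar, then shows
which hosts receive a cookie whose Domain attribute is set to a common parent
(what WebSEAL's shared-domain-cookie / [session-cookie-domains] settings do)
versus a host-only cookie. Hostnames are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lower-cased, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain if they are equal, or host
    ends with '.' + domain and host is not an IP address."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    return not host.replace(".", "").isdigit()  # reject dotted-quad IP literals


def parse_set_cookie(request_host: str, header: str) -> Cookie:
    """Parse a Set-Cookie value received from request_host and apply the
    RFC 6265 5.3 rule that a host may only set a Domain it domain-matches."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain" and val:
            domain = val.lower().lstrip(".")
    if domain is None:
        return Cookie(name, value, request_host.lower(), True)
    if not domain_match(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for Domain={domain}")
    return Cookie(name, value, domain, False)


def cookies_for(jar, host: str):
    """Names of jar cookies a browser would attach to a request for host."""
    sent = []
    for c in jar:
        if c.host_only:
            if host.lower() == c.domain:
                sent.append(c.name)
        elif domain_match(host, c.domain):
            sent.append(c.name)
    return sent


def sso_scope(setting_host: str, set_cookie_header: str, targets):
    """Map each target host to whether the cookie set by setting_host reaches it."""
    jar = [parse_set_cookie(setting_host, set_cookie_header)]
    return {t: bool(cookies_for(jar, t)) for t in targets}


if __name__ == "__main__":
    targets = ["domain1.common.com", "domain2.common.com", "app.other.com"]
    # shared-domain-cookie = yes with "domain = common.com" under [session-cookie-domains]
    print(sso_scope("domain1.common.com",
                    "PD-S-SESSION-ID=abc; Domain=common.com; Path=/; Secure; HttpOnly", targets))
    # WebSEAL default: host-only cookie, never leaves domain1.common.com
    print(sso_scope("domain1.common.com",
                    "PD-S-SESSION-ID=abc; Path=/; Secure; HttpOnly", targets))
```

The widened cookie reaches every host under common.com, which is exactly the security implication the reply mentions: any host in that suffix, including ones you do not control, receives the session identifier. A real browser additionally refuses Domain values on the public-suffix list (Domain=com), which this example does not model. Nothing in the rule lets a cookie cross from common.com to other.com, hence the need to hand over a token instead.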



  • 3.  RE: Cross-domain authentication

    Posted Wed November 27, 2019 12:26 PM
    Hello Igor,

    I second Jon and highly recommend putting the infrastructure in place to use OpenID Connect or SAML to achieve the cross domain SSO.

    ISAM 9.0.6.0+ has the ability to consume the result of an OIDC flow so you could have the Reverse Proxy use the OIDC provider on an 'IdP' reverse proxy to handle your authentication in theory.

    If you are using sub domains of the same DNS domain then using the Distributed Session Cache and domain session cookies can be a solution for single sign on in that sense.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------
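Both replies above converge on the same design: an "IdP" reverse proxy authenticates, and each "SP" reverse proxy in another DNS domain accepts a token from it. The following added example (written for this page; it is not WebSEAL's e-community, SAML or OIDC implementation, which are considerably richer) shows the minimum an SP must check before turning such a handoff into a local session: signature, trusted issuer, audience bound to the SP's own host, validity window, and single use. The shared key, hostnames and timestamps are constructed for the illustration.

```python
"""Added example (not from the original thread, and not IBM's code): the
minimum checks a cross-domain SSO handoff needs once two reverse proxies
sit in unrelated DNS domains and cannot share a cookie.

An IdP host mints a short-lived HMAC-signed assertion for one specific SP
host; the SP verifies it and only then issues its own local session.
Key, hostnames and times below are constructed for the illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: exchanged out of band
CLOCK_SKEW = 30                                     # seconds of tolerated clock drift


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(key: bytes, issuer: str, subject: str, audience: str,
                   now: int, ttl: int = 60) -> str:
    """IdP side: sign claims naming who the user is, who may consume the
    assertion (aud), and how long it lives. Returns '<body>.<sig>'."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


class ServiceProvider:
    """SP side: validate an incoming assertion and create a local session."""

    def __init__(self, host: str, key: bytes, trusted_issuer: str):
        self.host, self.key, self.issuer = host, key, trusted_issuer
        self.seen_jti = set()   # replay cache; bounded by ttl in a real deployment
        self.sessions = {}      # local session id -> subject

    def consume(self, token: str, now: int):
        body, _, sig = token.partition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        try:
            presented = _b64d(sig)
        except (binascii.Error, ValueError):
            return None, "bad signature"
        # Verify before parsing: untrusted JSON is never inspected unless signed.
        if not hmac.compare_digest(presented, expected):
            return None, "bad signature"
        claims = json.loads(_b64d(body))
        if claims.get("iss") != self.issuer:
            return None, "untrusted issuer"
        if claims.get("aud") != self.host:
            return None, "wrong audience"          # token minted for another SP
        if not (claims["iat"] - CLOCK_SKEW <= now < claims["exp"]):
            return None, "expired or not yet valid"
        if claims["jti"] in self.seen_jti:
            return None, "replayed"
        self.seen_jti.add(claims["jti"])
        session_id = secrets.token_urlsafe(16)     # becomes the SP's own cookie value
        self.sessions[session_id] = claims["sub"]
        return session_id, "ok"


if __name__ == "__main__":
    idp = "idp.example-a.com"
    sp = ServiceProvider("app.example-b.com", SHARED_KEY, idp)
    token = mint_assertion(SHARED_KEY, idp, "igor", sp.host, now=1000)
    print(sp.consume(token, now=1010))   # fresh token -> local session created
    print(sp.consume(token, now=1011))   # same token again -> replayed
```

The audience check is the one most often skipped and the one that matters most in the multi-SP layout: without it, an assertion captured on the way to one application logs the holder into every other application trusting the same IdP. Because this style of handoff typically travels in a redirect URL, which lands in proxy logs and Referer headers, keep the lifetime short and enforce single use; OIDC's code flow exists largely to keep the long-lived credential out of the URL entirely.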