To handle SSO between http and https (sharing sessions across different transports), you'll need something like use-same-session.
This would ensure that your PD-S-SESSION-ID and PD-H-SESSION-ID cookies can be used for both transport methods.
Indeed, to use that over multiple WebSEAL instances, you'll need the concept of session sharing, like the DSC or Redis.
You'll need to configure your WebSEAL instances to be part of the same replica set.
If you're testing this in a load balanced environment (some front end load balancer in front of WebSEALs), I would expect it to work OK.
If you're testing this in a Dev environment, and are using /etc/hosts file or other methods where you don't control DNS, it might give different results.
All your participating WebSEALs should respond to the same FQDN (e.g. vip.webseal.ibm.com), or alternatively you can ensure that your Session Cookies are Domain Cookies (so they'll be sent by the browser to all URLs that match the domain instead of the more specific FQDN hostname).
------------------------------
HANS VANDEWEGHE
------------------------------
Original Message:
Sent: Tue August 23, 2022 05:08 AM
From: afras khan
Subject: SSO between WebSEAL instances using Distributed Session Cache DSC
Hello,
Does anyone know how to give SSO between WebSEAL instances? One instance is non-SSL and the other is SSL. I tried using SAML Federation, but it didn't work with non-SSL instances. Now I'm working on DSC but unable to find any documentation on configuring SSO between WebSEAL instances.
ISVA 10.0.3
------------------------------
afras khan
------------------------------