
How Single Sign-on Works in a Single Domain

SiteMinder provides single sign-on across both single and multiple cookie domains. This simplifies the use of applications spread across different Web servers and platforms, and improves the user experience because users do not have to re-authenticate as they move between resources in a single sign-on environment.

A single domain is an environment in which all resources exist in the same cookie domain. Multiple Web Agents in the same cookie domain can be configured for single sign-on by specifying the same cookie domain in each Web Agent's configuration, so that the browser presents the same single sign-on cookie to every Agent.

If single sign-on is enabled, the following process applies:

  1. The user authenticates once.
  2. The Web Agent caches the successful authentication, and then issues a single sign-on cookie to the user's browser.
  3. The single sign-on cookie carries the session information, so the user can access resources protected at the same or a lower protection level without re-authenticating.

    Users who try to access resources with a higher protection level must re-authenticate before they are granted access.
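The following model of that process is an added example; it is not SiteMinder code and does not reproduce SiteMinder's cookie or session ticket format. It assumes a hypothetical WebAgent class, a cookie jar keyed by cookie domain (standing in for the browser's cookie scoping), numeric protection levels, and an HMAC-signed ticket whose key stands in for the session ticket key. It shows each outcome a practitioner would want to check: access with no cookie, access from a second Agent in the same cookie domain, step-up to a higher protection level, an Agent in a different cookie domain, an Agent holding a different ticket key, and an expired session.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Hypothetical, constructed model of the single-domain SSO flow described
# above. Not CA SiteMinder's code, cookie format, or session ticket format.


def make_ticket(user, level, issued_at, lifetime, ticket_key):
    """Build a signed session ticket (assumed format: b64(body).b64(mac)).
    The HMAC key stands in for the session ticket key; lifetime in seconds
    bounds how long the session stays valid."""
    claims = {"user": user, "level": level,
              "iat": issued_at, "exp": issued_at + lifetime}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(ticket_key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def parse_ticket(ticket, ticket_key, now):
    """Validate a ticket. Returns (claims, "ok") or (None, reason)."""
    try:
        body_b64, mac_b64 = ticket.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(ticket_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        # Ticket was issued under a different session ticket key.
        return None, "bad_signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None, "expired"
    return claims, "ok"


class WebAgent:
    """Hypothetical Web Agent: one cookie domain, one ticket key."""

    def __init__(self, name, cookie_domain, ticket_key, lifetime=3600):
        self.name = name
        self.cookie_domain = cookie_domain
        self.ticket_key = ticket_key
        self.lifetime = lifetime

    def authenticate(self, jar, user, level, now):
        """Steps 1-2: the user authenticates at this Agent, which issues an
        SSO cookie scoped to its cookie domain."""
        jar[self.cookie_domain] = make_ticket(
            user, level, now, self.lifetime, self.ticket_key)

    def authorize(self, jar, resource_level, now):
        """Step 3: decide from the SSO cookie whether the user may reach a
        resource at resource_level without re-authenticating."""
        ticket = jar.get(self.cookie_domain)  # browser only sends cookies for this domain
        if ticket is None:
            return "authenticate:no_cookie"
        claims, status = parse_ticket(ticket, self.ticket_key, now)
        if claims is None:
            return "authenticate:" + status
        if resource_level > claims["level"]:
            # Higher protection level than the session was established at.
            return "reauthenticate:higher_level"
        return "allow"


def run_scenario():
    """Walk through the outcomes of the SSO flow with constructed Agents."""
    key = b"shared-session-ticket-key"  # constructed; same key for the SSO environment
    now = 1_700_000_000
    agent_a = WebAgent("agentA", ".example.com", key)
    agent_b = WebAgent("agentB", ".example.com", key)
    agent_c = WebAgent("agentC", ".example.com", b"different-key")  # misconfigured key store
    other = WebAgent("agentD", ".other.net", key)  # different cookie domain
    jar = {}
    results = {}
    results["before_login"] = agent_a.authorize(jar, 5, now)
    agent_a.authenticate(jar, "alice", 5, now)
    results["same_agent"] = agent_a.authorize(jar, 5, now)
    results["other_agent_same_domain"] = agent_b.authorize(jar, 3, now)
    results["higher_level"] = agent_b.authorize(jar, 10, now)
    agent_b.authenticate(jar, "alice", 10, now)  # step-up re-authentication
    results["after_step_up"] = agent_b.authorize(jar, 10, now)
    results["different_cookie_domain"] = other.authorize(jar, 5, now)
    results["key_mismatch"] = agent_c.authorize(jar, 5, now)
    results["expired"] = agent_b.authorize(jar, 5, now + 3601)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:25s} -> {outcome}")
```

The key_mismatch case is the failure the note below warns about: an Agent whose key store holds a different session ticket key cannot validate a ticket issued elsewhere in the same cookie domain, so single sign-on silently degrades to a fresh login.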

Illustration: single sign-on in a single cookie domain (image not reproduced).

Note: If you are using replicated user directories with non-replicated policy stores, the user directory must be named identically in all policy stores. Also, the session ticket key, which encrypts session tickets, must be the same in all key stores in the SSO environment; an Agent cannot validate a session ticket encrypted under a different key. The session ticket determines the duration of a valid user session.


Copyright © 2010 CA. All rights reserved.