
Single Sign-On Across Multiple Cookie Domains

SiteMinder implements single sign-on across multiple cookie domains using a SiteMinder Web Agent configured as a cookie provider.

The cookie domain where the cookie provider Web Agent resides is named the cookie provider domain. All the other Web Agents in the other cookie domains within the single sign-on environment point to that one cookie provider.

SiteMinder cookie providers work using the following process:

  1. A user requests a protected resource in a domain within the single sign-on environment, and is challenged for credentials.
  2. When the user is authenticated, the following cookies are set in the user's browser:
  3. The user can navigate between the domains in the single sign-on environment without being rechallenged until either of the following events occur:

Will the Web Agents in your single sign-on environment need to be load-balanced?

Because all Web Agents in an SSO environment must refer to a single cookie provider domain, add a load-balancer between the web servers in your cookie provider domain and the other cookie domains in your SSO environment as shown in the following illustration:

Multiple Domains in an SSO Environment Using a Load Balancer In Front of the Domain Hosting the Cookie Provider

The Web Agent in the example.org cookie domain and the Web Agent in the example.com cookie domain both point to the same cookie provider domain, example.net. A load-balancer distributes the traffic evenly between all the web servers in the example.net cookie provider domain.

Note: SSO across multiple cookie domains does not require that the same user directory be used across the SSO environment. However, if you are using replicated user directories with non-replicated policy stores, the user directory must be named identically for all policy stores. Also, the session ticket key, which encrypts session tickets, must be the same for all key stores in the SSO environment. The session ticket determines the duration of a valid user session.
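The following Python model is an added illustration of the arrangement described above (cookie-provider process, load-balanced provider domain, shared session ticket key); it is not SiteMinder code and does not reproduce SiteMinder's real cookie format or redirect protocol. Assumptions: the session ticket is modelled as a user name plus an HMAC under the session ticket key, the cookie name, domain names and user "alice" are constructed, and `navigate` visits example.org, example.com and example.org in turn and returns how often the user was challenged.

```python
import hmac, hashlib
# Constructed model of SSO across cookie domains through one cookie provider;
# not SiteMinder's real cookie format or redirect protocol.
def make_ticket(user, key):   # "session ticket" bound to the session ticket key
    return user + ":" + hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
def read_ticket(ticket, key): # None if the ticket was not issued under this key
    user, _, tag = ticket.partition(":")
    good = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, good) else None

class Browser(dict):
    """Cookie jar keyed by cookie domain: a cookie set for example.net is never
    sent to example.org, which is why every Web Agent asks one cookie provider."""
    challenges = 0            # times the user had to re-enter credentials

class CookieProvider:
    """Web servers in the cookie provider domain, picked round-robin by the
    load balancer; each server holds its own copy of the session ticket key."""
    def __init__(self, domain, server_keys):
        self.domain, self.keys, self.turn = domain, server_keys, 0
    def next_key(self):       # the load balancer chooses the next server
        self.turn += 1
        return self.keys[(self.turn - 1) % len(self.keys)]
    def session_for(self, browser):
        t = browser.get(self.domain)
        return read_ticket(t, self.next_key()) if t else None
    def set_session(self, browser, user):
        browser[self.domain] = make_ticket(user, self.next_key())

class WebAgent:
    def __init__(self, domain, provider, key):
        self.domain, self.provider, self.key = domain, provider, key
    def request(self, browser, user):
        t = browser.get(self.domain)  # session in this agent's own cookie domain?
        who = read_ticket(t, self.key) if t else None
        if who is None:               # no: ask the cookie provider domain
            who = self.provider.session_for(browser)
        if who is None:               # no session anywhere: challenge for credentials
            browser.challenges += 1
            who = user
            self.provider.set_session(browser, who)
        browser[self.domain] = make_ticket(who, self.key)
        return who

def navigate(server_keys, agent_key=b"sso-key"):
    cp, b = CookieProvider("example.net", server_keys), Browser()
    for d in ("example.org", "example.com", "example.org"):  # cross-domain browsing
        WebAgent(d, cp, agent_key).request(b, "alice")
    return b.challenges
```

With every server in the provider pool holding the same session ticket key, `navigate` challenges the user once; give one load-balanced server a different key and the user is re-challenged as soon as the load balancer routes the cookie-provider lookup to that server, which is the failure the Note's key-store requirement prevents.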


Copyright © 2010 CA. All rights reserved.