|
|
|
Use the SSOTrustedZone parameter to specify the single sign-on zone's order of trust. When processing a request, the Web Agent looks for a SESSION or IDENTITY cookie for each zone in the order they appear in the list.
Any cookies found are validated as usual (decrypted, and tested for a valid host name, single sign-on zone name, and timeouts), then stored in an ordered list of trusted sessions if valid. Prior to authentication, the user's active session (and therefore user identity) are considered the first session in the ordered list of valid sessions.
During authentication, the Web Agent will call validate using the first session in the list. If the validation succeeds, the agent moves on and establishes user identity and affirms the active accordingly. If validation fails, the next session is used in a new validation call, and so forth until validation succeeds or the agent runs out of sessions. If no session validates, the agent challenges the user as usual.
Once validated, the agent ignores all other sessions and instead sticks only to the session that validated for the remainder of request processing. This means that should authorization fail, the user is challenged immediately. Any other existing sessions in the request are not used.
| Copyright © 2010 CA. All rights reserved. | Email CA about this topic |