<div class="noteclassic">For security reasons, a cookie set for one domain cannot be sent to another domain. To extend <abbr title="Single Sign On">SSO</abbr> across several domains, LemonLDAP::NG implements a cross-domain mechanism.
</div><ol>
<li class="level1"><div class="li"> User owns <a href="documentation/latest/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookies</a> on the main domain (see <a href="documentation/presentation.html#login" class="wikilink1" title="documentation:presentation">Login kinematics</a>)</div>
</li>
<li class="level1"><div class="li"> User tries to access a protected application in a different domain</div>
</li>
<li class="level1"><div class="li"> Handler does not see <a href="documentation/latest/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookies</a> (because it is not in the main domain) and redirects the user to the Portal</div>
</li>
<li class="level1"><div class="li"> Portal recognizes the user by their <a href="documentation/latest/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookies</a>, and sees that the user is coming from a different domain</div>
</li>
<li class="level1"><div class="li"> Portal redirects the user to the protected application with a token as a <abbr title="Uniform Resource Locator">URL</abbr> parameter. The token is linked to a session which contains the real session ID</div>
</li>
<li class="level1"><div class="li"> Handler detects the <abbr title="Uniform Resource Locator">URL</abbr> parameter, gets the real session ID, deletes the token session and creates an <a href="documentation/latest/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on its domain, with the session ID as value</div>
</li>
</ol>
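<p>The token exchange in the last two steps, modelled as an added example (this is not LemonLDAP::NG code): the real session ID never appears in the <abbr title="Uniform Resource Locator">URL</abbr>, and the token session is deleted on first use. The parameter name <code>cda_token</code>, the cookie name <code>sso_cookie</code>, the 60-second token lifetime and the in-memory store are assumptions made for the illustration.</p>

```python
import secrets
import time

TOKEN_TTL = 60  # seconds; assumed lifetime of a token session (not from the docs)


class SessionStore:
    """In-memory stand-in for the session backend shared by Portal and Handler."""

    def __init__(self):
        self._data = {}

    def create(self, content, ttl=None):
        sid = secrets.token_hex(32)
        expires = time.time() + ttl if ttl else None
        self._data[sid] = (content, expires)
        return sid

    def pop(self, sid):
        """Fetch and delete in one step, so a token can be redeemed only once."""
        content, expires = self._data.pop(sid, (None, None))
        if content is None or (expires is not None and expires < time.time()):
            return None
        return content


def portal_issue_cda_token(store, sso_session_id, target_url):
    """Portal side: create a token session holding the real session ID, build the redirect."""
    token = store.create({"real_session_id": sso_session_id}, ttl=TOKEN_TTL)
    sep = "&" if "?" in target_url else "?"
    return f"{target_url}{sep}cda_token={token}"  # hypothetical parameter name


def handler_redeem_cda_token(store, token, cookie_name="sso_cookie"):
    """Handler side: resolve the token, delete the token session, set a local cookie."""
    content = store.pop(token)
    if content is None:
        return None  # unknown, expired or already used: redirect to the Portal again
    return f"{cookie_name}={content['real_session_id']}; Path=/; Secure; HttpOnly"
```

<p>A token that is replayed from a proxy log, browser history or a Referer header resolves to nothing, because the token session no longer exists after the first redemption.</p>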
Choose “<abbr title="Cross Domain Authentication">CDA</abbr>” as the type for each virtualHost concerned by <abbr title="Cross Domain Authentication">CDA</abbr> <em>(i.e. not in the main domain)</em>.