<li class="level2"><div class="li"><a href="#exampleinteroperability_between_2_organizations">Example: interoperability between 2 organizations</a></div></li>
<div class="notewarning">This module is an <abbr title="LemonLDAP::NG">LL::NG</abbr>-specific identity federation protocol. You may prefer to use standard protocols such as <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML</a>, <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect</a> or <a href="idpcas.html" class="wikilink1" title="documentation:2.0:idpcas">CAS</a>.
<li class="level1"><div class="li"> The main portal is configured to use <abbr title="Cross Domain Authentication">CDA</abbr>. The secondary portal is declared in the Manager of the main <abbr title="LemonLDAP::NG">LL::NG</abbr> structure (otherwise the user will be rejected).</div>
</li>
<li class="level1"><div class="li"> The portal of the secondary <abbr title="LemonLDAP::NG">LL::NG</abbr> structure is configured to delegate authentication to a remote portal. A request is made to the main session database (through the <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP session backend</a>) to make sure that the session exists.</div>
</li>
<li class="level1"><div class="li"> If <code>exportedAttr</code> is set, only those attributes are copied into the session database of the secondary <abbr title="LemonLDAP::NG">LL::NG</abbr> structure. Otherwise, all data is copied into the session database.</div>
<li class="level1"><div class="li"> The user tries to access an application in the secondary <abbr title="LemonLDAP::NG">LL::NG</abbr> structure without having a session in this area</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the secondary area (transparent)</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the main area and normal authentication (if not done before)</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the secondary area (transparent)</div>
</li>
<li class="level1"><div class="li"> The secondary portal checks whether the remote session is available. This can be done via direct access to the session database or using SOAP access. It then creates the session (with the attribute filter)</div>
</li>
<li class="level1"><div class="li"> The user can now access the protected application</div>
</li>
</ol>
<div class="noteclassic">Note that if the user is already authenticated on the first portal, all redirections are transparent.
<li class="level1"><div class="li"><strong>Cookie name</strong> (optional): name of the cookie of the primary portal, if different from that of the secondary portal</div>
</li>
<li class="level1"><div class="li"><strong>Sessions module</strong>: set <code>Lemonldap::NG::Common::Apache::Session::SOAP</code> for <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP session backend</a>.</div>
<li class="level2"><div class="li"><strong>proxy</strong>: SOAP sessions end point (see <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP session backend</a> documentation)</div>
<li class="level2"><div class="li"> One remote portal that delegates authentication to the second organization (just another file on the same server)</div>
<li class="level1"><div class="li"> The normal portal has a link included in the authentication form pointing to the remote portal for the users of the other organization</div>
</li>
</ul>
<p>
So on each main portal, internal users can access it normally, and users from the other organization just have to click on the link: