Cross Domain Authentication

Presentation

For security reasons, a cookie set for one domain is never sent by the browser to another domain. To extend SSO across several domains, LemonLDAP::NG implements a cross-domain authentication (CDA) mechanism:
  1. The user already holds SSO cookies on the main domain (see Login kinematics)
  2. The user tries to access a protected application located in a different domain
  3. The Handler does not see the SSO cookies (it is not in the main domain) and redirects the user to the Portal
  4. The Portal recognizes the user by their SSO cookies and sees that they come from a different domain
  5. The Portal redirects the user to the protected application with a token passed as a URL parameter. The token is the ID of a short-lived session that contains the real session ID
  6. The Handler detects the URL parameter, looks up the real session ID, deletes the token session (so the token is single-use) and creates SSO cookies on its own domain, with the real session ID as value

Since the token travels in the URL, it can end up in browser history, proxy logs and Referer headers; serve the CDA virtual hosts over HTTPS so that the token, and the cookie the Handler creates from it, are not exposed in clear text.
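The six steps above, as an added simulation that is not LemonLDAP::NG code: a toy Portal and Handler share a session store, the browser's cookie jar only releases a cookie to hosts under its domain, and the Handler consumes the token session exactly once. The domain names, the cookie name `lemonldap` and the parameter name `lemonldapcda` are assumptions chosen for the example.

```python
"""Toy simulation of LemonLDAP::NG cross-domain authentication (CDA).

Added example, not LemonLDAP::NG code. Names below are assumptions.
"""
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

MAIN_DOMAIN = "example.com"          # assumed main SSO domain
PORTAL = "https://auth.example.com"  # assumed portal URL
COOKIE = "lemonldap"                 # assumed SSO cookie name
CDA_PARAM = "lemonldapcda"           # assumed name of the CDA URL parameter


class SessionStore:
    """Shared backend holding real SSO sessions and short-lived CDA token sessions."""
    def __init__(self):
        self.data = {}

    def create(self, content):
        sid = secrets.token_hex(32)
        self.data[sid] = dict(content)
        return sid

    def get(self, sid):
        return self.data.get(sid)

    def delete(self, sid):
        self.data.pop(sid, None)


def registrable_domain(host):
    """Toy eTLD+1: the last two labels (enough for the hosts used here)."""
    return ".".join(host.split(".")[-2:])


def browser_cookies(jar, host):
    """Browser rule: a cookie is only sent to hosts under the domain it was set for."""
    return {n: v for (dom, n), v in jar.items() if host == dom or host.endswith("." + dom)}


def handler(store, url, cookies):
    """Handler of a CDA virtual host (not in the main domain)."""
    parsed = urlparse(url)
    host = parsed.netloc
    query = dict(parse_qsl(parsed.query))
    token = query.pop(CDA_PARAM, None)
    tok_sess = store.get(token) if token else None
    if tok_sess and "cda_id" in tok_sess:
        store.delete(token)                      # step 6: the token is single-use
        real_sid = tok_sess["cda_id"]
        if store.get(real_sid):
            clean = urlunparse(parsed._replace(query=urlencode(query)))
            return {"status": 302, "location": clean,  # strip the token from the URL
                    "set_cookie": (registrable_domain(host), COOKIE, real_sid)}
    sid = cookies.get(COOKIE)
    if sid and store.get(sid):
        return {"status": 200, "user": store.get(sid)["uid"]}
    # step 3: no usable SSO cookie in this domain, send the user to the Portal
    return {"status": 302, "location": PORTAL + "/?" + urlencode({"url": url})}


def portal(store, query, cookies):
    """Portal on the main domain."""
    sid = cookies.get(COOKIE)
    if not (sid and store.get(sid)):
        return {"status": 401}                   # would display the login form
    target = urlparse(query["url"])
    if target.netloc == MAIN_DOMAIN or target.netloc.endswith("." + MAIN_DOMAIN):
        return {"status": 302, "location": query["url"]}
    # steps 4-5: other domain, mint a token session that points at the real session
    token = store.create({"cda_id": sid})
    cda_query = urlencode(dict(parse_qsl(target.query), **{CDA_PARAM: token}))
    return {"status": 302, "location": urlunparse(target._replace(query=cda_query))}


def run_flow(app_url="https://app.other.org/secret?x=1"):
    """Drive a browser through steps 1-6, then replay the consumed token."""
    store, jar = SessionStore(), {}
    sid = store.create({"uid": "dwho"})          # constructed session of user dwho
    jar[(MAIN_DOMAIN, COOKIE)] = sid             # step 1
    host = urlparse(app_url).netloc
    r1 = handler(store, app_url, browser_cookies(jar, host))          # steps 2-3
    r2 = portal(store, dict(parse_qsl(urlparse(r1["location"]).query)),
                browser_cookies(jar, urlparse(PORTAL).netloc))       # steps 4-5
    r3 = handler(store, r2["location"], browser_cookies(jar, host))   # step 6
    dom, name, value = r3["set_cookie"]
    jar[(dom, name)] = value
    r4 = handler(store, r3["location"], browser_cookies(jar, host))
    replay = handler(store, r2["location"], {})  # token already consumed
    return {"first": r1["status"], "final_url": r3["location"], "user": r4.get("user"),
            "replay_to_portal": replay["location"].startswith(PORTAL),
            "main_cookie_sent_to_app": COOKIE in browser_cookies(jar, host) and
                                       (MAIN_DOMAIN, COOKIE) in jar and host.endswith(MAIN_DOMAIN),
            "sessions_left": len(store.data)}


if __name__ == "__main__":
    print(run_flow())
```

The replay at the end is the property worth checking: once the Handler has turned the token into a cookie on its own domain, presenting the same URL again only leads back to the Portal, and the store contains nothing but the real session.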

Configuration

In the Manager, go to General Parameters » Cookies » Multiple domains and set it to On.

To enable this feature only locally, edit lemonldap-ng.ini and add the following in section [all]:

[all]
cda = 1

If your Handler is served by Nginx, you also have to uncomment the following lines in your Nginx configuration file, in the same location block as the auth_request directive (the Set-Cookie header returned by the auth subrequest is otherwise dropped, so the Handler could never set the cookie on the new domain):

# If CDA is used, uncomment this
auth_request_set $cookie_value $upstream_http_set_cookie;
add_header Set-Cookie $cookie_value;
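To show where those two lines belong, here is a complete Nginx server block for a CDA virtual host. This is an added illustration, not a file shipped by LemonLDAP::NG; the host name, document root and FastCGI socket path are assumptions and must be adapted to your installation.

```nginx
# Added example: Nginx virtual host protected by the LemonLDAP::NG Handler with CDA.
# Host name, root and socket path are assumptions.
server {
    listen 443 ssl;
    server_name app.other.org;
    root /var/www/app;

    # Internal authentication request handled by the LLNG FastCGI server
    location = /lmauth {
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
        # Do not forward the request body to the Handler
        fastcgi_pass_request_body off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep the original host name and URI (the Handler sees /lmauth otherwise)
        fastcgi_param HOST $http_host;
        fastcgi_param X_ORIGINAL_URI $request_uri;
    }

    location / {
        auth_request /lmauth;
        auth_request_set $lmremote_user $upstream_http_lm_remote_user;
        auth_request_set $lmlocation $upstream_http_location;
        # Redirect to the Portal (or to the cleaned URL) when the Handler answers 401
        error_page 401 $lmlocation;

        # CDA: copy the Set-Cookie header produced by the auth subrequest onto
        # the response, so the browser receives the SSO cookie for this domain
        auth_request_set $cookie_value $upstream_http_set_cookie;
        add_header Set-Cookie $cookie_value;

        try_files $uri $uri/ =404;
    }
}
```

Two Nginx caveats apply. `add_header` is only attached to 2xx and 3xx responses, which is sufficient here because the Handler answers the token request with a redirect to the cleaned URL. And an `add_header` inside a location block replaces every `add_header` inherited from the server or http level, so any security headers set higher up (for example Strict-Transport-Security) must be repeated in this location.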

Handlers

Choose "CDA" as the type for each virtual host concerned by CDA (i.e. each one that is not in the main domain).