Cross Domain Authentication

Presentation

For security reasons, a cookie set for one domain cannot be sent to another domain. To extend SSO across several domains, LemonLDAP::NG implements a cross-domain mechanism:
  1. The user owns SSO cookies on the main domain (see Login kinematics)
  2. The user tries to access a protected application in a different domain
  3. The Handler does not see the SSO cookies (because it is not in the main domain) and redirects the user to the Portal
  4. The Portal recognizes the user by its SSO cookies and sees that he is coming from a different domain
  5. The Portal redirects the user to the protected application with his session ID as a URL parameter
  6. The Handler detects the URL parameter and creates SSO cookies on its own domain, with the session ID as value
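The six steps above, simulated end to end as an added example (not LemonLDAP::NG code): a browser cookie jar that obeys the per-domain rule, a Portal in the main domain and a Handler in a second domain. The cookie name `lemonldap`, the parameter name `cda_session`, the domains and the session store are assumptions; the Handler only accepts session IDs that exist in the store and redirects once more so the ID does not stay in the URL.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

SESSIONS = {"sess-42": {"uid": "alice"}}  # constructed session store shared by portal and handlers
PORTAL = "https://auth.example.com"       # portal lives in the main domain, example.com
COOKIE = "lemonldap"                      # assumed SSO cookie name
CDA_PARAM = "cda_session"                 # assumed name of the URL parameter carrying the session ID

def cookies_for(jar, url):  # browser rule: only cookies set for the request's domain or a parent are sent
    host = urlsplit(url).hostname
    return {n: v for d, c in jar.items() if host == d or host.endswith("." + d) for n, v in c.items()}

def handler(url, cookies, own_domain):
    """Steps 3 and 6: without a valid SSO cookie, redirect to the portal; turn a valid CDA parameter into a cookie."""
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    sid = qs.pop(CDA_PARAM, None)
    clean = parts._replace(query=urlencode(qs)).geturl()  # the session ID must not stay in the URL
    if sid in SESSIONS:  # unknown IDs are ignored rather than turned into cookies
        return "redirect", clean, (own_domain, COOKIE, sid)  # Set-Cookie on the handler's own domain
    if cookies.get(COOKIE) in SESSIONS:
        return "ok", SESSIONS[cookies[COOKIE]]["uid"], None
    return "redirect", f"{PORTAL}/?{urlencode({'url': clean})}", None

def portal(url, cookies):
    """Steps 4 and 5: recognize the user by the main-domain cookie and send them back with the session ID."""
    sid = cookies.get(COOKIE)
    if sid not in SESSIONS:
        return "login_form", None
    target = parse_qs(urlsplit(url).query)["url"][0]
    if urlsplit(target).hostname.endswith(".example.com"):  # same domain: the existing cookie already works
        return "redirect", target
    return "redirect", f"{target}{'&' if urlsplit(target).query else '?'}{urlencode({CDA_PARAM: sid})}"

def cross_domain_access(jar, app_url, app_domain, max_hops=6):
    """Drive the browser through the exchange; returns (user or None, last URL, number of requests)."""
    url = app_url
    for hops in range(1, max_hops + 1):
        if urlsplit(url).hostname == urlsplit(PORTAL).hostname:
            status, url = portal(url, cookies_for(jar, url))
            if status != "redirect":
                return None, url, hops
        else:
            status, payload, cookie = handler(url, cookies_for(jar, url), app_domain)
            if cookie:
                jar.setdefault(cookie[0], {})[cookie[1]] = cookie[2]
            if status == "ok":
                return payload, url, hops
            url = payload
    return None, url, max_hops
```

Running `cross_domain_access({"example.com": {"lemonldap": "sess-42"}}, "https://app.example.org/", "example.org")` takes four requests (app, portal, app with the parameter, app again) and leaves a cookie on example.org.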

Configuration

In the Manager, go to General Parameters » Cookies » Multiple domains and set it to On.

To enable this feature locally only, edit lemonldap-ng.ini in the [all] section:

[all]
cda = 1