Chapter 4. Configuration and customization 169
domain B. This presents the challenge of synchronizing the user accounts that
need to participate in single sign-on between domains.
If a custom written cross-domain mapping framework is used, then it is possible
to map a user from one domain to a different user in another domain. However, if
a one-to-one mapping is used, the problem of synchronizing users still would
exist regardless of whether or not the IDs matched from one domain to another.
Virtual hosts and CDSSO
Cross-domain single sign-on is not supported with virtual hosts and virtual host
junctions. If single sign-on is needed between separate DNS domains and/or
Access Manager domains, and either virtual hosts or virtual host junctions are
used, e-community single sign-on is the only technology supported for this type
of functionality.
4.10.3 e-community single sign-on
e-community single sign-on supports a cross-domain authentication capability.
However, it differs from CDSSO in a few key respects. Recall that in CDSSO,
authenticated identities are forwarded. In an e-community scenario, identities
are instead retrieved; it is a pull model. The use of e-communities has certain
advantages over CDSSO, yet it also has architectural impacts that are not
encountered in a CDSSO environment.
Instead of having to use special URLs to indicate the use of single sign-on as in
the CDSSO model, e-community allows for direct access to secured links. This
has a benefit over CDSSO in that users can bookmark links to resources but will
still be allowed to participate in e-community.
In this model, multiple Access Manager domains are defined to be part of a
single e-community. While each participating domain has its own user registry,
one of the domains is designated to be the home domain. Users requesting
protected resources in any of the participating domains initially authenticate to a
Master Authentication Server (MAS) in the home domain. After the initial
authentication has taken place, the user has an e-community identity based on
the home domain’s user registry. A user’s e-community identity subsequently
can be mapped, as required, to local identities by WebSEAL servers in other
domains within the e-community.
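The following is an added model (not code from the Redbook or from Access Manager) of the pull flow just described, together with the identity-mapping point made earlier in this section: a participating domain authenticates the user at the MAS in the home domain, then maps the resulting e-community identity to a local identity, either through a custom mapping or one-to-one. The domain names, registries and passwords are constructed sample data; the real WebSEAL token exchange is not modelled.

```python
"""Constructed model of e-community SSO: MAS authentication in the home
domain, then per-domain mapping of the e-community identity (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Domain:
    """One Access Manager domain with its own user registry and an optional
    custom mapping from e-community identities to local identities."""
    name: str
    registry: Set[str]
    custom_map: Dict[str, str] = field(default_factory=dict)

    def map_identity(self, ec_identity: str) -> Optional[str]:
        """Custom mapping wins; otherwise fall back to one-to-one mapping,
        which only succeeds if the same ID exists in this domain's registry
        (the synchronization problem noted above)."""
        local = self.custom_map.get(ec_identity, ec_identity)
        return local if local in self.registry else None


class MasterAuthenticationServer:
    """MAS in the home domain: checks credentials against the home registry
    and returns the e-community identity (the home-domain user ID)."""
    def __init__(self, home: Domain, passwords: Dict[str, str]):
        self.home = home
        self.passwords = passwords  # constructed sample credentials

    def authenticate(self, user: str, password: str) -> Optional[str]:
        if user in self.home.registry and self.passwords.get(user) == password:
            return user
        return None


def access_protected_resource(domain: Domain, mas: MasterAuthenticationServer,
                              user: str, password: str) -> Tuple[str, Optional[str]]:
    """A WebSEAL in `domain` pulls the identity from the MAS, then maps it."""
    ec_identity = mas.authenticate(user, password)
    if ec_identity is None:
        return ("denied: authentication failed at MAS", None)
    local = domain.map_identity(ec_identity)
    if local is None:
        return ("denied: no local identity for e-community user", None)
    return ("granted", local)


# Constructed e-community: home domain A, participants B (custom map) and C (one-to-one).
HOME = Domain("A", {"alice", "bob"})
DOMAIN_B = Domain("B", {"alice", "b-bob"}, custom_map={"bob": "b-bob"})
DOMAIN_C = Domain("C", {"alice"})  # bob was never synchronized here
MAS = MasterAuthenticationServer(HOME, {"alice": "pw-alice", "bob": "pw-bob"})
```

Running `access_protected_resource(DOMAIN_C, MAS, "bob", "pw-bob")` shows the one-to-one case failing for an unsynchronized user, while the custom mapping in domain B resolves the same e-community identity to `b-bob`.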