Cross Domain Authentication

Presentation

For security reasons, a browser only sends a cookie to the domain that set it: a cookie issued for the main SSO domain is never sent to another domain. To extend SSO across several domains, LemonLDAP::NG implements a cross-domain authentication (CDA) mechanism:
  1. The user owns SSO cookies on the main domain (see Login kinematics)
  2. The user tries to access a protected application in a different domain
  3. The Handler does not see the SSO cookies (because it is not in the main domain) and redirects the user to the Portal
  4. The Portal recognizes the user with its SSO cookies and sees that the request comes from a different domain
  5. The Portal redirects the user to the protected application with a token as URL parameter. The token is linked to a temporary session that contains the real session ID
  6. The Handler detects the URL parameter, gets the real session ID, deletes the token session (so the token cannot be reused) and creates an SSO cookie on its own domain, with the session ID as value
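The six steps above, modelled as an added example in Python. This is not LemonLDAP::NG code (which is written in Perl) and it does not speak HTTP: it is an in-memory simulation with a shared session store, a portal on the main domain and a handler on a foreign domain. The cookie name "lemonldap", the URL parameter "lemonldapcda", the "_cdaSession" field and the class names are illustrative assumptions, not the project's actual identifiers.

```python
"""Added example, not LemonLDAP::NG code: a minimal in-memory model of the
cross-domain authentication (CDA) exchange between a portal on the main
domain and a handler on another domain. Cookie/parameter names, session
field names and class names are illustrative assumptions."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

COOKIE_NAME = "lemonldap"   # assumed SSO cookie name
CDA_PARAM = "lemonldapcda"  # assumed name of the URL parameter carrying the token


class SessionStore:
    """Session backend shared by the portal and every handler."""

    def __init__(self):
        self._db = {}

    def create(self, data):
        sid = secrets.token_hex(32)
        self._db[sid] = dict(data)
        return sid

    def get(self, sid):
        return self._db.get(sid)

    def delete(self, sid):
        return self._db.pop(sid, None)


def _in_domain(hostname, domain):
    return hostname == domain or hostname.endswith("." + domain)


class Portal:
    """Runs on the main domain, where the user's SSO cookie is valid (steps 4 and 5)."""

    def __init__(self, store, main_domain):
        self.store, self.main_domain = store, main_domain

    def redirect_to(self, cookies, target_url):
        sid = cookies.get(COOKIE_NAME)
        session = self.store.get(sid) if sid else None
        if not session or session.get("_type") == "cda":
            raise PermissionError("no valid SSO session: show the login form")
        if _in_domain(urlparse(target_url).hostname, self.main_domain):
            return target_url  # same domain: the cookie already works there
        # The token is a separate, single-use session holding only the real session ID.
        token = self.store.create({"_type": "cda", "_cdaSession": sid})
        sep = "&" if urlparse(target_url).query else "?"
        return target_url + sep + urlencode({CDA_PARAM: token})


class Handler:
    """Protects an application on a foreign domain (steps 3 and 6)."""

    def __init__(self, store, portal_url, domain):
        self.store, self.portal_url, self.domain = store, portal_url, domain

    def handle(self, url, cookies):
        """Return ("ok", session, None) or ("redirect", location, set_cookie)."""
        sid = cookies.get(COOKIE_NAME)
        session = self.store.get(sid) if sid else None
        if session and session.get("_type") != "cda":  # a token session is not a login
            return "ok", session, None
        parsed = urlparse(url)
        token = parse_qs(parsed.query).get(CDA_PARAM, [None])[0]
        if token:
            # Step 6: resolve the token, delete it so it cannot be replayed,
            # then set the SSO cookie on this handler's own domain.
            tok = self.store.delete(token)
            real = self.store.get(tok["_cdaSession"]) if tok and tok.get("_type") == "cda" else None
            if real:
                cookie = {"name": COOKIE_NAME, "value": tok["_cdaSession"],
                          "domain": self.domain, "secure": True, "httponly": True}
                # Redirect to the same URL without the token so it does not linger in history/logs.
                query = {k: v for k, v in parse_qs(parsed.query).items() if k != CDA_PARAM}
                clean = parsed._replace(query=urlencode(query, doseq=True)).geturl()
                return "redirect", clean, cookie
        # Step 3: no usable cookie and no valid token, send the user to the portal.
        return "redirect", self.portal_url + "?" + urlencode({"url": url}), None


def run_flow():
    """Drive one user through the six steps and return the observations."""
    store = SessionStore()
    portal = Portal(store, "example.com")
    handler = Handler(store, "https://auth.example.com/", "example.org")
    sid = store.create({"uid": "alice"})                      # step 1: logged in on main domain
    app = "https://app.example.org/private?x=1"

    first = handler.handle(app, {})                           # steps 2-3: no cookie on example.org
    to_app = portal.redirect_to({COOKIE_NAME: sid}, app)      # steps 4-5: token issued
    second = handler.handle(to_app, {})                       # step 6: token consumed, cookie set
    third = handler.handle(app, {COOKIE_NAME: second[2]["value"]})  # cookie now works
    replay = handler.handle(to_app, {})                       # reusing the token must fail
    return {"first": first, "to_app": to_app, "second": second,
            "third": third, "replay": replay, "sid": sid}
```

Two checks in the model are worth keeping in mind when reading the real implementation: the handler refuses to accept a token session presented directly as the SSO cookie (the session type is checked), and the token session is deleted before the cookie is set, so a second request carrying the same URL parameter is sent back to the portal instead of being logged in.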

Configuration

In the Manager, go to General Parameters » Cookies » Multiple domains and set it to On.

To enable this feature on the local server only, edit lemonldap-ng.ini and add the following in the [all] section:

[all]
cda = 1