This shows you the differences between two versions of the page.

Link to this comparison view

documentation:2.1:ssocookie [2019/01/15 15:55] (current)
Line 1: Line 1:
 +====== Single Sign On cookie, domain and portal URL======
 +===== SSO cookie =====
 +The SSO cookie is built by the portal (as described in the [[:documentation:presentation#login|login kinematic]]), or by the Handler for cross domain authentication (see [[:documentation:presentation#cross_domain_authentication_cda|CDA kinematic]]).
 +To edit SSO cookie parameters, go in Manager, ''General Parameters'' > ''Cookies'':
 +  * **Cookie name**: name of the cookie, can be changed to avoid conflicts with other LemonLDAP::NG installations
 +  * **Domain**: validity domain for the cookie (the cookie will not be sent on other domains)
 +  * **Multiple domains**: enable [[cda|cross domain mechanism]] (without this, you cannot extend SSO to other domains)
 +  * **Secured cookie**: 4 options:
 +    * **Non secured cookie**: the cookie can be sent over HTTP and HTTPS connections
 +    * **Secured cookie**: the cookie can only be sent over HTTPS
 +    * **Double cookie**: two cookies are delivered, one for HTTP and HTTPS connections, the other for HTTPS only
 +    * **Double cookie for single session**: same as double cookie but only one session is created in session database
 +  * **Javascript protection**: set httpOnly flag, to prevent cookie from being caught by javascript code
 +  * **Cookie expiration time**: by default, SSO cookie is a session cookie, which means it will be destroyed when browser is closed. You can change this behavior by setting a cookie expiration time. It must be an integer. **Cookie Expiration Time** value is a number of seconds until the cookie expires. Set a zero value to disable expiration time and use a session cookie.
 +<note warning>When you change cookie expiration time, it is written on the user hard disk unlike session cookie</note>
 +<note important>Changing the domain value will not update other configuration parameters, like virtual host names, portal URL, etc. You have to update them by yourself.</note>
 +===== Portal URL =====
 +Portal URL is the address used to redirect users on the authentication portal by:
 +  * **Handler**: user is redirected if he has no SSO cookie (or in [[CDA]] mode)
 +  * **Portal**: the portal redirect on itself in many cases (credentials POST, SAML, etc.)
 +<note warning>The portal URL **must** be inside SSO domain. If secured cookie is enabled, the portal URL **must** be HTTPS.</note>