IBM Security Access Manager for Web, Version 7.0

Cross domain single sign-on (CDSSO)

Security Access Manager cross domain single sign-on (CDSSO) provides a mechanism for transferring an authenticated user's identity across multiple secure domains, so that the user is not prompted to log in again when moving from one domain to another.

CDSSO supports the goals of scalable network architecture by allowing the integration of multiple secure domains. For example, a large corporate extranet can be set up with two or more unique domains, each with its own users and object space. CDSSO allows movement of users between the domains with a single sign-on. Unlike e-Community single sign-on, the CDSSO authentication mechanism does not rely on a Master Authentication Server; each participating domain authenticates its own users and passes their identity on directly.

With CDSSO, when a user who has already authenticated in one domain requests a resource located in another domain, the CDSSO mechanism transfers an encrypted user identity token from the first domain to the second domain. The second domain decrypts the token, obtains the user's identity (as authenticated in the first domain), and establishes a session for that user without forcing another login.

CDSSO domains are based on DNS domains. All servers in the same DNS domain share the same symmetric key. To perform CDSSO with servers in another DNS domain (which may or may not also be in a different Security Access Manager domain), a different key is needed for that remote domain, and it must be shared with the servers there: a token encrypted for one peer domain cannot be decrypted, or accepted, by a domain that holds a different key.
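The following is an added illustrative model of the hand-off described above (the identity token passed between domains, and the per-domain symmetric keys). It is not Security Access Manager code and does not reproduce the product's token format or cipher: the JSON claim layout, the encrypt-then-MAC construction built from HMAC-SHA256, the key table keyed by remote DNS domain, and the destination and freshness checks in accept_token are all assumptions made for this example. The three DNS domains and the keys in demo() are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _subkeys(shared_key):
    # Split the single shared symmetric key into an encryption key and a MAC
    # key (assumption: simple HMAC-based derivation, for illustration only).
    enc = hmac.new(shared_key, b"cdsso-enc", hashlib.sha256).digest()
    mac = hmac.new(shared_key, b"cdsso-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # Toy counter-mode keystream from HMAC-SHA256; stands in for the product's
    # symmetric cipher, which this page does not specify.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(shared_key, plaintext):
    # Encrypt-then-MAC; token is urlsafe base64 of nonce || ciphertext || tag.
    enc_key, mac_key = _subkeys(shared_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def unseal(shared_key, token):
    # Verify the tag before decrypting; any key mismatch or tampering raises.
    enc_key, mac_key = _subkeys(shared_key)
    raw = base64.urlsafe_b64decode(token.encode())
    if len(raw) < 16 + 32:
        raise ValueError("token too short")
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token failed integrity check (wrong key or tampered)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Domain:
    # One DNS domain. peer_keys maps each remote DNS domain to the symmetric
    # key shared with it; a domain with no entry has no CDSSO trust with us.
    def __init__(self, dns_domain, peer_keys):
        self.dns_domain = dns_domain
        self.peer_keys = peer_keys

    def issue_token(self, user, target_domain, now=None):
        # Originating domain: the user is already authenticated here and is
        # following a link into target_domain. KeyError means no key is
        # configured for that remote domain, so no CDSSO is possible.
        key = self.peer_keys[target_domain]
        claims = {"user": user, "from": self.dns_domain, "to": target_domain,
                  "iat": int(now if now is not None else time.time())}
        return seal(key, json.dumps(claims).encode())

    def accept_token(self, token, source_domain, now=None, max_age=60):
        # Receiving domain: decrypt with the key shared with source_domain,
        # then (added hardening assumptions, not stated on the page) require
        # that the token names us as destination and is still fresh, so a
        # captured token cannot be replayed elsewhere or later.
        claims = json.loads(unseal(self.peer_keys[source_domain], token))
        if claims["from"] != source_domain or claims["to"] != self.dns_domain:
            raise ValueError("token not issued by/for the expected domains")
        age = (now if now is not None else time.time()) - claims["iat"]
        if age < 0 or age > max_age:
            raise ValueError("token outside its validity window")
        return claims["user"]


def demo():
    # Constructed keys: example.com shares one key with example.net and a
    # different key with example.org; example.org has no key for example.net.
    k_com_net, k_com_org = b"\x01" * 32, b"\x02" * 32
    com = Domain("example.com", {"example.net": k_com_net, "example.org": k_com_org})
    net = Domain("example.net", {"example.com": k_com_net})
    org = Domain("example.org", {"example.com": k_com_org})

    t0 = 1_700_000_000
    token = com.issue_token("alice", "example.net", now=t0)
    results = {"accepted": net.accept_token(token, "example.com", now=t0 + 5)}
    for label, dom, when in (("wrong_key", org, t0 + 5), ("replay", net, t0 + 3600)):
        try:
            dom.accept_token(token, "example.com", now=when)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() shows the three outcomes the text implies: example.net, which holds the key shared with example.com, accepts the token and learns the user is alice; example.org, which holds a different key, fails the integrity check and never sees the identity; and the same token presented an hour later is refused by the freshness window. The freshness and destination checks are not described on this page and are included as the caveat a practitioner would want when designing any such hand-off.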