Customizing SSO configuration using LTPA cookies in Liberty
With single sign-on (SSO) configuration support, web users can authenticate once when accessing Liberty resources such as HTML, JavaServer Pages (JSP) files, and servlets, or accessing resources in multiple Liberty servers that share the same Lightweight Third Party Authentication (LTPA) keys.
When a user passes authentication on one of the Liberty servers, authentication information generated by the server is transported to the web browser in a cookie. The cookie is used to propagate the authentication information to other Liberty servers.
LTPA is configured and ready for immediate use. The default name of the cookie that stores the SSO token is ltpaToken2. If you want to use a different name for the cookie, you can customize it using the ssoCookieName attribute of the <webAppSecurity> element. If you customize the cookie name, make sure that all the servers that participate in SSO use the same cookie name.
For more information about SSO, see SSO concept in Liberty. The following example code sets the cookie name to myCookieName:
<webAppSecurity logoutOnHttpSessionExpire="true" ssoCookieName="myCookieName" />
- The servers must use the same LTPA keys and share the same user registry.
- If the servers are not in the same domain, use the ssoDomainNames attribute of the <webAppSecurity> element to list the domains. The following example code sets the domain name to domain.com:
<webAppSecurity ssoDomainNames="domain.com" />
- If the servers are in the same domain, set the ssoUseDomainFromURL attribute of the <webAppSecurity> element to true, or specify the domain name in the ssoDomainNames attribute. The following example code sets ssoUseDomainFromURL to true so that the domain name is taken from the request URL:
<webAppSecurity ssoUseDomainFromURL="true" />
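The requirements above can be checked before rollout by comparing the <webAppSecurity> settings of every server in the SSO group. The following script is an added example, not part of the Liberty documentation; the server names and server.xml contents are constructed samples, and merging repeated <webAppSecurity> elements in file order is an assumption of the script.

```python
import xml.etree.ElementTree as ET

DEFAULT_COOKIE = "ltpaToken2"  # default SSO cookie name stated on this page

# Constructed sample server.xml contents for three hypothetical servers.
SAMPLE_CONFIGS = {
    "serverA": '<server><webAppSecurity ssoCookieName="myCookieName" '
               'ssoDomainNames="domain.com" /></server>',
    "serverB": '<server><webAppSecurity ssoCookieName="myCookieName" '
               'ssoUseDomainFromURL="true" /></server>',
    "serverC": '<server><webAppSecurity logoutOnHttpSessionExpire="true" /></server>',
}

def sso_settings(server_xml):
    """Return the effective SSO cookie settings from one server.xml string."""
    attrs = {}
    for elem in ET.fromstring(server_xml).iter("webAppSecurity"):
        attrs.update(elem.attrib)  # assumption: later elements override earlier ones
    return {
        "cookie": attrs.get("ssoCookieName", DEFAULT_COOKIE),
        "domains": attrs.get("ssoDomainNames", ""),
        "domain_from_url": attrs.get("ssoUseDomainFromURL", "false").lower() == "true",
    }

def check_sso_group(configs):
    """Return findings for servers that are meant to share one SSO cookie."""
    settings = {name: sso_settings(xml) for name, xml in configs.items()}
    findings = []
    # Every participating server must use the same cookie name.
    by_cookie = {}
    for name, s in settings.items():
        by_cookie.setdefault(s["cookie"], []).append(name)
    if len(by_cookie) > 1:
        detail = "; ".join(f"{cookie}: {', '.join(sorted(names))}"
                           for cookie, names in sorted(by_cookie.items()))
        findings.append(f"cookie name mismatch ({detail})")
    # Each server needs ssoDomainNames or ssoUseDomainFromURL="true".
    for name, s in sorted(settings.items()):
        if not s["domains"] and not s["domain_from_url"]:
            findings.append(f"{name}: neither ssoDomainNames nor ssoUseDomainFromURL is set")
    return findings

if __name__ == "__main__":
    for finding in check_sso_group(SAMPLE_CONFIGS):
        print(finding)
```

The check covers only the cookie name and domain attributes; that the servers share the same LTPA keys and user registry has to be verified separately.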