In general, problems with SSO relate to some sort of mismatch of domain names. For example, a cookie that is
configured on a third-level domain such as sso.example.net will not work with an application on a
similar domain such as app.example.net. Even if the Session ID is valid, the application will not
receive the SSO Token. The request is then redirected to OpenAM. The client gets what appears as an SSO Token in the
diagram, which is actually a valid SSO tracking cookie that redirects immediately, and the cycle continues.
Other issues that may lead to similar problems are shown here.
- When a cookie domain does not match a domain for the protected application: Assume the application is configured on a domain named example.org. That application will not receive an SSO Token configured on the example.net domain.

- When a third-level domain is used for the SSO Token: If an SSO Token is configured on sso.example.net, an application on app.example.net does not receive the corresponding cookie. In this case, the solution is to configure the SSO Token on example.net.

- When the Secure flag is used with a regular HTTP application: A cookie carrying the Secure flag is sent only over HTTPS, so an application reached over plain HTTP never receives it. If you need encrypted communications for an application protected by OpenAM, use the Secure flag and make sure the application is accessible over HTTPS.

- When the path listed in the cookie does not match the path for the application: Perhaps the cookie is configured with a /helloworld path; that won't match an application that might be configured with a /hellomars path. In that case, the application will not receive the cookie.

- When an inappropriate name is used for the cookie domain: As noted earlier, client browsers are configured to ignore first-level domains such as com and net, as well as functional equivalents such as co.uk and co.jp.

- When working with different browsers: The name=value pairs described earlier may not apply to all browsers. The requirements for an HTTP cookie sent to an IE browser may differ from the requirements for other standard browsers such as Firefox and Chrome. Based on anecdotal reports, IE does not recognize domain names that start with a number. In addition, IE reportedly refuses cookies that include the underscore (_) character in the FQDN.
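As an added example (not part of the OpenAM documentation or code base), the following Python reproduces the browser-side cookie matching rules behind the cases above, so each mismatch can be checked against an application URL before it shows up as a redirect loop; the public-suffix set is a constructed subset, not the list browsers actually ship.

```python
# Added example, not OpenAM code: decides whether a browser would send an SSO
# cookie to a protected application URL, following the RFC 6265 domain-match
# and path-match rules plus the Secure flag and public-suffix checks.
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlsplit

# Constructed subset of public suffixes that browsers refuse as cookie domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "co.jp"}


@dataclass(frozen=True)
class SsoCookie:
    domain: str           # Domain attribute, e.g. "example.net"
    path: str = "/"       # Path attribute
    secure: bool = False  # Secure flag


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain or ends with '.' + domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: identical, or a prefix that ends at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_reaches_app(cookie: SsoCookie, app_url: str) -> Tuple[bool, str]:
    """Return (sent, reason) for the cookie against the protected application URL."""
    url = urlsplit(app_url)
    host, path = url.hostname or "", url.path or "/"
    if cookie.domain.lower().lstrip(".") in PUBLIC_SUFFIXES:
        return False, "cookie domain is a public suffix; browsers ignore it"
    if not domain_matches(host, cookie.domain):
        return False, f"host {host} does not domain-match {cookie.domain}"
    if cookie.secure and url.scheme != "https":
        return False, "Secure cookie is never sent over plain HTTP"
    if not path_matches(path, cookie.path):
        return False, f"path {path} does not path-match {cookie.path}"
    return True, "cookie is sent; application receives the SSO Token"


if __name__ == "__main__":
    for c, u in [(SsoCookie("sso.example.net"), "https://app.example.net/"),
                 (SsoCookie("example.net"), "https://app.example.net/")]:
        print(u, "->", cookie_reaches_app(c, u))
```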

