Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Common Domain

Service providers need a way to determine which identity provider is used by a principal requesting authentication. Because authentication domains are configured without regard to their location, this function must work across DNS-defined domains. Thus, a common domain is configured for this purpose. The common domain is established for use only within the scope of the Common Domain Services for Federation Management. In Access Manager deployments, the Common Domain Services for Federation Management are deployed in a web container installed in a predetermined and pre-configured common domain so that the common domain cookie is accessible to all providers in the authentication domain. If the HTTP server in the common domain is operated by the service provider, the service provider will redirect the user agent to the appropriate identity provider.

Let's suppose an authentication domain contains more than one identity provider; in this case, a service provider in the authentication domain trusts more than one identity provider. But, a principal can only issue a federation request to one identity provider, so the service provider to which the principal is requesting access must have the means to determine the correct one. To ascertain a principal’s identity provider, the service provider invokes a protocol exchange to retrieve the common domain cookie, a cookie written for the purpose of introducing the identity provider to the service provider. If no common domain cookie is found when the principal issues a federation request, the service provider must present a list of trusted identity providers from which the principal will choose. After successful authentication, the identity provider writes (using the Writer Service URL as defined in Configuring the Common Domain Services for Federation Management URLs) a common domain cookie. The next time the principal attempts to access a service, the service provider finds and reads the common domain cookie (using the Reader Service URL as defined in Configuring the Common Domain Services for Federation Management URLs), to determine the identity provider.

After a principal authenticates with a particular identity provider, the identity provider redirects the principal's browser to its Common Domain Services for Federation Management with a parameter identifying it as the identity provider for this principal. The Common Domain Services for Federation Management then writes a cookie using that parameter. Thereafter, all providers configured in this common domain will be able to tell which identity provider is used by the principal. For example, suppose an identity provider is available at http://www.Bank.com and a service provider is available via http://www.Store.com. If the common domain they define is RetailGroup.com, the addresses will be Bank.RetailGroup.com and Store.RetailGroup.com, respectively.
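The write/read exchange above, as an added illustration that is not Access Manager's own code: the Writer Service appends the authenticating identity provider to the common domain cookie, and the Reader Service returns the most recently used identity provider that the service provider actually trusts, falling back to the list of trusted identity providers when no usable cookie exists. The cookie name `_liberty_idp` and the space-separated base64 entry format are assumed from the Liberty ID-FF Identity Provider Introduction Profile; the provider identifiers and the common domain are the page's example values.

```python
import base64
from typing import Optional

# Cookie name and value format assumed from the Liberty ID-FF IdP Introduction Profile:
# a space-separated list of base64-encoded provider IDs, most recently used entry last.
COOKIE_NAME = "_liberty_idp"


def write_common_domain_cookie(existing: Optional[str], idp_id: str) -> str:
    """Writer Service: record idp_id as the most recent entry, dropping any older copy."""
    entries = existing.split(" ") if existing else []
    encoded = base64.b64encode(idp_id.encode("utf-8")).decode("ascii")
    entries = [e for e in entries if e != encoded]
    entries.append(encoded)
    return " ".join(entries)


def read_common_domain_cookie(cookie: Optional[str], trusted_idps: set) -> Optional[str]:
    """Reader Service: newest entry first, but only an IdP this SP trusts is accepted.
    The cookie is a hint written in a shared domain, so it is never used to redirect
    to a provider outside the SP's configured trust list."""
    if not cookie:
        return None
    for entry in reversed(cookie.split(" ")):
        try:
            idp_id = base64.b64decode(entry, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed entry: skip it rather than act on it
        if idp_id in trusted_idps:
            return idp_id
    return None


def choose_idp(cookie: Optional[str], trusted_idps: set):
    """SP decision: redirect to the introduced IdP, or present the trusted list."""
    idp = read_common_domain_cookie(cookie, trusted_idps)
    if idp is not None:
        return ("redirect", idp)
    return ("present_list", sorted(trusted_idps))


def set_cookie_header(value: str, common_domain: str) -> str:
    """Set-Cookie line the Writer Service sends; scoped to the common domain only."""
    return f"{COOKIE_NAME}={value}; Domain=.{common_domain}; Path=/; Secure"


if __name__ == "__main__":
    # Constructed walk-through using the page's example providers.
    cookie = write_common_domain_cookie(None, "http://www.Bank.com")
    print(set_cookie_header(cookie, "RetailGroup.com"))
    print(choose_idp(cookie, {"http://www.Bank.com"}))
```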


Note –

The Common Domain Services for Federation Management is based on the Identity Provider Introduction Profile detailed in the Liberty ID-FF Bindings and Profiles Specifications.