Technical Note: Sun Java System Access Manager Cross-Domain Single Sign-On

Web Policy Agent Use Case 2: Accessing a Protected Resource in the Non-Primary Domain First

In this use case, an unauthenticated user first accesses a protected resource in the non-primary domain (.sun.com). He then accesses a protected resource in the primary domain (.iplanet.com).

  1. An unauthenticated user attempts to access http://comal-b.central.sun.com:80/app1/test1.html. The agent intercepts the request and finds no SSO token. Because CDSSO is enabled, the agent responds with a redirect to the Access Manager CDC servlet URL https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet.

    REQUEST:


    GET /app1/test1.html HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
    application/x-shockwave-flash, 
       application/vnd.ms-excel,application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Cookie: SUN_ID=69.196.39.237:227251153914164
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: comal-b.central.sun.com

    RESPONSE:


    HTTP/1.1 302 Moved Temporarily
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:47:15 GMT
    Content-length: 0
    Content-type: text/html
    Location: https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?goto=
       http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%3FsunwMethod%
       3DGET&RequestID=13293&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%
       2Fcomal-b.central.sun.com%3A80%2Famagent&IssueInstant=2006-08-10T09%3A47%3A15Z
    Connection: close
  2. The browser follows the redirection to access the CDC servlet without any SSO token. The CDC servlet responds with a login page.

    REQUEST:


    GET /amserver/cdcservlet?goto=http%3A%2F%2Fcomal-b.central.sun.com%3A80%
       2Fapp1%2Ftest1.html%3FsunwMethod%3DGET&RequestID=13293&MajorVersion=
       1&MinorVersion=0&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%
       2Famagent&IssueInstant=2006-08-10T09%3A47%3A15Z HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-pool0.red.iplanet.com:8443
    Connection: Keep-Alive

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:46:27 GMT
    Content-type: text/html;charset=UTF-8
    Cache-control: private
    Pragma: no-cache
    Expires: 0
    X-dsameversion: 7 2005Q4
    Am_client_type: genericHTML
    Set-cookie: JSESSIONID=FCD5ED4FC043E1E2C2789D228413DB87;Path=/;Secure
    Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwS5LT8TIP9%2Bs3ZqdIV0aEtBDSLrHxr
    %2Fcs%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23
       ;Domain=.iplanet.com;Path=/
    Set-cookie: amservercookie=02;Domain=.iplanet.com;Path=/
    
    <... login page content omitted by the author ...>
  3. The user enters his credentials on the login page and clicks Submit. The login form is posted to Access Manager. If the user authenticates successfully, Access Manager responds by setting an SSO token (iPlanetDirectoryPro) in the domain .iplanet.com. The response also redirects the browser back to the CDC servlet https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet.

    REQUEST:


    POST /amserver/UI/Login HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Referer: https://am-pool0.red.iplanet.com:8443/amserver/
       cdcservlet?goto=http%3A%2F%2Fcomal-b.central.sun.com%
       3A80%2Fapp1%2Ftest1.html%3FsunwMethod%3DGET&RequestID
       =13293&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%
       2Fcomal-b.central.sun.com%3A80%2Famagent&IssueInstant=2006-08-10T09%3A47%3A15Z
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-pool0.red.iplanet.com:8443
    Content-Length: 391
    Cache-Control: no-cache
    Cookie: JSESSIONID=FCD5ED4FC043E1E2C2789D228413DB87; 
       AMAuthCookie=AQIC5wM2LY4SfcwS5LT8TIP9%2Bs3ZqdIV0aEtBDSL
       rHxr%2Fcs%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23; amservercookie=02

    RESPONSE:


    HTTP/1.1 302 Moved Temporarily
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:47:53 GMT
    Content-length: 0
    Content-type: text/html
    Cache-control: private
    Pragma: no-cache
    Connection: close
    X-dsameversion: 7 2005Q4
    Am_client_type: genericHTML
    Location: https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?
       TARGET=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html
       %3FsunwMethod%3DGET&RequestID=13293&MajorVersion=1&MinorVersion=
       0&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Famagent
       &IssueInstant=2006-08-10T09%3A47%3A15Z
    Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwlpUfPmb1dtNENXWxnAoZSuWvmQ5pg
       UB0%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23;
       Domain=.iplanet.com;Path=/
    Set-cookie: amservercookie=02;Domain=.iplanet.com;Path=/
    Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwlpUfPmb1dtNENXWxnAoZSu
       WvmQ5pgUB0%3D%40AAJTSQACMTEAAlMxAAIwMg%;
       Domain=.iplanet.com;Path=/
    Set-cookie: AMAuthCookie=LOGOUT;Domain=.iplanet.com;
       Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
  4. The browser follows the redirection to access the CDC servlet again. This time the SSO token iPlanetDirectoryPro is sent in the HTTP request because the server's DNS domain matches the cookie domain. The CDC servlet validates the SSO token and responds with an HTML page. The page contains an HTML FORM that is automatically posted to the URL on the agent (http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET, derived from the goto and TARGET parameters). The form's hidden field LARES is an encoded Liberty-like AuthnResponse that contains the existing SSO token in the domain .iplanet.com.

    REQUEST:


    GET /amserver/cdcservlet?TARGET=http%3A%2F%
       2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%3F
       sunwMethod%3DGET&RequestID=13293&MajorVersion=1&MinorVersion=
       0&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Famagent&IssueInstant
       =2006-08-10T09%3A47%3A15Z HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Referer: https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?
       goto=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%
       3FsunwMethod%3DGET&RequestID=13293&MajorVersion=1&MinorVersion=0&ProviderID
       =http%3A%2F%2Fcomal-b.central.sun.com%3A80%2
       Famagent&IssueInstant=2006-08-10T09%3A47%3A15Z
    Accept-Language: en-us
    Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: am-pool0.red.iplanet.com:8443
    Cache-Control: no-cache
    Cookie: JSESSIONID=FCD5ED4FC043E1E2C2789D228413DB87; 
       amservercookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwlpUfPm
       b1dtNENXWxnAoZSuWvmQ5pgUB0%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:47:54 GMT
    Content-type: text/html
    Pragma: no-cache
    Content-length: 3685
    Connection: keep-alive
    
    <HTML>
    <BODY Onload="document.Response.submit()">
    <FORM NAME="Response" METHOD="POST" ACTION=
    "http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET">
    <INPUT TYPE="HIDDEN" NAME="LARES" VALUE="PGxpYjpBdXRoblJlc3BvbnNlIH
    htbG5zOmxpYj0iaHR0cDovL3Byb2plY3RsaWJlcnR5Lm9yZy9zY2hlbWFzL2NvcmUvM
    jAwMi8xMiIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFz
    c2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDp
    wcm90b2NvbCIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZH
    ...
    NpZyMiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEta
    W5zdGFuY2UiIFJlc3BvbnNlSUQ9InM4N2IzNTkzOGRhZjk1YzQ4MTBmYzJlODJkMTFl
    MGMyZDI2Y2I4ZDA0IiAgSW5SZXNwb25zZVRvPSIxMzI5MyIgIE1ham9yVmVyc2lvbj0
    iMSIgIE1pbm9yVmVyc2lvbj0iMCIgIElzc3VlSW5zdGFudD0iMjAwNi0wOC0xMFQxND
    0Nzo1NFoiPjxzYW1scDpTdGF0dXM+CjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJzYW
    2FtbDpBc3NlcnRpb24+CjxsaWI6UHJvdmlkZXJJRD5odHRwczovL2lkZS0xNS5yZWQu
    Y3NlcnZsZXQ8L2xpYjpQcm92aWRlcklEPjwvbGliOkF1dGhuUmVzcG9uc2U+Cg=="/>
    </FORM>
    </BODY></HTML>
  5. The browser automatically posts the form with LARES to the goto URL http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET, without any user interaction. The agent validates the AuthnResponse and responds by setting a new SSO token iPlanetDirectoryPro with an empty cookie domain. A cookie with no Domain attribute is host-only: from then on the browser sends it only to the originating server. Also note that the cookie value is exactly the same as the one set by Access Manager in the Step 3 response.

    The policy agent also performs the necessary session validation and policy evaluation. If all is well, the user is allowed access and the protected page is served in the response.

    REQUEST:


    POST /app1/test1.html?sunwMethod=GET HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
       application/x-shockwave-flash, application/vnd.ms-excel, 
       application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
    SV1; .NET CLR 1.1.4322)
    Host: comal-b.central.sun.com
    Content-Length: 3482
    Cookie: SUN_ID=69.196.39.237:227251153914164
    
    <... posted form omitted by the author ...>

    RESPONSE:


    HTTP/1.1 200 OK
    Server: Sun-ONE-Web-Server/6.1
    Date: Thu, 10 Aug 2006 14:48:44 GMT
    Content-length: 35
    Content-type: text/html
    Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwlpUfPmb1dtNENXWx
       nAoZSuWvmQ5pgUB0%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23;Path=/
    Last-modified: Thu, 10 Aug 2006 14:40:34 GMT
    Accept-ranges: bytes
    Connection: close
    
    Success! This is test1.html page.
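As an added example that is not part of the original note, the following Python models the checks the agent in Steps 4 and 5 must make before it trusts a posted LARES and mints its host-only cookie: InResponseTo must equal the RequestID it issued in Step 1, the AuthnResponse's ProviderID must be the configured Access Manager, the form must target the original goto URL, and the agent's own Set-cookie must carry AM's token value with no Domain attribute. The LARES document, its ResponseID and the IdP ProviderID are constructed stand-ins, since the note elides the real AuthnResponse; the redirect URL, form ACTION and token value are taken from the trace above.

```python
import base64
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, unquote, urlsplit

LIB_NS = {"lib": "http://projectliberty.org/schemas/core/2002/12"}
# Step 1 Location header from the trace above (stray entity semicolons removed).
CDC_REDIRECT = (
    "https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?goto="
    "http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fapp1%2Ftest1.html%3FsunwMethod%3DGET"
    "&RequestID=13293&MajorVersion=1&MinorVersion=0"
    "&ProviderID=http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Famagent"
    "&IssueInstant=2006-08-10T09%3A47%3A15Z"
)
# Step 4 form ACTION, and the token AM set in Step 3 as echoed in the Step 4 Cookie header.
FORM_ACTION = "http://comal-b.central.sun.com:80/app1/test1.html?sunwMethod=GET"
AM_TOKEN = "AQIC5wM2LY4SfcwlpUfPmb1dtNENXWxnAoZSuWvmQ5pgUB0%3D%40AAJTSQACMTEAAlMxAAIwMg%3D%3D%23"
# Constructed stand-in for the elided LARES document; ResponseID is a placeholder and
# the issuer ProviderID is assumed to be the CDC servlet URL.
IDP_PROVIDER_ID = "https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet"
LARES = base64.b64encode((
    '<lib:AuthnResponse xmlns:lib="http://projectliberty.org/schemas/core/2002/12" '
    'ResponseID="PLACEHOLDER-RESPONSE-ID" InResponseTo="13293" MajorVersion="1" '
    'MinorVersion="0" IssueInstant="2006-08-10T14:47:54Z">'
    f"<lib:ProviderID>{IDP_PROVIDER_ID}</lib:ProviderID></lib:AuthnResponse>"
).encode()).decode()

def cdc_params(location):
    """Query parameters of the agent's cdcservlet redirect, URL-decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}

def authn_response_problems(lares_b64, request_id, idp_provider_id, form_action, goto):
    """Checks to apply before trusting a posted LARES; an empty list means accept."""
    root = ET.fromstring(base64.b64decode(lares_b64))
    problems = []
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the RequestID this agent issued")
    if root.findtext("lib:ProviderID", namespaces=LIB_NS) != idp_provider_id:
        problems.append("AuthnResponse was not issued by the configured Access Manager")
    if form_action != goto:
        problems.append("form target differs from the goto URL the agent sent to the CDC servlet")
    return problems

def agent_cookie_ok(set_cookie, am_token):
    """Step 5 rule: the agent's token cookie must be host-only and carry AM's value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar["iPlanetDirectoryPro"]
    return morsel["domain"] == "" and unquote(morsel.value) == unquote(am_token)
```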