To Enable CDSSO and Cookie Hijacking Prevention in the Java EE Policy Agent
The configuration instructions in this section use the following mapping, based on Figure 16–5:

Table 16–2 Mapping Figure 16–5 to Server Names

Figure Label | Server Name Example
---|---
Load Balancer 1 | lb1_server.hostname
Load Balancer 2 | lb2_server.hostname
OpenSSO Enterprise Server 1 | server1.hostname
OpenSSO Enterprise Server 2 | server2.hostname
1. Enable CDSSO for the Centralized Mode policy agent profile.
   a. Log in to the OpenSSO Enterprise server as an administrator.
   b. In the OpenSSO Enterprise administration console, go to Realm > Agents > J2EE Agents > Agent_Name > SSO.
   c. Enable the property Cross Domain SSO.
   d. Set the value for the CDSSO Redirect URI. Example: /agentapp/sunwCDSSORedirectURI
   e. Set the value for the CDSSO Servlet URL. Example:

      ```
      lb2_server_protocol://lb2_server.hostname:lb2_server.port/server-deployment-uri/cdcservlet
      ```

   f. Set the CDSSO Clock Skew to 0.
   g. Add the CDSSO Trusted ID Provider. Example (one entry for each OpenSSO Enterprise server):

      ```
      server1_protocol://server1.hostname:server1.port/server1-deployment-uri/cdcservlet
      server2_protocol://server2.hostname:server2.port/server2-deployment-uri/cdcservlet
      ```
2. Enable CDSSO for the Local Mode policy agent profile: edit OpenSSOAgentConfiguration.properties and set the CDSSO-related parameters. Example:

   ```
   com.sun.identity.agents.config.cdsso.enable = true
   com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
   com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = <lb2_server_protocol>://<lb2_server.hostname>:<lb2_server.port>/<server-deployment-uri>/cdcservlet
   com.sun.identity.agents.config.cdsso.clock.skew = 0
   com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = <server1_protocol>://<server1.hostname>:<server1.port>/<server1-deployment-uri>/cdcservlet
   com.sun.identity.agents.config.cdsso.trusted.id.provider[1] = <server2_protocol>://<server2.hostname>:<server2.port>/<server2-deployment-uri>/cdcservlet
   ```
3. Enable Cookie Hijacking Prevention in the OpenSSO Enterprise server.
   a. Log in to the OpenSSO Enterprise server as an administrator.
   b. In the OpenSSO Enterprise administration console, go to Configuration > Sites and Server > Default server settings > Advanced and set the following properties:

      ```
      com.sun.identity.enableUniqueSSOTokenCookie=true
      com.sun.identity.authentication.uniqueCookieName=sunIdentityServerAuthNServer
      com.sun.identity.authentication.uniqueCookieDomain=server domain
      ```

   c. Go to Configuration > System > Platform. Remove the server domain and add the OpenSSO Enterprise server host name.

   If OpenSSO Enterprise is deployed behind a load balancer, then in step 3c do not use the OpenSSO Enterprise server host name. Instead, use the load balancer host name.
4. Enable a unique SSO token cookie in the agent profile. Do one of the following:
   - For the Centralized Mode policy agent, go to RootRealm > Agents > J2EE Agents > AgentName > Advanced > Custom Properties, and add the following property: com.sun.identity.enableUniqueSSOTokenCookie=true
   - For the Local Mode policy agent, in the OpenSSOAgentConfiguration.properties file, add the following property: com.sun.identity.enableUniqueSSOTokenCookie=true
To Enable CDSSO and Cookie Hijacking Prevention in the Web Policy Agent

1. Enable CDSSO for the Centralized Mode policy agent profile.
   a. Log in to the OpenSSO Enterprise server as an administrator.
   b. In the OpenSSO Enterprise administration console, go to Realm > Agents > Web Agents > Agent_Name > SSO.
   c. Enable the property Cross Domain SSO.
   d. Set the value for the CDSSO Servlet URL. Example:

      ```
      lb2_server_protocol://lb2_server.hostname:lb2_server.port/server-deployment-uri/cdcservlet
      ```
2. Enable CDSSO for the Local Mode policy agent profile: edit OpenSSOAgentConfiguration.properties and set the CDSSO-related parameters. Example:

   ```
   com.sun.identity.agents.config.cdsso.enable = true
   com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = lb2_server_protocol://lb2_server.hostname:lb2_server.port/server-deployment-uri/cdcservlet
   ```
3. Enable Cookie Hijacking Prevention in the OpenSSO Enterprise server.
   a. Log in to the OpenSSO Enterprise server as an administrator.
   b. In the OpenSSO Enterprise administration console, go to Configuration > Sites and Server > Default server settings > Advanced and set the following properties:

      ```
      com.sun.identity.enableUniqueSSOTokenCookie=true
      com.sun.identity.authentication.uniqueCookieName=sunIdentityServerAuthNServer
      com.sun.identity.authentication.uniqueCookieDomain=server domain
      ```

   c. Go to Configuration > System > Platform. Remove the server domain and add the server host name.

   If OpenSSO Enterprise is deployed behind a load balancer, then in step 3c do not use the OpenSSO Enterprise server host name. Instead, use the load balancer host name.
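The Local Mode steps in both procedures above (the CDSSO properties and the unique SSO token cookie property for the Java EE agent, and the CDSSO properties for the Web agent) are hand edits to OpenSSOAgentConfiguration.properties, and a placeholder left unresolved or a property omitted fails silently at edit time. The following Python script is an added example, not code from OpenSSO Enterprise or its documentation: it parses such a file and checks that the settings named in those steps are present and well formed. The property names are the ones from the procedures; the sample files are constructed, with ports and the `/opensso` deployment URI assumed; the warning on `http` rather than `https` cdcservlet URLs is an added recommendation, not something the procedure states.

```python
import re
from urllib.parse import urlsplit

# Property names exactly as used in the procedures above.
CDSSO_ENABLE = "com.sun.identity.agents.config.cdsso.enable"
CDSSO_REDIRECT_URI = "com.sun.identity.agents.config.cdsso.redirect.uri"
CDSSO_CDCSERVLET_URL = "com.sun.identity.agents.config.cdsso.cdcservlet.url"
CDSSO_CLOCK_SKEW = "com.sun.identity.agents.config.cdsso.clock.skew"
CDSSO_TRUSTED_IDP = "com.sun.identity.agents.config.cdsso.trusted.id.provider"
UNIQUE_COOKIE = "com.sun.identity.enableUniqueSSOTokenCookie"

_INDEXED = re.compile(r"^(?P<base>.+?)\[(?P<idx>\d+)\]$")
_PLACEHOLDER = re.compile(r"<[^>]*>")  # an unresolved <lb2_server.hostname>-style value


def parse_properties(text):
    """Parse 'key = value' lines; key[0], key[1], ... become a list under the bare key."""
    props, indexed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank or comment line
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key/value line
        key, value = key.strip(), value.strip()
        m = _INDEXED.match(key)
        if m:
            indexed.setdefault(m.group("base"), {})[int(m.group("idx"))] = value
        else:
            props[key] = value
    for base, by_idx in indexed.items():
        props[base] = [by_idx[i] for i in sorted(by_idx)]
    return props


def _as_list(value):  # tolerate a value written without an [n] index
    return [] if value is None else ([value] if isinstance(value, str) else value)


def _check_cdcservlet_url(name, url, errors, warnings):
    """A cdcservlet URL must be absolute http(s), name a host and end in /cdcservlet."""
    if _PLACEHOLDER.search(url):
        errors.append(f"{name}: unresolved placeholder in {url!r}")
        return
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        errors.append(f"{name}: not an absolute http(s) URL: {url!r}")
        return
    if not parts.path.endswith("/cdcservlet"):
        errors.append(f"{name}: path must end in /cdcservlet: {url!r}")
    if parts.scheme != "https":
        # Added recommendation, not from the procedure: the CDC exchange carries the
        # SSO token, so clear-text transport exposes it to anyone on the network path.
        warnings.append(f"{name}: uses http rather than https: {url!r}")


def check_agent_config(props, agent_type="j2ee", require_unique_cookie=True):
    """Return (errors, warnings); agent_type 'web' skips the Java EE-only settings."""
    errors, warnings = [], []
    if props.get(CDSSO_ENABLE, "").lower() != "true":
        errors.append(f"{CDSSO_ENABLE} must be true")
    urls = _as_list(props.get(CDSSO_CDCSERVLET_URL))
    if not urls:
        errors.append(f"{CDSSO_CDCSERVLET_URL}[0] is missing")
    for i, url in enumerate(urls):
        _check_cdcservlet_url(f"{CDSSO_CDCSERVLET_URL}[{i}]", url, errors, warnings)
    if agent_type == "j2ee":
        uri = props.get(CDSSO_REDIRECT_URI, "")
        if not uri.startswith("/"):
            errors.append(f"{CDSSO_REDIRECT_URI} must be an absolute path, got {uri!r}")
        if props.get(CDSSO_CLOCK_SKEW) != "0":
            errors.append(f"{CDSSO_CLOCK_SKEW} must be 0")
        idps = _as_list(props.get(CDSSO_TRUSTED_IDP))
        if not idps:
            errors.append(f"{CDSSO_TRUSTED_IDP}[0] is missing")
        for i, url in enumerate(idps):
            _check_cdcservlet_url(f"{CDSSO_TRUSTED_IDP}[{i}]", url, errors, warnings)
    if require_unique_cookie and props.get(UNIQUE_COOKIE, "").lower() != "true":
        errors.append(f"{UNIQUE_COOKIE} must be true (cookie hijacking prevention)")
    return errors, warnings


# Constructed sample: placeholders filled with the Table 16-2 example host names,
# assumed ports and an assumed /opensso deployment URI (not real hosts).
SAMPLE_J2EE_OK = """
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://lb2_server.hostname:443/opensso/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://server1.hostname:8443/opensso/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[1] = https://server2.hostname:8443/opensso/cdcservlet
com.sun.identity.enableUniqueSSOTokenCookie = true
"""

# Constructed sample with typical mistakes: an unresolved placeholder, a clear-text
# trusted provider URL, and the unique-cookie property from step 4 never added.
SAMPLE_J2EE_BAD = """
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = <lb2_server_protocol>://<lb2_server.hostname>:<lb2_server.port>/opensso/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://server1.hostname:8080/opensso/cdcservlet
"""
```

Run `check_agent_config(parse_properties(open(path).read()))` against the agent's file after the Local Mode edits, or with `agent_type="web", require_unique_cookie=False` for a Web agent file edited as in the Web procedure; the first sample returns no findings, the second returns two errors (the placeholder and the missing unique-cookie property) and one warning (the `http` trusted provider). The checker is deliberately strict about the clock skew being exactly `0` and the URLs ending in `/cdcservlet`, since those are the values the procedure prescribes and a typo such as `cdservlet` otherwise surfaces only as a failed redirect at login time.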