Technical Note: Sun Java System Access Manager Cross-Domain Single Sign-On

CDSSO versus SAML/Liberty

CDSSO has nothing to do with SAML/Liberty, even though its implementation uses a Liberty-like protocol exchange (an AuthNResponse). SAML/Liberty solves a broader set of SSO problems, whereas CDSSO focuses on a much narrower subset.

CDSSO requires all Access Manager policy agents to be configured to use a single Access Manager server. This means only one user identity can exist in the entire system. In SAML/Liberty, user identities can exist in multiple systems, such as Service Providers (SPs) and Identity Providers (IDPs), and SAML/Liberty enables account mapping from IDP to SP. Account mapping from IDP to SP is not possible with CDSSO. Because of the single user store assumption, issues such as account mapping, attribute flow and session synchronization in SAML/Liberty are not relevant to CDSSO. If the situation fits all of the following conditions, then CDSSO may be a simpler and more suitable solution than SAML/Liberty:

  1. Only Sun Java System Access Manager and Sun policy agents are involved.

  2. Access Manager policy agents are all configured to use the same Access Manager infrastructure where multiple Access Manager instances can exist.

  3. Access Manager uses a single user identity store.

  4. Multiple Access Manager instances configured for high availability must all reside in a single DNS domain. Only policy agents can reside in different DNS domains.