29 Supporting Multiple Split SSO Domains Using ECC

OAM supports multi-domain SSO by default, so SSO can be achieved across multiple internet domains. OAM also supports split-domain authentication, where SSO is available to the applications within a specific domain and there is no cross-domain SSO between domains.

The following two scenarios are supported.

Scenario 1: Using different policies for the same application in each domain

In this case, if you want to apply different authentication policies and schemes to each application depending on the web domain, create a separate application domain for each combination of application and web domain. Within each web domain, all user interaction with the OAM server must stay in that domain: the application's WebGate must interact with a reverse proxy in the same domain, and the OAM credential collector pages must be served from the reverse proxy in that same domain.

Follow these steps to set different policies for the same application in each domain:
  1. Define separate application domains and policies for each web domain and application.
  2. Use a separate WebGate for each application domain.
  3. Use a separate reverse proxy per domain.
  4. Optionally, configure a load balancer to front the multiple web domains and their reverse proxies.
  5. Update the challenge redirect URL in the authentication schemes used by the policies so that it points to that domain's load balancer or reverse proxy.
    For example, Domain1: mydomain.com

    Figure 29-1 Mydomain example

    Domain2: example.com

    Figure 29-2 Example Domain

Scenario 2: Using the same policies for the same application in both domains

In this case, the policies are the same across domains, but the login URLs must stay in the user's own domain. All user interaction with the OAM server remains in the same web domain: the application's WebGate must interact with a reverse proxy in the same domain, and the OAM credential collector pages must be served from the reverse proxy in that same domain.

The following configuration lets the authentication scheme be selected according to the web domain of the request, with the login URL configured per domain.
  1. Define a single application domain per application, covering all the web domains.
  2. Use a separate reverse proxy and WebGate for each web domain, or use a separate virtual host configuration for each web domain.
  3. Configure a load balancer that fronts the OAM server for all domains, or create a separate reverse proxy for each domain.
  4. Create a separate authentication scheme for each web domain, and update its challenge redirect URL to that domain's URL.
    Domain1: example.com

    Figure 29-3 Example Domain Schema

    Domain2: mydomain.com

    Figure 29-4 MyDomain Schema

  5. Update the policy to define pre-authentication rules.
    1. In the authentication policy, define a pre-authentication rule for each domain, for example request.returnHost.lower().find("mydomain") > 0, and assign to it the authentication scheme created for that domain (here, the mydomain scheme).
    2. Add one such pre-authentication rule for every domain that must be supported.
      Figure 29-5 Example Domain Rule

      Figure 29-6 MyDomain Rule

  6. Run the WLST command disableSkipAuthnRuleEval() so that the pre-authentication rules are evaluated.
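
The following is an added example, not code from the OAM documentation or product: it models in plain Python how the pre-authentication rules from step 5 select an authentication scheme from the request's return host, so a rule set can be checked against the hostnames it should and should not claim before it is applied to a policy. The Request class, the scheme names and the select_scheme/host_in_domain helpers are assumptions made for the example; only the rule expression request.returnHost.lower().find("mydomain") > 0 comes from the page. It also goes slightly beyond the page by placing a suffix-anchored rule next to the substring rule, because find() > 0 matches the substring anywhere in the host (and does not match the bare domain, where find() returns 0).

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class Request:
    # Mirrors the request.returnHost attribute read by the page's rule: the host
    # the user is returned to after login. Constructed for this example.
    returnHost: str


Rule = Callable[[Request], bool]

# Step 5 as data: one (rule, scheme) pair per supported web domain.
# Rule bodies follow the page's expression form; the scheme names are assumed.
SUBSTRING_RULES: List[Tuple[Rule, str]] = [
    (lambda r: r.returnHost.lower().find("mydomain") > 0, "MyDomainScheme"),
    (lambda r: r.returnHost.lower().find("example") > 0, "ExampleDomainScheme"),
]


def host_in_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it (case-insensitive, optional :port)."""
    host = host.lower().split(":", 1)[0]
    return host == domain or host.endswith("." + domain)


# Tighter alternative: anchor on the full domain suffix instead of a substring.
SUFFIX_RULES: List[Tuple[Rule, str]] = [
    (lambda r: host_in_domain(r.returnHost, "mydomain.com"), "MyDomainScheme"),
    (lambda r: host_in_domain(r.returnHost, "example.com"), "ExampleDomainScheme"),
]

# Scheme used when no pre-authentication rule matches (assumed name).
DEFAULT_SCHEME = "DefaultScheme"


def select_scheme(request: Request, rules: Iterable[Tuple[Rule, str]]) -> str:
    """First matching rule wins, as with ordered pre-authentication rules; else the default."""
    for rule, scheme in rules:
        if rule(request):
            return scheme
    return DEFAULT_SCHEME


def evaluate_rule_set(rules: Iterable[Tuple[Rule, str]], hosts: Iterable[str]) -> Dict[str, str]:
    """Map each constructed host to the scheme the rule set selects, for review."""
    rules = list(rules)
    return {h: select_scheme(Request(h), rules) for h in hosts}


# Constructed hosts: ones each domain should claim, plus ones it should not.
SAMPLE_HOSTS = [
    "app.mydomain.com",
    "MYDOMAIN.COM",               # bare domain: find() returns 0, so "> 0" is False
    "app.example.com",
    "app.mydomain.example.org",   # unrelated host that merely contains the substring
]

if __name__ == "__main__":
    for name, rules in (("substring rules", SUBSTRING_RULES), ("suffix rules", SUFFIX_RULES)):
        print(name)
        for host, scheme in evaluate_rule_set(rules, SAMPLE_HOSTS).items():
            print(f"  {host:28} -> {scheme}")
```

Running the script side by side shows where the two rule styles disagree: the substring rule sends app.mydomain.example.org to MyDomainScheme and leaves MYDOMAIN.COM on the default scheme, while the suffix rule does the reverse. Whichever form is used in the policy, evaluating it against a list like SAMPLE_HOSTS before running disableSkipAuthnRuleEval() confirms that each domain's login URL is reached only from that domain.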