|Applies To||RSA ClearTrust 5.5.3 Authorization Server (AServer)|
RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0
Single Sign-On (SSO)
Inter-Site Single Sign-On (ISSO)
|Issue||What is being done with the RSA ClearTrust shared secret, and how is it used for Single Sign-On (SSO) and Inter-Site Single Sign-On (ISSO)?|
The RSA ClearTrust shared secret is used only to encrypt the package of session keys issued by the keyserver; the shared secret itself is not the session key. Typically 15 session keys are maintained at any one time: one is used for encryption, and the rest are expired encryption keys kept for decryption. The Authorization Server uses these keys to encrypt and decrypt the cookies.
Older Agents (version 4.0 and earlier), and later Agents configured for Inter-Site Single Sign-On (ISSO), must also be configured to receive the session keys from the keyserver and must have a shared secret. In the earlier Agents, this is required because cookie encryption and decryption are done at the Agent itself. For Agents configured for ISSO, the session keys are used by the ISSO WAX .DLL to decrypt the browser cookie passed between domains during the initial ISSO handshake.
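The key hierarchy described above, sketched as an added example that is not RSA's code: a keyserver keeps a ring of 15 session keys, seals the ring under a key derived from the shared secret, and a consumer unpacks it and decrypts cookies with the current or an expired key. The cipher (HMAC-SHA256 keystream plus MAC), the SHA-256 key derivation, the 32-byte key size and all names are assumptions made for illustration; ClearTrust's actual algorithms and formats are not given in this article.

```python
import hashlib, hmac, os
from collections import deque
RING_SIZE = 15  # typical count from the article: 1 active key + 14 expired ones

def _stream(key, nonce, n):  # stand-in keystream, not ClearTrust's cipher
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or modified data
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap_key(shared_secret):  # simplification: a real system would use a proper KDF
    return hashlib.sha256(b"wrap" + shared_secret).digest()

class KeyServer:
    def __init__(self, shared_secret):
        self._wrap = wrap_key(shared_secret)
        self._ring = deque([os.urandom(32)], maxlen=RING_SIZE)  # index 0 = active

    def rotate(self):
        self._ring.appendleft(os.urandom(32))  # the oldest key drops off the end

    def package(self):  # the shared secret protects this package, never a cookie
        return seal(self._wrap, b"".join(self._ring))

def unpack(shared_secret, package):
    raw = unseal(wrap_key(shared_secret), package)
    if raw is None:
        raise ValueError("wrong shared secret or corrupted key package")
    return [raw[i:i + 32] for i in range(0, len(raw), 32)]

def encrypt_cookie(ring, data):
    return seal(ring[0], data)  # only the current key encrypts

def decrypt_cookie(ring, cookie):
    for key in ring:  # current key first, then the expired keys
        plain = unseal(key, cookie)
        if plain is not None:
            return plain
    return None  # sealed under a key that has left the ring
```

A cookie stays readable for as many rotations as there are expired slots in the ring, which is why a component with a mismatched shared secret fails at the key package step rather than at individual cookies.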
|Legacy Article ID||a26978|