000022116 - What is being done with RSA ClearTrust shared secret and how is this used for Single Sign-On (SSO) and Inter-Site Single Sign-On (ISSO)?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000022116
Applies To: RSA ClearTrust 5.5.3 Authorization Server (AServer)
RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0

Single Sign-On (SSO)
Inter-Site Single Sign-On (ISSO)
Issue: What is being done with RSA ClearTrust shared secret, and how is this used for Single Sign-On (SSO) and Inter-Site Single Sign-On (ISSO)?
Resolution
The RSA ClearTrust shared secret is used only to encrypt the package of session keys issued by the keyserver; the shared secret itself is not a session key. Typically 15 session keys are maintained at any one time: one current key used for encryption, and the rest expired encryption keys retained so that cookies issued under them can still be decrypted. The Authorization Server uses these keys to encrypt and decrypt the cookies.

In the case of older Agents (version 4.0 and earlier) or in the case of later Agents configured for Inter-Site Single Sign-On (ISSO), the Agents must also be configured to receive the session keys from the keyserver, and must have a shared secret. In the earlier Agents, this is required because the cookie encryption and decryption is done at the Agent itself. For Agents configured for ISSO, the session keys are used by the ISSO WAX .DLL to decrypt the browser cookie passed between domains during the initial ISSO handshake.
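As an added illustration (not RSA's code, nor the product's actual cipher or wire format), the following Python model shows the arrangement described above: a keyserver that seals the whole session-key package under the shared secret, and an AServer that unwraps it, encrypts cookies with the newest of its 15 keys and decrypts with any key still in the ring, so a cookie stops being decryptable once its key has aged out. The HMAC-based cipher, the 36-byte key-record format and all names are constructed assumptions.

```python
import hmac, hashlib, os, struct

RING_SIZE = 15  # one current encryption key plus 14 retired keys kept only for decryption

def _prf_xor(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 as a counter-mode keystream (not ClearTrust's real algorithm)
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def seal(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = _prf_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("package or cookie failed authentication")
    return _prf_xor(key, nonce, ct)

class KeyServer:  # generates session keys; ships the ring as one package sealed under the shared secret
    def __init__(self, shared_secret):
        self.shared_secret, self.ring, self.next_id = shared_secret, [], 1
    def rotate(self):
        self.ring.append((self.next_id, os.urandom(32)))
        self.ring, self.next_id = self.ring[-RING_SIZE:], self.next_id + 1
        return seal(self.shared_secret, b"".join(struct.pack(">I", kid) + k for kid, k in self.ring))

class AServer:  # newest key encrypts cookies; any key still in the ring may decrypt them
    def __init__(self, shared_secret):
        self.shared_secret, self.ring = shared_secret, {}
    def receive_package(self, package):
        raw = unseal(self.shared_secret, package)  # the shared secret only unwraps the key package
        self.ring = {struct.unpack(">I", raw[i:i + 4])[0]: raw[i + 4:i + 36] for i in range(0, len(raw), 36)}
    def encrypt_cookie(self, session):
        kid = max(self.ring)
        return struct.pack(">I", kid) + seal(self.ring[kid], session)
    def decrypt_cookie(self, cookie):
        key = self.ring.get(struct.unpack(">I", cookie[:4])[0])
        return unseal(key, cookie[4:]) if key else None  # None: its key has aged out of the ring

def demo():
    secret = os.urandom(32)  # constructed; in the product this is the configured shared secret
    keyserver, aserver = KeyServer(secret), AServer(secret)
    aserver.receive_package(keyserver.rotate())
    cookie = aserver.encrypt_cookie(b"user=alice")
    for _ in range(RING_SIZE - 1):
        aserver.receive_package(keyserver.rotate())
    still_valid = aserver.decrypt_cookie(cookie)  # 14 rotations later the old key is still in the ring
    aserver.receive_package(keyserver.rotate())   # the 15th rotation evicts it
    return still_valid, aserver.decrypt_cookie(cookie)
```

The same rotation window is why an Agent doing its own cookie decryption, or an ISSO WAX .DLL decrypting the handshake cookie, must also receive the key package: without the ring, and the shared secret to unwrap it, neither side can read cookies the AServer issued.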
Legacy Article ID: a26978
