000022403 - How to restrict Single Sign-On (SSO) to a specific web server or virtual host in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022403
Applies To: RSA ClearTrust Agent 4.6 for Microsoft IIS
Microsoft Windows Server 2003
Single Sign-On (SSO)
Issue: How to restrict Single Sign-On (SSO) to a specific web server or virtual host in RSA ClearTrust
Users should be re-prompted for authentication when they access a specific web server, even though they already hold an SSO session from another server.
Resolution: The simplest way to accomplish this is to give the virtual host a unique authentication cookie by assigning its Agent a different cleartrust.agent.cookie_name. SSO works by passing the authentication cookie from one protected host to the next; an RSA ClearTrust Agent accepts only cookies issued by Agents that use the same cookie name, so SSO can be restricted to a group of Agents or to a single Agent simply by giving that group or Agent its own cookie name. Note that this solution prevents SSO in both directions, into and out of the hosts protected by this Agent.

It is also possible to restrict the cookie by narrowing its scope with the cleartrust.agent.cookie_domain setting, which identifies the web server domain name under which the Agent issues its cookies. A browser sends a cookie only to hosts within that domain, so this method requires that you carefully structure the actual domain names of your web servers so that cookies issued to browsers by one web server are not sent to other web servers. It is even possible to configure web servers so that users from one domain can SSO to other domains while users of those other domains cannot SSO back to the original domain: a cookie issued for a parent domain is sent to every host under it, but a cookie issued for a single host name is not sent to its sibling hosts. Be aware that a cookie_domain value that does not cover the Agent's own host name causes the browser to discard the cookie, so users of that host are re-prompted on every request. This method is probably not useful in your environment because it requires the domain structure of your web sites to be modified.
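The following is an added example and is not RSA's code or configuration. It models both resolutions above: an Agent accepts only a cookie carrying its own cookie_name, and the browser sends a cookie only to hosts that domain-match the Domain attribute set via cookie_domain (the matching rules of RFC 6265). The host names, cookie names and domain values are constructed for illustration; the attribute names on the Agent class are simply labelled after the two settings and are not the real configuration file syntax.

```python
"""Simulate how SSO cookies travel between ClearTrust-style web Agents.

Added example, not RSA's code. Two controls are modelled:
  * an Agent only accepts a cookie whose name equals its cookie_name;
  * a browser only returns a cookie to hosts that domain-match the
    Domain attribute the issuing Agent set from cookie_domain.
All hosts and settings below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches domain if they are equal
    or host ends with '.' + domain. IP-address hosts are out of scope."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class Agent:
    host: str                            # virtual host the Agent protects
    cookie_name: str                     # stands for cleartrust.agent.cookie_name
    cookie_domain: Optional[str] = None  # stands for cleartrust.agent.cookie_domain


@dataclass(frozen=True)
class Cookie:
    name: str
    host: str              # host that set the cookie
    domain: Optional[str]  # Domain attribute, None for a host-only cookie


def issue_cookie(agent: Agent) -> Optional[Cookie]:
    """Cookie the browser stores after the user authenticates at `agent`.
    A browser discards a cookie whose Domain attribute does not cover the
    issuing host (RFC 6265 section 5.3 step 6): with a bad cookie_domain no
    session cookie is ever stored and the user is re-prompted every time."""
    if agent.cookie_domain is not None and not domain_matches(agent.host, agent.cookie_domain):
        return None
    return Cookie(agent.cookie_name, agent.host, agent.cookie_domain)


def browser_sends(cookie: Cookie, host: str) -> bool:
    """Would the browser include `cookie` in a request to `host`?"""
    if cookie.domain is None:
        return host.lower() == cookie.host.lower()  # host-only cookie
    return domain_matches(host, cookie.domain)


def sso_allowed(src: Agent, dst: Agent) -> bool:
    """True if a user who authenticated at `src` reaches `dst` without a re-prompt."""
    cookie = issue_cookie(src)
    if cookie is None:
        return False
    return browser_sends(cookie, dst.host) and cookie.name == dst.cookie_name


# Constructed topology (hypothetical hosts and values).
PORTAL = Agent("portal.example.com", "CTSESSION", ".example.com")
HR = Agent("hr.example.com", "CTSESSION", ".example.com")
# Resolution 1: a unique cookie name fences this host off in both directions.
FINANCE = Agent("finance.example.com", "CTSESSION_FIN", ".example.com")
# Resolution 2: a narrower cookie_domain gives one-way SSO. The portal's
# ".example.com" cookie is sent to sales.example.com, but the cookie sales
# issues is scoped to its own host and is never sent to the portal.
SALES = Agent("sales.example.com", "CTSESSION", "sales.example.com")
# Misconfiguration: cookie_domain does not cover the Agent's own host.
BROKEN = Agent("intranet.example.com", "CTSESSION", ".example.org")


def sso_matrix(agents: Iterable[Agent]) -> Dict[Tuple[str, str], bool]:
    """Pairwise SSO outcome (src host, dst host) -> allowed."""
    agents = list(agents)
    return {(a.host, b.host): sso_allowed(a, b) for a in agents for b in agents if a is not b}


if __name__ == "__main__":
    for (src, dst), ok in sorted(sso_matrix([PORTAL, HR, FINANCE, SALES, BROKEN]).items()):
        print(f"{src:22} -> {dst:22} {'SSO' if ok else 're-prompt'}")
```

Running the script prints the full matrix; the rows worth reading are PORTAL -> FINANCE and FINANCE -> PORTAL (both re-prompt, the cookie-name fence), PORTAL -> SALES (SSO) against SALES -> PORTAL (re-prompt, the one-way domain arrangement), and every row starting at BROKEN (re-prompt, because the browser never stores its cookie).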
Legacy Article ID: a28351