|Applies To||RSA ClearTrust Agent 4.6 for Microsoft IIS|
Microsoft Windows Server 2003
Single Sign-On (SSO)
|Issue||How to restrict Single Sign-On (SSO) to a specific web server or virtual host in RSA ClearTrust|
Trying to make users get re-prompted for authentication when accessing a specific web server
|Resolution||The simplest way to accomplish this is to configure this virtual host with a unique authentication cookie by assigning it a different cleartrust.agent.cookie_name. Single Sign-On (SSO) is accomplished by passing the authentication cookie. RSA ClearTrust Agents will only accept authentication cookies from Agents that use the same cookie name, so in this way it is possible to restrict SSO between groups of Agents or to a single Agent. This solution prevents SSO in both directions: into and out of hosts protected by this Agent.|
It is also possible to restrict the cookie by modifying the scope of the cookie itself using the cleartrust.agent.cookie_domain setting. This setting identifies the web server domain name under which cookies will be issued. This method requires that you carefully restructure the actual domain names of your web servers so that cookies issued to browsers from one web server are not accepted by other web servers. It is even possible to configure web servers to ensure that users from one domain can SSO to other domains, but users from the other domains cannot SSO back to the original domain. This method is probably not useful in your environment because it requires the domain structure of your web sites to be modified.
|Legacy Article ID||a28351|
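
The effect of the two settings described in the Resolution can be worked out before any Agent is changed. The following is an added example, not RSA code: it models which Agent pairs still share SSO, assuming browsers apply the standard RFC 6265 domain-match rule to the cookie domain. The Agent class, host names and cookie names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Agent:
    host: str           # web server / virtual host name (constructed sample)
    cookie_name: str    # value of cleartrust.agent.cookie_name
    cookie_domain: str  # value of cleartrust.agent.cookie_domain

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: same name, or host ends with '.' + domain."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def sso_possible(issuer: Agent, target: Agent) -> bool:
    """True if a cookie issued by `issuer` yields SSO at `target`."""
    # The browser stores the cookie only if the issuing host is inside its domain.
    if not domain_match(issuer.host, issuer.cookie_domain):
        return False
    # The browser sends the cookie only to hosts inside the cookie's domain.
    if not domain_match(target.host, issuer.cookie_domain):
        return False
    # An Agent accepts only cookies that carry its own cookie name.
    return issuer.cookie_name == target.cookie_name

def sso_matrix(agents):
    """Map (issuer host, target host) -> whether SSO works in that direction."""
    return {(a.host, b.host): sso_possible(a, b)
            for a in agents for b in agents if a is not b}

# Constructed sample deployment (names are placeholders, not product defaults).
PORTAL = Agent("www.example.com", "CT_SAMPLE", ".example.com")
HR = Agent("hr.secure.example.com", "CT_SAMPLE", ".secure.example.com")
FINANCE = Agent("finance.example.com", "CT_FINANCE_SAMPLE", ".example.com")

if __name__ == "__main__":
    for (src, dst), ok in sso_matrix([PORTAL, HR, FINANCE]).items():
        print(f"{src:24} -> {dst:24} {'SSO' if ok else 're-prompt'}")
```

FINANCE is cut off in both directions by its unique cookie name, while HR shows the one-way case: a PORTAL cookie reaches HR, but an HR cookie is never sent back to PORTAL.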