Single Sign-on across multiple sub-domains in Tomcat
The CLM documentation clearly states that single sign-on across multiple servers is not supported in Tomcat:
http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0/topic/com.ibm.jazz.install.doc/topics/t_deploy_single_sign-on.html?resultof=%22%73%69%6e%67%6c%65%22%20%22%73%69%6e%67%6c%22%20%22%73%69%67%6e%22%20
However, for those who have a common domain/sub-domains, I got it working. I have only tested this on a single server -- would this configuration work on multiple servers?
Edit your Tomcat server.xml. On the line that states:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
Modify it to add a cookieDomain parameter. The JTS must be on a higher common domain than the rest of the applications. If your subdomains are:
JTS = jazz.example.com
RTC = rtc.jazz.example.com
RQM = rqm.jazz.example.com
RRC = rrc.jazz.example.com
Then your line should look like the following:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" cookieDomain="jazz.example.com" />
You would need to register the applications using these domains in jts/setup.
For more information on SingleSignOn in Tomcat, see:
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Single_Sign_On_Valve
4 answers
Hey Ben, I don't think it will work. The Tomcat single sign on solution is very simple, it just uses cookies to establish a session which is then recognized across all the web apps on a single virtual host. As far as I know, there's no mechanism in Tomcat to make this work across hosts, which would require some sort of shared keys or session synchronization. The simplest true SSO solution I know of is WebSphere's LTPA.
Thanks,
Scott
Scott, it can work, but you have to put the JTS on a domain higher than everything else in order to make it work. I'll edit my instructions above. I'm pretty sure it would work in a multiple server configuration, so long as the servers are all in the same domain.
LTPA is clearly a better method, though...
Hello Benjamin,
I tried your solution in an environment with multiple servers (one per application). In front of these servers we have an Apache reverse proxy that redirects all our requests. This means that we access the Jazz applications through these URLs:
http://name.domain.com/jts or
http://name.domain.com/ccm or
http://name.domain.com/jazz, or
.....
I added this line in each server.xml: <Valve className="org.apache.catalina.authenticator.SingleSignOn" cookieDomain="name.domain.com"/>
But it doesn't seem to work. Have you gained any further experience with your proposal since this post?
Thanks for your help.
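What the cookieDomain setting from the original post actually controls is the browser's cookie domain-matching rule, and the same rule decides what happens in the single-hostname reverse-proxy layout from the reply above. The following is an added example in Python, not code from the original post, from Tomcat or from CLM. It applies the RFC 6265 section 5.1.3 matching rule to both layouts, flags a cookieDomain that is narrower or wider than the deployment needs, and inspects the Domain, Secure and HttpOnly attributes of a Set-Cookie header. The hostnames are taken from the two posts; the Set-Cookie header value is constructed sample data, not something captured from a real CLM server.

```python
"""Added example (not code from the original post, from Tomcat or from CLM):
apply the browser's cookie domain-matching rule (RFC 6265 section 5.1.3) to a
CLM deployment layout to see which hosts will be offered Tomcat's SSO cookie
(JSESSIONIDSSO) for a given cookieDomain, and inspect the Set-Cookie header
the valve emits. Hostnames and the header below are constructed sample data."""
from typing import Dict, List, Optional

# Constructed sample: the sub-domain layout from the original question.
SUBDOMAIN_LAYOUT: Dict[str, str] = {
    "JTS": "jazz.example.com",
    "RTC": "rtc.jazz.example.com",
    "RQM": "rqm.jazz.example.com",
    "RRC": "rrc.jazz.example.com",
}

# Constructed sample: the reverse-proxy layout from the later reply, where one
# hostname fronts every application and only the path differs.
PROXY_LAYOUT: Dict[str, str] = {
    "JTS": "name.domain.com",
    "CCM": "name.domain.com",
    "JAZZ": "name.domain.com",
}

# Constructed sample Set-Cookie header, shaped like one the SSO valve would send.
SAMPLE_SET_COOKIE = (
    "JSESSIONIDSSO=0123456789ABCDEF0123456789ABCDEF; "
    "Domain=jazz.example.com; Path=/; Secure; HttpOnly"
)


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host matches cookie_domain when they are equal, or host
    ends with "." + cookie_domain and host is not an IP address literal."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    if not host.endswith("." + cookie_domain):
        return False
    return not all(label.isdigit() for label in host.split("."))


def sso_cookie_scope(cookie_domain: str, layout: Dict[str, str]) -> Dict[str, bool]:
    """Per application: will the browser send the SSO cookie to its host?"""
    return {app: domain_match(host, cookie_domain) for app, host in layout.items()}


def common_parent(hosts: List[str]) -> str:
    """Longest domain suffix (whole labels) shared by all hosts; "" if none."""
    reversed_labels = [h.lower().rstrip(".").split(".")[::-1] for h in hosts]
    shared: List[str] = []
    for column in zip(*reversed_labels):
        if len(set(column)) != 1:
            break
        shared.append(column[0])
    return ".".join(reversed(shared))


def check_cookie_domain(cookie_domain: str, layout: Dict[str, str]) -> List[str]:
    """Findings about a proposed cookieDomain; an empty list means it fits the
    layout exactly: every application gets the cookie and nothing wider does."""
    findings: List[str] = []
    cd = cookie_domain.lower().strip(".")
    for app, receives in sso_cookie_scope(cd, layout).items():
        if not receives:
            findings.append(f"{app} ({layout[app]}) is outside {cd}; "
                            f"the browser will not send it the SSO cookie")
    parent = common_parent(list(layout.values()))
    # A Domain wider than the common parent hands a bearer session cookie to
    # every other host under it, not just the CLM applications.
    if cd != parent and domain_match(parent, cd):
        findings.append(f"cookieDomain={cd} is wider than the common parent "
                        f"{parent}; every host under {cd} receives the SSO cookie")
    return findings


def cookie_domain_from_header(set_cookie: str) -> Optional[str]:
    """Domain attribute of a Set-Cookie header value, or None if absent."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.strip().lower() == "domain":
            return value.strip().lower().lstrip(".") or None
    return None


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Which of Secure / HttpOnly the header lacks. The SSO cookie is a bearer
    token, so it should carry both when the applications are served over TLS."""
    attrs = {a.strip().partition("=")[0].strip().lower()
             for a in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


if __name__ == "__main__":
    for name, layout, cd in (("sub-domains", SUBDOMAIN_LAYOUT, "jazz.example.com"),
                             ("sub-domains, too wide", SUBDOMAIN_LAYOUT, "example.com"),
                             ("reverse proxy", PROXY_LAYOUT, "name.domain.com")):
        print(f"{name}: cookieDomain={cd}", sso_cookie_scope(cd, layout),
              check_cookie_domain(cd, layout) or "OK")
    print("header domain:", cookie_domain_from_header(SAMPLE_SET_COOKIE),
          "missing flags:", missing_cookie_flags(SAMPLE_SET_COOKIE) or "none")
```

Run it and the two layouts behave differently for different reasons. With cookieDomain="jazz.example.com" every one of the four hosts domain-matches, so the browser presents JSESSIONIDSSO to all of them; with "rtc.jazz.example.com" only RTC would get it, and with "example.com" every other host under example.com gets it too, which is the scope to avoid for a bearer cookie. In the reverse-proxy layout all requests already go to name.domain.com, so cookie scope cannot be what is failing there: the cookie reaches whichever backend the proxy forwards to, and the remaining question is whether that Tomcat instance recognises an SSO identifier it did not issue, since the valve keeps its SSO entries in memory on the instance that created them. The last line of output is the check to make against a real response header: the Domain attribute should equal the configured cookieDomain, and Secure and HttpOnly should both be present when the applications are served over HTTPS.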