The following wiki link details a ForgeRock configuration that demonstrates how to achieve cross-domain single sign-on with session upgrade, using OpenID Connect.
Business Case: One of the primary tenants of achieving customer facing omni-channel business presence, is to balance security with reduction of friction. As part of that overall goal, this paper describes a particular set of configuration options that enable the tracking of a user’s actions throughout session in order to enforce security and provide context aware services. This is achieved in an adaptive fashion that reduces friction by not forcing a user to authenticate until absolutely needed. This model does however enable capabilities that provide incentive for suggestive authentication, in order to have richer experience.
Technical Constraint: This particular solution is rather trivial when leveraging the included OpenAM abstraction components either (OpenIG or Policy agents). However due to a recent customer request, this paper describes a deployment approach in a fashion that maximized the developer involvement rather than abstract away from developers the complexity. From a business perspective, this may be the less attractive of a deployment approach, however after describing the more complex case, makes the ideal option easier to understand. So, this solution architecture will have a technical constraint that it must not rely upon proxy or agent-based components; rather, the clients directly engage over modern open standards such as OpenID Connect.
Use-Case: Cross-Cookie-Domain Single Sign-on with support of notion of some resources may require authenticated user, while other resources may consider anonymous as an acceptable status from the centralized access management system. Once authenticated however, other resources should be notified that user has upgraded from anonymous to authenticated user.