This topic has 2 replies, 2 voices, and was last updated 5 years, 5 months ago by Jim Mulvey.
March 8, 2017 at 9:47 pm #16204
Jim Mulvey
Participant
Hello. I have requirements that leave the built-in OpenAM login page insufficient for my needs. I understand this is not uncommon. I also have requirements for CDSSO (most specifically: protection against Cookie Hijacking).
However, I find that when the WPA is configured for CDSSO, then it seems the WPA ignores the “OpenAM Login URL” on the “OpenAM Services” config page, and instead goes directly to the “CDSSOServlet URL” on the SSO config page.
Does that mean I’m unable to use a custom login page if I use CDSSO?
March 9, 2017 at 3:59 pm #16222
Keith Daly
Participant
Once you enable CDSSO on the WPA, you are telling the agent to redirect to the CDSSO Servlet for authentication. When the request is received, the servlet checks for the SSO token. If no valid token is found, the client is redirected to the authentication service in the other domain. That page is configurable as a standard login page. (Note: You can also modify the CDSSO Servlet page to give an indication to the user, but this is not the login form.) Since you have enabled CDSSO, the OpenAM Login URL is not used.
Configuration instructions can be found in the “Configuring Cross-Domain Single Sign-On” section of the OpenAM Administration Guide. Procedure 11.2 provides WPA config instructions. 11.3 explains how to customize the CDSSO servlet page, if needed. 11.5 explains how to protect against cookie hijacking, which should address your needs.
https://backstage.forgerock.com/docs/openam/13.5/admin-guide/chap-cdsso
March 9, 2017 at 11:14 pm #16234
Jim Mulvey
Participant
Hi Keith, thanks for the reply. Is there any way to define the login page that the CDSSO servlet sends the user to? I’m confused about your statement, “That page is configurable as a standard login page” — are you saying that the CDSSO can only send you to the built-in login page, with the customization limitations that we already know of?