- In the OpenAM console, browse to Access Control > Realm Name > Agents > J2EE > Agent Name > SSO.
- Select Enable Cross Domain SSO.
- Check that the CDSSO Redirect URI is set.
Depending on where you deployed your Java EE agent application, the default is something like
- Set the list of URLs for CDSSO Servlet URL to the Cross Domain Controller Servlet URLs of the servers the agent accesses, such as
If the agent accesses OpenAM through a load balancer, use the load balancer URLs, such as
- Leave the CDSSO Clock Skew set to 0.
Make sure instead that the clocks on the servers where you run OpenAM and policy agents are synchronized.
- Set the list of URLs for CDSSO Trusted ID Provider to the Cross Domain Controller Servlet URLs of the OpenAM servers the agent accesses, such
This list should include one CDC Servlet URL for every OpenAM server the agent might access. You do not need to include site or load balancer URLs.
- To protect the SSO token from network snooping, you can select CDSSO Secure Enable to mark the SSO token cookie as secure.
If you select this, then the SSO token cookie can only be sent over a secure connection (HTTPS).
- Add the domains involved in CDSSO in the CDSSO Domain List.
- If necessary, update the Agent Root URL for CDSSO list on the Global tab page.
If the policy agent is on a server with virtual host names, add the virtual host URLs to the list.
If the policy agent is behind a load balancer, add the load balancer URL to the list.
- Save your work.
Procedure to Enable CDSSO For a Java EE Policy Agent
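The settings from the steps above can be checked in an exported agent configuration. The following is an added example, not part of the OpenAM documentation: it assumes a properties-style export that uses the `com.sun.identity.agents.config.cdsso.*` property names (not shown on this page, so confirm them against your agent version), and the sample hosts, paths and the `openam_hosts` parameter are constructed for illustration.

```python
import re
from urllib.parse import urlparse

PREFIX = "com.sun.identity.agents.config.cdsso."  # assumed property names
# Constructed sample export; hosts and paths are placeholders.
SAMPLE = """\
com.sun.identity.agents.config.cdsso.enable=true
com.sun.identity.agents.config.cdsso.redirect.uri=/app/cdsso-redirect
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=https://lb.idp.example/cdc
com.sun.identity.agents.config.cdsso.clock.skew=300
com.sun.identity.agents.config.cdsso.trusted.id.provider[0]=https://am1.idp.example/cdc
com.sun.identity.agents.config.cdsso.secure.enable=false
com.sun.identity.agents.config.cdsso.domain[0]=.app.example
"""

def parse(text):
    """Parse key=value lines; indexed keys (name[0]=...) become lists."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        m = re.fullmatch(r"(.+)\[\d+\]", key.strip())
        if m:
            cfg.setdefault(m.group(1), []).append(value.strip())
        else:
            cfg[key.strip()] = value.strip()
    return cfg

def audit(text, openam_hosts):
    """Return findings for the procedure's steps; empty means all pass."""
    cfg = parse(text)
    get = lambda name, default="": cfg.get(PREFIX + name, default)
    findings = []
    if get("enable").lower() != "true":
        findings.append("CDSSO is not enabled")
    if not get("redirect.uri"):
        findings.append("CDSSO Redirect URI is not set")
    if not any(get("cdcservlet.url", [])):
        findings.append("no CDSSO Servlet URL configured")
    if get("clock.skew", "0") != "0":
        findings.append("CDSSO Clock Skew is not 0")
    # One trusted ID provider entry is expected per OpenAM server host.
    trusted = {urlparse(u).hostname for u in get("trusted.id.provider", [])}
    findings += [f"no trusted ID provider for {h}" for h in openam_hosts if h not in trusted]
    if get("secure.enable").lower() != "true":
        findings.append("SSO token cookie is not marked secure")
    if not any(get("domain", [])):
        findings.append("CDSSO Domain List is empty")
    return findings
```

Calling `audit(SAMPLE, ["am1.idp.example", "am2.idp.example"])` reports the non-zero clock skew, the OpenAM server missing from the trusted ID provider list, and the SSO token cookie not being marked secure.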