Skip to Content
author's profile photo
Former Member

Single Sign on with multiple domains

We are using Portal 5.0 and trying to use single sign to connect other SAP component systems.

But the servers are in different domains, so we have not been able to successful to using single sign on.

Our portal domain name is

Our SAP WAS /BSP server name is dfuxpv02.dfna.corp.dom

Our ITS server name is dfwitsp1.dfna.corp.dom

We are having problems since the single sign cookie created supports single domains.

Have can we resolve this issue.



Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • author's profile photo
    Former Member
    Aug 11, 2004 at 05:52 AM

    Perhaps the /community [original link is broken] topic groupd might be a good place to search for answers as well?

    Add comment
    10|10000 characters needed characters exceeded

  • Aug 11, 2004 at 07:29 AM

    Well, if you want to hear my personal opinion:

    better stick to the cookie specification ( and accept the constraint that cookies will only be send to domains that tail-match the domain-constraint specified in the set-cookie http response.

    Although this specification is not an official internet standard most browsers are implementing the cookie mechanism according to this specification.

    Unfortenately there's no option to specify that a cookie should be send to a list of servers and/or sub-domains.

    However one physical server can have multiple (FQDN) hostnames. So if you intend to send the cookie to a group of servers the best approach is to create a new (DNS) (sub-)domain exclusively for those servers.

    Theoretically (and also practically) it is possible to set cookies for multiple domains (by using a webservice that will set cookies on request of a caller). But that approach is dangerous:

    (1) not the server but the http client is defining the content of the cookie (= part of the http server response)

    (2) (unintended) many servers can obtain the cookie which will be send to all servers that reside in all (tail-matching sub-)domains; although most likely only one or two servers of each domain are intended recipients

    Regards, Wolfgang

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Srini,

      the SAP WebAS will use the domain information provided by the URL (http request) to set the cookie (http response). This allows one system to be accessible by multiple (FQDN) hostnames. The WebAS is not aware of that - as long as the TCP packages are routed by the network it's fine with the server. So much for the cookies.

      The constraints regarding FQDN hostnames are listed in the SAP note 654982.

      For SSL/https the situation is different:

      since the browser (SSL client) will check wether the SSL server certificate (CN part of the subject name) is matching the URL (hostname incl. domain) but on the other hand the server can only have one SSL server certificate at one time you'll face problems with virtual hosting. In such a case you'll have to terminate the SSL connection at a reverse proxy / the SAP WebDispatcher. But in that case you'll loose the ability of SSO based on X.509 client certificates - unless using the option of "X.509 client certificate forwarding" which however is only available with Netweaver 04 (SAP_BASIS 6.40); see SAP note 538405 (notice: you will require not only a newer WebDispatcher but also an WebAS 6.40).

      Regards, Wolfgang

      NetWeaver Foundation, Security Development