
When would you purchase Crowd?

Jonathan Smith
Rising Star
May 2, 2018

How many Atlassian applications should you have before getting Crowd?

Note: Currently all of my apps are running user directories through Active Directory, so enabling/disabling is handled outside the apps. Knowing this, how would I benefit from having Crowd?

2 answers

0 votes
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 2, 2018

When to get Crowd is not dependent on how many Atlassian applications you have. Rather, you should buy Crowd when you want to handle user management for all the apps from a single console or you want to use the SSO capability Crowd provides.

The best practice is to connect the LDAP directories to Crowd and then Crowd to the individual applications.

Eager to hear what others have to say about when/if to implement Crowd.

Vick Khera May 2, 2018

Does SSO still work? As of Crowd 3.2 you cannot specify a bare domain beginning with a dot as the cookie domain anymore and still log in to Crowd itself.

AnnWorley
Atlassian Team
May 2, 2018

Hi Vick,

It does still work - please see our guide:

SSO within a Single Domain

If you wish to have single sign-on (SSO) support for *.mydomain.com, you will need to configure the SSO domain in Crowd as .mydomain.com — including the full stop ('.') at the beginning

Have you had an experience where it has not worked, or run into a bug? Please let us know how to help.

Thanks,

Ann

Marcin Kempa
Atlassian Team
May 2, 2018

Hi @Vick Khera

As @AnnWorley noted, SSO still works and you do not need to specify a base domain starting with a dot. RFC 6265 states the following regarding the domain attribute in the Set-Cookie header:

   If the first character of the attribute-value string is %x2E ("."):

      Let cookie-domain be the attribute-value without the leading %x2E
      (".") character.

   Otherwise:

      Let cookie-domain be the entire attribute-value.

I believe the problem you are seeing in the Crowd 3.2 (and in Crowd 3.1) is related to this issue.

Indeed Crowd should not act in a way where this leading dot is not permitted as the same RFC 6265 states in the server requirements (4.1.2.3):

 [...]

(Note that a leading %x2E ("."), if present,
   is ignored even though that character is not permitted,

 [...]

However, this is the way Tomcat 8.5.x works by default, and this is the Tomcat version that has been included since Crowd 3.1.x.

Sorry for the inconvenience, but we are already working on resolving this problem. To resolve it yourself, just remove the leading dot in the SSO cookie domain in the Crowd config.

 

Hope that helps,

Marcin Kempa
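
The mismatch described in the comment above, as an added example that is not part of the original thread and is not Crowd's or Tomcat's code: the browser-side rule from RFC 6265 next to a strict server-side check. The function names, the strict validator (a simplified model) and the sample hosts are assumptions made for illustration.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample hosts (assumption), reusing mydomain.com from the guide.
SAMPLE_HOSTS = ["crowd.mydomain.com", "jira.mydomain.com", "wiki.example.org"]


def user_agent_cookie_domain(attribute_value):
    """Browser side (RFC 6265 section 5.2.3): drop one leading dot."""
    if attribute_value.startswith("."):
        cookie_domain = attribute_value[1:]
    else:
        cookie_domain = attribute_value
    return cookie_domain.lower()


def strict_server_accepts(domain):
    """Simplified model (assumption) of a server-side validator that
    enforces 'leading dot is not permitted' from section 4.1.2.3."""
    if not domain or domain.startswith(".") or domain.endswith("."):
        return False
    return all(_LABEL.match(label) for label in domain.lower().split("."))


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match; IP-address hosts not handled."""
    host, dom = request_host.lower(), cookie_domain.lower()
    return host == dom or host.endswith("." + dom)


def check_sso_domain(configured, app_hosts):
    """Report whether a strict server would emit this Domain value and
    which hosts a browser would send the resulting cookie to."""
    effective = user_agent_cookie_domain(configured)
    return {
        "strict_server_accepts": strict_server_accepts(configured),
        "suggested_value": effective,
        "covered_hosts": [h for h in app_hosts if domain_match(h, effective)],
    }


if __name__ == "__main__":
    for value in (".mydomain.com", "mydomain.com"):
        print(value, check_sso_domain(value, SAMPLE_HOSTS))
```

Both spellings cover the same hosts in the browser, which is why dropping the leading dot from the configured SSO domain does not narrow the SSO scope.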

Vick Khera May 2, 2018

Yes, you get a well known exception from the cookie validator when logging into Crowd itself. I filed an issue already. Cookie domains are not allowed to begin with a "." and now the validator enforces it.

Vick Khera May 2, 2018

@Marcin Kempa Thanks! I had to delete the property from the database when I upgraded from 3.1 to 3.2. I just restored it without the leading dot.

Marcin Kempa
Atlassian Team
May 2, 2018

I can imagine that the experience here is not great... I am now updating the https://jira.atlassian.com/browse/CWD-5141 with the appropriate information.

 

Again sorry for the inconvenience!

Marcin Kempa
Atlassian Team
May 2, 2018

@Vick Khera indeed looks like the problem only occurs in Crowd 3.2.0

Marcin Kempa
Atlassian Team
May 3, 2018

Once the SSO domain is changed, Crowd will start to set the SSO cookie for this domain; however, the browser may still have the old one for the domain with the dot at the beginning and may choose this one to be sent back to the server (for browsers, according to RFC 6265, it does not matter if the domain starts with a dot or not).

If the old cookie is sent, then Crowd may reject such a session and users would have problems with authentication. Even if they log in again, Crowd will send a cookie with a domain without the dot, and the old one will still be there, and the user would arrive back at the same situation again.

The solution might be to either remove Crowd SSO cookies from the browser or change the name of the SSO cookie in the Crowd config and all other applications that are connected to Crowd so that SSO still works.

The former solution has the problem that you would have to tell that to all of your users if they experience this kind of problem. The latter may require some more work from you and potentially a restart of applications connected to Crowd.

I have not tested this scenario yet, but this is what I believe may happen. We are exploring different solutions for this problem and will post an update on the ticket here: https://jira.atlassian.com/browse/CWD-5141.

 

Best Regards,

Marcin Kempa

Marcin Kempa
Atlassian Team
May 9, 2018

The https://jira.atlassian.com/browse/CWD-5141 issue was resolved in Crowd 3.2.1, which is now available for download.

 

Best Regards,

Marcin Kempa

0 votes
Vick Khera May 2, 2018

I got it once we went from just Jira to Jira + Confluence. I use Crowd as the directory itself.

As for if it will benefit you given you already have AD, I don't know. Maybe the authentication of the application to the authentication server may be easier with Crowd.
