In Cross-Domain Authentication (CDA), only one accelerator can be chosen as the Cross-Domain Broker (DB); all other accelerators are non-DBs. The DB acts as the coordinator that tracks whether a successful authentication (login) has already been performed. Enable the CDA feature only when more than one accelerator has authentication turned on and you want single sign-on and graded authentication among those accelerators.
Before choosing accelerators as members of CDA, consider the following criteria:
Security. Security is the first concern. For example, suppose www.c.com and www.lc.com both use certificate authentication. If the certificate for www.c.com is not trusted by www.lc.com, one (or both) of them should not be CDA-enabled, because if both are CDA-enabled, a user who logs in to one accelerator is not prompted to log in again when accessing the other. Because CDA uses a single session cookie for all CDA-enabled accelerators, a user who logs out of, or times out on, one accelerator is logged out of all CDA-enabled accelerators.
Graded Authentication. CDA provides single sign-on by allowing accelerators that use the same type of authentication to require a login only once.
NOTE: For accelerators that use different authentication methods, we do not recommend using CDA unless sharing one session cookie is important for these accelerators. (For example, www.lc.com uses RADIUS authentication, www.l.com uses LDAP, and www.c.com uses certificate authentication; there is no common authentication method among www.l.com, www.c.com, and www.lc.com.)
Performance. CDA uses redirection to set and get the session cookie between the DB and non-DB accelerators. The overhead of these additional redirections has little performance impact, because CDA reduces the total number of logins that require manual interaction. There is no extra redirection when accessing the DB-enabled accelerator.
Selecting the DB is critical in CDA. Never disable the DB-enabled accelerator or disable its authentication. Also, because there is no extra redirection when accessing the DB-enabled accelerator, we recommend selecting the most frequently accessed accelerator as the DB.
NOTE: If these criteria are difficult to meet, you can select any CDA member to be the DB.
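The single-cookie, broker-coordinated behaviour described above, as an added illustrative model (not the product's code): a Broker (DB) holds the one shared session, non-DB members redirect to it on every request, members using the same authentication method get single sign-on, and a logout on any member logs out all of them. The hostnames come from the examples above; the methods assigned to them, the class and function names, and the session store are assumptions.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Broker:
    """The DB: owns the single session store behind the shared session cookie (assumed model)."""
    sessions: dict = field(default_factory=dict)  # cookie value -> authentication method used

    def login(self, method: str) -> str:
        cookie = secrets.token_hex(16)   # the one session cookie shared by every CDA member
        self.sessions[cookie] = method
        return cookie

    def lookup(self, cookie: str):
        return self.sessions.get(cookie)  # None once the session was logged out or timed out

    def logout(self, cookie: str) -> None:
        self.sessions.pop(cookie, None)   # dropping it logs the user out of every CDA member

@dataclass
class Accelerator:
    name: str
    method: str          # authentication method this accelerator requires
    broker: Broker
    is_db: bool
    redirects: int = 0   # round-trips to the DB; only non-DB members incur them

    def request(self, cookie: str) -> str:
        """Return 'ok' if the shared session satisfies this accelerator, else 'login' (prompt the user)."""
        if not self.is_db:
            self.redirects += 1           # a non-DB must redirect to the DB to read the session
        method = self.broker.lookup(cookie)
        if method is None:
            return "login"
        # single sign-on applies only among accelerators using the same authentication type
        return "ok" if method == self.method else "login"

def demo() -> dict:
    broker = Broker()
    db = Accelerator("www.c.com", "certificate", broker, is_db=True)      # chosen as the DB
    peer = Accelerator("www.lc.com", "certificate", broker, is_db=False)  # same method: SSO applies
    other = Accelerator("www.l.com", "ldap", broker, is_db=False)         # different method: no SSO
    cookie = broker.login("certificate")                                 # the user logs in once
    before = (db.request(cookie), peer.request(cookie), other.request(cookie))
    redirects = (db.redirects, peer.redirects)
    broker.logout(cookie)                                                # logout on one member...
    after = (db.request(cookie), peer.request(cookie))                   # ...logs out all members
    return {"before": before, "redirects": redirects, "after_logout": after}
```

Running demo() shows the DB answering without a redirect while the non-DB peer incurs one, and both returning "login" once the shared session is gone.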