users@glassfish.java.net

OpenSSO, SAML, Cross Domain SSO, and Cookies

From: <glassfish_at_javadesktop.org>
Date: Tue, 16 Mar 2010 14:43:42 PDT

The OpenSSO documentation says that in order to support SSO across domains, you must use something like SAML (or CDSSO) since cookie based methods only work within a domain. How does this scenario work:
1. User accesses SP app.
2. User is redirected to Identity Provider, authenticated, session created, etc. and redirected back to SP app.
3. User then accesses another SP app in another domain that is within the circle of trust.
Since there is no accessible cookie at the client browser, because they came from another domain, how is the second app supposed to look up the user's existing session with no identifying information?
[Message sent by forum member 'ssoforum' (chrissie.n.childers_at_lmco.com)]

http://forums.java.net/jive/thread.jspa?messageID=392239
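The three-step scenario in the post, simulated in-process as an added example (not code from the thread, OpenSSO or any SAML library). The hostnames sp1.example.com, sp2.example.org and idp.example.net are constructed, and the "assertion" is a JSON dict signed with HMAC-SHA256 as a stand-in for an XML-signed SAML assertion. The point it shows is that each of the three hosts keeps its own cookie: the browser never carries a cookie from SP1's domain to SP2, but when SP2 redirects to the IdP, the IdP-domain cookie set in step 2 identifies the existing IdP session, so the IdP can issue a fresh assertion for SP2 without prompting for credentials again, and SP2 then creates its own local session cookie.

```python
"""Cross-domain SAML-style web SSO, simulated in-process.

Assumptions (constructed, not from the original post): hostnames below are
made up; the assertion is a dict signed with HMAC-SHA256 instead of XML-DSig.
"""
import hashlib
import hmac
import json
import secrets

IDP_HOST = "idp.example.net"                        # constructed
SP_HOSTS = ("sp1.example.com", "sp2.example.org")   # constructed, two distinct domains
IDP_KEY = secrets.token_bytes(32)                   # signing key trusted by the circle of trust


class Browser:
    """Cookie jar enforcing the rule in the post: a cookie set by one host
    is only ever sent back to that same host."""
    def __init__(self):
        self.jar = {}   # host -> {cookie name: value}

    def cookies_for(self, host):
        return self.jar.get(host, {})

    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value


class IdentityProvider:
    def __init__(self):
        self.sessions = {}   # IdP session id -> user

    def handle(self, browser, authn_request, credentials=None):
        """SP-initiated flow. A valid IdP cookie yields an assertion with no
        re-authentication; otherwise credentials are required."""
        sid = browser.cookies_for(IDP_HOST).get("idp_session")
        if sid in self.sessions:
            user, authenticated_now = self.sessions[sid], False
        else:
            if credentials is None:
                return {"status": "login_required"}
            user = credentials["user"]   # toy check; a real IdP verifies the password
            sid = secrets.token_hex(16)
            self.sessions[sid] = user
            browser.set_cookie(IDP_HOST, "idp_session", sid)   # step 2: IdP session cookie
            authenticated_now = True
        assertion = {"subject": user, "audience": authn_request["issuer"],
                     "in_response_to": authn_request["id"]}
        payload = json.dumps(assertion, sort_keys=True).encode()
        sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
        return {"status": "ok", "assertion": assertion, "signature": sig,
                "authenticated_now": authenticated_now}


class ServiceProvider:
    def __init__(self, host, idp):
        self.host, self.idp = host, idp
        self.sessions = {}   # SP-local session id -> user

    def current_user(self, browser):
        return self.sessions.get(browser.cookies_for(self.host).get("sp_session"))

    def access(self, browser, credentials=None):
        """Return (user, re_authenticated). On a miss, redirect to the IdP and
        turn the returned assertion into a local session cookie."""
        user = self.current_user(browser)
        if user:
            return user, False
        req = {"id": secrets.token_hex(8), "issuer": self.host}
        resp = self.idp.handle(browser, req, credentials)
        if resp["status"] != "ok":
            raise PermissionError("login required at IdP")
        a = resp["assertion"]
        payload = json.dumps(a, sort_keys=True).encode()
        expected = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
        # Verify signature, audience and request binding before trusting the subject.
        if (not hmac.compare_digest(expected, resp["signature"])
                or a["audience"] != self.host or a["in_response_to"] != req["id"]):
            raise PermissionError("assertion rejected")
        sid = secrets.token_hex(16)
        self.sessions[sid] = a["subject"]
        browser.set_cookie(self.host, "sp_session", sid)
        return a["subject"], resp["authenticated_now"]


def run_scenario():
    """Steps 1-3 of the post: log in via SP1, then visit SP2 in another domain."""
    browser, idp = Browser(), IdentityProvider()
    sp1, sp2 = (ServiceProvider(h, idp) for h in SP_HOSTS)
    user1, auth1 = sp1.access(browser, {"user": "alice"})          # steps 1 and 2
    assert "sp_session" not in browser.cookies_for(SP_HOSTS[1])    # SP2 has no cookie yet
    user2, auth2 = sp2.access(browser)                             # step 3: no password prompt
    return {"sp1_user": user1, "sp1_reauth": auth1,
            "sp2_user": user2, "sp2_reauth": auth2,
            "cookie_hosts": sorted(browser.jar)}


if __name__ == "__main__":
    print(run_scenario())
```

After `run_scenario()` the jar holds three separate cookies, one per host, and SP2 obtained the user without re-authentication purely because the IdP recognised its own cookie during the redirect. A real deployment adds what the toy omits: an expiry (`NotOnOrAfter`) on the assertion, an XML signature in place of the HMAC, one-time use of the assertion ID, and `Secure`/`HttpOnly` flags on both the IdP and SP session cookies, since the IdP cookie is now the single credential that unlocks every SP in the circle of trust.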