Unable to Log Into an Integrated Application Using Different Base URL
Symptoms
User is not able to log in to an application integrated with Crowd, when using different URLs.
Use Case
Log in to the same JIRA instance using the jira.domain.com and mysite.com/issuetracker URLs. When using jira.domain.com the login works fine, but when using mysite.com/issuetracker, the login screen is reloaded and no error message is displayed. A common cause of this issue is when JIRA (or the integrated application) is proxied behind an Apache server.
Cause
Crowd's SSO Domain is set to .domain.com and the Crowd-Cookie Host field is set to .domain.com. A browser only stores and returns a cookie for hosts that fall within the cookie's domain, so an application accessed through a different URL is not able to read cookies stamped with .domain.com (it has access to cookies stamped with its own domain only). Accessing any application through a domain other than .domain.com will therefore cause the login to fail.
Resolution
- If SSO between multiple applications is not necessary, the solution is to delete the current SSO domain value and leave it blank. Crowd will stop stamping the domain on the cookies, and for each different URL used to access the integrated application, the current host name will be used as the cookie domain.
- If SSO is in use, the applications cannot be accessed through different domains.
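
The cookie scoping behind the cause and both resolution options, as an added example that is not Crowd's code: it models the browser's RFC 6265 domain-matching rules for the hosts named in this article (the host part of mysite.com/issuetracker is mysite.com). The function names and wiki.domain.com, standing in for a second SSO application, are assumptions.

```javascript
// Added example. Hostnames come from the article, except wiki.domain.com,
// which is constructed. Function names are hypothetical.

// RFC 6265 section 5.1.3: does `host` fall within `cookieDomain`?
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// RFC 6265 sections 5.2.3 and 5.3: how the browser handles Set-Cookie.
// `ssoDomain` is the Domain attribute the application stamps ('' when blank).
function storeCookie(requestHost, ssoDomain) {
  const domain = ssoDomain.replace(/^\./, '').toLowerCase();
  if (domain === '') {
    // No Domain attribute: host-only cookie bound to the exact request host.
    return { stored: true, hostOnly: true, domain: requestHost.toLowerCase() };
  }
  // A Domain attribute that does not cover the request host: cookie is dropped.
  if (!domainMatches(requestHost, domain)) return { stored: false };
  return { stored: true, hostOnly: false, domain };
}

// Is the cookie set while logging in at `loginHost` sent on a request to `targetHost`?
function cookieReaches(loginHost, ssoDomain, targetHost) {
  const c = storeCookie(loginHost, ssoDomain);
  if (!c.stored) return false;
  return c.hostOnly
    ? targetHost.toLowerCase() === c.domain
    : domainMatches(targetHost, c.domain);
}

function demo() {
  const rows = [];
  for (const sso of ['.domain.com', '']) {
    for (const host of ['jira.domain.com', 'mysite.com']) {
      rows.push({
        ssoDomain: sso || '(blank)',
        loginHost: host,
        loginWorks: cookieReaches(host, sso, host),
        ssoToWiki: cookieReaches(host, sso, 'wiki.domain.com'),
      });
    }
  }
  return rows;
}

console.table(demo());
```

With the SSO domain set, login works only through jira.domain.com, and the session is shared with other .domain.com hosts. With it blank, login works through both URLs, but each cookie is bound to a single host, so nothing is shared.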