SPNego on multiple domains
We're on NW Portal 7.0 SP23.
We have Kerberos authentication setup where:
Prod-Portal is connected to Prod-LDAP, SSO works fine on Primary-DOMAIN and
QA-Portal is connected to QA-LDAP and SSO works fine on Secondary-DOMAIN.
When a user existing in Prod-LDAP logs in to Primary-DOMAIN and access Prod-Portal, SSO works fine.
Similarly, when a user existing in QA-LDAP logs into Secondary-DOMAIN and accesses QA-Portal, SSO works fine.
If we want to enable SSO for QA-Portal on the Primary-DOMAIN, (in addition to other configuration) do we need to change our UME to point to Primary-LDAP and/instead of Secondary-LDAP, considering that the user names in Primary-LDAP and Secondary-LDAP are the same? (Secondary-LDAP is a subset of Primary-LDAP)
I think we do, but want to find out if there is any other way.