I'm struggling with CORS and an SSO configuration between two WAS servers using LTPA key share.
CORS calls from server1 (domain1) to server2 (domain2) work fine if I don't have authentication on server2 (meaning the cross-domain Ajax call works), but they don't if I do.
The context is: The web client logs into domain1, and one part of the UI needs to display some data coming from server 2 (domain2). Server 1 and server 2 share the same LTPA key with the same realm. That works fine: I can make manual calls (with curl, for example) to domain2 using the LtpaToken2 that the web client obtained from domain1.
The problem is: When I make the CORS call from the web client, I set withCredentials to true, but withCredentials includes cookies from the remote domain, and of course I have no cookie yet since the browser does not know domain2 yet. What I need to do is include the LtpaToken2 cookie from the local domain (domain1) when doing the cross-domain Ajax call to domain2. That way I will be authenticated. But because of the cross-domain cookie policy, I'm stuck.
Am I approaching the problem in the wrong way here? How would you handle that: doing a CORS call to a yet unknown domain using the LtpaToken from the local domain?
Thank you very much for your help!