Single Sign On (SSO) using JBoss and SAML

In this article I am going to explain SSO and how to set up SSO in JBoss.

Single Sign On (SSO) is a specialized form of user authentication that enables a user to be authenticated once, and gain access to resources on multiple systems/web applications during that session.

The JBoss SSO framework is a combination of three components:

1. Federation Server

2. Token Marshalling Framework

3. Identity Connector Framework

Following are the steps to set up JBoss SSO:

Step-1: Installation

Download JBoss from here: Download

Unzip/untar the distribution on your machine, e.g. C:/jboss

Download JBoss Federated SSO from here: Download

Unzip/untar the distribution on your machine, e.g. C:/Jboss Federated SSO

Copy the jboss-sso.sar and jboss-federation-server.ear files from the C:/Jboss Federated SSO /components/jboss_federation_server*/bin directory to the deploy directory of your JBoss Application Server.

Step 2 - Configure the Identity Management Framework

Edit the file jboss-sso.sar/conf/sso.cfg.xml to set the login provider, e.g. LDAP, a custom login provider, or the DemoLoginProvider bundled in jboss-identity-management.jar.

E.g.:

<identity-management>
     <login>
          <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
               <!-- a literal '&' is not well-formed XML inside element content; write it as '&amp;' -->
               <property name="connectionURL">
                    jdbc:ldap://localhost:389/dc=jboss,dc=com?SEARCH_SCOPE:=subTreeScope&amp;secure:=false&amp;concat_atts:=true&amp;size_limit:=10000000
               </property>
               <property name="username">cn=Admin,dc=jboss,dc=com</property>
               <!-- sample bind credentials from this example; use a dedicated low-privilege bind account in a real deployment -->
               <property name="password">jbossrocks</property>
               <property name="identityOu">jbosssso</property>
               <property name="roleOu">role</property>
          </provider>
     </login>
</identity-management>

Or

<login>
     <provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
</login>

Note: you can view or add users in the users_en.properties file bundled in jboss-identity-management.jar.

Step 3 - Configure the Federated SSO Trust Server

Edit the file jboss-sso.sar/conf/sso.cfg.xml to set the SSO trust server:

<sso-processor>
     <processor class="org.jboss.security.saml.JBossSingleSignOn">
          <property name="trustServer">http://node1.testsso.org:8080/federate/trust</property>
     </processor>
</sso-processor>

Step 4 - Configure your web application to activate Federated SSO

Step 4.1: Add the following context.xml under the WEB-INF folder of your WAR file:

<?xml version="1.0"?>
<Context>
     <!--
          logoutURL - URL for performing the logout/signout function in your application
     -->
     <Valve className="org.jboss.security.valve.PlainSSOAutoLogout"
            logoutURL="{logoutURL of your application}"></Valve>

     <!--
          assertingParty - the partnerId of this application as part of a federation of multiple partner sites
     -->
     <Valve className="org.jboss.security.valve.PlainSSOTokenManager"
            assertingParty="{uniqueId to identify this web application in the federation}"></Valve>

     <!--
          Tomcat built-in AuthenticationTypes: FORM, BASIC, DIGEST, CLIENT-CERT
     -->
     <Valve className="org.jboss.security.valve.PlainSSOAutoLogin"></Valve>
</Context>

Step 4.2: When the authentication use case is executed within your web application (via the login screen or some other mechanism) and the login succeeds, send a notification of this event to the SSO Engine using the following API call:

org.jboss.security.saml.SSOManager.processManualLoginNotification(HttpServletRequest request, String user)

Step 4.3: When the SSO Engine performs an automatic login in response to a trusted SSOToken, it will send the following notification to your LoginProvider:

processSSOLoginNotification(LoginContext)

Here you can do whatever web application environment setup is necessary to establish an authenticated user session.
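The login hook from Step 4.2 in context, as an added example that is not code from the original post or from the JBoss SSO project: a login servlet that notifies the SSO engine only after the application's own credential check has succeeded. AppUserStore.verify and the /home redirect target are assumed placeholders; SSOManager.processManualLoginNotification is the call named in Step 4.2.

```java
// Added example (not from the original post): application login that reports
// a successful login to the JBoss SSO engine, as described in Step 4.2.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.security.saml.SSOManager;

public class LoginServlet extends HttpServlet {

    // Hypothetical helper standing in for the application's own credential
    // check (LDAP, database, ...). It must return true only for a verified pair.
    private boolean authenticate(String user, String password) {
        return AppUserStore.verify(user, password); // assumed, not a JBoss API
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        if (user == null || password == null || !authenticate(user, password)) {
            // Do not notify the SSO engine on this path: the notification
            // asserts a verified identity to every federated partner site.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Discard any pre-login session so a session id handed to the browser
        // before authentication is not promoted to an authenticated one, then
        // establish the application's own session state.
        request.getSession().invalidate();
        request.getSession(true).setAttribute("user", user);

        // Step 4.2: tell the SSO engine which user just logged in, so the SSO
        // valves configured in context.xml can establish the federated session.
        SSOManager.processManualLoginNotification(request, user);

        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```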

Step 5 - Run and test your application

Note: On Windows, add the following entries to your hosts file to simulate applications running on different web domains (on Vista the hosts file is located under C:\Windows\System32\drivers\etc):

     127.0.0.1        node1.testsso.com

     127.0.1.1        node1.testsso.org

• Deploy your web application in the ‘deploy’ directory of the ‘default’ configuration and start it bound to the first host name:

run -c default -b node1.testsso.com

• Now create an exact copy of the ‘default’ configuration, name it ‘default2’, and start it bound to the second host name:

run -c default2 -b node1.testsso.org

For more details please refer to http://www.jboss.org/community/docs/DOC-12304

Thanks,

~Kumar

Comments (4)

Nikhil, June 17th, 2009 at 6:05 pm

Hi Sudarshan,

I downloaded the src bundle of JBoss SSO, but am not seeing any folder named bin as you mentioned in the text of step 1 quoted below:

Copy the jboss-sso.sar and jboss-federation-server.ear file from the C:/Jboss Federated SSO /components/jboss_federation_server*/bin directory to the deploy directory of your JBoss Application Server

Are jboss-sso.sar and jboss-federation-server.ear files or folders?
Which deploy folder should I choose? There are three deploy folders: all/deploy, default/deploy and minimal/deploy.

In step 2 you wrote:
Step2 - Configure the Identity Management Framework

Edit the file jboss-sso.sar/conf/sso.cfg.xml to set the Login provider like LDAP, Custom Login Provider or DemoLoginProvider bundled in jboss-identity-management.jar.

Which file do we have to edit? The file in the JBoss Application Server or the file in the JBoss SSO folder?

Kindly help me to resolve these issues

Thanks for your help

Nikhil

Kumar Sudhanshu, June 17th, 2009 at 10:50 pm

Thanks a lot for identifying this issue. For your kind information, the JBoss Federated SSO directory structure has changed in the latest version. Please refer to the following link:

http://www.jboss.org/community/wiki/StartFedSSO/diff?secondVersionNumber=49

Here is the answer that you need, which was not clearly mentioned in my blog:
—jboss-sso.sar and jboss-federation-server.ear are files, and you can deploy them in any deploy directory, but by default the “default” configuration gets loaded by JBoss.

—You have to edit the files lying in the JBoss Application Server.

Thanks,
~Kumar

Nikhil, June 18th, 2009 at 10:00 am

Thanks for the update.
I followed the link given by you but it's giving me some build error:

See the issue posted at this location:
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=157258

should I use any older version of SSO?

Thanks
Nikhil

Nikhil, June 18th, 2009 at 11:00 am

Hi Sudhanshu,

I am not able to see any file named jboss-sso.sar or jboss-federation-server.ear in the folder C:\apps\jboss-sso-1.0CR1\bin, and not in the SSO src folder either. I am able to see folders having the same names at that location, jboss-sso.sar and jboss-federation-server.ear. There is no file named “jboss-sso.sar” or “jboss-federation-server.ear” in these folders.
Please help me to install the SSO.

If the new SSO version has issues, is there any way to get an old version of it?

Thanks
Nikhil
