Single Sign On (SSO) using JBoss and SAML

In this article I am going explain SSO and how to setup SSO in JBoss.

Single Sign On (SSO) is a specialized form of user authentication that enables a user to be authenticated once, and gain access to resources on multiple systems/web applications during that session.

The JBoss SSO framework is combination of three components:

1. Federation Server

2. Token Marshalling Framework

3. Identity Connector Framework

Following are the steps to setup JBoss SSO:

Step-1: Installation

Download JBoss from here : Download

Unzip/Untar the distribution on your machine e.g.: C:/jboss

Download JBoss Federated SSO from here : Download

Unzip/Untar the distribution on your machine egg C:/Jboss Federated SSO

Copy the jboss-sso.sar and jboss-federation-server.ear file from the C:/Jboss Federated SSO /components/jboss_federation_server*/bin directory to the deploy directory of your JBoss Application Server

Step2 - Configure the Identity Management Framework

Edit the file jboss-sso.sar/conf/sso.cfg.xml to set the Login provider like LDAP, Custom Login Provider or DemoLoginProvider bundled in jboss-identity-management.jar.

E.g.:

<identity-management>

          <login>

<provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">

                    <property name="connectionURL">

                         jdbc:ldap://localhost:389/dc=jboss,dc=com?SEARCH_SCOPE:=subTreeScope&secure:=false&concat_atts:=true&size_limit:=10000000

                    </property>

                    <property name="username">cn=Admin,dc=jboss,dc=com</property>

                    <property name="password">jbossrocks</property>

                    <property name="identityOu">jbosssso</property>

                    <property name="roleOu">role</property>

               </provider>

          </login>                    

     </identity-management>

Or

<login>

<provider id="si:jboss-sso:demo:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>

</login>

Note: you can see or add users in users_en.properties file bundled in jboss-identity-management.jar.

Step3 - Configure the Federated SSO Trust Server

Edit the file jboss-sso.sar/conf/sso.cfg.xml to set the SSO trust server

<sso-processor>

                    <processor class="org.jboss.security.saml.JBossSingleSignOn">

          <property name="trustServer">http://node1.testsso.org:8080/federate/trust</property>

                    </processor>

</sso-processor>

Step4 - Configure your web application to activate Federated SSO

Step 4.1: Add the following context.xml under WEB-INF folder of your WAR file:

<?xml version="1.0"?>

    <Context>

       <!-- 

             logoutURL - URL for performing logout/signout function in your application

        -->        

       <Valve className="org.jboss.security.valve.PlainSSOAutoLogout" 

     logoutURL="{logoutURL of your application}"></Valve>

       <!-- 

             assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites

       -->

       <Valve className="org.jboss.security.valve.PlainSSOTokenManager" 

       assertingParty="{uniqueId to identify this web application in the federation}"></Valve>

       <!-- 

          tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT

       -->

       <Valve className="org.jboss.security.valve.PlainSSOAutoLogin"></Valve>

   </Context>

Step 4.2: When the authentication usecase is executed within your web application via the login screen or some other mechanism, part of executing that process, when the login is successful, send a notification of this event to the SSO Engine using the following API call:

org.jboss.security.saml.SSOManager. processManualLoginNotification(HttpServletRequest request,String user)

Step 4.3 : When the SSOEngine performs an automatic login in response to a trusted SSOToken, it will send the following notification on your LoginProvider:

processSSOLoginNotification(LoginContext)

  Here, you can handle any web application environment necessary to setup an authenticated user session

Step5 – Run and test your application

· Note: On Windows add the following entries to your hosts file to simulate applications running on different web domains\ (On Vista hosts file is lying under C:\Windows\System32\drivers\etc folder)

o 127.0.0.1        node1.testsso.com

o 127.0.1.1        node1.testsso.org

• Deploy your web application in the ‘deploy’ directory of the ‘default’ configuration\

run -c default -b node1.testsso.com\

• Now create an exact same copy of ‘default’ configuration and name it ‘default2′\

run -c default2 -b node1.testsso.org

For more details please refer to link http://www.jboss.org/community/docs/DOC-12304

Thanks,

~Kumar