[jboss-user] [Security & JAAS/JBoss] - How to implement Federated SSO using our own custom logon ap

njw do-not-reply at jboss.com
Wed Dec 6 06:53:25 EST 2006


Apologies if these appear to be really dumb questions, but I've spent most of this week going round in circles trying to make sense of what I need to do and have failed miserably so far.

What I'm looking for is for someone to 'point me in the right direction' regarding what I'd need to do to implement SSO and Federation at our site. Although I'm familiar with the web app side of things (Struts, JDBC etc.) and we use JBoss as our production server, I'm new to SAML, JAAS etc., so please be gentle with me :-)

Our long-term strategy will put us in the position of having :-

- web apps hosted on our own servers which communicate with our own systems

- web apps hosted on our own servers which communicate with systems hosted on third party sites, mainly via web services

- third party companies who host web apps on their servers with whom we need to federate

What we want to do is intercept requests from users who are not logged on and reroute them to our own custom-written logon application, which prompts for user and password details. Once they are logged on it will forward the user onto their chosen web app and/or federate to one of our third party companies.

The web apps are deployed as war files developed using Struts (and possibly Spring in the future).

There are a couple of key considerations :- 

- the 'logon' web app will go beyond the standard 'user & password' entry in that it will be a two-stage process. On the first page we want to ask for the user id and one other item of data (probably birthdate), then use this to populate a second page where we ask for specific characters from their password (e.g. characters 5 and 9). The character positions will vary each time and the length of the password will vary between users. This application will interface to an Oracle database where we maintain and validate the user details.

- as well as the user id, the web apps will also need other attributes relating to that person, particularly data needed to identify the user at the third party companies. These ids will be stored on the Oracle database.

- we want to avoid implementing a logon page for each application and use just a single standalone war file to do this

- we don't need to federate from Day 1; initially all we want is SSO between our apps, but we don't want to have to redevelop later to support federation

So, how do I tie all the above together into one seamless experience for the user?

I've downloaded JBoss Federated SSO but failed at the first hurdle because we're not using LDAP. I can see that I need to implement my own LoginProvider but can't work out what form this should take (war, ear etc.), how to deploy it, how it relates to the logon app we need to build, or how our 'business' apps understand which user they are dealing with.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3991605#3991605

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3991605
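One way to implement the two-stage partial-password challenge the post describes (random character positions issued on page one, the characters checked on page two), added here as an example; it is not code from the thread or from JBoss Federated SSO, the class and method names are assumptions, and the sample password is constructed:

```java
import java.security.SecureRandom;
import java.util.Arrays;

/** Stage 1 identifies the user and issues positions; stage 2 checks the characters at those positions. */
public final class PartialPasswordChallenge {
    private static final SecureRandom RNG = new SecureRandom();

    /** Picks `count` distinct 1-based positions for a password of `passwordLength` characters.
     *  Store the result in the HttpSession alongside the user id between the two pages and
     *  generate a fresh set on every attempt, so the positions vary each time as the post requires. */
    public static int[] choosePositions(int passwordLength, int count) {
        if (count > passwordLength) throw new IllegalArgumentException("password too short for challenge");
        int[] positions = new int[count];
        int chosen = 0;
        while (chosen < count) {
            int candidate = RNG.nextInt(passwordLength) + 1;
            boolean duplicate = false;
            for (int i = 0; i < chosen; i++) if (positions[i] == candidate) duplicate = true;
            if (!duplicate) positions[chosen++] = candidate;
        }
        Arrays.sort(positions);
        return positions;
    }

    /** Compares the supplied characters with the stored password at the issued positions.
     *  The loop runs to completion and folds all differences into one value so that timing does
     *  not reveal which character was wrong. Checking single characters means the password cannot
     *  be stored as one salted hash of the whole string; keep it encrypted at rest with the key
     *  held outside the Oracle database. */
    public static boolean verify(char[] storedPassword, int[] positions, char[] supplied) {
        if (supplied.length != positions.length) return false;
        int difference = 0;
        for (int i = 0; i < positions.length; i++) {
            difference |= storedPassword[positions[i] - 1] ^ supplied[i];
        }
        return difference == 0;
    }

    public static void main(String[] args) {
        char[] stored = "correcthorse".toCharArray();      // constructed sample; the real value comes from the user record
        int[] positions = choosePositions(stored.length, 2);
        char[] answer = { stored[positions[0] - 1], stored[positions[1] - 1] };
        System.out.println("positions " + Arrays.toString(positions) + " verified: " + verify(stored, positions, answer));
        answer[0] ^= 1;                                     // one wrong character must fail
        System.out.println("wrong answer verified: " + verify(stored, positions, answer));
        Arrays.fill(stored, '\0');                          // wipe the secret once the check is done
    }
}
```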
