[jboss-user] [Security & JAAS/JBoss] - Re: JBOSS Federated SSO

sohil.shah@jboss.com do-not-reply at jboss.com
Thu Jan 4 11:32:58 EST 2007


Sanket-

Let me see if I can answer this without confusing the issue:

anonymous wrote : 
  | 1. Identity Management
  | 

This is a pretty broad subject. As far as JBoss Federated SSO is concerned, it's a framework that provides a way to integrate with users' existing Identity Management systems (ones that do user management, provisioning). The Framework provides what I would call an Identity Connector component. Our documentation currently calls it Identity Management component, but its scope is more for integrating with existing Identity Management systems.


anonymous wrote : 
  | 2. Session Management (Login/Logout across apps)
  | 3. Token Management 
  | 

Yes, Federated SSO does this even with applications housed in completely different web domains.

anonymous wrote : 
  | 4. Security (OWASP, Token, Password, OASIS) 
  | 

Yes, the framework has built-in support for SAML tokens. SAML is an OASIS standard and pretty much the de facto standard now for building SSO architecture. Here is a very good presentation on SAML at JavaPolis http://www.infoq.com/news/2006/12/saml. Our architecture aligns very well with the concepts discussed in this presentation.


anonymous wrote : 
  | 5. User Administration (Reset, Forgot, Search, Role Mapping) 
  | 6. Dashboard
  | 7. Auditing 
  | 

These features are out of scope for an SSO Framework. Of course, SSO Framework integrates (covered in point 1) with Identity Management systems like SiteMinder etc. that provide these features.


anonymous wrote : 
  | 8. User Registration and Synchronization across apps 
  | 

This is a feature on our roadmap. http://jira.jboss.com/jira/browse/JBSSO-13


anonymous wrote : 
  | 9. Interdomain, clustered, multi app support. 
  | 

Absolutely. Federated SSO was designed from the ground up with cross domain Single Sign On in mind.

anonymous wrote : 
  | I know JBOSS SSO is close to this but since it's still in beta I will not like to propose this to the client. Can you or anybody give me more leads on any of the following:
  | 1. JOSSO
  | 2. JBOSS - Tomcat default valve plugin
  | 3. JBOSS Federated SSO
  | 4. Any other SSO framework. 
  | 

JBoss - Tomcat default valve plugin is for SSO between web apps loaded inside the same Tomcat container as virtual hosts. It is not intended for cross domain, business/partner site integration use cases.

Others I am not too familiar with to make an accurate comment.


Hope this helps.

Thanks
Sohil

JBoss Federated SSO, Lead



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3997975#3997975
