[jboss-user] [Security & JAAS/JBoss] - Re: How is JBoss SSO SAML token been validated?

sohil.shah@jboss.com do-not-reply at jboss.com
Thu Jul 10 18:09:17 EDT 2008


anonymous wrote : 
  | And this trust callback happens directly between the federate server in the backend on the server side, no browser redirection involved? 
  | 

Yes, this is a backend server-side communication. There is no browser involvement here. The browser is only used to store/propagate the token. At some point I would also like a complete cookie-less approach for token storage/propagation, but it's something I have only thought about for now.

anonymous wrote : 
  | Where does site2 get the URL of the issuing site? The SAML token doesn't seem to have that information. 
  | 

Correct. For security reasons, the SAML token does not need to carry this information. 
This information is contained as part of the federation server configuration where information about the partners it needs to support/trust within the federation is provided.

Here is a sample configuration file for a federation server. Note: this is new functionality added on the trunk, so it is different from the CR1 release. This will be included in the next release.

Here is the conf/server.cfg.xml file

  | <?xml version='1.0' encoding='ISO-8859-1'?>
  | 
  | <jboss-sso>
  | 
  | 	<!-- 
  | 		partners configuration of the federation server...
  | 		partners are the collection of sites which are part of the Single Sign On Federation
  | 		it lists the web domains and their corresponding federation servers in this domain
  | 	-->
  | 	<federation-server>
  | 		<partners>
  | 			<partner domain="jboss.com" server="https://node1.jboss.com:8443/federate">
  | 				<host>
  | 					<id>node1.jboss.com</id>
  | 					<secret>node1.jboss.com/somesecret</secret>
  | 				</host>
  | 				<host>
  | 					<id>node2.jboss.com</id>
  | 					<secret>node2.jboss.com/somesecret</secret>
  | 				</host>
  | 				<!-- 
  | 					Used to configure the TrustPlugin which is responsible for validation of an incoming assertion/token
  | 					Basically this verifies the token against the partner sending the assertion and makes sure with
  | 					the partner that this assertion/token is valid so the user can be granted access without
  | 					challenging them for credentials
  | 				-->
  | 				<trust>
  | 					<url>https://node1.jboss.com:8443/federate/trust/validateSecret</url>
  | 					<plugin class="org.jboss.security.federation.trust.JBossSSOTrustPlugin">
  | 						<property name="allowSelfSignedSSLCert">true</property>
  | 					</plugin>
  | 				</trust>
  | 			</partner>
  | 			<partner domain="jboss.org" server="https://node1.jboss.org:8443/federate">
  | 				<host>
  | 					<id>node1.jboss.org</id>
  | 					<secret>node1.jboss.org/somesecret</secret>
  | 				</host>
  | 				<trust>
  | 					<url>https://node1.jboss.org:8443/federate/trust/validateSecret</url>
  | 					<plugin class="org.jboss.security.federation.trust.JBossSSOTrustPlugin">
  | 						<property name="allowSelfSignedSSLCert">true</property>
  | 					</plugin>
  | 				</trust>
  | 			</partner>
  | 		</partners>
  | 	</federation-server>
  | 
  | </jboss-sso>
  | 

The trust server URL is what is used, based on the partner in question.

Thanks

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4163720#4163720

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4163720
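How a receiving site would resolve and sanity-check the trust callback from a partner configuration like the one above, as an added example in Python (not JBoss project code, and not the JBossSSOTrustPlugin's own logic): it parses the conf/server.cfg.xml layout from the post, looks up the trust URL for the partner the token came from, and flags the settings a reviewer would question, in particular allowSelfSignedSSLCert=true, which turns off certificate validation on the very backend call that decides whether a token is trusted. The embedded configuration is constructed to mirror the posted one, with the jboss.org partner deliberately altered (plain http, self-signed certs disallowed) so both checks have something to report; the function names and the host-consistency heuristic are mine, and the post does not show how the real plugin keys its lookup or what it sends to validateSecret, so those are left out.

```python
"""Resolve and audit the trust callback for JBoss SSO federation partners.

Added example, not JBoss project code. The SAML token does not name its
issuer's trust endpoint; the receiving federation server looks it up in
its own partner configuration (conf/server.cfg.xml layout from the post).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the posted layout. Hosts and secrets are
# placeholders; the jboss.org partner is altered (plain http, self-signed
# certs disallowed) so that each audit check has something to report.
SAMPLE_CFG = """<?xml version='1.0' encoding='ISO-8859-1'?>
<jboss-sso>
  <federation-server>
    <partners>
      <partner domain="jboss.com" server="https://node1.jboss.com:8443/federate">
        <host><id>node1.jboss.com</id><secret>node1.jboss.com/somesecret</secret></host>
        <host><id>node2.jboss.com</id><secret>node2.jboss.com/somesecret</secret></host>
        <trust>
          <url>https://node1.jboss.com:8443/federate/trust/validateSecret</url>
          <plugin class="org.jboss.security.federation.trust.JBossSSOTrustPlugin">
            <property name="allowSelfSignedSSLCert">true</property>
          </plugin>
        </trust>
      </partner>
      <partner domain="jboss.org" server="https://node1.jboss.org:8443/federate">
        <host><id>node1.jboss.org</id><secret>node1.jboss.org/somesecret</secret></host>
        <trust>
          <url>http://node1.jboss.org:8080/federate/trust/validateSecret</url>
          <plugin class="org.jboss.security.federation.trust.JBossSSOTrustPlugin">
            <property name="allowSelfSignedSSLCert">false</property>
          </plugin>
        </trust>
      </partner>
    </partners>
  </federation-server>
</jboss-sso>
"""


def parse_partners(cfg_xml):
    """Return {domain: {server, hosts, trust_url, plugin_class, plugin_props}}."""
    data = cfg_xml.encode("iso-8859-1") if isinstance(cfg_xml, str) else cfg_xml
    root = ET.fromstring(data)
    partners = {}
    for p in root.findall("./federation-server/partners/partner"):
        plugin = p.find("trust/plugin")
        partners[p.get("domain")] = {
            "server": p.get("server"),
            # host id -> shared secret declared for that partner host
            "hosts": {h.findtext("id"): h.findtext("secret") for h in p.findall("host")},
            "trust_url": p.findtext("trust/url"),
            "plugin_class": plugin.get("class") if plugin is not None else None,
            "plugin_props": {pr.get("name"): (pr.text or "").strip()
                             for pr in plugin.findall("property")} if plugin is not None else {},
        }
    return partners


def resolve_trust_endpoint(partners, issuing_domain):
    """The trust URL comes from local config, keyed by the partner that issued
    the token; an unconfigured partner is rejected, never contacted.
    Assumption: the receiving site already knows which partner domain issued it."""
    try:
        return partners[issuing_domain]["trust_url"]
    except KeyError:
        raise LookupError(f"{issuing_domain!r} is not a configured federation partner") from None


def audit_partner(domain, p):
    """Checks a reviewer would apply to one partner's trust settings."""
    findings = []
    if p["plugin_props"].get("allowSelfSignedSSLCert", "false").lower() == "true":
        findings.append(f"{domain}: allowSelfSignedSSLCert=true disables certificate "
                        "validation on the backend trust callback, so anyone who can "
                        "intercept it can answer validateSecret on the partner's behalf")
    url = urlparse(p["trust_url"] or "")
    if url.scheme != "https":
        findings.append(f"{domain}: trust URL {p['trust_url']} is not https; the "
                        "callback and its verdict can be read and tampered with in transit")
    # Added consistency heuristic, not a JBoss rule: the callback should land on
    # one of the hosts this partner is declared to consist of.
    if url.hostname not in p["hosts"]:
        findings.append(f"{domain}: trust URL host {url.hostname} is not one of the "
                        "partner's configured <host> ids")
    return findings


def audit_config(cfg_xml):
    return {d: audit_partner(d, p) for d, p in parse_partners(cfg_xml).items()}


if __name__ == "__main__":
    partners = parse_partners(SAMPLE_CFG)
    print("jboss.com tokens are validated via", resolve_trust_endpoint(partners, "jboss.com"))
    for domain, findings in audit_config(SAMPLE_CFG).items():
        for f in findings:
            print("WARN", f)
```

Run stand-alone it prints the resolved callback for jboss.com and one warning per altered setting; the point of the audit is that with allowSelfSignedSSLCert left at true, as in the posted sample, the receiving site's only proof that an assertion is genuine rests on a TLS connection whose peer it never authenticates.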


