Author: ppenicka
Date: 2012-12-07 12:27:30 -0500 (Fri, 07 Dec 2012)
New Revision: 8979
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
BZ#856450: modified information about SSO in a cluster based on an updated Confluence
document.
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-05 04:55:31
UTC (rev 8978)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-07 17:27:30
UTC (rev 8979)
@@ -8,6 +8,20 @@
<simpara>
<revhistory>
<revision>
+ <revnumber>6.0.0-24</revnumber>
+ <date>Fri Dec 7 2012</date>
+ <author>
+ <firstname>Petr</firstname>
+ <surname>Penicka</surname>
+ <email></email>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>BZ#856450: modified information about SSO in a cluster based
on an updated Confluence document.</member>
+ </simplelist>
+ </revdescription>
+ </revision>
+ <revision>
<revnumber>6.0.0-22</revnumber>
<date>Fri Nov 30 2012</date>
<author>
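Review bot: the new 6.0.0-24 revision entry leaves `<email></email>` empty in the author block; either fill in the address or drop the element, since an empty `<email>` renders as a blank in the generated revision history. The `<revdescription>` text matches the commit log, so nothing else to flag in this hunk.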
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-05
04:55:31 UTC (rev 8978)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-07
17:27:30 UTC (rev 8979)
@@ -4,11 +4,11 @@
%BOOK_ENTITIES;
]>
<chapter id="sect-Reference_Guide-SSO_Single_Sign_On">
- <title>SSO - Single Sign On</title>
+ <title>Single Sign-On</title>
<section id="sect-SSO_Single_Sign_On_-Overview">
<title>Overview and Configuration Assumptions</title>
<para>
-JBoss Portal Platform provides an implementation of Single Sign On
(<literal>SSO</literal>) as an integration and aggregation platform.
+JBoss Portal Platform provides an implementation of single sign-on
(<literal>SSO</literal>) as an integration and aggregation platform.
</para>
<para>
When logging into the portal, users can access many systems through portlets
using a single identity. In many cases, however, the portal infrastructure must be
integrated with other SSO enabled systems.
@@ -62,279 +62,9 @@
Remove
<filename>JBOSS_HOME/server/PROFILE/deploy/gatein-sample-extension.ear</filename>
and
<filename>JBOSS_HOME/server/PROFILE/deploy/gatein-sample-portal.ear</filename>
which are packaged by default with JBoss Enterprise Portal Platform.
</para> --> </warning>
</section>
- <section
id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve">
- <title><remark>NEEDINFO</remark>Enabling SSO using JBoss SSO
Valve</title>
- <remark>Is the SSO valve still valid for JPP 6?</remark>
-<!-- Source Metadata
-URL:
https://issues.jboss.org/browse/JBQA-4530
-Author [w/email]: Marek Posolda (mposolda(a)redhat.com)
-
-URL:
http://community.jboss.org/wiki/JBossWebSingleSignOn
-Author [w/email]: Brian Stansberry (bstansberry(a)jboss.com)
-
-URL:
https://issues.jboss.org/browse/JBEPP-615
-Author [w/email]: Marek Posolda (mposolda(a)redhat.com)
- --> <para>
- The JBoss SSO valve is useful to authenticate a user on one JBoss Portal
Platform node in a cluster and have that authentication automatically carry across to
other nodes in the cluster.
- </para>
- <para>
- This authentication can also be used in any other web applications which may
require authentication, <emphasis role="bold">provided that these
applications use same roles as the main portal instance</emphasis>. Attempting to
use an SSO authentication in an application that uses different roles may create
authorization errors (<emphasis role="bold">403</emphasis> errors,
for example).
- </para>
- <note>
- <title>Reauthentication</title>
- <para>
- This behavior is coming from the fact that same JAAS principal is added
by SSO valve to all HTTP requests, even to other web applications.
- </para>
- <para>
- So the same roles are required because of it. There is an alternative
that allows you to configure the SSO valve with the
<parameter>requireReauthentication=true</parameter> parameter, which will
force the SSO valve to perform reauthentication with saved credentials in each HTTP
request against security domain of particular web application where the request is
coming.
- </para>
- <para>
- This will ensure that a new principal for that web application will be
created with updated roles for that web application.
- </para>
- <para>
- In other words; when
<parameter>requireReauthentication</parameter> is <emphasis
role="bold">false</emphasis> (the default state), you need to have the
same roles among web applications. When
<parameter>requireReauthentication</parameter> is <emphasis
role="bold">true</emphasis> you need to have same username and
passwords.
- </para>
- </note>
- <para>
- More info about the JBoss SSO valve can be found at <ulink
url="http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Web_Platform...
type="http"/>.
- </para>
- <para>
- To successfully implement SSO integration, do the following:
- </para>
- <procedure
id="proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-SSO_Integration">
- <title>SSO Integration</title>
- <remark>The file paths in this procedure need to be verified if this
procedure is to remain for JPP 6</remark>
- <step>
- <para>
- Open the
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/jbossweb.sar/server.xml</filename>
file and uncomment one of the two <parameter>Valve</parameter> entries:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- For a <emphasis>non-clustered</emphasis>
implementation, uncomment:
- </para>
- <programlisting language="XML"
role="XML"><Valve
className="org.apache.catalina.authenticator.SingleSignOn" />
-</programlisting>
- </listitem>
- <listitem>
- <para>
- For a <emphasis>clustered</emphasis>
implementation, uncomment:
- </para>
- <programlisting language="XML"
role="XML"><Valve
className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn"
/></programlisting>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- For implementation of the SSO valve among the different nodes of
cluster, all the nodes must share the same domain
(<emphasis>node1.yourdomain.com</emphasis> and
<emphasis>node2.yourdomain.com</emphasis>, for example).
- </para>
- <para>
- This domain needs to be configured in the SSO valve parameter
<parameter>cookieDomain</parameter>. This is required because the SSO valve
adds the cookie <emphasis role="bold">JSESSIONIDSSO</emphasis>,
which is, by default bound only to the host where the request is originating.
- </para>
- <para>
- When the <parameter>cookieDomain</parameter> parameter is
used, the cookie is bound to the domain (like
<emphasis>yourdomain.com</emphasis>), which will ensure that it is shared
among both hosts <emphasis>node1.yourdomain.com</emphasis> and
<emphasis>node2.yourdomain.com</emphasis>.
- </para>
- <para>
- So in this case, the valve configuration would be:
- </para>
- <programlisting language="XML" role="XML"><Valve
className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn"
-cookieDomain="yourdomain.com" />
-</programlisting>
- </step>
- <step>
- <para>
- Another important thing is that both cluster nodes needs to be on
same cluster (using same parameter <emphasis
role="bold">-g</emphasis> and same parameter <emphasis
role="bold">-u</emphasis> and also using parameter <emphasis
role="bold">-Dexo.profiles=cluster</emphasis>).
- </para>
- <para>
- They must also share the same NFS directory and the same database and
apply all the configuration needed for JBoss Portal Platform cluster.
- </para>
- </step>
- </procedure>
- <formalpara
id="form-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Testing_SSO_in_a_physical_cluster">
- <title>Testing SSO in a physical cluster</title>
- <para>
- In this example, we will try to simulate testing on more physical
machines by simply using virtual hosts on single machine.
- </para>
- </formalpara>
- <procedure
id="proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Testing_the_SSO_Valve">
- <title>Testing the SSO Valve</title>
- <remark>The file paths in this procedure need to be verified if this
procedure is to remain for JPP 6</remark>
- <step>
- <para>
- If you are using a Linux system, you can configure file <emphasis
role="bold">/etc/hosts</emphasis> to contain these lines:
- </para>
- <programlisting>
-127.0.1.1
machine1.yourdomain.com
-127.0.1.2
machine2.yourdomain.com
-</programlisting>
- </step>
- <step>
- <para>
- Open the
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/all/<replaceable>PROFILE</replaceable>/jbossweb.sar/server.xml</filename>
file.
- </para>
- </step>
- <step>
- <para>
- Uncomment the line:
- </para>
- <programlisting language="XML" role="XML"><!--
-<Valve
className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn"
/>
--->
-</programlisting>
- </step>
- <step>
- <para>
- And edit it to match the following:
- </para>
- <programlisting language="XML" role="XML"><Valve
className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn"
-cookieDomain="yourdomain.com" />
-</programlisting>
- <para>
- This will ensure the <literal>JSESSIONIDSSO</literal>
cookie is used in the correct domain, allowing the SSO authentication to occur.
- </para>
- </step>
- <step>
- <para>
- Copy server configuration <emphasis
role="bold">all</emphasis> and create another two configurations
<emphasis role="bold">node1</emphasis> and <emphasis
role="bold">node2</emphasis> from it.
- </para>
- </step>
- <step>
- <para>
- Start both cluster nodes with commands:
- </para>
- <programlisting>
-./run.sh -c node1 -b
machine1.yourdomain.com -Dexo.profiles=cluster
-Djboss.messaging.ServerPeerID=0 &
-./run.sh -c node2 -b
machine2.yourdomain.com -Dexo.profiles=cluster
-Djboss.messaging.ServerPeerID=1 &
-</programlisting>
- </step>
- <step>
- <para>
- Go to
<uri>http://machine1.yourdomain.com:8080/portal</uri> and login as a user.
- </para>
- </step>
- <step>
- <para>
- Access a private URL on the second host, such as
<uri>http://machine2.yourdomain.com:8080/portal/dologin</uri>, for example.
- </para>
- <para>
- Now you should be logged directly into
<literal>machine2</literal> thanks to SSO valve.
- </para>
- </step>
- <step>
- <para>
- Logout from SSO initiating
machine1.yourdomain.com should also logged
you out from other cluster nodes. So you should be logout directly from machine2 as well.
- </para>
- </step>
- </procedure>
- <remark>The file paths in this procedure need to be verified if this procedure
is to remain for JPP 6</remark>
- <formalpara
id="form-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Enabling_SSO_with_Other_Web_Applications">
- <title>Enabling SSO with Other Web Applications</title>
- <para>
- As mentioned earlier, in order to use SSO authentication between JBoss
Portal Platform instances and other web applications, the roles defined in the web
application must match those used in the portal instance (unless you have the
<parameter>requireReauthentication</parameter> parameter set to
<literal>true</literal>).
- </para>
- </formalpara>
- <para>
- As an example, to use the SSO Valve to authenticate a user in both a portal
instance and the JMX Console, the following actions would be required:
- </para>
- <procedure>
- <title/>
- <step>
- <para>
- Open the
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/node1/deploy/jmx-console.war/WEB-INF/web.xml</filename>
file and edit it as follows:
- </para>
- <substeps>
- <step>
- <para>
- Change the
<parameter><role-name></parameter> entry in the
<parameter><auth-constraint></parameter> element (line
<literal>110</literal>) from <literal>JBossAdmin</literal> to
<literal>users</literal>:
- </para>
- <programlisting language="XML"
role="XML"><auth-constraint>
- <!--<role-name>JBossAdmin</role-name>-->
- <role-name>users</role-name>
-</auth-constraint></programlisting>
- </step>
- <step>
- <para>
- Change the
<parameter><role-name></parameter> entry in the
<parameter><security-role></parameter> element (line
<literal>120</literal>) from <literal>JBossAdmin</literal> to
<literal>users</literal>
- </para>
- <programlisting language="XML"
role="XML"><security-role>
- <!--<role-name>JBossAdmin</role-name>-->
- <role-name>users</role-name>
-</security-role></programlisting>
- </step>
- </substeps>
- </step>
- </procedure>
- <formalpara
id="form-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Testing_SSO_With_Other_Web_Applications">
- <title>Testing SSO With Other Web Applications</title>
- <para>
- To test that SSO authentication is enabled from portal instances to other
web applications (in this case, the JMX Console), do the following:
- </para>
- </formalpara>
- <procedure
id="proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Test_SSO_Between_Portal_and_JMX_Console">
- <title>Test SSO Between Portal and JMX Console</title>
- <remark>The file paths in this procedure need to be verified if this
procedure is to remain for JPP 6</remark>
- <step>
- <para>
- Start a portal instance on one node:
- </para>
- <programlisting>./run.sh -c node1 -b
machine1.yourdomain.com
-Dexo.profiles=cluster -Djboss.messaging.ServerPeerID=0 &
-</programlisting>
- </step>
- <step>
- <para>
- Navigate to
<uri>http://machine1.yourdomain.com:8080/portal/private/classic</uri> and
authenticate with the pre-configured user account
"<systemitem>root</systemitem>" (password
"<systemitem>gtn </systemitem>").
- </para>
- </step>
- <step>
- <para>
- Navigate to
<uri>http://machine1.yourdomain.com:8080/jmx-console</uri>. You should be
automatically authenticated into the JMX Console.
- </para>
- </step>
- </procedure>
- <formalpara
id="form-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Using_SSO_to_Authenticate_From_the_Public_Page">
- <title>Using SSO to Authenticate From the Public Page</title>
- <para>
- The previous configuration changes in this section are useful if a user
is using a secured URL (<ulink
url="http://localhost:8080/portal/private/classic" type="http"/>,
for example) to log in to the portal instance.
- </para>
- </formalpara>
- <para>
- Further changes are needed however, if SSO authentication is required to work
with the <guilabel>Sign In</guilabel> button on the front page of the portal
(<ulink url="http://localhost:8080/portal/classic"
type="http"/>).
- </para>
- <para>
- To enable this functionality, the <guilabel>Sign In</guilabel>
link must redirect to some secured URL, which will ensure that JAAS authentication will be
enforced directly without showing login dialog.
- </para>
- <procedure
id="proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Redirect_to_Use_SSO_Valve_Authentication">
- <title>Redirect to Use SSO Valve Authentication</title>
- <remark>The file paths in this procedure need to be verified if this
procedure is to remain for JPP 6</remark>
- <step>
- <para>
- Open the
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file and edit the line:
- </para>
- <programlisting language="Java" role="java"><a
class="Login"
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-</programlisting>
- <para>
- To read:
- </para>
- <programlisting language="Java" role="java"><a
class="Login"
href="/portal/private/classic"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-</programlisting>
- </step>
- <step>
- <para>
- Open the
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file and change the line:
- </para>
- <programlisting language="Java" role="java"><a
onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
-</programlisting>
- <para>
- To read:
- </para>
- <programlisting language="Java" role="java"><a
href="/portal/private/classic"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
-</programlisting>
- </step>
- </procedure>
- </section>
<section id="sect-SSO_Single_Sign_On_-Central_Authentication_Service">
<title><remark>BZ#856430</remark>Central Authentication Service
(CAS)</title>
- <para>The CAS Single Sign On (SSO) plug-in enables seamless integration
between the platform and the CAS SSO framework. General information about CAS can be
found on the
+ <para>The CAS single sign-on (SSO) plug-in enables seamless integration
between the platform and the CAS SSO framework. General information about CAS can be
found on the
<ulink
url="http://www.jasig.org/cas">Jasig website</ulink>
.
</para>
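Review bot: several anchors disappear here without a replacement, so cross-references need checking before this lands. The section id `sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve` and `proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Testing_the_SSO_Valve` are re-created in the new "Single Sign-On in a Cluster" section later in this commit, but `proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-SSO_Integration`, the four `form-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-*` ids, `proc-...-Test_SSO_Between_Portal_and_JMX_Console` and `proc-...-Redirect_to_Use_SSO_Valve_Authentication` are not, and any `<xref>` elsewhere in the guide that points at them will break the build. Dropping the JMX Console example, whose steps widened the console's `<auth-constraint>` and `<security-role>` from `JBossAdmin` to `users` just to make SSO work, is the right call and should not be reinstated; the new Reauthentication section in this commit covers the role-mismatch case with `reauthenticate="true"` instead of loosening the target application's roles.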
@@ -774,9 +504,9 @@
</section>
<section
id="sect-Reference_Guide-SSO_Single_Sign_On_-Java_Open_Single_Sign_On_Project">
<title>Java Open Single Sign-On Project</title>
- <para>Configuring JOSSO for JBoss Enterprise Application Platform requires an
Apache server instance to host JOSSO. JBoss Enterprise Application Platform communicates
with the JOSSO Apache instance through the Single Sign On plug-in.</para>
+ <para>Configuring JOSSO for JBoss Enterprise Application Platform requires an
Apache server instance to host JOSSO. JBoss Enterprise Application Platform communicates
with the JOSSO Apache instance through the single sign-on plug-in.</para>
<para>
- This Single Sign On plug-in enables seamless integration between JBoss Portal
Platform and the Java Open Single Sign-On Project (JOSSO) Single Sign On Framework.
Details about JOSSO can be found at <ulink url="http://www.josso.org"/> .
+ This single sign-on plug-in enables seamless integration between JBoss Portal
Platform and the Java Open Single Sign-On (JOSSO) framework. Details about JOSSO can be
found at <ulink url="http://www.josso.org"/> .
</para>
<para> The procedures in this section detail setting up the JOSSO server to
authenticate against the JBoss Portal Platform login module.
</para>
@@ -1241,7 +971,7 @@
</step>
<step>
<para>
- The user experiences a seamless single sign on (SSO) into the web
application.
+ The user experiences a seamless single sign-on (SSO) into the web
application.
</para>
</step>
</procedure>
@@ -1619,8 +1349,117 @@
Clicking the 'Sign In' link on the JBoss Portal
Platform should automatically sign the 'demo' user into the portal.
</para>
<para>
- If you destroy your kerberos ticket with command
<command>kdestroy</command>, then try to login again, you will directed to the
login screen of JBoss Enterprise Portal Product because you do not have active Kerberos
ticket. You can login with predefined account and password
"demo"/"gtn" .
+ If you destroy your kerberos ticket with command
<command>kdestroy</command>, then try to login again, you will directed to the
login screen of JBoss Portal Platform because you do not have active Kerberos ticket. You
can login with predefined account and password
"demo"/"gtn" .
</para>
+ </section>
+ </section>
+ <section
id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve">
+ <title>Single Sign-On in a Cluster</title>
+<!-- Source Metadata
+URL:
https://issues.jboss.org/browse/JBQA-4530
+Author [w/email]: Marek Posolda (mposolda(a)redhat.com)
+
+URL:
http://community.jboss.org/wiki/JBossWebSingleSignOn
+Author [w/email]: Brian Stansberry (bstansberry(a)jboss.com)
+voiii
+URL:
https://issues.jboss.org/browse/JBEPP-615
+Author [w/email]: Marek Posolda (mposolda(a)redhat.com)
+ -->
+ <para>
+ In a cluster, the JBoss SSO valve can be used to authenticate a user on one
JBoss Portal Platform node and have that authentication automatically carried across to
other nodes in the cluster.
+ </para>
+ <section
id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve-Default_Config">
+ <title>Default Configuration</title>
+ <para>
+ The JBoss SSO valve is enabled by default. The enablement is ensured by the
following JBoss Web subsystem configuration entry in the
<filename>JPP_DIST/standalone/configuration/standalon-ha.xml</filename> file:
+ </para>
+<programlisting language="XML"><![CDATA[
+<sso cache-container="web" cache-name="sso"
reauthenticate="false" />
+]]></programlisting>
+ <para>
+ When a loadbalancer is used in a cluster, no further configuration is needed to set
up single sign-on. All JBoss Portal Platform servers in the cluster are accessed through
the same URL, which is the URL of the loadbalancer. Automatic single sign-on is performed
when the loadbalancer redirects client requests to individual nodes in the cluster.
+ </para>
</section>
+ <section>
+ <title>Clustered Single-Sign On in a Shared DNS Domain</title>
+ <para>
+ If multiple JBoss Portal Platform servers are accessed through different URLs in the
same DNS domain, single sign-on can be configured by adding the
<parameter>domain</parameter> parameter to the
<parameter>sso</parameter> configuration entry.
+ </para>
+<programlisting language="XML"><![CDATA[
+<sso cache-container="web" cache-name="sso"
reauthenticate="false" domain="yourdomain.com"/>
+]]></programlisting>
+ <para>
+ The parameter must be added to the entry on all servers in the cluster and the name of
the shared DNS domain must be specified as its value. This configuration ensures that the
<parameter>JSESSIONIDSSO</parameter> cookie will be scoped to the specified
domain, which is otherwise scoped only to the host where the initial authentication was
performed.
+ </para>
+ <para>
+ The following procedure demonstrates how to configure and test single sign-on for
two JBoss Portal Platform servers running in a shared domain on the same physical Linux
machine.
+ </para>
+ <procedure
id="proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Testing_the_SSO_Valve">
+ <title>Configuring and Testing Single-Sign On in a Shared DNS
Domain</title>
+ <step>
+ <para>
+ Add the following lines to the <emphasis
role="bold">/etc/hosts</emphasis> file. Modify the IP addresses in
accordance with the IP addresses of the two JBoss Portal Platform servers.
+ </para>
+<programlisting>
+127.0.1.1
machine1.yourdomain.com
+127.0.1.2
machine2.yourdomain.com
+</programlisting>
+ </step>
+ <step>
+ <para>
+ On both servers, open the
<filename><replaceable>JPP_DIST</replaceable>/standalone/configuration/standalone-ha.xml</filename>
file. Add the <parameter>domain</parameter> parameter to the
<parameter>sso</parameter> entry and specify the name of the shared DNS domain
in its value.
+ </para>
+<programlisting language="XML"><![CDATA[
+<sso cache-container="web" cache-name="sso"
reauthenticate="false" domain="yourdomain.com"/>
+]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Start the first server using the following command:
+ </para>
+<programlisting>
+./standalone.sh -b
machine1.yourdomain.com -c standalone-ha.xml -Djboss.node.name=node1
+</programlisting>
+ </step>
+ <step>
+ <para>
+ Start the second server using the following command:
+ </para>
+<programlisting>
+./standalone.sh -b
machine2.yourdomain.com -c standalone-ha.xml -Djboss.node.name=node2
+</programlisting>
+ </step>
+ <step>
+ <para>
+ Access the first server at <ulink
url="http://machine1.yourdomain.com:8080/portal">http://machine1.yourdomain.com:8080/portal</ulink>
and log in as a user.
+ </para>
+ </step>
+ <step>
+ <para>
+ Access the second server at <ulink
url="http://machine2.yourdomain.com:8080/portal">http://machine2.yourdomain.com:8080/portal</ulink>.
When the page loads, you will be automatically logged in with the same user account that
you used on the first server.
+ </para>
+ </step>
+ <step>
+ <para>
+ Log out on any of the two servers. Then switch to the other server and verify
that you have been logged out of this server as well.
+ </para>
+ </step>
+ </procedure>
+ </section>
+ <section
id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve-Other_Web_Apps">
+ <title>Reauthentication</title>
+ <para>
+ The JBoss SSO valve can also be used to authenticate with any other web
application. If that application uses the same roles as the main JBoss Portal Platform
instance, no further configuration is required. Because the JBoss SSO valve includes the
same JAAS principal in all HTTP requests, even in requests to other web applications,
matching roles ensure successful authentication with those applications.
+ </para>
+ <para>
+ To enable single sing-on authentication with an application that uses
different roles, you need to set the <parameter>reauthenticate</parameter>
parameter of the <parameter>sso</parameter> JBoss Web subsystem configuration
entry to <literal>true</literal>.
+ </para>
+<programlisting language="XML"><![CDATA[
+<sso cache-container="web" cache-name="sso"
reauthenticate="true" />
+]]></programlisting>
+ <para>
+ The <literal>true</literal> value ensures that reauthentication
with user credentials will be performed against the web application's security domain
in each HTTP request. This will enforce creation of a new principal with updated roles for
the web application. As user credentials are used for authentication in this case, it is
required that the same user credentials exist in both the web application and the JBoss
Portal Platform instance.
+ </para>
+ </section>
</section>
</chapter>
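Review bot: the file name in the Default Configuration paragraph is misspelled as `standalon-ha.xml`; the later configuration step correctly uses `standalone-ha.xml`. Further fixes needed in this hunk: the stray `voiii` line inside the Source Metadata comment; `single sing-on` in the Reauthentication section; the inconsistent `Single-Sign On` in the two new titles, where the chapter title and the rest of the hunk use `Single Sign-On`; the Kerberos paragraph is rewritten here anyway, so `you will directed to the login screen ... because you do not have active Kerberos ticket` should become `you will be directed to the login screen ... because you do not have an active Kerberos ticket`, with `kerberos` capitalized; the shared-DNS-domain `<section>` has no `id`, unlike its siblings, so it cannot be cross-referenced; and `JSESSIONIDSSO` is a cookie name, not a parameter, so `<literal>` fits better than `<parameter>`. Two caveats the new text should carry: once `domain="yourdomain.com"` is set, the `JSESSIONIDSSO` cookie is sent to every host under that domain, not only the cluster nodes, so the domain should contain only hosts the cluster trusts; and the Reauthentication section should say plainly what the removed text said, that `reauthenticate="true"` replays the user's saved credentials against each application's security domain on every request, which is why the same credentials must exist on both sides.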