[jboss-dev-forums] [JBoss Identity Development] - ADFS JBossWS and friends
acoliver@jboss.org
do-not-reply at jboss.com
Fri Dec 4 01:14:20 EST 2009
I'm going to ask this as if it were a user question. Anil told me to post it here :-) Mainly I'm proposing a scenario.
The basic requirement
IE/Flash ----SOAP----JBoss----SOAP----AnotherJBoss---SOAP---NOTJBOSS
ActiveDirectory
The present solution (https://jira.jboss.org/jira/browse/JBAS-2681):
Microsoft Certificate Server
Fixed LDAPExtLoginModule to let me authorize only and use the principal from the cert
SSL Cert authentication
That gets us step 1.
Step 2 is: how does JBoss call AnotherJBoss, passing the credentials?
Present solution involves NOT calling the same port (because I have to NOT do client cert re-authentication) and passing WS-Security info, using another login module that says "if JBoss said he's authenticated then he must be authenticated". Basically ID and origination IP is the credential.
So how do I get a real single sign-on session from a client calling one server and share that session up to another, and possibly another NOT JBoss, server? What software, standards and configuration are involved? How would one put such a thing together?
Ideally the client would:
* only use SSL authentication anywhere once (because cross-authentication is a bear)
* be able to authorize (get his groups and/or roles) in a convenient manner.
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4268925#4268925
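An added illustration of the two hop-to-hop trust policies the post contrasts, written for this page rather than taken from the post, JBoss or ADFS: `trust_by_origin` is the "if JBoss said he's authenticated then he must be authenticated" login-module rule (asserted ID plus originating IP), and `issue_assertion`/`verify_assertion` show the shape of the signed, audience-scoped, expiring assertion that a WS-Security/SSO setup carries in its place. An HMAC over JSON stands in for the XML signature a real WS-Security header would use; the key, audience URN, user names, roles and addresses are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not from the post): the key the first JBoss shares
# with the downstream server, and the downstream's audience identifier.
# A real WS-Security deployment would use an X.509 signature rather than an HMAC.
HOP_KEY = b"constructed-demo-key-not-for-production"
DOWNSTREAM_AUDIENCE = "urn:example:AnotherJBoss"


def trust_by_origin(claimed_id, source_ip, trusted_ips):
    """The policy described in the post: the downstream accepts whatever
    identity is asserted, as long as the call comes from an address it
    considers to be 'JBoss'. The identity itself is never verified."""
    return claimed_id if source_ip in trusted_ips else None


def issue_assertion(subject, roles, key=HOP_KEY, audience=DOWNSTREAM_AUDIENCE,
                    ttl=300, now=None):
    """Done by the first JBoss after the SSL client-cert login succeeded.
    Binds subject, roles, target server and validity window together and
    signs them, so the downstream can check them without re-authenticating."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "aud": audience,
              "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_assertion(token, key=HOP_KEY, audience=DOWNSTREAM_AUDIENCE, now=None):
    """Downstream check. Returns (subject, roles) when the assertion is
    authentic, unexpired and addressed to this server; None otherwise."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None  # not even the right shape
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None  # forged, tampered, or signed with a different key
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("aud") != audience:
        return None  # issued for a different server; do not honour it here
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int) or not iat <= now < exp:
        return None  # outside the validity window
    return claims.get("sub"), claims.get("roles", [])


if __name__ == "__main__":
    token = issue_assertion("alice", ["dev", "admin"])
    print("origin-based policy accepts:",
          trust_by_origin("anyone", "10.0.0.5", {"10.0.0.5"}))
    print("signed assertion yields:", verify_assertion(token))
    print("tampered assertion yields:", verify_assertion(token[:-1] + "x"))
```

The difference worth noticing is that the origin-based policy accepts any identity string from a trusted address, whereas the assertion binds subject, roles and target server into something the downstream verifies for itself, so it also covers the second bullet above: the groups or roles travel with the assertion and the downstream can authorize without a second lookup.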