[jboss-user] [Security & JAAS/JBoss] - Re: federated SSO framework and http cookies

[kenyee]

"sohil.shah at jboss.com" wrote : I have gotten community feedback that besides the username, and password parameters, there needs to be provision for sending in more information as criteria to perform a successful login. This will be addressed so that the LoginProvider interface can be made more generic
  | 

Thanks for the reply, Sohil.
As part of the LoginProvider framework, if we could have some generic interface that lets us tuck away name/value bits of info, I think it'd be useful (we can then save off info like Windows Domains, securID tokens, etc.).  It'd also be useful if we could get/set http cookies via that interface (e.g., "set cookie for your SSO domain").

The use case for the latter case would be: multiple web server types in same domain.  You login to one web server, which injects a cookie into your web browser.  You then hit another web server in your domain, and that web server can use that cookie for validation.  It's a somewhat crude way to do an SSO-like or remember-me-like login.  

If I understand correctly, the SAML token does this in a similar way, but I don't know if you can map from a SAML token to valid authentication information on each web server easily so that your web app on the second server is logged in properly (your LoginProvider seems to depend on a username/password).  I guess it'd really help if there's an example that shows how SSO works in a "remember me" type of application...


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3985038#3985038

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3985038