[jboss-user] [Security & JAAS/JBoss] - Re: JBoss Federated SSO: Does it support?

sohil.shah@jboss.com do-not-reply at jboss.com
Thu Jan 24 00:27:59 EST 2008


Arjun-

Here is the detailed documentation for the JBoss Federated SSO project http://labs.jboss.com/wiki/Jbosssso

As per your questions:

anonymous wrote : 
  | Q1) Is JBoss SX a pre requisite for JBoss SSO?? 
  | 
JBoss SX is not a requirement for JBoss SSO. It supports both a JAAS-based authentication mechanism as well as a custom authentication mechanism. The wiki has detailed information related to both approaches.

anonymous wrote : 
  |  3.1. Ability to attach a Web filter (Servlet 2.3 Spec) in the 3rd party App which can be on any App/Web Server. The filter will communicate with the SSO server. This reduces integration cost. 
  | 
With JBoss SSO, Single Sign On orchestration/Token management is provided out-of-the-box using the Tomcat Valve approach. This mechanism takes care of all communication/secure exchanges between your web application and the SSO Federation Server. All your application needs to do is provide the web application integration discussed in the wiki. Hence, you don't need a Servlet Filter in your web application to communicate with the SSO Server.

anonymous wrote : 
  | Do I have to recompile it for JDK1.4? 
  | 

The framework in its current codebase is fully compliant with JDK1.4. It should also run out-of-the-box in JDK5 as well.

anonymous wrote : 
  | Is there a dependency on a specific JBoss App Server version or can we run it on a JBoss 3.2.7 also? 
  | 

The JBoss AS versions supported are 4.0.4 and 4.0.5. Integration with newer versions is on the roadmap. Backporting for older versions is not.

anonymous wrote : 
  | Can I run it on Tomcat? 
  | 

Not at the moment. It runs within the Tomcat integrated with the AS.

anonymous wrote : 
  | Configure SSO session timeouts 
  | 

Yes. This is exactly the same as the Tomcat HTTP session timeout of your application. And if one application is logged out, the Federated Logout function performs the corresponding logout in the other web applications as well.

anonymous wrote : 
  | Attach a Bean(s) to a SSO session, so we can expose a service to request information about that session without hitting the database 
  | 

Not sure if I understand. Are you referring to the availability of an HttpSession for your web application here? What's the use case? Think of JBoss SSO as a black box layer on top of your web application for orchestrating Single Sign On between a group of Federated web applications. Hence, nothing changes for your web application functionality, including your use of HttpSession etc.

anonymous wrote : 
  | Configure things like: a person can log in once with credentials only, or can have multiple logins. 
  | 

JBoss SSO does not dictate the application requirements for your login use case. It comes into play (SSO orchestration) once an authentication is successful and a Logged In Principal is established.

anonymous wrote : 
  | SSO Sessions should extend or be normal Web Server sessions, or if not, then provide support for clustering, for session replication. 
  | 

Web Server Sessions remain as is. Nothing changes here. Your web application is completely unaware of the presence of an SSO layer, and all facilities like HttpSession clustering/replication are available the same way as before the SSO layer was integrated.

anonymous wrote : 
  | What's the underlying principle behind the SSO? Like CAS is based on a Kerberos v5 based protocol. 
  | 

The underlying principles of the approach are:

1/ De-centralized approach using a Federation of independent web applications that could possibly even live in completely different web domains.

2/ A standards-based approach using SAML so that independent web applications, like say your company's internal portal and your SaaS provider (like SalesForce), can exchange SSO Assertions and Trust Handshakes securely.

Hope this helps.

Thanks

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4122886#4122886