[jboss-user] [Security & JAAS/JBoss] - JBoss federated SSO setup

alllle do-not-reply at jboss.com
Mon Jun 30 20:50:40 EDT 2008


I'm trying out the JBoss SSO and got stuck with cross domain SSO setup. I wonder if anyone can point out what I was doing wrong.

I am running two JBoss instances on the local box, with JBoss config name "sso-site1" and "sso-site2". For sso-site2, I've changed all the ports it uses by prefixing them with a 1 so they are in the 10000-19999 range. I am accessing the two sites using www.ssosite1.com:8080 and www.ssosite2.com:18080 after updating the Windows host file.

I also dropped the jboss-sso.sar and jboss-federation-server-exploded.ear to the deploy directory of both sites.

I then deployed ssoapp1 and ssoapp2 to sso-site1 and sso-site2, respectively. Below are the settings of various files. For ssoapp1, it uses "site1" in various places as mentioned below. For ssoapp2, it uses "site2" wherever "site1" is used in ssoapp1. 


  | 	<login>
  | 		<provider id="si:myconmpany:site1:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>				
  | 	</login>
  | 	<sso-processor>
  | 		<processor class="org.jboss.security.saml.JBossSingleSignOn">
  | 			<property name="trustServer">http://www.ssosite1.com:8080/federate/trust</property>
  | 		</processor>
  | 	</sso-processor>

JBoss conf/login-config.xml

  | 	<application-policy name="ssodemo-site1">       
  | 	 <authentication>
  | 	   <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
  | 		<module-option name="unauthenticatedIdentity">guest</module-option>                        
  | 		<module-option name="password-stacking">useFirstPass</module-option>           
  | 		<module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>             
  | 		<module-option name="provider">si:myconmpany:site1:login</module-option>
  | 	  </login-module>          
  | 	 </authentication>
  | 	</application-policy>


  | 	<federation-server>
  | 		<partners>
  | 			<partner domain="ssodemo-site1" server="http://www.ssosite1.com:8080/federate"/>
  | 			<partner domain="ssodemo-site2" server="http://www.ssosite2.com:18080/federate"/>
  | 		</partners>
  | 	</federation-server>	


  | <Context>
  |   <!-- a federation routing valve -->
  |   <Valve className="org.jboss.security.valve.SSOFederationRouter" />
  |   <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/ssoapp1/close_session.jsp" />
  |   <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="ssodemo:site1" />
  |   <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="BASIC" provider="si:mycompany:site1:login" />
  | </Context>


  |   <security-domain>java:/jaas/ssodemo-site1</security-domain>


  |   <security-constraint>
  |     <display-name>protected resources</display-name>
  |     <web-resource-collection>
  |       <web-resource-name>protected contents</web-resource-name>
  |       <url-pattern>/protected/*</url-pattern>
  |     </web-resource-collection>
  |     <auth-constraint>
  |      <role-name>Authenticated</role-name>
  |     </auth-constraint>
  |   </security-constraint>
  |   <login-config>
  |     <auth-method>BASIC</auth-method>
  |     <realm-name>SSO Authentication App1 @ Site1</realm-name>
  |   </login-config>
  |   <security-role>
  |     <role-name>Authenticated</role-name>
  |   </security-role>

I think I've connected all the dots. The login worked okay. Once login, I can see the SAML token in the cookie. However, when I click a link to jump from site1 to site2 (or vise versa), the SAML token is not restored and therefore, I am getting the login prompt again. 

Any idea what is missing?

Thanks in advance.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4161637#4161637

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4161637

More information about the jboss-user mailing list