[jboss-user] [Security & JAAS/JBoss] - JBoss federated SSO setup
alllle
do-not-reply at jboss.com
Mon Jun 30 20:50:40 EDT 2008
Hi,
I'm trying out the JBoss SSO and got stuck with cross domain SSO setup. I wonder if anyone can point out what I was doing wrong.
I am running two JBoss instances on the local box, with JBoss config name "sso-site1" and "sso-site2". For sso-site2, I've changed all the ports it uses by prefixing them with a 1 so they are in the 10000-19999 range. I am accessing the two sites using www.ssosite1.com:8080 and www.ssosite2.com:18080 after updating the Windows host file.
I also dropped the jboss-sso.sar and jboss-federation-server-exploded.ear to the deploy directory of both sites.
I then deployed ssoapp1 and ssoapp2 to sso-site1 and sso-site2, respectively. Below are the settings of various files. For ssoapp1, it uses "site1" in various places as mentioned below. For ssoapp2, it uses "site2" wherever "site1" is used in ssoapp1.
jboss-sso.sar/conf/sso.cfg.xml
| <login>
| <provider id="si:myconmpany:site1:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
| </login>
|
| <sso-processor>
| <processor class="org.jboss.security.saml.JBossSingleSignOn">
| <property name="trustServer">http://www.ssosite1.com:8080/federate/trust</property>
| </processor>
| </sso-processor>
|
|
JBoss conf/login-config.xml
| <application-policy name="ssodemo-site1">
| <authentication>
| <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
| <module-option name="unauthenticatedIdentity">guest</module-option>
| <module-option name="password-stacking">useFirstPass</module-option>
| <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
| <module-option name="provider">si:myconmpany:site1:login</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
jboss-federation-server.sar/conf/server.cfg.xml
| <federation-server>
| <partners>
| <partner domain="ssodemo-site1" server="http://www.ssosite1.com:8080/federate"/>
| <partner domain="ssodemo-site2" server="http://www.ssosite2.com:18080/federate"/>
| </partners>
| </federation-server>
|
WEB-INF/Context.xml
| <Context>
| <!-- a federation routing valve -->
| <Valve className="org.jboss.security.valve.SSOFederationRouter" />
| <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/ssoapp1/close_session.jsp" />
|
| <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="ssodemo:site1" />
|
| <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="BASIC" provider="si:mycompany:site1:login" />
| </Context>
|
WEB-INF/jboss-web.xml
| <security-domain>java:/jaas/ssodemo-site1</security-domain>
|
WEB-INF/web.xml
| <security-constraint>
| <display-name>protected resources</display-name>
| <web-resource-collection>
| <web-resource-name>protected contents</web-resource-name>
| <url-pattern>/protected/*</url-pattern>
| </web-resource-collection>
| <auth-constraint>
| <role-name>Authenticated</role-name>
| </auth-constraint>
| </security-constraint>
| <login-config>
| <auth-method>BASIC</auth-method>
| <realm-name>SSO Authentication App1 @ Site1</realm-name>
| </login-config>
| <security-role>
| <role-name>Authenticated</role-name>
| </security-role>
|
I think I've connected all the dots. The login worked okay. Once login, I can see the SAML token in the cookie. However, when I click a link to jump from site1 to site2 (or vise versa), the SAML token is not restored and therefore, I am getting the login prompt again.
Any idea what is missing?
Thanks in advance.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4161637#4161637
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4161637
More information about the jboss-user
mailing list