[jboss-user] [Security & JAAS/JBoss] - SAML token propagation
danjava2000
do-not-reply at jboss.com
Thu May 28 10:35:53 EDT 2009
Hi all,
I am wondering how the SAML token is propagated between domains.
When I log in to the first server, I see clearly in the console that the SAML token has been generated and that it has been put on the trust server.
Now, if I try to log on to the second server, I see that the SSOTokenManager is looking for the SAML token in the request or in a cookie. Since it is in neither place, the application shows the login page (which I don't want, for sure).
What am I doing wrong here? Do I need to add a specific parameter to the request?
Notice in the following code fragments that I implemented my own LoginProvider and LoginModule. But neither one is invoked when I hit the second server for the first time.
I am using JBoss Federated SSO 1.0 CR1 on JBoss AS 4.0.2 with the following settings:
On both servers I have the following setup:
My SSO server config:
<jboss-sso>
  <identity-management>
    <login>
      <provider id="si:intertrade:jboss-sso:database:login" class="com.intertrade.common.sso.DatabaseLoginProvider">
        <property name="hashAlgorithm">SHA1</property>
        <property name="hashEncoding">base64</property>
        <property name="unauthenticatedIdentity">guest</property>
        <property name="dsJndiName">java:/topcatDB</property>
        <property name="principalsQuery">select user_password from USERS where USER_NAME = ?</property>
        <property name="rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</property>
      </provider>
    </login>
  </identity-management>

  <!-- sso processor for SingleSignOn, the default JBossSingleSignOn processor uses OpenSAML-1.0,
       the next version of this processor will use the latest SAML specification
  -->
  <sso-processor>
    <processor class="org.jboss.security.saml.JBossSingleSignOn">
      <property name="trustServer">https://scarlet.montreal.intertrade.com:8443/federate/trust</property>
    </processor>
  </sso-processor>
</jboss-sso>

My JAAS login config:
<application-policy name="topcat">
  <authentication>
    <login-module code="com.intertrade.common.sso.DatabaseLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="hashAlgorithm">SHA1</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="dsJndiName">java:/topcatDB</module-option>
      <module-option name="principalsQuery">select user_password from USERS where USER_NAME = ?</module-option>
      <module-option name="rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</module-option>
      <module-option name="provider">si:intertrade:jboss-sso:database:login</module-option>
    </login-module>
  </authentication>
</application-policy>

Federated server setting:
<jboss-sso>
  <federation-server>
    <partners>
      <partner domain="intertrade.com" server="https://scarlet.montreal.intertrade.com:8443/federate"/>
      <partner domain="tradelinks.net" server="https://localhost.tradelinks.net:8443/federate"/>
    </partners>
  </federation-server>
</jboss-sso>

On server 1 (scarlet.montreal.intertrade.com), I have the following Tomcat valve settings:
<?xml version="1.0"?>
<Context>
  <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /-->

  <!--
    logoutURL - URL for performing logout/signout function in your application
  -->
  <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/>

  <!--
    assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
  -->
  <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="https://scarlet.montreal.intertrade.com:8443/federate"/>

  <!--
    tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
  -->
  <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM" provider="si:intertrade:jboss-sso:database:login"/>
</Context>

On server 2 (localhost.tradelinks.net), I have the following Tomcat valve settings:
<?xml version="1.0"?>
<Context>
  <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /-->

  <!--
    logoutURL - URL for performing logout/signout function in your application
  -->
  <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/>

  <!--
    assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
  -->
  <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="https://localhost.tradelinks.net:8443/federate"/>

  <!--
    tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
  -->
  <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM" provider="si:intertrade:jboss-sso:database:login"/>
</Context>

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233930#4233930