Introduction
JBoss Identity Federation contains sample applications that show how JBID can be used to implement SAMLv2 Web Browser SSO. Starting with JBID version 1.0.0-beta1, three sets of applications are supplied: one for any generic web container, one for Tomcat and one for a JBoss AS 5.x server.
The difference between the applications for a generic web container and the Tomcat/JBoss AS ones is that the generic web container applications do not involve the servlet-spec container authentication.
Tomcat examples
The applications should work at least on a Tomcat 6.x server, running Java 1.6. If Java 1.5 is used, you should copy a JAXB 2.x implementation to the lib directory of Tomcat.
The sample IDP (IDentity Provider) applications can be deployed by copying their war files to Tomcat's lib folder:
web-root | Package | Signs Outgoing Messages | Ignores Incoming Signatures |
---|---|---|---|
/idp | idp.war | no | yes |
/idp-sig | idp-sig.war | yes | no |
/idp-sig-no-val | idp-sig-no-val.war | yes | yes |
They rely on the security context that has been set up in the application server. The realm should contain the following users and roles:
Username | Roles |
---|---|
employee | Employee |
sales | Sales, Employee |
manager | manager, Sales, Employee |
The file $TOMCAT_HOME/conf/tomcat-users.xml can be used to configure those users:
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="Sales"/>
  <role rolename="Employee"/>
  <user password="manager" roles="manager,Employee,Sales" username="manager"/>
  <user password="sales" roles="Employee,Sales" username="sales"/>
  <user password="employee" roles="Employee" username="employee"/>
</tomcat-users>
The sample SP (Service Provider) applications should also be deployed:
web-root | Package | IDP | Outgoing Message Binding | Authorized User Roles |
---|---|---|---|---|
/sales | sales.war | idp | HTTP Redirect | Sales |
/sales-sig | sales-sig.war | idp-sig | HTTP Redirect | Sales |
/sales-post-sig | sales-post-sig.war | idp-sig | HTTP Post | Sales |
/employee | employee.war | idp | HTTP Redirect | Employee |
The following files need to be added to Tomcat's lib folder:
- jboss-identity-bindings-<version>.jar
- jboss-identity-fed-<version>.jar
After starting Tomcat, try to log in to the different applications with the different users and observe the SSO behaviour.
JBoss AS 5.x examples
The JBoss AS 5.x examples consist of:
- an identity provider, implemented as a JSP application that uses the JBID Tomcat valve, and
- a Seam application that uses the Seam filter to connect to the IDP as a service provider.
They are packaged as the file fed-example.ear, which should be copied to the deploy directory.
The following JBID files need to be copied to the lib folder of the application server:
- jboss-identity-bindings-<version>.jar
- jboss-identity-bindings-jboss-<version>.jar
- jboss-identity-fed-<version>.jar
The IDP will use the default login module of JBoss, using a realm with the following users:
Username | Roles |
---|---|
employee | Employee |
sales | Sales, Employee |
manager | manager, Sales, Employee |
For this to work, you need to create a file defaultUsers.properties in the conf directory of your server instance:
employee=employee
sales=sales
manager=manager
You also need a defaultRoles.properties in the conf directory:
manager=manager,Sales,Employee
sales=Sales,Employee
employee=Employee
After starting JBoss, you can browse to the public page of the Seam application:
http://localhost:8080/seam-sp/PublicPage.seam
When clicking on a private page, you will be redirected to the IDP to login. After authentication, you will be redirected to the requested private page. It is also possible to start with a clean session and directly request a private page:
http://localhost:8080/seam-sp/PrivatePage1.seam
Generic Web Container Applications
There are two web applications that can be run on any servlet container. The Web Apps are called idp-standalone.war and sales-standalone.war. The applications support SAMLv2 HTTP POST Binding of the SAML2 Web Browser SSO Profile.