Version 8

    Introduction

    JBoss Identity Federation contains sample applications that show how JBID can be used to implement SAMLv2 Web Browser SSO. Starting with JBID version 1.0.0-beta1, three sets of applications are supplied: one for any generic web container, one for Tomcat and one for a JBoss AS 5.x server.

    The difference between the generic web container apps and the Tomcat/JBoss AS ones is that the generic web container apps do not use the servlet specification's container-managed authentication.

    Tomcat examples

    The applications should work at least on a Tomcat 6.x server, running Java 1.6. If Java 1.5 is used, you should copy a JAXB 2.x implementation to the lib directory of Tomcat.

    The sample IDP (IDentity Provider) applications can be deployed by copying their war files to Tomcat's lib folder:

    web-root          Package              Signs Outgoing Messages   Ignores Incoming Signatures
    /idp              idp.war              no                        yes
    /idp-sig          idp-sig.war          yes                       no
    /idp-sig-no-val   idp-sig-no-val.war   yes                       yes

    They rely on the security context that has been set up in the application server. The realm should contain the following users and roles:

    Username   Roles
    employee   Employee
    sales      Sales, Employee
    manager    manager, Sales, Employee

    The file $TOMCAT_HOME/conf/tomcat-users.xml can be used to configure those users:

    <tomcat-users>
      <role rolename="manager"/>
      <role rolename="Sales"/>
      <role rolename="Employee"/>
      <user password="manager" roles="manager,Employee,Sales" username="manager"/>
      <user password="sales" roles="Employee,Sales" username="sales"/>
      <user password="employee" roles="Employee" username="employee"/>
    </tomcat-users>

    The sample SP (Service Provider) applications should also be deployed:

    web-root          Package              IDP       Outgoing Message Binding   Authorized User Roles
    /sales            sales.war            idp       HTTP Redirect              Sales
    /sales-sig        sales-sig.war        idp-sig   HTTP Redirect              Sales
    /sales-post-sig   sales-post-sig.war   idp-sig   HTTP POST                  Sales
    /employee         employee.war         idp       HTTP Redirect              Employee

    The following files need to be added to Tomcat's lib folder:

    • jboss-identity-bindings-<version>.jar
    • jboss-identity-fed-<version>.jar

    After starting Tomcat, try to log in to the different applications using the different users, and observe the SSO behaviour.

    JBoss AS 5.x examples

    The JBoss AS 5.x examples consist of:

    • an identity provider, implemented as a JSP application that uses the JBID Tomcat valve, and
    • a Seam application that uses the Seam filter to connect to the IDP as a service provider.

    They are packaged as the file fed-example.ear, which should be copied to the deploy directory.

    The following JBID files need to be copied to the lib folder of the application server:

    • jboss-identity-bindings-<version>.jar
    • jboss-identity-bindings-jboss-<version>.jar
    • jboss-identity-fed-<version>.jar

    The IDP uses the default JBoss login module, backed by a realm with the following users:

    Username   Roles
    employee   Employee
    sales      Sales, Employee
    manager    manager, Sales, Employee

    For this to work, you need to create a file defaultUsers.properties in the conf directory of your server instance:

    employee=employee
    sales=sales
    manager=manager

    You also need a defaultRoles.properties in the conf directory:

    manager=manager,Sales,Employee
    sales=Sales,Employee
    employee=Employee
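As an added example (not part of this page or of the JBID distribution), the following Python script parses both realm definitions shown on this page, the Tomcat tomcat-users.xml and the JBoss defaultRoles.properties, checks that they grant the same roles to the same users, and derives from the SP table which sample service providers each user is authorized to enter. The file contents are embedded as constructed copies of the page's examples, and the SP_REQUIRED_ROLE mapping is an assumption taken from the "Authorized User Roles" column of the Tomcat SP table.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two realm files shown on this page.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="Sales"/>
  <role rolename="Employee"/>
  <user password="manager" roles="manager,Employee,Sales" username="manager"/>
  <user password="sales" roles="Employee,Sales" username="sales"/>
  <user password="employee" roles="Employee" username="employee"/>
</tomcat-users>"""
DEFAULT_ROLES_PROPERTIES = "manager=manager,Sales,Employee\nsales=Sales,Employee\nemployee=Employee\n"

# Assumed from the SP table on this page: context root -> role an authorized user must hold.
SP_REQUIRED_ROLE = {"/sales": "Sales", "/sales-sig": "Sales",
                    "/sales-post-sig": "Sales", "/employee": "Employee"}

def parse_tomcat_users(xml_text):
    """Return {username: set(roles)} from tomcat-users.xml; reject roles no <role> element declares."""
    root = ET.fromstring(xml_text)
    declared = {r.get("rolename") for r in root.findall("role")}
    users = {}
    for u in root.findall("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        if roles - declared:
            raise ValueError(f"{u.get('username')}: undeclared roles {sorted(roles - declared)}")
        users[u.get("username")] = roles
    return users

def parse_roles_properties(text):
    """Return {username: set(roles)} from a JBoss defaultRoles.properties file."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, roles = line.partition("=")
        users[name.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return users

def access_matrix(users):
    """Map each user to the sorted SP context roots its roles admit it to."""
    return {name: sorted(sp for sp, role in SP_REQUIRED_ROLE.items() if role in roles)
            for name, roles in users.items()}

def realms_agree(tomcat_xml, roles_properties):
    """True when the Tomcat and JBoss realms grant identical roles to identical users."""
    return parse_tomcat_users(tomcat_xml) == parse_roles_properties(roles_properties)
```

Running access_matrix on either realm shows that manager and sales reach all four SP context roots while employee reaches only /employee, which is the behaviour to expect when trying the users in the browser.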

    After starting JBoss, you can surf to the public page of the Seam application:

    http://localhost:8080/seam-sp/PublicPage.seam

    When clicking on a private page, you will be redirected to the IDP to login. After authentication, you will be redirected to the requested private page. It is also possible to start with a clean session and directly request a private page:

    http://localhost:8080/seam-sp/PrivatePage1.seam

    Generic Web Container Applications

    There are two web applications that can be run on any servlet container. The web apps are called idp-standalone.war and sales-standalone.war. The applications support the SAMLv2 HTTP POST Binding of the SAML2 Web Browser SSO Profile.