18 Replies. Latest reply on Sep 30, 2007 10:29 AM by ws_dev2001
      • 15. Re: Design of an Identity Management Framework for JBoss

        From a brief investigation into Shibboleth and CAS it seems that there is a common pattern to SSO. At a very high level:

        1. An unauthenticated user attempts to access a resource.
        2. The user is redirected to an authentication server.
        3. The authentication server uses a pluggable authentication chain to perform authentication.
        4. If successful, the user is redirected back to the original resource with a token.
        5. The original resource sends an authentication assertion request to the authentication service (i.e. using SAML) to verify that authentication occurred.
        6. The resource may also request authorization assertions from a SAML service to verify that the user is permitted to use the service (etc.).

        While it is important to provide a SSO mechanism it is also important to cater for situations where there is no agreement within an organization about how an application authenticates - thus it is important that any solution allows security services (such as authentication and authorization) to be defined at the application level, as well as at the server level.

        I'm not familiar with the JBoss authentication mechanism so I don't know how pluggable it is. However I have used the WebLogic 8.x one, which allows you to configure various pre-supplied authentication services and define how authoritative they are. IMHO this is not sufficient - it should be possible to plug in a totally bespoke implementation too. WebSphere allows you to do this, perhaps WebLogic 9 does (and perhaps JBoss does? :-) )

        Anyhow, in a SSO situation the plugin mechanism would be used by the authentication server rather than directly by an application. An application would always use the SSO authentication mechanism and it is perhaps here that it is most important that JBOSS should support SAML? After all I could just use CAS as the actual authentication service? Perhaps my reading of all this is flawed though - I certainly need to learn more about how all of these pieces should go together and about how they would be used in a non-web application.

        CAS initially used a proprietary protocol to perform the authentication assertion phase of single sign-on; it appears that it now uses SAML for this phase. This is a good description of the role that SAML plays in CAS: http://www.ja-sig.org/wiki/display/CAS/Shawn+CAS+and+SAML. It mentions a browser profile for SAML which defines how the redirect part works.

        There is a very interesting overview of Shibboleth at http://www.switch.ch/aai/demo/demo_intro.html. It's worth working through the demo all the way to the technical introduction link. It seems that they use SAML for inter-domain SSO and CAS for intra-domain SSO.

        @sohil: I'm not sure from your interface definition, but just to clarify: SAML does not itself define an authentication service, only an assertion service about prior acts of authentication.
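
        The six-step pattern described in this post, driven end to end in a small in-process simulation. This is an added example, not code from the post's author and not code from JBoss SSO, CAS or Shibboleth: the two URLs, the opaque ticket format, the 60-second ticket lifetime, the two chain handlers and the sample credentials are all assumptions made for the illustration. The in-process `validate()` call stands in for the back-channel assertion request (step 5) that a real deployment would make over SAML or the CAS validation URL.

```python
# Simulation of the redirect-and-validate SSO pattern listed above. Added
# illustration, not code from JBoss SSO, CAS or Shibboleth; the URLs, ticket
# format, 60 s ticket lifetime, handlers and sample credentials are assumptions.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_URL = "https://sso.example/login"    # assumed authentication server
APP_URL = "https://app.example/report"    # assumed protected resource
TICKET_TTL = 60                           # assumed ticket lifetime, seconds


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def password_handler(users):
    """Chain link 1: username -> hex SHA-256 of the password (assumed store)."""
    def handle(creds):
        expected = users.get(creds.get("username"))
        supplied = sha256_hex(creds.get("password", ""))
        if expected and hmac.compare_digest(expected, supplied):
            return creds["username"]
        return None                       # fall through to the next link
    return handle


def api_key_handler(keys):
    """Chain link 2: opaque API keys, consulted only when link 1 returns None."""
    return lambda creds: keys.get(creds.get("api_key"))


class AuthServer:
    def __init__(self):
        self.chain = []       # pluggable handlers, tried in order
        self._tickets = {}    # ticket -> (user, service it was issued for, expiry)

    def login(self, service, creds, now=None):
        """Steps 3-4: run the chain; on success redirect back with a one-time ticket."""
        now = time.time() if now is None else now
        for handler in self.chain:
            user = handler(creds)
            if user is not None:
                ticket = secrets.token_urlsafe(24)
                self._tickets[ticket] = (user, service, now + TICKET_TTL)
                return f"{service}?{urlencode({'ticket': ticket})}"
        return None                       # every link in the chain refused

    def validate(self, service, ticket, now=None):
        """Step 5: assert that `ticket` proves a login for `service`; single use."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)   # consumed even if invalid
        if entry is None:
            return None
        user, bound_service, expires = entry
        if bound_service != service or now > expires:
            return None                   # issued for another service, or stale
        return user


class Resource:
    """The protected application; handle() returns (status, user, redirect, cookie)."""
    def __init__(self, url, auth):
        self.url, self.auth, self._sessions = url, auth, {}

    def handle(self, request):
        sid = request.get("cookie")
        if sid in self._sessions:                       # already logged in here
            return 200, self._sessions[sid], None, None
        ticket = request.get("query", {}).get("ticket")
        if ticket is None:                              # steps 1-2: bounce to SSO
            return 302, None, f"{AUTH_URL}?{urlencode({'service': self.url})}", None
        user = self.auth.validate(self.url, ticket)     # step 5: back-channel check
        if user is None:
            return 403, None, None, None
        sid = secrets.token_urlsafe(24)                 # local session, not the ticket
        self._sessions[sid] = user
        return 200, user, None, sid


def walkthrough():
    """Drive one login end to end and return what each request produced."""
    auth = AuthServer()
    auth.chain.append(password_handler({"alice": sha256_hex("s3cret")}))  # constructed user
    auth.chain.append(api_key_handler({"k-9f2": "svc-batch"}))            # constructed key
    app = Resource(APP_URL, auth)
    out = []
    status, _, location, _ = app.handle({"cookie": None, "query": {}})
    out.append(status)                                  # 302 to the auth server
    service = parse_qs(urlsplit(location).query)["service"][0]
    back = auth.login(service, {"username": "alice", "password": "s3cret"})
    ticket = parse_qs(urlsplit(back).query)["ticket"][0]
    status, user, _, cookie = app.handle({"cookie": None, "query": {"ticket": ticket}})
    out.append((status, user))                          # (200, 'alice')
    out.append(app.handle({"cookie": None, "query": {"ticket": ticket}})[0])   # replay -> 403
    out.append(app.handle({"cookie": cookie, "query": {}})[:2])               # (200, 'alice')
    out.append(auth.login(service, {"username": "alice", "password": "nope"}))  # None
    other = auth.login("https://other.example/", {"api_key": "k-9f2"})        # link 2 accepts
    t2 = parse_qs(urlsplit(other).query)["ticket"][0]
    out.append(auth.validate(APP_URL, t2))              # bound to another service -> None
    return out
```

        Two details of the simulation are the checks a practitioner would want in step 5 regardless of protocol: the ticket is bound to the service it was issued for, so a ticket obtained for one application cannot be replayed against another, and it is consumed on first validation, so a ticket captured from a URL or log cannot be presented twice. After validation the application relies on its own session, not on the ticket.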

        • 16. Re: Design of an Identity Management Framework for JBoss
          anil.saldhana

           For those of you who are interested, Sohil made possible the first beta version of JBoss federated SSO.
          http://labs.jboss.com/portal/jbosssso/downloads

          Some documentation:
          http://labs.jboss.com/wiki/Jbosssso

          • 17. Re: Design of an Identity Management Framework for JBoss
            sushhma.pandey


            Hi Sohil,

            Is there any link provided for JBoss Operations Network for SSO like we have for some tools such as AdventNet AppManager, which is:

            http://hostname:port/jsp/SingleSignOn.jsp?username=<login_username>&password=<login_password>
            ( ex: http://appmanager:9090/jsp/SingleSignOn.jsp?username=admin&password=admin )

            thanks,
            sushma.

            • 18. Re: Design of an Identity Management Framework for JBoss

              Hi All,
               I have WSS4J-enabled web services on the Axis WS stack. I use GT 4.0.1. I can make calls from Java clients to .NET WSS4J-enabled web services as well as vice versa. I use WSE 2.0 SP3. It has been some time since I reconnected to this personal endeavour. I need to define and execute a business workflow, perhaps using the jBPM 3.1.2 starter's kit. I understand this is not the latest stable version. Can I wire my WSS4J-enabled endpoint references to jBPM-based jPDL process itineraries?

              TIA.
