IdentityManagement

JBoss Federated SSO - Identity Management Framework

 

 

 

  • The Identity Management Framework allows you to integrate the various Single Sign On components of the overall framework to the actual Identity Store where the User Identity related information is stored.\

 

 

  • The Identity Management Framework consists of a flexible/pluggable Java API to connect to Identity Stores.\

 

 

  • Out-of-the-box this component comes with an LDAPIdentityProvider which connects to LDAP based repositories such as OpenLDAP, Red Hat Directory Server, OpenDS etc.

  The schemas supported by this provider are the standard inetOrgPerson for User Identities, and organizationalUnit for User Roles.\

 

 

  • We recognize that not all applications store their identity information in LDAP. In fact 80% of the applications have some kind of a proprietary database approach to storing identity data. Hence, this framework is made pluggable by design so that even these applications can become Federated SSO Enabled.\

 

 

 

Design Details:

 

 

 

  • The Identity Management Service focuses on managing an entity called a LoginProvider\

 

 

  • A LoginProvider is used by the components of the overall SSO system such as JAAS Login Modules, and SSOAutoLogin valve to access user login related information.

  This information is username, password, account active status, existence of a supplied username etc.

  Here is the LoginProvider interface that developers can implement and plug into the Identity Management Service.

 

    • 
         /*
      * JBoss, Home of Professional Open Source
      * Copyright 2005, JBoss Inc., and individual contributors as indicated
      * by the @authors tag. See the copyright.txt in the distribution for a
      * full listing of individual contributors.
      *
      * This is free software; you can redistribute it and/or modify it
      * under the terms of the GNU Lesser General Public License as
      * published by the Free Software Foundation; either version 2.1 of
      * the License, or (at your option) any later version.
      *
      * This software is distributed in the hope that it will be useful,
      * but WITHOUT ANY WARRANTY; without even the implied warranty of
      * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
      * Lesser General Public License for more details.
      *
      * You should have received a copy of the GNU Lesser General Public
      * License along with this software; if not, write to the Free
      * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
      * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
      */
      package org.jboss.security.idm;
      
      import java.security.Principal;
      import java.util.Collection;
      
      /**
       * 
       * @author Sohil Shah - sohil.shah@jboss.com - Sep 20, 2006
       *
       */
      public interface LoginProvider 
      {
          /**
           * id should be of the form: si:<a unique string such as vendor name, etc. eg. jboss>:<optional parameter>
           * @return
           * @throws IdentityException
           */
          public String getId() throws IdentityException;
          
          /**
           * 
           * @param principal
           * @return
           * @throws IdentityException
           */
          public Identity read(Principal principal) throws IdentityException;
          public Identity read(String username) throws IdentityException;
          
          /**
           * 
           * @param principal
           * @return
           * @throws IdentityException
           */
          public boolean exists(Principal principal) throws IdentityException;
          public boolean exists(String username) throws IdentityException;
          
          /**
           * 
           * @param principal
           * @param password
           * @return
           * @throws IdentityException
           */
          public boolean login(Principal principal,byte[] password) throws IdentityException;
          public boolean login(String username,byte[] password) throws IdentityException;
          
          /**
           * 
           * @return
           * @throws IdentityException
           */
          public Collection readAllRoles() throws IdentityException;
      }
      

      \

 

 

 

How do I plugin my custom LoginProvider into the Identity Management Service?:

 

 

  • Look at the following configuration in jboss-sso.sar/conf/sso.cfg.xml

 

 

    •    <!-- 
                identity management related configuration, this is the LDAP based module
                Technically, this can be a provider that can integrate with thirdparty identity systems like SiteMinder etc
           -->
           <identity-management>
                <login>
                     <provider id="si:jboss-sso:ldap:login" class="org.jboss.security.idm.ldap.LDAPIdentityProvider">
                          <property name="connectionURL">
                               jdbc:ldap://localhost:389/dc=jboss,dc=com?SEARCH_SCOPE:=subTreeScope&secure:=false&concat_atts:=true&size_limit:=10000000
                          </property>
                          <property name="username">cn=Admin,dc=jboss,dc=com</property>
                          <property name="password">jbossrocks</property>
                          <property name="identityOu">jbosssso</property>
                          <property name="roleOu">role</property>
                     </provider>
                </login>                     
           </identity-management>
      

 

 

  • Here you can register your own custom LoginProvider implementation with a unique id denoted by the 'id' attribute of <provider>.

 

  • You can register multiple providers under the <login> tag, and they will all be managed by the IdentityManagement Service.

 

  • You can specify <property> name/value pairs specfic to your custom provider.

 

  • The IdentityManager.findLoginProvider() call results in the first LoginProvider registered with the system. The order is decided based on the order in which they are declared in the sso.cfg.xml file.

 

  • To access your particular LoginProvider you can access it using IdentityManager.findProvider(unique providerId) call.\

 

 

*There are a number of LoginProviders registered in the IdentityManagement Service. How will my web application's SSO system use the proper LoginProvider?

 

  • Here are the two configuration steps for your web application to make sure the proper LoginProvider is used for your web application.

 

 

  • Make sure the context.xml under WEB-INF folder of your WAR file is configured as follows:

 

 

    •     <?xml version="1.0"?>
          <Context>
             <!-- 
                   logoutURL - URL for performing logout/signout function in your application
              -->        
             <Valve className="org.jboss.security.valve.SSOAutoLogout" 
           logoutURL="{logoutURL of your application}"></Valve>
           
             <!-- 
                   assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
             -->
             <Valve className="org.jboss.security.valve.SSOTokenManager" 
             assertingParty="{uniqueId to identify this web application in the federation}"></Valve>
         
             <!-- 
                tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
             -->
             <Valve className="org.jboss.security.valve.SSOAutoLogin" 
             authType="FORM" provider="{uniqueId of the LoginProvider registered with the IdentityManager}"></Valve>
         </Context>
      
    • Notice: the provider attribute of the SSOAutoLogin valve configuration

 

 

 

  • Setup the JAAS module configuration for your web application with the following configuration:

 

    • 
            <?xml version='1.0'?>
            <!DOCTYPE policy PUBLIC
            "-//JBoss//DTD JBOSS Security Config 3.0//EN"
            "http://www.jboss.org/j2ee/dtd/security_config.dtd">
            <!-- The JAAS login configuration file for your application -->
           <policy>
              <application-policy name="{your web application identifier}">       
               <authentication>
                 <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
                  <module-option name="unauthenticatedIdentity">guest</module-option>                        
                  <module-option name="password-stacking">useFirstPass</module-option>           
                  <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                  <module-option name="provider">{uniqueId of the LoginProvider registered with the IdentityManager}</module-option>             
                </login-module>          
               </authentication>
              </application-policy>
            </policy>
      
    • Notice: the provider module-option of the org.jboss.security.idm.UsernameAndPasswordLoginModule configuration