JBoss Identity Federation: Sample Applications

Introduction

JBoss Identity Federation contains sample applications that show how JBID can be used to implement SAMLv2 Web Browser SSO. Starting with JBID version 1.0.0-beta1, three sets of applications are supplied: one for any generic web container, one for Tomcat and one for a JBoss AS 5.x server.

The difference between the apps for the generic web container and the Tomcat/JBoss AS ones is that the generic web container apps do not involve servlet-spec container authentication.

Tomcat examples

The applications should work at least on a Tomcat 6.x server, running Java 1.6. If Java 1.5 is used, you should copy a JAXB 2.x implementation to the lib directory of Tomcat.

The sample IDP (IDentity Provider) applications can be deployed by copying their war files to Tomcat's lib folder:

web-root         Package              Signs Outgoing Messages   Ignores Incoming Signatures
/idp             idp.war              no                        yes
/idp-sig         idp-sig.war          yes                       no
/idp-sig-no-val  idp-sig-no-val.war   yes                       yes

They rely on the security context that has been set up in the application server. The realm should contain the following users and roles:

Username   Roles
employee   Employee
sales      Sales, Employee
manager    manager, Sales, Employee

The file $TOMCAT_HOME/conf/tomcat-users.xml can be used to configure those users:

<tomcat-users>
  <role rolename="manager"/>
  <role rolename="Sales"/>
  <role rolename="Employee"/>
  <user password="manager" roles="manager,Employee,Sales" username="manager"/>
  <user password="sales" roles="Employee,Sales" username="sales"/>
  <user password="employee" roles="Employee" username="employee"/>
</tomcat-users>

The sample SP (Service Provider) applications should also be deployed:

web-root         Package              IDP       Outgoing Message Binding   Authorized User Roles
/sales           sales.war            idp       HTTP Redirect              Sales
/sales-sig       sales-sig.war        idp-sig   HTTP Redirect              Sales
/sales-post-sig  sales-post-sig.war   idp-sig   HTTP Post                  Sales
/employee        employee.war         idp       HTTP Redirect              Employee
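The "Outgoing Message Binding" column decides how an SP hands its AuthnRequest to the IDP. The following Python is an added example, not code from JBID or from this page, showing what the two bindings of the SAML 2.0 Bindings specification put on the wire: HTTP-Redirect deflates (raw DEFLATE, no zlib header), base64-encodes and URL-encodes the request into the query string, while HTTP-POST only base64-encodes it into a hidden form field. The AuthnRequest, its ID and timestamp, the issuer and the endpoint URLs are constructed sample values.

```python
"""Added example: what the HTTP-Redirect and HTTP-POST bindings put on the wire
for a SAMLv2 AuthnRequest travelling from an SP to an IDP."""
import base64
import html
import urllib.parse
import zlib

# Constructed sample AuthnRequest. The request ID, timestamp, issuer and endpoint
# URLs are placeholders for this example, not values taken from the JBID samples.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="http://localhost:8080/sales/" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>http://localhost:8080/sales/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def redirect_binding_url(idp_sso_url, request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    # wbits=-15 produces raw DEFLATE output (no zlib header/trailer), which is what the
    # binding specifies; a plain zlib.compress() would add the header and be rejected by the IDP.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url, as the IDP side performs it."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    request_xml = zlib.decompress(deflated, -15).decode("utf-8")
    return request_xml, params.get("RelayState", [None])[0]


def post_binding_form(idp_sso_url, request_xml, relay_state=None):
    """HTTP-POST binding: base64 only (no DEFLATE), carried in hidden fields of an auto-submitted form."""
    fields = {"SAMLRequest": base64.b64encode(request_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value)}"/>'
        for name, value in fields.items()
    )
    form = f'<form method="post" action="{html.escape(idp_sso_url)}">{inputs}</form>'
    return form, fields


def decode_post_binding(fields):
    """Inverse of post_binding_form: decode the posted form fields back into XML."""
    request_xml = base64.b64decode(fields["SAMLRequest"]).decode("utf-8")
    return request_xml, fields.get("RelayState")


if __name__ == "__main__":
    url = redirect_binding_url("http://localhost:8080/idp/", AUTHN_REQUEST, relay_state="/sales/private")
    print("Redirect binding:", url)
    print("Round-trips:", decode_redirect_binding(url) == (AUTHN_REQUEST, "/sales/private"))
    form, fields = post_binding_form("http://localhost:8080/idp-sig/", AUTHN_REQUEST)
    print("POST binding form:", form)
    print("Round-trips:", decode_post_binding(fields) == (AUTHN_REQUEST, None))
```

For the signed variants (sales-sig, sales-post-sig) the signature travels differently in the two bindings: the Redirect binding carries it in separate SigAlg and Signature query parameters computed over the encoded query string, whereas the POST binding embeds an XML Signature inside the message itself. That is why an IDP that "ignores incoming signatures" (idp-sig-no-val) is only suitable for experimenting: it accepts a request regardless of whether the signature is present or verifies.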

The following files need to be added to Tomcat's lib folder:

  • jboss-identity-bindings-<version>.jar
  • jboss-identity-fed-<version>.jar

After starting Tomcat, log in to the different applications with the different users and observe the SSO behaviour.

JBoss AS 5.x examples

The JBoss AS 5.x examples consist of:

  • an identity provider, implemented as a JSP application that uses the JBID Tomcat valve, and
  • a Seam application that uses the Seam filter to connect to the IDP as a service provider.

They are packaged as the file fed-example.ear, which should be copied to the deploy directory.

The following JBID files need to be copied to the lib folder of the application server:

  • jboss-identity-bindings-<version>.jar
  • jboss-identity-bindings-jboss-<version>.jar
  • jboss-identity-fed-<version>.jar

The IDP uses the default login module of JBoss, with a realm containing the following users:

Username   Roles
employee   Employee
sales      Sales, Employee
manager    manager, Sales, Employee

For this to work, you need to create a file defaultUsers.properties in the conf directory of your server instance:

employee=employee
sales=sales
manager=manager

You also need a defaultRoles.properties in the conf directory:

manager=manager,Sales,Employee
sales=Sales,Employee
employee=Employee
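The Tomcat realm and the JBoss properties realm must grant the same roles, and the SPs authorize on the role names Sales and Employee exactly as spelled (note that manager is lower-case while Sales and Employee are capitalised). The following Python is an added example, not part of JBID or this page, that parses the tomcat-users.xml and the two properties files shown above (embedded inline) and reports any user whose role set differs between the realms, any Tomcat role used but not declared with a <role> element, and any SP role that no user holds. The properties parser is a minimal key=value reader, not a full Java properties implementation.

```python
"""Added example: cross-check the Tomcat realm (tomcat-users.xml) against the JBoss AS
properties realm (defaultUsers.properties / defaultRoles.properties)."""
import xml.etree.ElementTree as ET

# Copies of the realm files shown on the page, embedded inline so the check runs offline.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="Sales"/>
  <role rolename="Employee"/>
  <user password="manager" roles="manager,Employee,Sales" username="manager"/>
  <user password="sales" roles="Employee,Sales" username="sales"/>
  <user password="employee" roles="Employee" username="employee"/>
</tomcat-users>"""

DEFAULT_USERS_PROPERTIES = """employee=employee
sales=sales
manager=manager"""

DEFAULT_ROLES_PROPERTIES = """manager=manager,Sales,Employee
sales=Sales,Employee
employee=Employee"""

# Roles the sample SPs authorize on (from the SP table); a user without one is denied access.
SP_REQUIRED_ROLES = {"Sales", "Employee"}


def parse_properties(text):
    """Minimal key=value reader for the JAAS properties files (blank lines and # comments skipped).
    Assumption: no Java escape sequences or line continuations are used, as in the files above."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def tomcat_realm(xml_text):
    """Return (user -> frozenset(roles), declared <role> names) from tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    declared = {r.get("rolename") for r in root.findall("role")}
    users = {}
    for u in root.findall("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = frozenset(roles)
    return users, declared


def jboss_realm(users_props, roles_props):
    """Return user -> frozenset(roles) from defaultUsers/defaultRoles.properties.
    A user listed in defaultUsers.properties but missing from defaultRoles.properties gets no roles."""
    passwords = parse_properties(users_props)
    roles = parse_properties(roles_props)
    return {user: frozenset(r.strip() for r in roles.get(user, "").split(",") if r.strip())
            for user in passwords}


def compare_realms(tomcat_xml, users_props, roles_props):
    """Return a list of human-readable findings; an empty list means the two realms agree."""
    tomcat_users, declared = tomcat_realm(tomcat_xml)
    jboss_users = jboss_realm(users_props, roles_props)
    findings = []
    for user in sorted(set(tomcat_users) | set(jboss_users)):
        t, j = tomcat_users.get(user), jboss_users.get(user)
        if t is None or j is None:
            findings.append(f"{user}: defined in only one realm")
        elif t != j:
            # Role names are compared case-sensitively, exactly as the containers compare them.
            findings.append(f"{user}: roles differ (Tomcat {sorted(t)} vs JBoss {sorted(j)})")
    for user, roles in tomcat_users.items():
        undeclared = roles - declared
        if undeclared:
            findings.append(f"{user}: Tomcat roles not declared with <role>: {sorted(undeclared)}")
    all_roles = set().union(*tomcat_users.values(), *jboss_users.values())
    missing = SP_REQUIRED_ROLES - all_roles
    if missing:
        findings.append(f"no user holds SP role(s) {sorted(missing)}")
    return findings


if __name__ == "__main__":
    report = compare_realms(TOMCAT_USERS_XML, DEFAULT_USERS_PROPERTIES, DEFAULT_ROLES_PROPERTIES)
    for line in report or ["realms agree"]:
        print(line)
```

Run against the files as shown on the page the check reports nothing; change one role's capitalisation in defaultRoles.properties (for example Sales to sales) and the affected user is flagged, which is exactly the kind of mismatch that makes an SP deny a user who authenticated successfully at the IDP.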

After starting JBoss, you can surf to the public page of the Seam application:

http://localhost:8080/seam-sp/PublicPage.seam

When clicking on a private page, you will be redirected to the IDP to login. After authentication, you will be redirected to the requested private page. It is also possible to start with a clean session and directly request a private page:

http://localhost:8080/seam-sp/PrivatePage1.seam

Generic Web Container Applications

There are two web applications that can be run on any servlet container: idp-standalone.war and sales-standalone.war. These applications support the SAMLv2 HTTP POST Binding of the SAML2 Web Browser SSO Profile.