WARConfiguration

JBoss Federated SSO - Configure your web application to activate Federated SSO\

 

 

Instructions for web applications using their own authentication mechanism

 

  • Step 1: Add the following context.xml under WEB-INF folder of your WAR file:

 

 

    •     <?xml version="1.0"?>
          <Context>
             <!-- 
                   logoutURL - URL for performing logout/signout function in your application
              -->        
             <Valve className="org.jboss.security.valve.PlainSSOAutoLogout" 
           logoutURL="{logoutURL of your application}"></Valve>
           
             <!-- 
                   assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
             -->
             <Valve className="org.jboss.security.valve.PlainSSOTokenManager" 
             assertingParty="{uniqueId to identify this web application in the federation}"></Valve>
         
             <!-- 
                tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
             -->
             <Valve className="org.jboss.security.valve.PlainSSOAutoLogin"></Valve>
         </Context>
      

 

 

  • Step 2: When the authentication usecase is executed within your web application via the login screen or some other mechanism, part of executing that process, when the login is successful, send a notification of this event to the SSO Engine using the following API call:

    • org.jboss.security.saml.SSOManager. processManualLoginNotification(HttpServletRequest request,String user)

 

  • Step 3 : When the SSOEngine performs an automatic login in response to a trusted SSOToken, it will send the following notification on your LoginProvider:

    • processSSOLoginNotification(LoginContext)

 

  Here, you can handle any web application environment necessary to setup an authenticated user session

 

 

Note: When using this manner of authentication, web applications will be able to get the Principal logged in to the system using the following API call:

    • org.jboss.security.saml.SSOManager.getUserPrincipal(HttpServletRequest)

 

 

 

Instructions for web applications using container provided JAAS based authentication mechanism

 

  • Add the following context.xml under WEB-INF folder of your WAR file:

 

 

    •     <?xml version="1.0"?>
          <Context>
             <!-- 
                   logoutURL - URL for performing logout/signout function in your application
              -->        
             <Valve className="org.jboss.security.valve.SSOAutoLogout" 
           logoutURL="{logoutURL of your application}"></Valve>
           
             <!-- 
                   assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
             -->
             <Valve className="org.jboss.security.valve.SSOTokenManager" 
             assertingParty="{uniqueId to identify this web application in the federation}"></Valve>
         
             <!-- 
                tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
             -->
             <Valve className="org.jboss.security.valve.SSOAutoLogin" 
             authType="FORM"></Valve>
         </Context>
      

 

 

  • Setup the JAAS module configuration for your web application:

 

    • The Identity Management Framework ships with a built-in JAAS module that helps with username and password based authentication. It is known as org.jboss.security.idm.UsernameAndPasswordLoginModule. This module is designed to integrate with the LoginProvider integrated in the SSO system.

 

    • It is however very likely, that the authentication related logic encapsulated in your application is different than the authentication logic provided by the built-in JAAS module. In that case, we would recommed either extending this LoginModule and overriding the logic with the logic that applies to your application, or write your own JAAS login module and integrate it into the application server.

 

    • Very Important Note: If you plugin your own LoginModule or override the built-in LoginModule, make sure the Identity data being extracted is consistent with the data being extracted by the LoginProvider. For this reason, since the LoginProvider is an abstraction to extract Identity Data, and has to be integrated with the SSO Engine, we would recommed that the JAAS login module, use the LoginProvider registered with the SSOEngine, for extracting Identity related data from the Identity Store

 

    • Here is a sample configuration for integrating the built-in org.jboss.security.idm.UsernameAndPasswordLoginModule with the JAAS authentication system

 

    • 
            <?xml version='1.0'?>
            <!DOCTYPE policy PUBLIC
            "-//JBoss//DTD JBOSS Security Config 3.0//EN"
            "http://www.jboss.org/j2ee/dtd/security_config.dtd">
            <!-- The JAAS login configuration file for your application -->
           <policy>
              <application-policy name="{your web application identifier}">       
               <authentication>
                 <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
                  <module-option name="unauthenticatedIdentity">guest</module-option>                        
                  <module-option name="password-stacking">useFirstPass</module-option>           
                  <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>             
                </login-module>          
               </authentication>
              </application-policy>
            </policy>
      

 

 

  • For further details with configuring JAAS based authentication, please refer to the following : JAAS Setup Instructions
    \

 

 

FAQ

 

*There are a number of LoginProviders registered in the IdentityManagement Service. How will my web application's SSO system use the proper LoginProvider?

 

  • Here are the two configuration steps for your web application to make sure the proper LoginProvider is used for your web application.

 

 

  • Make sure the context.xml under WEB-INF folder of your WAR file is configured as follows:

 

 

    •     <?xml version="1.0"?>
          <Context>
             <!-- 
                   logoutURL - URL for performing logout/signout function in your application
              -->        
             <Valve className="org.jboss.security.valve.SSOAutoLogout" 
           logoutURL="{logoutURL of your application}"></Valve>
           
             <!-- 
                   assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
             -->
             <Valve className="org.jboss.security.valve.SSOTokenManager" 
             assertingParty="{uniqueId to identify this web application in the federation}"></Valve>
         
             <!-- 
                tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
             -->
             <Valve className="org.jboss.security.valve.SSOAutoLogin" 
             authType="FORM" provider="{uniqueId of the LoginProvider registered with the IdentityManager}"></Valve>
         </Context>
      
    • Notice: the provider attribute of the SSOAutoLogin valve configuration

 

 

 

  • If using JAAS as the authentication mechanism: Setup the JAAS module configuration for your web application with the following configuration:

 

    • 
            <?xml version='1.0'?>
            <!DOCTYPE policy PUBLIC
            "-//JBoss//DTD JBOSS Security Config 3.0//EN"
            "http://www.jboss.org/j2ee/dtd/security_config.dtd">
            <!-- The JAAS login configuration file for your application -->
           <policy>
              <application-policy name="{your web application identifier}">       
               <authentication>
                 <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
                  <module-option name="unauthenticatedIdentity">guest</module-option>                        
                  <module-option name="password-stacking">useFirstPass</module-option>           
                  <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                  <module-option name="provider">{uniqueId of the LoginProvider registered with the IdentityManager}</module-option>             
                </login-module>          
               </authentication>
              </application-policy>
            </policy>
      
    • Notice: the provider module-option of the org.jboss.security.idm.UsernameAndPasswordLoginModule configuration