-
1. Re: Identity/Access Management/SSO UseCases
guidomuelleraventis Dec 27, 2005 1:50 PM (in response to anil.saldhana)
I have an external authentication through Apache using the SPNEGO protocol (automatic authentication with Kerberos of a user that uses Internet Explorer inside an Active Directory domain). I need to create the user principal using the REMOTE_USER HTTP request header supplied by Apache.
-
2. Re: Identity/Access Management/SSO UseCases
david.l.small Jan 11, 2006 3:07 PM (in response to anil.saldhana)
Our team's main need is really an enhancement to JBoss's existing SSO, that is, to handle SSO across multiple hosts on the same domain. A simple example would be abc.sample.com and xyz.sample.com. I understand that JOSSO is capable of this, but it does not appear that it works with 4.0.3 as of yet. Plus, a built-in solution would be preferable to configuring a third party.
Aside from that, your existing modules handle all our needs.
-
3. Re: Identity/Access Management/SSO UseCases
brian.stansberry Jan 11, 2006 4:42 PM (in response to anil.saldhana)
To allow your use case of abc.sample.com and xyz.sample.com requires a simple change to Tomcat's AuthenticatorBase class -- the addition of an "ssoCookieDomain" property that if set would override the current "/" domain with "sample.com". This property would best be set in the SingleSignOn valve class, but it's AuthenticatorBase that issues the cookie, so that class would have to be changed as well to access it.
Submitting a patch for that to Tomcat is on my to-do list; if anyone in the community wants to do it that would be most appreciated :).
-
4. Re: Identity/Access Management/SSO UseCases
david.l.small Jan 13, 2006 8:32 AM (in response to anil.saldhana)
Brian, if there is a way I can help, I'd be more than happy to do so.
-
5. Re: Identity/Access Management/SSO UseCases
anil.saldhana Jan 13, 2006 12:11 PM (in response to anil.saldhana)
General Question for everyone:
What Identity Management solutions do you currently use? Siteminder?
-
6. Re: Identity/Access Management/SSO UseCases
brian.stansberry Jan 13, 2006 12:23 PM (in response to anil.saldhana)
"david.l.small" wrote:
Brian, if there is a way I can help, I'd be more than happy to do so.
Thanks much for the offer!
Just checked the Tomcat code and it looks like the needed patch was implemented in 5.5.13. (See http://issues.apache.org/bugzilla/show_bug.cgi?id=34724). 5.5.12 is the last stable TC release, so it's what's integrated in JBoss. Typically a JBoss release includes the latest stable release from TC, so the next JBoss version after TC issues another stable release should have this functionality.
If you want to discuss any more about the details of this, let's open another thread so we don't hijack Anil's :-)
-
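An added illustration, not part of the thread or of Tomcat's code, of what scoping the SSO cookie to sample.com changes under the RFC 6265 domain-match rule: the cookie then goes to every host under sample.com, not only abc and xyz. Host names other than abc.sample.com and xyz.sample.com are constructed for the example.

```javascript
// Added example: RFC 6265 cookie scoping for an SSO cookie.
// abc/xyz.sample.com come from the thread; the other hosts are constructed.

// RFC 6265 section 5.1.3 domain-match (IP-address hosts never suffix-match).
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === dom) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + dom);
}

// A cookie with no Domain attribute is host-only: sent to the issuing host alone.
function cookieSentTo(cookie, requestHost) {
  if (cookie.domain === null) {
    return requestHost.toLowerCase() === cookie.issuedBy.toLowerCase();
  }
  return domainMatch(requestHost, cookie.domain);
}

// A server may only set a Domain that domain-matches its own host;
// browsers discard the cookie otherwise (RFC 6265 section 5.3).
function browserAccepts(cookie) {
  return cookie.domain === null || domainMatch(cookie.issuedBy, cookie.domain);
}

// Hosts from the list that would receive the cookie on a request.
function recipients(cookie, hosts) {
  if (!browserAccepts(cookie)) return [];
  return hosts.filter((h) => cookieSentTo(cookie, h));
}

const HOSTS = [
  "abc.sample.com", "xyz.sample.com", "blog.sample.com",
  "sample.com.example.net", "notsample.com",
];
const hostOnly = { issuedBy: "abc.sample.com", domain: null };
const shared = { issuedBy: "abc.sample.com", domain: "sample.com" };
const foreign = { issuedBy: "abc.sample.com", domain: "other.com" };

console.log("host-only:        ", recipients(hostOnly, HOSTS));
console.log("Domain=sample.com:", recipients(shared, HOSTS));
console.log("Domain=other.com: ", recipients(foreign, HOSTS));
```

Because any sibling host under the shared domain receives the SSO cookie, that domain should contain only hosts trusted to hold it.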
7. Re: Identity/Access Management/SSO UseCases
david.l.small Jan 15, 2006 8:13 AM (in response to anil.saldhana)
Brian, this is great news. I'll keep a lookout for the next JBoss release.
Anil, sorry for hijacking your thread. I have used SiteMinder and I can safely say that I MUCH prefer JBoss's authentication/authorization mechanism. It is simple to configure (without all the SiteMinder policy files) and simple to set up authorization with built-in J2EE configuration.
-
8. Re: Identity/Access Management/SSO UseCases
anil.saldhana Jan 15, 2006 1:54 PM (in response to anil.saldhana)
David, no question of hijacking the thread.
A true, ubiquitous, comprehensive authorization framework is difficult to achieve. Policy-based architecture is just one way towards that goal. Most probably we will go the XACML way.
Given this, I am interested in seeing what 3rd party software JBoss users used for IDM. Siteminder was just an example.
-
9. Re: Identity/Access Management/SSO UseCases
kannan Feb 25, 2006 5:57 AM (in response to anil.saldhana)
Hello:
We have multiple times come across the need for session sharing among multiple web apps (usually modules of the same app in separate wars in the same ear). If this feature is present as a configurable item, then it will be very useful.
thanks and regards,
-- Kannan.
-
10. Re: Identity/Access Management/SSO UseCases
j2ee_junkie Feb 25, 2006 10:05 AM (in response to anil.saldhana)
Dear gang,
I have recently completed some work in this area that may be of interest. In my environment, users can be authenticated (in the web domain) by the presence of a specific cookie generated by a centralized authentication web application (i.e. the IDP). I had no involvement in development of this IDP. My only concern was to develop a way to allow us to use it to authenticate users so our applications do not have the security risks associated with authentication. Once the user has authenticated and the cookie has been validated, we have an internal authorization realm that can authorize the user.
In order to use this service, I ...
a) created a custom Tomcat Authenticator
b) extended the JBossSecurityMgrRealm
and
c) developed custom LoginModules that either authenticated to the cookie, or authorized the user.
If anyone is interested in more detail let me know. Also, I would like to be considered for any help needed in this area. In the meantime I will start looking into what has already been done.
thanks, cgriffith
-
11. Re: Identity/Access Management/SSO UseCases
brian.stansberry Feb 25, 2006 11:42 PM (in response to anil.saldhana)
There's an open JIRA task for adding a sharable session type: see http://jira.jboss.com/jira/browse/JBAS-1909
-
12. Re: Identity/Access Management/SSO UseCases
brian.stansberry Feb 26, 2006 10:23 PM (in response to anil.saldhana)
Re: the feature request to add a sharable session type, Chris informed me the JIRA issue I referenced wasn't public (thanks, Chris!). I've created a new public JIRA issue for the same thing: http://jira.jboss.com/jira/browse/JBAS-2861 .
-
13. Re: Identity/Access Management/SSO UseCases
joris77 May 10, 2006 11:50 AM (in response to anil.saldhana)
Hi,
What we need at our site is an interceptor that intercepts requests to multiple web applications. This in combination with the SSO feature of Tomcat so that we don't have to build a login screen for every application we deploy.
I have the assignment to build this component for our department because as far as I know this is not possible right now. Any idea on how to do this or anyone who is working on the same issue?
Joris Wijlens
-
14. Re: Identity/Access Management/SSO UseCases
rdoraisamy Sep 7, 2006 2:45 AM (in response to anil.saldhana)
Did you consider using https://opensso.dev.java.net? It is a full-fledged WebSSO project. It does have a JBoss agent for SSO and policy.