Arjun-

Here is the detailed documentation for the JBoss Federated SSO project http://labs.jboss.com/wiki/Jbosssso

As per your questions:

Q1) Is JBoss SX a pre requisite for JBoss SSO??

JBoss SX is not a requirement for JBoss SSO. It supports both JAAS based authentication mechanism as well as an custom authentication mechanism. The wiki has detailed information related to both approaches

3.1. Ability to attach a Web filter (Servlet 2.3 Sepc) in the 3rd part App which can be on any App/Web Server. The filter will communicat with the SSO server. This reduces integration cost.

With JBoss SSO, Single Sign On orchestration/Token management is provided out-of-the-box using Tomcat Valve approach. This mechanism takes care of all communication/secure exchanges between your web application and the SSO Federation Server. All your application needs to do is provide the web application integration discussed in the wiki. Hence, you don't need a Servlet Filter in your web application to communicate with the SSO Server

Do I have to recompile it for JDK1.4

The framework in its current codebase is fully compliant with JDK1.4. It should also run out-of-the-box in JDK5 as well

Is there a dependency on a specific JBoss App Server version or can we run it on a JBoss 3.2.7 also?

The JBoss AS versions supported are 4.0.4 and 4.0.5. Integration with newer versions is on the roadmap. Backporting for older versions is not

Can I run it on Tomcat?

No at the moment. It runs within the Tomcat integrated with the AS

Configure, SSO sessions time outs

Yes. This is the exact same as your Tomcat's http session timeout of your application. And if one application is logged out, the Federated Logout function performs corresponding logout in the other web applications as well

Attach a Bean(s) to a SSO session; so we can expose a serivce to request for information about that session without hitting the database

Not sure if I understand. Are you referring to the availability of an HttpSession for your web application here? Whats the usecase? Think of JBoss SSO as a black box layer on top of your web application for orchestrating Single Sign On between a group of Federated web applications. Hence, nothing changes for your web application functionality including your use of HttpSession etc

Configure things like Person can login once with credentials only, or can have multiple login-ins.

JBoss SSO does not dictate the application requirements for your login usecase. It comes into play (SSO orchestration) once an authentication is successfull and a Logged In Principal is established

SSO Sessions should extend or be normal Web Server sessiosn or if not then provide support for clustering, for session replication.

Web Server Sessions remain as is. Nothing changes here. Your web application is completely unaware of the presence of an SSO layer, and all facilities like HttpSession clustering/replication are available the same way before the SSO layer was integrated

Whats the underlysing principle behind the SSO? Like CAS is based ona Kerberosv5 based protocol.

Underlying principles for the approach is:

1/ De-centralized approach using a Federation of independent web applications that could possibly even live in completely different web domains.

2/ A standard based approach using SAML so that independent web applications like say your companies internal portal and your SAAS provider (like SalesForce) can exchange SSO Assertions and Trust Handshake securely

3/ One difference I have found with CAS, JOSSO etc is integration is not so flexible. Plus, it requires authentication UI to be shared by redirection to the central UI and back. With JBoss SSO, each web application is in full control of their authentication mechanism, authentication logic requirement, UI etc. Its only once a user is authenticated within the web application, the SSO orchestration starts. (No re-directing back and worth needed). Besides flexibility, the central UI apporach suffers from a scalability issue as well

Hope this helps

Thanks

Arjun-

.. Why would I run two instances of the server to test? To test shouldnt I be just deploying a random test WAR and have the "VALVE" configured. Any request to that application/WAR would require SSO. If I need to run SSO instances on each application server, whats the point?

You can certaily deploy all your wars that are part of the SSO Federation in the same instance of JBoss Server and have them all work just fine.

This example of deploying in a different instance is used to demonstrate that your applications can be deployed anywhere you like including in completely different physical servers in a completely different web domain.

In a nutshell, SSO between apps within the same server is trivial (In fact for this setup, you can probably just use the Tomcat SSO). Its when they can be completely location/domain independent, and then the framework truly shines ;)

Thanks

Antonio

do you know if JBoss SSO Federated 1.0 RC1 is compatible with JBossAS 4.2 and 4.3 ?

So far the release supports till 4.0.5. Higher versions will be supported soon.

Thanks