0 Replies Latest reply on May 28, 2009 10:35 AM by danjava2000

    SAML token propagation

    danjava2000

      Hi all,

      I am wondering how the SAML token is propagated between domains.

      When I log in to the first server, I see clearly in the console that the SAML token has been generated and that it has been put on the trust server.

      Now, if I try to log on to the second server, I see that the SSOTokenManager is looking for a SAML token in the request or in a cookie. Since it is in neither place, the application shows the login page (which I don't want, for sure).

      What am I doing wrong here? Do I need to add a specific parameter to the request?

      Notice in the following code fragments that I implemented my own LoginProvider and LoginModule. But neither one is invoked when I hit the second server for the first time.

      I am using JBoss Federated SSO 1.0 CR1 on JBoss AS 4.0.2 with the following settings:

      On both servers I have the following setup:

      My SSO server config:

      <jboss-sso>
        <identity-management>
          <login>
            <!-- custom login provider backed by the USERS / ROLES tables in the topcatDB datasource -->
            <provider id="si:intertrade:jboss-sso:database:login" class="com.intertrade.common.sso.DatabaseLoginProvider">
              <property name="hashAlgorithm">SHA1</property>
              <property name="hashEncoding">base64</property>
              <property name="unauthenticatedIdentity">guest</property>
              <property name="dsJndiName">java:/topcatDB</property>
              <property name="principalsQuery">select user_password from USERS where USER_NAME = ?</property>
              <property name="rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</property>
            </provider>
          </login>
        </identity-management>

        <!-- sso processor for SingleSignOn, the default JBossSingleSignOn processor uses OpenSAML-1.0,
             the next version of this processor will use the latest SAML specification -->
        <sso-processor>
          <processor class="org.jboss.security.saml.JBossSingleSignOn">
            <!-- trust server that the SAML token is pushed to at login time -->
            <property name="trustServer">https://scarlet.montreal.intertrade.com:8443/federate/trust</property>
          </processor>
        </sso-processor>
      </jboss-sso>
      


      My JAAS login config:
      <application-policy name="topcat">
        <authentication>
          <!-- custom JAAS login module; the "provider" option points at the SSO login provider above -->
          <login-module code="com.intertrade.common.sso.DatabaseLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="hashAlgorithm">SHA1</module-option>
            <module-option name="hashEncoding">base64</module-option>
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="dsJndiName">java:/topcatDB</module-option>
            <module-option name="principalsQuery">select user_password from USERS where USER_NAME = ?</module-option>
            <module-option name="rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</module-option>
            <module-option name="provider">si:intertrade:jboss-sso:database:login</module-option>
          </login-module>
        </authentication>
      </application-policy>


      Federated server setting:
      <jboss-sso>
        <federation-server>
          <!-- the two partner domains taking part in the federation -->
          <partners>
            <partner domain="intertrade.com" server="https://scarlet.montreal.intertrade.com:8443/federate"/>
            <partner domain="tradelinks.net" server="https://localhost.tradelinks.net:8443/federate"/>
          </partners>
        </federation-server>
      </jboss-sso>
      


      On server 1 (scarlet.montreal.intertrade.com), I have the following Tomcat valve settings:
      <?xml version="1.0"?>
      <Context>
        <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /-->

        <!--
          logoutURL - URL for performing logout/signout function in your application
        -->
        <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/>

        <!--
          assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
        -->
        <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="https://scarlet.montreal.intertrade.com:8443/federate"/>

        <!--
          tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
        -->
        <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM" provider="si:intertrade:jboss-sso:database:login"/>
      </Context>
      


      On server 2 (localhost.tradelinks.net), I have the following Tomcat valve settings:
      <?xml version="1.0"?>
      <Context>
        <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /-->

        <!--
          logoutURL - URL for performing logout/signout function in your application
        -->
        <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/>

        <!--
          assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
        -->
        <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="https://localhost.tradelinks.net:8443/federate"/>

        <!--
          tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
        -->
        <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM" provider="si:intertrade:jboss-sso:database:login"/>
      </Context>
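Added illustration, not code from the original post or from JBoss Federated SSO: the post says the SSOTokenManager looks for the token in the request or in a cookie, and the two servers live in different DNS domains (intertrade.com and tradelinks.net). The Python below models a browser cookie jar to show that a cookie set after login on server 1 is never attached to a request to server 2, and shows the kind of partner-checked redirect a federation router would need in order to carry the token in the request instead. The parameter name SSOToken, the cookie name, and the `build_federation_redirect` helper are assumptions for the example; the partner list is copied from the post's federation-server config.

```python
"""Added illustration, not JBoss Federated SSO code: why a SAML token that
server 1 stores in a browser cookie is never presented to server 2 when the
two servers sit in different DNS domains, and what a redirect-based hand-off
between federation partners has to check before putting the token in the
request instead.  Parameter/cookie names and the redirect builder are
assumptions for the example."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Partner list copied from the federation-server config in the post.
PARTNERS = {
    "intertrade.com": "https://scarlet.montreal.intertrade.com:8443/federate",
    "tradelinks.net": "https://localhost.tradelinks.net:8443/federate",
}

TOKEN_PARAM = "SSOToken"   # assumed request-parameter name
TOKEN_COOKIE = "SSOToken"  # assumed cookie name


def host_only(netloc: str) -> str:
    """Strip an optional :port and lower-case the host name."""
    return netloc.lower().split(":")[0]


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain matching: a browser sends a cookie only if its Domain
    attribute equals the request host or is a parent domain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host_only(request_host)
    return host == domain or host.endswith("." + domain)


def partner_for_host(request_host: str):
    """Return the configured partner domain the host belongs to, or None."""
    host = host_only(request_host)
    for domain in PARTNERS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def token_from_request(params: dict, jar: dict, request_host: str):
    """Mimic the lookup order described in the post: request parameter first,
    then cookie.  `jar` models the browser cookie store as
    {name: (value, domain)}; a cookie is only visible if its domain matches
    the host being requested.  Returns (token, source) or (None, None)."""
    if TOKEN_PARAM in params:
        return params[TOKEN_PARAM], "request"
    entry = jar.get(TOKEN_COOKIE)
    if entry is not None:
        value, domain = entry
        if cookie_domain_matches(domain, request_host):
            return value, "cookie"
    return None, None


def build_federation_redirect(target_url: str, token: str) -> str:
    """Carry the token to another partner as a query parameter.  Refuse
    anything that is not https or not a configured partner, so the token
    cannot be leaked to an arbitrary redirect target (open-redirect check)."""
    parts = urlsplit(target_url)
    if parts.scheme != "https":
        raise ValueError("SSO token may only be redirected over https")
    if partner_for_host(parts.netloc) is None:
        raise ValueError(f"{parts.netloc} is not a federation partner")
    query = urlencode({TOKEN_PARAM: token})
    if parts.query:
        query = parts.query + "&" + query
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def walk_through():
    """Constructed scenario following the two servers in the post."""
    token = "constructed-saml-token"
    # After login on server 1 the browser holds a cookie scoped to intertrade.com.
    jar = {TOKEN_COOKIE: (token, "intertrade.com")}
    # Hitting server 2 directly: no parameter, cookie not sent -> login page.
    direct = token_from_request({}, jar, "localhost.tradelinks.net:8443")
    # Hitting server 2 via a partner redirect that carries the token in the URL.
    url = build_federation_redirect("https://localhost.tradelinks.net:8443/app/home", token)
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    routed = token_from_request(params, jar, urlsplit(url).netloc)
    return direct, routed


if __name__ == "__main__":
    print(walk_through())
```

The direct request to server 2 yields `(None, None)`, which is the login page the post describes; only the redirect that places the token in the request resolves it. The partner and https checks in `build_federation_redirect` matter because a token carried in a URL goes wherever the redirect points, so the target must be restricted to the configured federation partners.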