SAML token propagation
danjava2000 May 28, 2009 10:35 AMHi all,
I am wondering how the SAML token is propagated between domains.
When I log in the first server, I see clearly in the console that the SAML token has been generated and that it has been put on the trust server.
Now, if I am trying to log on the second server, I see that the SSOTokenManager is looking for SAML token in the request or in a cookie. Since it is at neither place, the application is showing login page (which I don't want for sure).
What I am doing wrong here? Do I need to add a specific parameter in the request ?
Notice in the following code fragments that I implemented my own LoginProvider and LoginModule. But neither one is invoked when I hit for the first time the second server.
I am using JBoss Federated SSO 1.0 CR1 on JBoss AS 4.0.2 with the following settings:
On both servers I have the following setup:
My SSO server config:
<jboss-sso> <identity-management> <login> <provider id="si:intertrade:jboss-sso:database:login" class="com.intertrade.common.sso.DatabaseLoginProvider"> <property name = "hashAlgorithm">SHA1</property> <property name = "hashEncoding">base64</property> <property name = "unauthenticatedIdentity">guest</property> <property name = "dsJndiName">java:/topcatDB</property> <property name = "principalsQuery">select user_password from USERS where USER_NAME = ?</property> <property name = "rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</property> </provider> </login> </identity-management> <!-- sso processor for SingleSignOn, the default JBossSingleSignOn processor uses OpenSAML-1.0, the next version of this processor will use the latest SAML specification --> <sso-processor> <processor class="org.jboss.security.saml.JBossSingleSignOn"> <property name="trustServer">https://scarlet.montreal.intertrade.com:8443/federate/trust</property> </processor> </sso-processor> </jboss-sso>
My JAAS login config:
<application-policy name = "topcat"> <authentication> <login-module code="com.intertrade.common.sso.DatabaseLoginModule" flag = "required"> <module-option name = "password-stacking">useFirstPass</module-option> <module-option name = "hashAlgorithm">SHA1</module-option> <module-option name = "hashEncoding">base64</module-option> <module-option name = "unauthenticatedIdentity">guest</module-option> <module-option name = "dsJndiName">java:/topcatDB</module-option> <module-option name = "principalsQuery">select user_password from USERS where USER_NAME = ?</module-option> <module-option name = "rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</module-option> <module-option name = "provider">si:intertrade:jboss-sso:database:login</module-option> </login-module> </authentication> </application-policy>
Federated server setting:
<jboss-sso> <federation-server> <partners> <partner domain="intertrade.com" server="https://scarlet.montreal.intertrade.com:8443/federate"/> <partner domain="tradelinks.net" server="https://localhost.tradelinks.net:8443/federate"/> </partners> </federation-server> </jboss-sso>
On server 1 (scarlet.montreal.intertrade.com), I have the following tomcat valve settings:
<?xml version="1.0"?> <Context> <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /--> <!-- logoutURL - URL for performing logout/signout function in your application --> <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/> <!-- assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites --> <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="https://scarlet.montreal.intertrade.com:8443/federate"/> <!-- tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT --> <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM" provider="si:intertrade:jboss-sso:database:login"/> </Context>
On server 2 (localhost.tradelinks.net), I have the following tomcat valve settings:
<?xml version="1.0"?> <Context> <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /--> <!-- logoutURL - URL for performing logout/signout function in your application --> <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/> <!-- assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites --> <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="https://localhost.tradelinks.net:8443/federate"/> <!-- tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT --> <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM" provider="si:intertrade:jboss-sso:database:login"/> </Context>