-
1. Re: JBoss cluster SSO with PicketLink
anil.saldhana Jul 2, 2010 12:57 PM (in response to dbschofield)
The right thing to do is have IDPs in each of the clusters, who deal with the trusted delegation of identities happening cross-clusters.
-
2. Re: JBoss cluster SSO with PicketLink
anil.saldhana Jul 2, 2010 12:58 PM (in response to anil.saldhana)
Meant that each of the clusters has its own STS.
But the trusted delegation across clusters (which will act as realms) needs us to implement WS-Federation support.
-
3. Re: JBoss cluster SSO with PicketLink
dbschofield Aug 16, 2010 12:06 PM (in response to anil.saldhana)
Anil, thank you for your response. Would you mind detailing a little more of the specifics on how you see WS-Federation being implemented to solve this problem? I'm not sure we are on the same page in regards to the scope of the problem. I am specifically interested in the case where two JBoss clusters are in the same security realm. Ping Identity has a solution for this exact problem which I think will help clarify what I am asking for.
http://www.pingidentity.com/blogs/pingtalk/index.cfm/2007/07/11/OpenToken-Session-Management
-
4. Re: JBoss cluster SSO with PicketLink
anil.saldhana Aug 16, 2010 2:24 PM (in response to dbschofield)
Ben, the security realm does not necessarily mean corporate boundaries. A single JBoss cluster can be thought of as one security domain with its own STS. There would be an STS-STS relationship among the individual clusters. This is where WS-Federation would come in handy, as it deals with the STS-STS relationship.
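To make the "one STS per cluster, with an STS-STS trust between clusters" model concrete, here is an added toy model that is not part of this thread and not PicketLink code. It uses HMAC-signed JSON tokens as a stand-in for the SAML/WS-Trust tokens a real STS would issue, and the `STS` class, its `trust`/`issue`/`exchange` methods and the realm names `clusterA`/`clusterB` are all invented for the illustration. The point it shows is the checks cluster B's STS must perform before it turns a foreign token into a local one: the issuer must be an explicitly trusted realm, the signature must verify under that realm's key, the token must be addressed to this realm, and it must not be expired.

```python
import base64
import hashlib
import hmac
import json
import time


class STS:
    """Toy security token service for one cluster (one realm).

    Hypothetical model: tokens are '<base64 json claims>.<hmac hex>'.
    A real deployment would use signed SAML assertions via WS-Trust.
    """

    def __init__(self, realm, key):
        self.realm = realm
        self.key = key          # this realm's own signing key
        self.trusted = {}       # issuer realm -> key used to verify its tokens

    def trust(self, other_realm, key):
        """Configure the STS-STS trust: accept tokens issued by other_realm."""
        self.trusted[other_realm] = key

    def issue(self, subject, audience, ttl=300, now=None):
        """Issue a token for subject, scoped to the given audience realm."""
        now = time.time() if now is None else now
        claims = {"iss": self.realm, "sub": subject,
                  "aud": audience, "exp": now + ttl}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    @staticmethod
    def verify(token, key):
        """Return the claims if the signature checks out under key, else None."""
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def exchange(self, foreign_token, now=None):
        """Cross-cluster SSO step: swap a trusted foreign token for a local one.

        Returns None when any trust check fails.
        """
        now = time.time() if now is None else now
        # Read the issuer claim only to pick the verification key; nothing
        # in the token is trusted until the signature has been checked.
        try:
            body = foreign_token.rsplit(".", 1)[0]
            issuer = json.loads(base64.urlsafe_b64decode(body))["iss"]
        except (ValueError, KeyError, TypeError):
            return None
        key = self.trusted.get(issuer)
        if key is None:
            return None                     # no STS-STS trust with that realm
        claims = self.verify(foreign_token, key)
        if claims is None:
            return None                     # bad signature
        if claims.get("aud") != self.realm:
            return None                     # token was meant for another realm
        if claims.get("exp", 0) < now:
            return None                     # expired
        # Trust established: issue a token from this cluster's own STS.
        return self.issue(claims["sub"], audience=self.realm, now=now)


def demo(now=1000):
    """Two clusters, each with its own STS; B trusts tokens issued by A."""
    sts_a = STS("clusterA", b"constructed-key-A")
    sts_b = STS("clusterB", b"constructed-key-B")
    sts_b.trust("clusterA", b"constructed-key-A")

    good = sts_a.issue("alice", audience="clusterB", now=now)
    wrong_aud = sts_a.issue("alice", audience="clusterA", now=now)
    untrusted = STS("clusterC", b"constructed-key-C").issue(
        "mallory", audience="clusterB", now=now)
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")

    return {
        "local": sts_b.exchange(good, now=now + 1),
        "wrong_aud": sts_b.exchange(wrong_aud, now=now + 1),
        "untrusted": sts_b.exchange(untrusted, now=now + 1),
        "tampered": sts_b.exchange(tampered, now=now + 1),
        "expired": sts_b.exchange(good, now=now + 1000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "issued" if result else "rejected")
```

Only the `local` exchange succeeds; the other four are rejected, and the local token carries `iss: clusterB` while preserving the subject. The same checks (issuer in a configured trust list, signature, audience, expiry) are what a WS-Federation deployment would delegate to the SAML validation layer.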
-
5. Re: JBoss cluster SSO with PicketLink
dbschofield Aug 16, 2010 3:39 PM (in response to anil.saldhana)
Thanks Anil, I will take a closer look at using an STS in each cluster.
I would like to get your thoughts on Ping Identity's OpenToken. It appears to be a good fit for JBoss and provides a feature that many of JBoss's competitors already provide. Wondering if you see a reason why it would not be a good idea to implement something similar to achieve cross cluster SSO?
-
6. Re: JBoss cluster SSO with PicketLink
anil.saldhana Aug 16, 2010 5:24 PM (in response to dbschofield)
Ben, I can understand the reasoning behind the OpenToken. It does exactly what WS-Fed can do, at a lighter scale.
Here is the WS-Fed spec.
http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html
I am sure WS-Fed may seem heavier, but it is the standards approach.