Hi,

Has anyone implemented, or does anyone have ideas on how to implement, SSO for a Java fat client launched via Java Web Start? For thin client SSO I'm using PicketLink on JBoss 6 AS. The identity store is Active Directory. I've setup SPNEGO and Integrated Windows Authentication for the thin client, so I need to use Active Directory and SPNEGO for the JWS client as well.

The desired result I'm going for is that if a user logs into a Windows machine that authenticates against the Active Directory, then they won't have to re-authenticate when they run the fat client, because the app will be smart enough to recognize that the user has already logged in (by the presence of a Kerberos ticket in the cache on the machine). But if they're logged into an environment that hasn't already authenticated against my Active Directory they'll be required to enter their credentials, which will be checked against Active Directory. Then once they authenticate they can launch the fat client as many times as they want without having to re-enter their credentials. So using SPNEGO (I think I'm right on throwing that word out here), unauthenticated users would enter their credentials, then they would authenticate, and then the Kerberos ticket would be tossed onto their machine so that they didn't have to re-authenticate as they launched the same, or other, fat clients via JWS.

I've found a few forum discussions on doing this type of thing with CAS and other make-shift ways that involve either scraping a web page for ticket information (http://forum.springsource.org/showthread.php?t=13983), or dynamically created the JNLP file in a fashion that requires the user to authenticate before they can access the JNLP (http://forums.oracle.com/forums/thread.jspa?messageID=2152256), but neither of those seem great. The first doesn't work well because I'm not using CAS (I'm using PicketLink). And the second doesn't seem like the best solution because it would be nice if the user was still able to launch the application from a shortcut created for an already downloaded JNLP file.

I'm having a difficult time finding documentation for PicketLink, especially in this area. The user guide doesn't address it, and I haven't found any posts in this forum that discuss this matter either.

I'm assuming I really have 2 options here:

1. Kerberize my fat client such that it gets the ticket from the cache on the client machine, then use that to communicate with Active Directory. In this case I wouldn't integrate with PicketLink at all. It's been troublesome to find good documentation on how to use standard Java libraries (I'm using Java 6) to grab the ticket in the cache from the operating system. And even if I could grab that ticket, what do I do from there? I think all of this logic must already be in PicketLink since it's able to handle this situation, so it would certainly make life easier if PicketLink had a web interface or something to integrate fat clients into the picture.
2. Integrate my fat client with PicketLink somehow. This is my preferred method, since I imagine most of the heavy lifting would already be done for me by PicketLink. And, if a user had already authenticated against one of the thin clients they wouldn't have to re-authenticate when they launch the JWS client(s) because both lead them down the same authentication path.

As I make progress on a solution I'll update this post, since forums has been one of the best sources of information and it's always nice to find the solution in an understandable format down at the bottom to wrap the post up!

And thanks in advance for anyone that can help shed some light for me!

Scott