1 Reply Latest reply on Sep 14, 2011 2:46 PM by mitch.branting

    SSO using PicketLink STS, SAML and GateIn portal

    mitch.branting

I'm fairly new to JBoss, GateIn portal, PicketLink and security in general, so I've been in a crash course learning how these all fit together.  We currently have some code that successfully uses JBoss 5.1.0 and the PicketLink 2.0.0.Final release.  The code communicates with the STS to get a SAML assertion (authenticates with LDAP) and talks to the web services/EJBs passing the SAML assertion (which are in the "sts" security domain using the SAML2STSLoginModule for authentication/verification) and LdapExtLoginModule for loading user roles.  This all seems to be working well.  This is what we call the "backend service jboss instance".


We have another instance of JBoss running the GateIn portal (JBoss 5.1.0 with GateIn 3.1.0 bundle).  This has been configured to authenticate with LDAP as well.  However, when the portlets communicate with the EJB services (running in the "backend service jboss instance"), they use hard-coded service usernames/passwords - which is not ideal.  We would like to remove these and enable "Single Sign On" capability for the portal by integrating it with PicketLink-STS (similar to what is being done in the service JBoss instance).  This will allow the identity of the user to pass all the way down to the EJB services.


I've read through the GateIn documentation on how to integrate various "Single Sign On" products (like OpenAM/SSO, JOSSO, CAS, etc.), but I'm not sure if this is the correct path to follow (i.e. looking at implementing SSO with SAML assertions and PicketLink STS).  It seems more straightforward to configure GateIn to talk directly to PicketLink-STS (similar to how GateIn is configured to authenticate with LDAP) and bypass the whole SSO product integration?  Is this possible?  And if so, would the SAML assertion that gets generated be available to the portlets running in GateIn in order to pass this to the EJB services running in the "backend jboss instance"?
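The flow the post describes for the backend instance (client authenticates at the STS, receives a SAML assertion, then presents that assertion instead of a password when calling the EJBs, where SAML2STSLoginModule verifies it), as an added example that is not code from the original post or from the PicketLink project. The STS endpoint URL and the class name are constructed for illustration, and the PicketLink 2.0 and JBoss 5 client API names used here (WSTrustClient, SecurityInfo, SAMLUtil.SAML2_TOKEN_TYPE, SamlCredential, SecurityClient) are from my recollection of those releases and should be checked against the installed jars.

```java
import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.saml.v2.util.SAMLUtil;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.w3c.dom.Element;

/** Added example (hypothetical class): obtain a SAML assertion from PicketLink STS and use it as the EJB credential. */
public class StsBackedEjbCaller {

    // Constructed STS endpoint; replace with the deployment's real PicketLinkSTS address.
    private static final String STS_ENDPOINT =
            "http://sts.example.internal:8080/picketlink-sts/PicketLinkSTS";

    /** Authenticates the end user at the STS (LDAP-backed in the post's setup) and returns the issued SAML 2.0 assertion. */
    public static Element issueAssertion(String username, char[] password) throws Exception {
        WSTrustClient sts = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort", STS_ENDPOINT,
                new SecurityInfo(username, new String(password)));
        // The user's own credentials go to the STS only; the EJB tier never sees a password.
        return sts.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
    }

    /**
     * Attaches the assertion as this thread's credential so that calls into the
     * "sts" security domain are authenticated by SAML2STSLoginModule verifying the
     * assertion with the STS, not by a shared service account password.
     */
    public static void loginWithAssertion(String username, Element assertion) throws Exception {
        SecurityClient client = SecurityClientFactory.getSecurityClient();
        // The principal name is carried for logging/role lookup; authentication rests on the assertion.
        client.setSimple(new SimplePrincipal(username), new SamlCredential(assertion));
        client.login();
        // EJB invocations made from this thread now carry the SAML credential.
    }

    public static void main(String[] args) throws Exception {
        Element assertion = issueAssertion("alice", "alice-password".toCharArray()); // constructed sample user
        loginWithAssertion("alice", assertion);
        // ... look up and call the backend EJB here; its security domain validates the assertion ...
    }
}
```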

        • 1. Re: SSO using PicketLink STS, SAML and GateIn portal
          mitch.branting

          Update:

I noticed that PicketLink-STS is included as part of the enterprise portal platform download, so I have asked Red Hat support to see if this is possible (assuming that PicketLink-STS was a supported product since it's part of the download).  They said that they have researched this issue and it "does not look like it is possible with EPP 5.x".


They also said that "it has been confirmed that SAML based SSO has not been certified with JBoss Portal" and that PicketLink-STS is still a technology preview and is only shipped as an artifact of the JBoss Portal distribution.  This is confirmed by the following link to the documentation:


          http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Release_Notes_5.1.0/Tech-previews.html#TP-PicketLink


So, it appears that our options are (taking into account time constraints for the project):

1) Abandon the GateIn portal in favour of some static web pages (as we already have our EJB services using PicketLink-STS)

               2) Abandon PicketLink-STS, and use an SSO that is supported by GateIn (cons: big change for all our services, and wouldn't be SAML based)


          Hopefully this post is useful if another person is struggling and trying to go down this road.