19 Replies Latest reply on Oct 6, 2015 10:27 AM by vamshi_appala

    WildFly support Single-Sign-On (SSO)?

    hai_feng

      Hi, everyone!

      I want to know: does WildFly support Single-Sign-On (SSO)? When I looked for it in the documentation, I couldn't find anything; it is blank.

      So I hope you can help me. I look forward to any advice or documents you can give me.

      Thanks!

        • 1. Re: WildFly support Single-Sign-On (SSO)?
          pferraro

          Yes, it does.

          To enable SSO for all contexts in a host, add <single-sign-on/> within the <host>...</host> element of the undertow subsystem configuration.  You'll need to either set the name of the host to match your domain name, or configure the domain attribute of the single-sign-on element appropriately.

          • 2. Re: WildFly support Single-Sign-On (SSO)?
            hai_feng

            I'm very happy that you replied to me, thanks.

            But from the following discussion:

            Re: Using SSO on WildFly 8.0.0.Final?

            it seems there is a problem with your way.

            I have tried the way in the following document to test SSO on JBoss AS 7, and it works well.

            https://community.jboss.org/wiki/JBossAS711WebSSONon-Clustered

            When I tested on WildFly, I modified "<sso domain="localhost" reauthenticate="false"/>" to "<single-sign-on domain="localhost"/>"

            and WildFly runs well, but it cannot make the right of SSO, that is to say that SSO cannot work on WildFly.

            I found you had posted an issue about SSO configuration on Undertow, as follows:

            [WFLY-2404] Port SingleSignOn Valve to Undertow auth mechanism - JBoss Issue Tracker

            but I can't find the answer in your issue. Can you tell me what I can do?

            Thanks!

            • 3. Re: WildFly support Single-Sign-On (SSO)?
              pferraro

              But from the following discussion:

              Re: Using SSO on WildFly 8.0.0.Final?

              it seems there is a problem with your way.

              That thread only mentions a feature request to allow the domain of the sso cookie to be undefined.  Currently, you need to either set the domain attribute of the single-sign-on element, or change the name attribute of the parent host element.  This doesn't make SSO unusable.

              it cannot make the right of SSO, that is to say that SSO cannot work on WildFly.

              What do you mean exactly?

               

              There is currently a blocker issue fixed recently that affected standalone applications that use programmatic authentication w/SSO, namely:

              [WFLY-2934] SSO and programmatic authentication - JBoss Issue Tracker

               

              To work around this issue you can either:

              • Remove the org.wildfly.clustering.web.undertow module from your wildfly distribution
              • Make your web application <distributable/>
              • Build the latest from master
              • Wait until the 8.0.1 release, which should be out within the week.

              • 4. Re: WildFly support Single-Sign-On (SSO)?
                hai_feng

                Hi Paul,

                First, thanks for your reply.

                  Currently, you need to either set the domain attribute of the single-sign-on element, or change the name attribute of the parent host element.  This doesn't make SSO unusable.

                According to JBoss AS 7.1.1 Web SSO (Non-Clustered), I configured WildFly's standalone.xml as follows:

                Under "security-domains" I added this configuration:

                <security-domain name="sso" cache-type="default">
                    <authentication>
                        <login-module code="UsersRoles" flag="required">
                            <module-option name="usersProperties" value="users.properties"/>
                            <module-option name="rolesProperties" value="roles.properties"/>
                        </login-module>
                    </authentication>
                </security-domain>

                and configured SSO as follows:

                <server name="default-server">
                    <http-listener name="default" socket-binding="http"/>
                    <host name="default-host" alias="localhost">
                        <location name="/" handler="welcome-content"/>
                        <filter-ref name="server-header"/>
                        <filter-ref name="x-powered-by-header"/>
                        <single-sign-on domain="localhost"/>
                    </host>
                </server>

                Aside from configuring the standalone.xml, you also have to configure the valve for each of the web application you are trying to SSO.  Every request will go through this valve and it will act according to what you specified in reauthenticate flag.

                 

                <?xml version="1.0" encoding="UTF-8"?>
                <jboss-web>
                    <security-domain>sso</security-domain>
                    <valve>
                        <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
                    </valve>
                </jboss-web>


                Examples

                Attached are two wars you can deploy and the standalone.xml.  The web apps are derived from the quickstarts of picketlink so you might see some reference regarding it.

                1. Copy the standalone.xml to your WildFly standalone configuration
                2. Deploy the two wars
                3. Open http://localhost:8080/sso1 (login page)
                4. In another tab, open http://localhost:8080/sso2 (login page)
                5. Login with user: tomcat password: tomcat for sso1  (You should see welcome if you login successfully)
                6. Refresh page in step 4 and you should NOT see the login page but the welcome page instead.

                I tested successfully on JBoss AS 7, but when I test on WildFly nothing happens when I refresh the sso2 login page.

                There is currently a blocker issue fixed recently that affected standalone applications that use programmatic authentication w/SSO, namely:

                [WFLY-2934] SSO and programmatic authentication - JBoss Issue Tracker

                To work around this issue you can either:

                • Remove the org.wildfly.clustering.web.undertow module from your wildfly distribution
                • Make your web application <distributable/>
                • Build the latest from master
                • Wait until the 8.0.1 release, which should be out within the week.

                According to your suggestion:

                First, I built the latest WildFly from master and made the same configuration on it, and it doesn't work either; second, I made my web application <distributable/>, and it doesn't work; third, I removed the org.wildfly.clustering.web.undertow module from the WildFly distribution, but when I start WildFly, there is an ERROR as follows:

                JBAS014775:    New missing/unsatisfied dependencies:
                service jboss.undertow.server.default-server.default-host.single-sign-on.manager.factory (missing) dependents: [service jboss.undertow.server.default-server.default-host.single-sign-on.manager]

                 

                This is my question, please help!

                Thanks!

                • 5. Re: WildFly support Single-Sign-On (SSO)?
                  ctomc

                  Why are you mixing AS 7.1 SSO configuration with the WildFly one?

                  The only thing they have in common is the name "SSO", nothing else...

                  Also, for testing Paul's fix I would recommend using a nightly build that already has the fix in it; you can grab it from: WildFly nightly builds available

                  • 6. Re: WildFly support Single-Sign-On (SSO)?
                    hai_feng

                    Hi, Tomaz

                    I don't know what you mean, please be exact. I used a nightly build of WildFly to test SSO. I log in to sso1.war successfully, but when I refresh sso2.war, it can't skip the login page. In sso1.war and sso2.war, I just configured jboss-web.xml as follows:

                    sso1:

                    <jboss-web>
                        <security-domain>sso</security-domain>
                        <context-root>sso1</context-root>
                    </jboss-web>

                    sso2:

                    <jboss-web>
                        <security-domain>sso</security-domain>
                        <context-root>sso2</context-root>
                    </jboss-web>

                     

                    Is my configuration right? Or please tell me the way to test SSO on WildFly.

                    Thanks a lot!

                    • 7. Re: WildFly support Single-Sign-On (SSO)?
                      alexandre.nikolov

                      I want to add something to this discussion.

                       

                      I just downloaded the latest nightly build.

                       

                      I have the following in standalone.xml:

                      ............
                      <server name="default-server">
                          <http-listener name="default" socket-binding="http"/>
                          <host name="default-host" alias="localhost">
                              <location name="/" handler="welcome-content"/>
                              <filter-ref name="server-header"/>
                              <filter-ref name="x-powered-by-header"/>
                              <single-sign-on domain="localhost" />
                          </host>
                      </server>
                      ...................

                      I deploy 2 applications - one using "FORM"  and the other "BASIC" authentication: app1 and app2

                       

                      Then I load app1: http://localhost:8080/app1/ - the log-in form is displayed, user authenticated. Then I check the cookies created.

                      There are 2 cookies:

                      JSESSIONID with domain:localhost, path:/app1 and some value

                      JSESSIONIDSSO with domain:localhost and path:/app1/

                      Then I open app2 in a new browser tab. Log-in screen appears - I expected to see the app loading without asking for log-in. I enter the same user details and it authenticates and creates the following cookies:

                      JSESSIONID with domain:localhost, path:/app2 and some value

                      JSESSIONIDSSO with domain:localhost and path:/app2/

                      Now I perform a second experiment:

                      Open app1 and authenticate. I get the expected 2 cookies:

                      JSESSIONID with domain:localhost, path:/app1 and some value

                      JSESSIONIDSSO with domain:localhost and path:/app1/

                      Now I edit JSESSIONIDSSO and change its path to "/", leaving the domain unchanged.

                      After the change I open app2 and this time it loads without showing a log-in screen.

                      This time it creates only one new cookie - the JSESSIONID cookie.

                      I did the same experiment but deploying the applications to Glassfish 3.1.2 and Glassfish 4.

                      Glassfish does not set the "path" property on the SSO cookie. So probably the problem is in the path set on the SSO cookie. Without the path it works as expected.

                      • 8. Re: WildFly support Single-Sign-On (SSO)?
                        ctomc

                        This is all fixed in  https://github.com/wildfly/wildfly/pull/6080 which is not merged yet.

                        • 9. Re: WildFly support Single-Sign-On (SSO)?
                          kobe_fans

                          Hi, Alexandre

                          Can you give me your app1 and app2 and the whole configuration of standalone.xml? Recently I have also been studying SSO but ran into some problems.

                          You can send me a package; contact me at IT_JAVA_BOY@163.com
                          Thanks a lot!

                          --liuzhihong

                          • 10. Re: WildFly support Single-Sign-On (SSO)?
                            ctomc

                            Guys, we just released 8.1.0.CR1 over the weekend that has fixes for SSO in.

                            • 11. Re: WildFly support Single-Sign-On (SSO)?
                              alexandre.nikolov

                              Thanks a million! Will give it a try.

                               

                              Regards,

                              Aleksandar Nikolov

                               

                              Mon, 14 Apr 2014 16:32:06 +0300, Tomaz Cerar <do-not-reply@jboss.com>:

                              Guys, we just released 8.1.0.CR1 over the weekend that has fixes for SSO in.

                              • 12. Re: WildFly support Single-Sign-On (SSO)?
                                hai_feng

                                Hello Tomaz

                                Can't you tell me how to test it or give me some demo to test the SSO on WildFly?

                                Thanks!

                                • 13. Re: Re: WildFly support Single-Sign-On (SSO)?
                                  alexandre.nikolov

                                  With 8.1.0.CR1 my set-up works as expected.

                                  Here is my set-up:

                                  - in standalone.xml I have the following:

                                  <subsystem xmlns="urn:jboss:domain:undertow:1.1">
                                  .............
                                          <host name="default-host" alias="localhost">
                                              <location name="/" handler="welcome-content"/>
                                              <filter-ref name="server-header"/>
                                              <filter-ref name="x-powered-by-header"/>
                                              <single-sign-on path="/"/>
                                          </host>
                                      </server>
                                  ................................
                                  </subsystem>

                                  The difference this time is in the "path" attribute.
                                  - I used the same 2 applications from my previous post - these are just 2 empty web applications I created using NetBeans' Maven Template. The only thing I changed on the generated code is to add security constraints.

                                  I load application app1 and authenticate. Then I load app2 in a different browser tab - this time it does not require authentication.
                                  When you inspect the created cookies you should see 1 unique cookie per application with name JSESSIONID and path "/app1" and "/app2". And 1 cookie with name JSESSIONIDSSO and the same content for both apps and path "/"
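
Added example (not part of the original thread, and not WildFly or Undertow code): the cookie path rule from RFC 6265 applied to the cookies reported in posts 7 and 13, showing why a JSESSIONIDSSO cookie scoped to /app1/ never reaches app2 while one scoped to / does. Cookie values and the /other/ context are constructed, and domain matching is simplified to an exact or dot-suffix match.

```javascript
// Added example: RFC 6265 matching applied to the cookies from the thread.
// Cookie values are constructed placeholders, not real session ids.

// RFC 6265 section 5.1.4: does the request path fall under the cookie path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix match only counts on a "/" boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.1.3, simplified (assumption): exact or dot-suffix match.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => domainMatches(hostname, c.domain) && pathMatches(pathname, c.path))
    .map((c) => c.name);
}

// Does a login on app1 carry over to `url` through the SSO cookie?
function ssoCarriesOver(url, jar) {
  return cookiesSentTo(url, jar).includes("JSESSIONIDSSO");
}

// Jar after logging in to app1 on the nightly build (post 7).
const jarBeforeFix = [
  { name: "JSESSIONID", domain: "localhost", path: "/app1", value: "constructed-1" },
  { name: "JSESSIONIDSSO", domain: "localhost", path: "/app1/", value: "constructed-sso" },
];

// Same login on 8.1.0.CR1 with <single-sign-on path="/"/> (post 13).
const jarAfterFix = [
  { name: "JSESSIONID", domain: "localhost", path: "/app1", value: "constructed-1" },
  { name: "JSESSIONIDSSO", domain: "localhost", path: "/", value: "constructed-sso" },
];

const app2 = "http://localhost:8080/app2/";
console.log("before fix:", cookiesSentTo(app2, jarBeforeFix));
console.log("after fix: ", cookiesSentTo(app2, jarAfterFix));
// "/other/" is a constructed context: path "/" scopes the cookie to it as well.
console.log("other app: ", cookiesSentTo("http://localhost:8080/other/", jarAfterFix));
```

With a path of "/", the SSO cookie is delivered to every context deployed on that host, so each application there receives it, not only the ones meant to share the login.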
                                  • 14. Re: WildFly support Single-Sign-On (SSO)?
                                    hai_feng

                                    Thanks Alexandre

                                    I tested successfully!
