13 Replies Latest reply on Feb 11, 2020 10:46 AM by mark.banierink

WildFly11 - Single Sign on in a cluster

lagoria Nov 29, 2017 5:56 AM

I have a cluster with two nodes. Session is not replicated, but I would like the SSO to be so.

Both nodes have an entry like this

<single-sign-on path="/"/>

under undertown configuration.

Single sign on works when I switch from one node to the other. What is not working (and actually I am not sure it is supposed to work) is that SSO state is not preserved when one node fails.

In this case I am just redirected to the login page.

Is this a bug or I have misconfigured something?

AS is WF11, profile is standalone-full-ha.

1. Re: WildFly11 - Single Sign on in a cluster

mchoma Nov 29, 2017 6:14 AM (in response to lagoria)

And do you use Elytron for securing apps?
Actions
2. Re: WildFly11 - Single Sign on in a cluster

lagoria Nov 29, 2017 6:18 AM (in response to mchoma)

No, legacy system. Should I? I tried to migrate to Elytron and gave it up yesterday, but could definitely give a try again.
Actions
3. Re: WildFly11 - Single Sign on in a cluster

mchoma Nov 29, 2017 7:36 AM (in response to lagoria)

This question was to just find out whole picture.
It could behave differently based on which security solution is used.

I definitely encourage you to give a try to Elytron again - it is the future.
Actions
4. Re: WildFly11 - Single Sign on in a cluster

pferraro Nov 29, 2017 9:02 AM (in response to mchoma)

Undertow's SSO implementation relies on the session to store the SSO identifier so that destruction of the session of one application destroys the corresponding sessions for all other applications associated with that user. If the session is not replicated, this behavior won't work if the user's SSO spans applications on multiple nodes.

The elytron SSO implementation does not have this limitation.
Actions
5. Re: WildFly11 - Single Sign on in a cluster

lagoria Nov 29, 2017 10:13 AM (in response to pferraro)

Thank Paul. Now that I have been able to switch to Elyton, it seems I can't enable SSO.

I get this exception (same undertow configuration with legacy security didn't):

15:09:28,248 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 88) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'SSO' is not available in mechanisms [FORM] from the HttpAuthenticationFactory.
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'SSO' is not available in mechanisms [FORM] from the HttpAuthenticationFactory.
Actions
6. Re: WildFly11 - Single Sign on in a cluster

pferraro Nov 29, 2017 10:53 AM (in response to lagoria)

This should help: Web Single Sign-On - Latest WildFly Documentation - Project Documentation Editor
Actions
7. Re: WildFly11 - Single Sign on in a cluster

lagoria Nov 29, 2017 11:37 AM (in response to pferraro)

Thanks, I have followed the instructions and deploy is fine now.

SSO is not enabled, although. I don't see any JSESSIONIDSSO cookie in the browser.
This is the configuration in undertow/application-security:

{
    "outcome" => "success",
    "result" => {
        "enable-jacc" => false,
        "http-authentication-factory" => "wmt-http-auth",
        "override-deployment-config" => false,
        "referencing-deployments" => ["wmt.war"],
        "setting" => {"single-sign-on" => {
            "client-ssl-context" => undefined,
            "cookie-name" => "JSESSIONIDSSO",
            "credential-reference" => {"clear-text" => "secret"},
            "domain" => "localhost",
            "http-only" => false,
            "key-alias" => "localhost",
            "key-store" => "wmt-keystore",
            "path" => "/",
            "secure" => false
        }}
    }
}

Anything I could look to?
Actions
8. Re: WildFly11 - Single Sign on in a cluster

pferraro Dec 2, 2017 8:10 AM (in response to lagoria)
Have you created an application-security-domain in the undertow subsystem that uses this new "wmt-http-auth" http-authentication-factory?
Have you also enabled single sign-on for this application-security-domain?
Did you specify this <security-domain/> in your application's jboss-web.xml?
Actions
9. Re: WildFly11 - Single Sign on in a cluster

lagoria Dec 2, 2017 10:27 AM (in response to pferraro)

Yes. This is the profile I am using:

https://issues.jboss.org/secure/attachment/12428485/standalone-full-ha.xml

and this is jboss-web.xml content:

<jboss-web>
<security-domain>wmtauth</security-domain>
<context-root>/</context-root>
</jboss-web>
Actions
10. Re: WildFly11 - Single Sign on in a cluster

mchoma Dec 7, 2017 5:06 AM (in response to lagoria)

Does TRACE log reveals something interesting? Could you attach?

Enable TRACE at least for:
* org.wildfly.security
* org.wildfly.elytron
* io.undertow
Actions
11. Re: WildFly11 - Single Sign on in a cluster

lagoria Dec 7, 2017 6:50 AM (in response to mchoma)

I can't see anything about SSO:

2017-12-07 11:43:50,979 INFO [org.jboss.modules] (main) JBoss Modules version 1 - Pastebin.com

Anyway, if you want to reproduce just try the war I provided for [ELY-1455] DB query seen for each request using FORM mechanism. - JBoss Issue Tracker
Actions
12. Re: WildFly11 - Single Sign on in a cluster

mchoma Dec 7, 2017 7:17 AM (in response to lagoria)

pferraro pcraveiro Should SSO work in this case, when actually, FORM authentication is not used. Instead programmatic approach is used.
Actions
13. Re: WildFly11 - Single Sign on in a cluster

mark.banierink Feb 11, 2020 10:46 AM (in response to mchoma)

Hello, I'm experiencing the same issue. In the log it only states that authentication and authorization is all fine, but it doesn't set a JSESSIONIDSSO cookie. I have declared the application-security-domain and keystore properly: without SSO is all works and with SSO enabled, no exceptions are thrown. Do you have any suggestions?
Actions

Go to original post