With the OpenID support, I've tried to make the security code SSO-friendly, meaning that all the functions you would need to implement an SSO login should be there. Have you looked at the OpenID component? I'll be more than happy to explain things, and of course, if we need some other functionality to make it work I can definitely add it because we would need it for our future SSO plans.
With Seam 2.0, what I call Enterprise SSO (which means never asking for a password in the application and relying on a third-party application to provide authentication) is hell to implement... I took one week to extend (understand 'rewrite') the Identity component to support it, mainly because Seam 2.0 assumes that if the password is not set, the user can't be authenticated... (which is false).
After a short look at Seam 2.1, I think this kind of authentication will be easier thanks to the replacement of password (String) ... by Credential (whatever you want, supported by your authenticator).
It is important to separate identification (username?) from authentication (is the user who they claim to be) and authorization (which rights a user has, provided by JBoss Rules (aka Drools)). The changes between Seam 2.0 and 2.1 are a big step in this direction.
With the current version of Seam it is easy to implement SSO, and you should not have to make any changes to Identity. I was able to easily implement OpenID with it. My initial evaluations of possible SSO integration lead me to believe that we are in a good position moving forward, but if we are lacking in anything then we definitely can improve that part of Seam.
Thanks for your reply.
OpenID is very interesting and looks good but is more suited for Internet (consumer) facing sites/systems right? What about enterprise/internal systems?
For example, I work in a very large organization that uses Active Directory. One of the biggest issues currently our internal users have is that there are so many apps with so many different authentication credentials.
Since I am introducing apps based on Seam to the organization, I want to enable SSO from day one. The ntlm/jcifs seems to be the only article/info out there with regard to SSO on Seam.
I am also confused about (and lack knowledge of) how the JBoss Negotiation project will impact Seam. (We use the JBoss app server, so we are OK with a JBoss-centric solution.)
Getting back to OpenID, if we are to implement SSO around it, we will first need to set up an OpenID provider such as OpenID-LDAP. This would be an unnecessary overhead, right?
I would appreciate views from the community on how others may be handling something like this. I am particularly interested in how to get Seam to recognize that a user is authenticated from another source.
I am not sure how the shift to Credential in Seam 2.1 helps, because within the Credential class we will need to set the username/password. So aren't we back to square one? (Unless of course I extend the Identity class and implement my own.) I am trying to understand if there is a solution which can be implemented out of the box.
I think it's possible to extend/overwrite Credential, and write your authenticator so that it supports it.
I think there is no longer a check for 'password' to be a non-empty String in the Identity component.
Have you looked at the OpenID support to see how it is done there?
Yes, I can extend it, but as mentioned I wanted to know if there is an 'out of the box' solution in Seam.
As mentioned to David, I was looking at an 'out of the box' solution before I decided to look deeper. Let me have a look at how OpenID does it. Maybe without really using OpenID, I can maybe pick on the concepts in there.
Thanks to both of you for your insights.
We plan to support more SSO options directly in the future, but the market is so fragmented that it's hard to know exactly which SSO solutions to target. My goal in choosing OpenID first was to provide something that can be immediately useful to a lot of people and to make sure that we have all the support necessary for anyone to write an SSO integration component. My hope is that people in the community who use a specific SSO solution would use that support to write integration components that could be shared with others and possibly integrated into Seam later.
I'm more than happy to provide support to anyone who is trying to do that.
I agree with you 100%. I am just trying to get my head around what is the industry standard when it comes to SSO. Even within JBoss, you get so much different stuff going on: Federated SSO, the JBossNegotiation project for SPNEGO support, etc.
I guess my confusion is compounded by the fact that I may not know the difference of all these different projects and what each is trying to achieve. So on my part, I need to read up more on this.
I believe OpenID was a must-have feature in Seam and it is great that you guys put that in. But OpenID is more for web consumer-facing apps (at least at this point in time). How can we leverage what is already widely used in the enterprise? Active Directory might be a big part of what the enterprise uses currently. (I am guessing!!) Then you have other commercial products like SiteMinder, Netegrity etc. And we all in the Seam community want more Seam adoption in the enterprise, right!!
So what would be great is if Seam at a basic level provides functionality where a developer can code indicating that the app has been authenticated externally. For example, if I could set the username on the Credentials object and then set a flag on the Identity object indicating that authentication is OK, then that would meet the basic and I guess simple use case that most enterprise apps might want. If there are other use cases more advanced than this, then we can extend and implement it (as is the case now).
For my use case, ideally what I would like to have is to configure SSO with Active Directory as a service on the JBoss app server and have my multiple Seam apps running on that app server be able to hook up with that service and everything works fine.
For example, at present I can configure a JAAS service in the JBoss app server and then refer to that service in Seam by configuring it in the components.xml descriptor file. But how does the SSO work in this case with a Seam app? Maybe this is already there and I need to read up a bit more. I would appreciate any pointers in this regard.
Anyone, please provide the link to integrate OpenID SSO into a Seam web application.
Thanks in advance.