1 Reply Latest reply on Oct 3, 2014 9:04 AM by pcraveiro

SSO from Web App to Web Service

huo Sep 23, 2014 4:54 PM

We are working on an application with a multi-tiered architecture:

Browser talks to a Web App

Web App talks to a SOAP Web Service

Authentication is done via Active Directory

We want to implement SSO and we have the following requirements:

When a user is logged in into his Windows workstation, his login is used to SSO into the Web App.
When an application uses the Web Service it can use username/password as credentials.
When a Web App uses the Web Service the Web Service should be able to take advantage of the SSO mechanism of 1.

1. could be solved via JBoss Negotiation / SPNEGO

2. could be solved via Picketlink and an appropriate IDP

How about 3. How can we carry over the login information from SPNEGO to Picketlink.

What is the recommended way to ensure that all tiers of the application participate in the same SSO mechanism.

1. Re: SSO from Web App to Web Service

pcraveiro Oct 3, 2014 9:04 AM (in response to huo)

Hey Robert,

    I think PicketLink Federation can also help you in #3. It supports WS-Trust, providing a Security Token Service (STS) that you can use to issue/renew/cance/validate security tokens.

    PicketLink also provides some JAX-WS Handlers that you can use in your SOAP-based service to consume the SAML assertion previously issued by an IdP. In this case, the handler will validate it against the STS. If everything is fine, the user's security context is restored from the SAML assertion.

References:
https://developer.jboss.org/wiki/PicketLinkSTS-SAMLProfile
SAML WS Integration with PicketLink STS
PicketLink Security Token Service
PicketLink STS Login Modules
Actions