4 Replies Latest reply on Dec 4, 2009 8:00 PM by Anil Saldanha

    ADFS JBossWS and friends

    Andrew Oliver Master

      I'm going to ask this as if it were a user question. Anil told me to post it here :-) Mainly I'm proposing a scenario.

      The basic requirement

      IE/Flash ----SOAP----JBoss----SOAP----AnotherJBoss---SOAP---NOTJBOSS

      ActiveDirectory

      The present solution (https://jira.jboss.org/jira/browse/JBAS-2681):

      Microsoft Certificate Server
      Fixed LDAPExtLoginModule to let me authorize only and use the principal from the cert
      SSL Cert authentication

      That gets us step 1.
Step 2 is how JBoss calls AnotherJBoss while passing the credentials.

      Present solution involves NOT calling the same port (because I have to NOT do client cert re-authentication) and passing WS-Security info, using another login module that says "if JBoss said he's authenticated then he must be authenticated". Basically ID and origination IP is the credential.

So how do I get a real single sign-on session from a client calling one server, and share that session with another server and possibly another NOT-JBoss server? What software, standards, and configuration are involved? How would one put such a thing together?

      Ideally the client would:
* only use SSL authentication anywhere once (because cross authentication is a bear)
      * be able to authorize (get his groups and/or roles) in a convenient manner.