Does it use SAML assertions? If so, this could be very useful.
Not yet. The problem is that anyone using SAML must apply to RSA for a royalty-free license.
Check this: http://www.rsasecurity.com/node.asp?id=2530
This is not good for an open source product. We do, however, plan to support SAML in JOSSO in the near future.
JBoss comes with the ability to support SSO with some minor configuration changes I thought. Could you help me understand what JOSSO brings to the table?
Yes, of course. I'll try to name the most important ones:
1. JOSSO comes with a custom framework for implementing new authentication schemes (username/password, strong authentication, etc.), new stores (LDAP, etc.), session stores (memory, database, etc.), among other things.
SSO in JOSSO is a "business" itself, not just a Container plugin.
2. JOSSO is a distributed SSO, which basically splits the SSO infrastructure into a client and a server component. All your authentication schemes, stores, etc. are implemented in a potentially remote SSO service component, invoked by thin clients using a lightweight protocol like SOAP.
In JBoss, all SSO functionality resides in one single component coupled with Catalina.
3. You can have transparent single sign-on across multiple hosts and web applications, not only for web applications running in the same host.
JBoss SSO does not support this.
4. The authentication process is centralized. This means that the mechanisms and resources used to authenticate the user are hidden from the SSO clients by the SSO service. The SSO clients only need to know about a Single Sign-On Session created on user authentication against the SSO service.
By only updating the SSO service configuration, you can change how partner web applications authenticate their users, security policies, etc.
Also, all auditing logic and related information is in one place.
5. JOSSO is a platform neutral SSO, supporting Java and non-Java SSO clients. Right now PHP is supported. This means that you can share a user session between a PHP and a Java application.
6. JOSSO provides a security context not only to protected web resources, but also to public ones.
JBoss only provides a security context to protected web resources.
7. With JOSSO there is no need to access a protected resource to allow the user to authenticate.
In JBoss the user must access a protected resource for the authentication procedure to work.
8. Custom user properties (i.e. email, phone, etc.) can be attached to the Principal in a declarative fashion.
This is not supported in JBoss.
I hope you get a chance to evaluate JOSSO and let us know your opinion.
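The points above describe a distributed SSO design: a central service owns the authentication schemes, identity stores and SSO sessions, while partner applications (Java or PHP, on any host) hold only an opaque session id and ask the service for the principal. The following Python sketch is an added illustration of that division of responsibility; it is not JOSSO's code and does not use JOSSO's API. The `PasswordStore`, `SsoService` and `PartnerAgent` names, the in-memory store, the `"basic"` scheme name and the sample user are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Principal:
    """Identity handed to partner applications; credentials never leave the service."""
    name: str
    properties: dict  # declaratively attached attributes, e.g. email, phone


class PasswordStore:
    """Identity store (stand-in for LDAP/DB) holding salted PBKDF2 hashes."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password, **properties):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[name] = (salt, digest, properties)

    def verify(self, name, password):
        record = self._users.get(name)
        if record is None:
            return None
        salt, digest, properties = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):  # constant-time comparison
            return None
        return Principal(name, dict(properties))


class SsoService:
    """Central component: authentication schemes, stores and SSO sessions live here."""

    def __init__(self, store, session_ttl=300, clock=time.monotonic):
        self._store = store
        self._ttl = session_ttl
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._sessions = {}  # session id -> (principal, expiry)

    def authenticate(self, scheme, credentials):
        """Returns an SSO session id on success, None otherwise."""
        if scheme != "basic":  # only one scheme in this constructed example
            return None
        principal = self._store.verify(credentials.get("username", ""),
                                       credentials.get("password", ""))
        if principal is None:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = (principal, self._clock() + self._ttl)
        return sid

    def resolve(self, sid):
        """Maps a session id to its principal; expired sessions are dropped."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        principal, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[sid]
            return None
        return principal

    def logout(self, sid):
        self._sessions.pop(sid, None)


class PartnerAgent:
    """Thin client inside a partner app; it knows only the session id, nothing about stores."""

    def __init__(self, service):
        self._service = service

    def security_context(self, sid):
        """Available on public and protected pages alike; anonymous when no session."""
        principal = self._service.resolve(sid) if sid else None
        return {"authenticated": principal is not None, "principal": principal}


def demo():
    """Runs the constructed flow and returns the observable results."""
    now = [1000.0]
    store = PasswordStore()
    store.add_user("alice", "correct horse", email="alice@example.test", phone="555-0100")
    service = SsoService(store, session_ttl=60, clock=lambda: now[0])
    app_a = PartnerAgent(service)  # e.g. a Java application on host A
    app_b = PartnerAgent(service)  # e.g. a PHP application on host B
    bad = service.authenticate("basic", {"username": "alice", "password": "wrong"})
    sid = service.authenticate("basic", {"username": "alice", "password": "correct horse"})
    ctx_public = app_a.security_context(None)  # public page, user not yet signed on
    ctx_a = app_a.security_context(sid)
    ctx_b = app_b.security_context(sid)  # same session shared across hosts and platforms
    now[0] += 61  # session expires centrally, for every partner at once
    ctx_expired = app_b.security_context(sid)
    return {"bad": bad, "sid": sid, "public": ctx_public, "a": ctx_a, "b": ctx_b,
            "expired": ctx_expired}


if __name__ == "__main__":
    print(demo())
```

Note that changing how users are authenticated (another scheme, another store, a different session lifetime) touches only `SsoService` and its store; `PartnerAgent` is unaffected, which is the centralization point 4 above makes.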
> We do, however, plan to support SAML in JOSSO in the near future.
Is there a specific timeframe on when SAML will be supported in JOSSO?