5 Replies Latest reply on Mar 29, 2005 3:41 PM by dafisker

    JAAS-based Single Sign-On for JBoss 3.2.6

    Gianluca Brigandi Newbie

      JOSSO - Java Open Single Sign-On - is an open source J2EE-based SSO infrastructure aimed at providing a solution for centralized, platform-neutral user authentication.

      JOSSO uses Web Services technology for asserting user identity, allowing the integration of non-Java applications (e.g. PHP, Microsoft ASP, etc.) with the Single Sign-On Service using the SOAP protocol.

      JOSSO main features include:

      * 100% Java
      * JAAS-based Transparent Single Sign-On across multiple applications and hosts.
      * Built with a pluggable framework to allow the implementation of multiple authentication schemes and stores.
      * Runs in the JBoss 3.2.6 application server.
      * Runs in Jakarta Tomcat 5.0.27+.
      * Provides Identity information to web applications and EJBs through the standard Servlet and EJB Security API respectively.
      * Comes with a Reverse Proxy component that can be used to create n-tier Single Sign-On configurations.
      * LDAP support for storing user information and credentials.
      * Database support for storing user information and credentials.
      * XML support for storing user information and credentials.
      * Availability of a Jakarta Tomcat + JOSSO 1.1 bundle.
      * Client API for PHP. This allows building SSO-enabled PHP applications.
      * Standards-based: JAAS, Web Services/SOAP, EJB, Struts, Servlet/JSP.
      * Commercial-friendly. Released under the BSD License.

      JOSSO Home Page: http://www.josso.org

      Download JOSSO 1.1 from: http://sourceforge.net/project/showfiles.php?group_id=116854

        • 1. Re: JAAS-based Single Sign-On for JBoss 3.2.6
          peter neville Newbie

          Does it use SAML assertions? If so, this could be very useful.

          • 2. Re: JAAS-based Single Sign-On for JBoss 3.2.6
            Gianluca Brigandi Newbie

            Not yet. The problem is that anyone using SAML must apply to RSA for a royalty-free license.

            Check this: http://www.rsasecurity.com/node.asp?id=2530

            This is not good for an open source product. We plan, however, to support SAML in JOSSO in the near future.

            • 3. Re: JAAS-based Single Sign-On for JBoss 3.2.6
              Jimmy Wilson Apprentice

              I thought JBoss comes with the ability to support SSO with some minor configuration changes. Could you help me understand what JOSSO brings to the table?

              • 4. Re: JAAS-based Single Sign-On for JBoss 3.2.6
                Gianluca Brigandi Newbie

                Yes, of course. I'll try to name the most important ones:

                1. Josso comes with a custom framework for implementing new authentication schemes (username/password, strong authentication, etc.), new stores (LDAP, etc.), session stores (memory, database, etc.), among other things.
                SSO in JOSSO is a "business" itself, not just a Container plugin.

                2. Josso is a distributed SSO, which basically splits the SSO infrastructure into client and server components. All your authentication schemes, stores, etc. are implemented in a potentially remote SSO service component, invoked by thin clients using a lightweight protocol like SOAP.
                In JBoss, all SSO functionality resides in one single component coupled with Catalina.

                3. You can have transparent single sign-on across multiple hosts and web applications, not only for web applications running in the same host.
                JBoss SSO does not support this.

                4. The authentication process is centralized. This means that the mechanisms and resources used to authenticate the user are hidden from the SSO clients by the SSO service. The SSO clients only need to know about a Single Sign-On Session created on user authentication against the SSO service.
                By only updating the SSO service configuration, you can change how partner web applications authenticate their users, security policies, etc.
                Also, all auditing logic and related information is in one place.

                5. JOSSO is a platform neutral SSO, supporting Java and non-Java SSO clients. Right now PHP is supported. This means that you can share a user session between a PHP and a Java application.

                6. JOSSO provides a security context not only to protected web resources, but also to public ones.
                JBoss only provides security context to protected web resources.

                7. With JOSSO there is no need to access a protected resource for the user to authenticate.
                In JBoss the user must access a protected resource for the authentication procedure to work.

                8. Custom user properties (e.g. email, phone, etc.) can be attached to the Principal in a declarative fashion.
                This is not supported in JBoss.

                I hope you get a chance to evaluate JOSSO and let us know your opinion.

                Regards,
                Gianluca.
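
                The client/server split described in points 2, 4 and 8 above, as an added illustration that is not part of this thread and is not JOSSO's own code: a hypothetical in-process `SsoService` stands in for the remote SSO service (in a real deployment it would sit behind the SOAP endpoint), a JAAS `LoginModule` named `SsoSessionLoginModule` runs inside each partner application and only ever asserts an opaque session id, and the resulting `Principal` carries declaratively attached user properties. The option key `ssoService`, the shared-state key `sso.sessionId` and the user data are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical stand-in for the remote SSO service; partner apps would reach it over SOAP. */
final class SsoService {
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, String> sessions = new ConcurrentHashMap<>();   // session id -> user
    private final Map<String, byte[]> passwordHashes = new HashMap<>();       // constructed credential store
    private final Map<String, Map<String, String>> userProps = new HashMap<>(); // constructed custom properties

    void addUser(String user, String password, Map<String, String> props) {
        passwordHashes.put(user, sha256(password));
        userProps.put(user, props);
    }
    /** Authenticate once against the service; returns an opaque session id, or null on failure. */
    String login(String user, String password) {
        byte[] expected = passwordHashes.get(user);
        // MessageDigest.isEqual compares in constant time, so timing does not leak partial matches
        if (expected == null || !MessageDigest.isEqual(expected, sha256(password))) return null;
        byte[] raw = new byte[32];
        rng.nextBytes(raw);                         // 256 bits of CSPRNG output: unguessable session id
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, user);
        return id;
    }
    /** Partner applications only present the session id; the password never leaves the service. */
    String assertSession(String sessionId) { return sessionId == null ? null : sessions.get(sessionId); }
    Map<String, String> propertiesOf(String user) { return userProps.getOrDefault(user, Collections.emptyMap()); }
    /** Single logout: once the session is dropped here, every partner application's assertion fails. */
    void logout(String sessionId) { sessions.remove(sessionId); }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}

/** Principal carrying the custom user properties (email, phone, ...) attached by the service. */
final class SsoPrincipal implements Principal {
    private final String name;
    private final Map<String, String> properties;
    SsoPrincipal(String name, Map<String, String> properties) { this.name = name; this.properties = properties; }
    @Override public String getName() { return name; }
    public String getProperty(String key) { return properties.get(key); }
}

/** JAAS LoginModule run by each partner application: it validates a session id, never a password. */
public final class SsoSessionLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> sharedState;
    private SsoService service;
    private String user;
    private SsoPrincipal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
        this.service = (SsoService) options.get("ssoService"); // assumption: service handle passed via options
    }
    @Override
    public boolean login() throws LoginException {
        Object id = sharedState.get("sso.sessionId");           // assumption: placed here by a filter or valve
        user = service.assertSession(id == null ? null : id.toString());
        if (user == null) throw new FailedLoginException("no valid SSO session");
        return true;
    }
    @Override
    public boolean commit() {
        principal = new SsoPrincipal(user, service.propertiesOf(user));
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { user = null; return true; }
    @Override public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); return true; }

    public static void main(String[] args) throws LoginException {
        SsoService sso = new SsoService();
        sso.addUser("alice", "correct horse", Collections.singletonMap("email", "alice@example.com")); // constructed
        String sid = sso.login("alice", "correct horse");    // one authentication against the service
        for (String app : new String[] {"app-A", "app-B"}) { // two partner apps, possibly on different hosts
            Subject s = new Subject();
            SsoSessionLoginModule lm = new SsoSessionLoginModule();
            lm.initialize(s, null, Collections.singletonMap("sso.sessionId", sid), Collections.singletonMap("ssoService", sso));
            lm.login();
            lm.commit();
            for (SsoPrincipal p : s.getPrincipals(SsoPrincipal.class))
                System.out.println(app + ": " + p.getName() + " <" + p.getProperty("email") + ">");
        }
        sso.logout(sid);
        System.out.println("after logout, assertion yields: " + sso.assertSession(sid));
    }
}
```

                Compile and run with `javac SsoSessionLoginModule.java && java SsoSessionLoginModule`. The point to take from it is the trust boundary: the partner applications hold no credential store and no authentication logic, only a session id they cannot validate locally, so changing the authentication scheme or revoking a session is done in one place, at the service.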

                • 5. Re: JAAS-based Single Sign-On for JBoss 3.2.6
                  dafisker Newbie

                  > We plan, however, to support SAML in JOSSO in the near future.

                  Is there a specific timeframe on when SAML will be supported in JOSSO?