3 Replies Latest reply on May 1, 2008 6:15 AM by Sohil Shah

    Trying to Connect JBoss SSO to Oracle Federation Server

    Brian Reynolds Newbie

      We're having a problem figuring out how to set up the POST authentication method in OIF for hooking up to JBoss. I can't find any configuration parameters in JBoss's SSO config files that allow me to set up the POST username and password, however OIF is asking for them in its configuration page.

      A university attempting to set up the Oracle Federation Server is trying to connect to our web site using SSO. We set up the JBoss Federation Server and test application in order to test basic SSO connectivity between OIF and Jboss SSO.

      JBoss uses SAML 1.1 I believe and so the university is in the OIF configuration page configuring our JBoss fed server as a SAML 1.1. entity.

      We gave the school our domain, federation server URL, and SSL certificate for setting up HTTPS between the federation servers. That seems like all we should need. However, the OIF server is asking for a username and password for use during the communication between the federation servers. In looking around on the web, it looks like that username and password are used for the POST method of token validation. I don't see anywhere in the JBoss configuration files where there's a place to set any username/password for use in token checking. Any help from the JBoss community would be helpful.

        • 1. Re: Trying to Connect JBoss SSO to Oracle Federation Server
          Sohil Shah Master

          breynolds-

          Can you briefly describe your setup. Here is what I am assuming you are trying to do, so correct me if I am wrong

          1/ You have a JBoss Federation setup in your school domain using the JBoss Federation Server

          2/ You have a university ("a partner") in a different domain whose Federation is running the Oracle Federation Server

          3/ And you want your SSO tokens propagated/processes/validated between the two Federations?

          If my assumption about this setup is correct, what you are looking for is the username and password that the OIF server will use to perform a "Trust Handshake" between the two servers to check if it can trust the SSO token it is receiving from your domain

          However, if you are using the CR1 release, the "Trust Handshake" of JBoss Federation Server is non-customizable making it not able to interoperate with non-JBoss Federation Servers.

          This feature to allow customization is still under development. I understand that interoperation between Federation Servers is an important feature and we have the base architecture to support it, but we still have to develop the feature to make it happen.

          In fact we have a open JIRA to support Microsoft Federation Server as well once this feature is developed. http://jira.jboss.com/jira/browse/JBSSO-9

          Thanks

          • 2. Re: Trying to Connect JBoss SSO to Oracle Federation Server
            Brian Reynolds Newbie

            Thanks for the response Sohil.

            Yes you've described it pretty well. We're a service provider, we just want the students to be able to log into their institution and then be able to get into our web application.

            If we don't have the ability to perform that trust handshake, does that mean we won't be able to connect those servers right now? So far they are not connecting and I'm wondering if that's the reason.

            • 3. Re: Trying to Connect JBoss SSO to Oracle Federation Server
              Sohil Shah Master

              breynolds-


              If we don't have the ability to perform that trust handshake, does that mean we won't be able to connect those servers right now? So far they are not connecting and I'm wondering if that's the reason.


              Yes in the CR1 release that you are using, this is the reason why they are not talking to each other.

              The next release will improve the "Trust Handshake" pluggability using the concept of a "Trust Plugin" which can then interoperate with other Federation Servers. The functionality is in fact implement on the svn trunk. http://anonsvn.jboss.org/repos/jboss-sso/dev/trunk/

              btw- do you know what is the purpose of the "username" and "password" that the Oracle Server needs to work with the JBoss Federation Server.

              1/ Is it used while "pushing" the token to the JBoss Federation Server (in which case its not needed and you can leave it blank)

              or

              2/ While making a "Trust handshake" callback to the JBoss Server when JBoss Server pushes the token over to the Oracle server

              Also, can you post the SAML token that is generated by the Oracle server and pushed to the JBoss Server?

              I apologize for all the questions, but I am very interested by this usecase, and Federation Server interoperability is key to the usefulness of SAML and de-centralized SSO

              Thanks