10 Replies Latest reply on Jul 1, 2008 1:39 PM by Alan Feng

    JBoss federated SSO setup

    Alan Feng Novice

      Hi,

      I'm trying out the JBoss SSO and got stuck with cross domain SSO setup. I wonder if anyone can point out what I was doing wrong.

      I am running two JBoss instances on the local box, with JBoss config name "sso-site1" and "sso-site2". For sso-site2, I've changed all the ports it uses by prefixing them with a 1 so they are in the 10000-19999 range. I am accessing the two sites using www.ssosite1.com:8080 and www.ssosite2.com:18080 after updating the Windows host file.

      I also dropped the jboss-sso.sar and jboss-federation-server-exploded.ear to the deploy directory of both sites.

      I then deployed ssoapp1 and ssoapp2 to sso-site1 and sso-site2, respectively. Below are the settings of various files. For ssoapp1, it uses "site1" in various places as mentioned below. For ssoapp2, it uses "site2" wherever "site1" is used in ssoapp1.

      jboss-sso.sar/conf/sso.cfg.xml

       <login>
       <provider id="si:myconmpany:site1:login" class="org.jboss.security.idm.demo.DemoLoginProvider"/>
       </login>
      
       <sso-processor>
       <processor class="org.jboss.security.saml.JBossSingleSignOn">
       <property name="trustServer">http://www.ssosite1.com:8080/federate/trust</property>
       </processor>
       </sso-processor>
      
      



      JBoss conf/login-config.xml
       <application-policy name="ssodemo-site1">
       <authentication>
       <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
       <module-option name="unauthenticatedIdentity">guest</module-option>
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
       <module-option name="provider">si:myconmpany:site1:login</module-option>
       </login-module>
       </authentication>
       </application-policy>
      



      jboss-federation-server.sar/conf/server.cfg.xml
       <federation-server>
       <partners>
       <partner domain="ssodemo-site1" server="http://www.ssosite1.com:8080/federate"/>
       <partner domain="ssodemo-site2" server="http://www.ssosite2.com:18080/federate"/>
       </partners>
       </federation-server>
      



      WEB-INF/Context.xml
      <Context>
       <!-- a federation routing valve -->
       <Valve className="org.jboss.security.valve.SSOFederationRouter" />
       <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/ssoapp1/close_session.jsp" />
      
       <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="ssodemo:site1" />
      
       <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="BASIC" provider="si:mycompany:site1:login" />
      </Context>
      



      WEB-INF/jboss-web.xml
       <security-domain>java:/jaas/ssodemo-site1</security-domain>
      



      WEB-INF/web.xml
       <security-constraint>
       <display-name>protected resources</display-name>
       <web-resource-collection>
       <web-resource-name>protected contents</web-resource-name>
       <url-pattern>/protected/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>Authenticated</role-name>
       </auth-constraint>
       </security-constraint>
       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>SSO Authentication App1 @ Site1</realm-name>
       </login-config>
       <security-role>
       <role-name>Authenticated</role-name>
       </security-role>
      



      I think I've connected all the dots. The login worked okay. Once login, I can see the SAML token in the cookie. However, when I click a link to jump from site1 to site2 (or vise versa), the SAML token is not restored and therefore, I am getting the login prompt again.

      Any idea what is missing?

      Thanks in advance.

        • 1. Re: JBoss federated SSO setup
          Mauricio Salatino Master

          did you uncomment the https configuration in your server.xml in web.deployer??
          you need that in order to user ssl in the federation server comunications...
          Let me know if you can do that.. and if it works for you..

          • 2. Re: JBoss federated SSO setup
            Alan Feng Novice

            First, thanks for the reply.

            I don't have the https enabled. Is it a requirement? I don't remember seeing it in the SSO wiki pages.

            I'll give it a try anyway.

            • 3. Re: JBoss federated SSO setup
              Alan Feng Novice

              So I enabled the HTTPS on both sites. Now the jboss-federation-server.sar/conf/server.cfg.xml file looks like this:

               <federation-server>
               <partners>
               <partner domain="ssodemo-site1" server="https://www.ssosite1.com:8443/federate"/>
               <partner domain="ssodemo-site2" server="https://www.ssosite2.com:18443/federate"/>
               </partners>
               </federation-server>
              


              However, I still don't get the cross-domain SSO :(

              Should I see anything from the log regarding federation servers exchange the token? I don't see anything in the log right now.



              • 4. Re: JBoss federated SSO setup
                Sohil Shah Master

                 

                <Context>
                 <!-- a federation routing valve -->
                 <Valve className="org.jboss.security.valve.SSOFederationRouter" />
                 <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/ssoapp1/close_session.jsp" />
                
                 <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="ssodemo:site1" />
                
                 <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="BASIC" provider="si:mycompany:site1:login" />
                </Context>
                


                Are these valves setup on ssosite2.com as well? including the corresponding login module setup with BASIC authentication?

                I noticed the configuration you posted was on ssosite1.com, just making sure the client sso stack is setup on ssosite2.com as well

                Thanks


                • 5. Re: JBoss federated SSO setup
                  Sohil Shah Master

                  ah doh.......

                  I just noticed this

                  try this for jboss-federation-server.sar/conf/server.cfg.xml as configuration of federation servers on both ssosite1 and ssosite2

                  <federation-server>
                   <partners>
                   <partner domain="ssosite1.com" server="http://www.ssosite1.com:8080/federate"/>
                   <partner domain="ssosite2.com" server="http://www.ssosite2.com:18080/federate"/>
                   </partners>
                   </federation-server>
                  


                  Notice the change from ssodemo-site1 to ssosite1.com and ssodemo-site2 to ssosite2.com, The domain values should be real domain values.

                  See if this solves the problem

                  Thanks

                  • 6. Re: JBoss federated SSO setup
                    Alan Feng Novice

                    Thank you for the reply.

                    I changed the domain to ssosite1 and ssosite2, and all other locations (login-config.xml, jboss-web.xml, as the security domain names), but that didn't help.

                    Is that true the domain in the server.cfg.xml file should match the security domain associated with the web apps (which is what I did)?

                    And where should I start with debugging the problem myself while waiting for helps from forum?

                    Thanks,

                    • 7. Re: JBoss federated SSO setup
                      Sohil Shah Master

                      Just to be clear, the values in server.cfg.xml should be ssosite1.com and ssosite2.com and not just ssosite1, and ssosite2.

                      If that is in place, looks like you need to do some debugging on your end to see whats happening. Here are some tips for debugging

                      1/ Use the LiveHeaders or something like that to see the sequence of requests that happen when going from ssosite1 to ssosite2. Expected behavior would be, when hitting ssosite2, the SSOFederationRouter valve on ssosite2 must redirect back through ssosite1's federation server (redirect). This is based on the partner federation server value specified in server.cfg.xml file. Debug and see if this redirecting occurs to move the SAML token from one domain to another

                      2/ If from step1, you are seeing that the SAML token is in fact propagated from ssosite1 to ssosite2, then debug the SSOAutoLogin valve to see if the AutoLogin is actually getting processed correspondingly calling your LoginModule, and the login is actually occuring successfully.

                      The missing link is somewhere here

                      Hope this provides some clues

                      Thanks

                      • 8. Re: JBoss federated SSO setup
                        Sohil Shah Master

                         


                        Is that true the domain in the server.cfg.xml file should match the security domain associated with the web apps (which is what I did)?


                        The domain for server.cfg.xml has nothing to do with the security domain specified with the low level JAAS authentication/login module setup.

                        This value of domain in jboss-federation-server.sar/conf/server.cfg.xml must be the actual web domain at which the web application is hosted

                        Also part of debugging make sure the SAML token is issued at the domain level. Like for instance ssosite1.com or ssosite2.com depending on which application you log into

                        Thanks

                        • 9. Re: JBoss federated SSO setup
                          Mauricio Salatino Master

                          Maybe it's obvious but check your /etc/hosts.. and check how you are starting both JBoss configurations..

                          my /etc/hosts looks like:

                          127.0.0.1 localhost
                          127.0.1.1 node1.jboss.org
                          127.0.2.1 node2.jboss.com
                          
                          and when i run the two Jboss configuration:
                          ./run.sh -c defaultOrg -b node1.jboss.org
                          
                          and the other
                          
                          ./run.sh -c defaultCom -b node1.jboss.com
                          
                          this is the basic configurations.. but maybe some typo.. or something missing...
                          Hope it helps
                          
                          


                          • 10. Re: JBoss federated SSO setup
                            Alan Feng Novice

                             

                            "sohil.shah@jboss.com" wrote:
                            Just to be clear, the values in server.cfg.xml should be ssosite1.com and ssosite2.com and not just ssosite1, and ssosite2.


                            I think this did the trick. I did have only "ssosite1" as the domain name instead of "ssosite1.com". I changed it and it is now working! I saw the browser is redirected back to the previous site as you described.

                            It seems that I've covered all the pieces, the only problem prevented it from working is the incorrect domain values.

                            Thanks for all the helps!