0 Replies Latest reply on May 28, 2009 10:35 AM by danjava2000@gmail.com

    SAML token propagation

    danjava2000@gmail.com Newbie

      Hi all,

      I am wondering how the SAML token is propagated between domains.

      When I log in the first server, I see clearly in the console that the SAML token has been generated and that it has been put on the trust server.

      Now, if I am trying to log on the second server, I see that the SSOTokenManager is looking for SAML token in the request or in a cookie. Since it is at neither place, the application is showing login page (which I don't want for sure).

      What I am doing wrong here? Do I need to add a specific parameter in the request ?

      Notice in the following code fragments that I implemented my own LoginProvider and LoginModule. But neither one is invoked when I hit for the first time the second server.

      I am using JBoss Federated SSO 1.0 CR1 on JBoss AS 4.0.2 with the following settings:

      On both servers I have the following setup:

      My SSO server config:

      <jboss-sso>
       <identity-management>
       <login>
       <provider id="si:intertrade:jboss-sso:database:login" class="com.intertrade.common.sso.DatabaseLoginProvider">
       <property name = "hashAlgorithm">SHA1</property>
       <property name = "hashEncoding">base64</property>
       <property name = "unauthenticatedIdentity">guest</property>
       <property name = "dsJndiName">java:/topcatDB</property>
       <property name = "principalsQuery">select user_password from USERS where USER_NAME = ?</property>
       <property name = "rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</property>
       </provider>
       </login>
       </identity-management>
      
      
       <!-- sso processor for SingleSignOn, the default JBossSingleSignOn processor uses OpenSAML-1.0,
       the next version of this processor will use the latest SAML specification
       -->
       <sso-processor>
       <processor class="org.jboss.security.saml.JBossSingleSignOn">
       <property name="trustServer">https://scarlet.montreal.intertrade.com:8443/federate/trust</property>
       </processor>
       </sso-processor>
      </jboss-sso>
      


      My JAAS login config:
      <application-policy name = "topcat">
       <authentication>
       <login-module code="com.intertrade.common.sso.DatabaseLoginModule" flag = "required">
       <module-option name = "password-stacking">useFirstPass</module-option>
       <module-option name = "hashAlgorithm">SHA1</module-option>
       <module-option name = "hashEncoding">base64</module-option>
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "dsJndiName">java:/topcatDB</module-option>
       <module-option name = "principalsQuery">select user_password from USERS where USER_NAME = ?</module-option>
       <module-option name = "rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</module-option>
       <module-option name = "provider">si:intertrade:jboss-sso:database:login</module-option>
       </login-module>
       </authentication>
       </application-policy>


      Federated server setting:
      <jboss-sso>
       <federation-server>
       <partners>
       <partner domain="intertrade.com" server="https://scarlet.montreal.intertrade.com:8443/federate"/>
       <partner domain="tradelinks.net" server="https://localhost.tradelinks.net:8443/federate"/>
       </partners>
       </federation-server>
      </jboss-sso>
      


      On server 1 (scarlet.montreal.intertrade.com), I have the following tomcat valve settings
      :
      <?xml version="1.0"?>
       <Context>
       <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /-->
      
       <!--
       logoutURL - URL for performing logout/signout function in your application
       -->
       <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/>
      
       <!--
       assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
       -->
       <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="https://scarlet.montreal.intertrade.com:8443/federate"/>
      
       <!--
       tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
       -->
       <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM" provider="si:intertrade:jboss-sso:database:login"/>
       </Context>
      


      On server 2 (localhost.tradelinks.net), I have the following tomcat valve settings:
      <?xml version="1.0"?>
       <Context>
       <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /-->
      
       <!--
       logoutURL - URL for performing logout/signout function in your application
       -->
       <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/>
      
       <!--
       assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
       -->
       <Valve className="org.jboss.security.valve.SSOTokenManager" assertingParty="https://localhost.tradelinks.net:8443/federate"/>
      
       <!--
       tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
       -->
       <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM" provider="si:intertrade:jboss-sso:database:login"/>
       </Context>