External authentication example using SSOCircle

Version 3

    Introduction

    PicketLink has a Seam module that enables developers to connect their Seam applications to external identity providers; both SAMLv2 and OpenID-based providers are supported. A sample application called seam-sp demonstrates this: it is a very simple Seam application that lets users log in at an OpenID or SAML identity provider.

    This article describes how to use the seam-sp application to connect with SSOCircle (http://www.ssocircle.com). SSOCircle is a free SAML identity provider, based on Sun's open source identity management suite OpenSSO (http://www.opensso.org). It provides us with a very nice way of testing a SAML-based service provider without having to install a SAML identity provider. Here's how you do it.

    Signing on using your SSOCircle account

    First you need to create an account at SSOCircle. From the main page, click "login" followed by "new user". Enter your details, confirm the usage conditions, wait for the confirmation mail and activate the account using the link in that mail.

    Deploy the seam-sp sample application (provided as a war file attached to this article) to your application server. It has been tested with a JBoss AS 5.1.0.GA server running on JDK 6; for other servers or Java runtimes some customization may be needed. The application is part of version 1.0.2 of PicketLink. You can unpack the war file and the jar file containing the sources to turn the black box into a white one.

    After starting the application server, direct your browser to "http://localhost:8080/seam-sp/PublicPage.seam". You see the following page:

    publicpage.tiff

    Now click on the link to view private page 2. That page is secured by a login-required attribute in pages.xml, so you're redirected to the login-view-id specified in pages.xml, which is the page Login.xhtml:

    login page.tiff

    Choose to log in using idp.ssocircle.com. You're redirected to the SSOCircle site to log in:

    ssocircle_logon_screen.tiff

    Log in using the credentials of your SSOCircle account. You'll be directed back to the private page you requested:

    privatepage2.tiff

    Notice that SSOCircle provided a persistent NameID. This NameID is unique to the combination of your SSOCircle account and the service provider you log in to, and it allows for anonymous sign-on.

    Logging out locally and globally

    Now try "Local logout". This redirects you back to the public page, and you're no longer logged in to the seam-sp application. If you then try to access one of the private pages, you're redirected to the login page, where you can again select to log in using SSOCircle. You'll notice that after selecting SSOCircle you're redirected immediately to the requested private page; that is because you're still logged in at SSOCircle. You could also try single logout. In that case you're logged out not only from the seam-sp application but from SSOCircle as well, so you need to sign on again at the SSOCircle site.

    Logging in without identity provider discovery

    The seam-sp application contains a second service provider, which is configured with SSOCircle as its one and only identity provider. In that case you won't be asked to choose an identity provider, because there is only one. To use that service provider, you need to map the hostname "saml.picketlink.org" to "127.0.0.1" in your "/etc/hosts" file (if you've got a Unix machine - I hope you do). If you browse to "http://saml.picketlink.org:8080/seam-sp/PublicPage.seam" and then access a private page, you'll see that you're logged in with a different NameID:

    saml-sp-private-page.tiff

    That is because you're now using a different service provider (entity ID "http://saml.picketlink.org:8080/seam-sp" instead of "http://localhost:8080/seam-sp"). When you look under "My Federations" in the SSOCircle console, you'll see that you now have two federations:

    my_federations.tiff

    You can now close your browser, log in using the "http://localhost:8080/seam-sp" service provider, and then see that you don't have to log in again when using the "http://saml.picketlink.org:8080/seam-sp" service provider. You'll also see that when you're logged in with both service providers, a single logout logs you out from both service providers and from the SSOCircle site.

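    The two NameIDs and the two federations above follow from how a persistent NameID is derived: the identity provider issues one opaque pseudonym per (account, service provider entity ID) pair. The following Python is an added example, not code from the seam-sp application, PicketLink or SSOCircle. It models that derivation with a keyed HMAC, which is one common construction (SSOCircle's actual scheme is not documented here; an IdP may equally store random identifiers per pair). The SP entity IDs are the ones from this article; the IdP entity ID, the key and the account name "alice" are constructed stand-ins.

```python
import base64
import hashlib
import hmac
from xml.sax.saxutils import quoteattr

# Entity IDs from the article. The IdP entity ID and key below are constructed
# stand-ins for this example, not SSOCircle's real values.
SP_LOCALHOST = "http://localhost:8080/seam-sp"
SP_PICKETLINK = "http://saml.picketlink.org:8080/seam-sp"
IDP_ENTITY_ID = "http://idp.example.test/idp"
PSEUDONYM_KEY = b"constructed-idp-secret-for-this-example-only"

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def persistent_name_id(idp_user: str, sp_entity_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive an opaque, SP-specific pseudonym for one IdP account.

    HMAC-SHA256 over (user, SP entity ID) under an IdP-held key gives a value
    that is stable for one (user, SP) pair, different for every other SP, and
    not reversible to the account name without the key. Two SPs therefore
    cannot correlate a user by comparing the NameIDs they receive.
    """
    message = idp_user.encode("utf-8") + b"\x00" + sp_entity_id.encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Base64url without padding: 43 characters, well under SAML's 256-char limit.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def name_id_element(idp_user: str, sp_entity_id: str) -> str:
    """Render the <saml:NameID> element an assertion for this SP would carry.

    NameQualifier names the issuing IdP, SPNameQualifier the SP the value is
    scoped to; both are standard attributes of a persistent NameID.
    """
    value = persistent_name_id(idp_user, sp_entity_id)
    return (
        '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        f' Format="{PERSISTENT_FORMAT}"'
        f" NameQualifier={quoteattr(IDP_ENTITY_ID)}"
        f" SPNameQualifier={quoteattr(sp_entity_id)}>"
        f"{value}</saml:NameID>"
    )


def federations(idp_user: str, sp_entity_ids) -> dict:
    """The IdP's view of 'My Federations': one pseudonym per SP the user has used."""
    return {sp: persistent_name_id(idp_user, sp) for sp in sp_entity_ids}


if __name__ == "__main__":
    user = "alice"  # constructed account name
    for sp, name_id in federations(user, [SP_LOCALHOST, SP_PICKETLINK]).items():
        print(f"{sp} -> {name_id}")
    print(name_id_element(user, SP_PICKETLINK))
```

    Running it prints two different NameIDs for the same account, one per entity ID, which is exactly why the private page showed a different NameID once the second service provider was used, and why the console lists two federations. Changing only the entity ID of an SP (for example through serviceProviderEntityId) therefore creates a fresh federation rather than reusing the old one.
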
    A final note about SP metadata at SSOCircle

    At SSOCircle you can upload your own SP metadata (using the "My SP Metadata" menu item in the console). However, for each entity ID only one SSOCircle account holder can upload SP metadata. The metadata for the service providers mentioned in this article has been uploaded by the writer of this article, so if you want to connect your own service providers to SSOCircle, you should use other entity IDs. In the seam-sp sample application, the entity ID of each service provider can be changed through the serviceProviderEntityId attribute of the SamlConfig element.
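    To see what that upload rule means in practice, here is an added Python example (not part of seam-sp, PicketLink or SSOCircle) that builds a minimal SAML 2.0 SP metadata document for a chosen entity ID, reads the entityID back out of it, and checks it against a constructed registry that stands in for SSOCircle's "one account holder per entity ID" bookkeeping. The registry contents and the assertion consumer URL "http://sp.example.test/acs" are assumptions for the example; the two taken entity IDs are the ones named in this article.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for SSOCircle's registry: the article says these two
# entity IDs are already owned by its author.
ALREADY_REGISTERED = {
    "http://localhost:8080/seam-sp": "article-author",
    "http://saml.picketlink.org:8080/seam-sp": "article-author",
}


def build_sp_metadata(entity_id: str, acs_url: str) -> str:
    """Minimal SP metadata: one EntityDescriptor with a single HTTP-POST ACS.

    quoteattr() escapes the values, so an entity ID containing '&' or quotes
    cannot break out of the attribute.
    """
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID={quoteattr(entity_id)}>'
        f'<md:SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">'
        f'<md:AssertionConsumerService Binding="{HTTP_POST}"'
        f' Location={quoteattr(acs_url)} index="0" isDefault="true"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def entity_id_of(metadata_xml: str) -> str:
    """Return the entityID of an SP metadata document, rejecting anything else."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    if root.find(f"{{{MD_NS}}}SPSSODescriptor") is None:
        raise ValueError("metadata does not describe a service provider")
    return entity_id


def check_registration(metadata_xml: str, account: str, registry=ALREADY_REGISTERED):
    """Return (ok, reason): an entity ID may be uploaded by only one account."""
    entity_id = entity_id_of(metadata_xml)
    owner = registry.get(entity_id)
    if owner is None:
        return True, f"{entity_id} is free; {account} may upload it"
    if owner == account:
        return True, f"{entity_id} already belongs to {account}"
    return False, f"{entity_id} is owned by {owner}; choose another entity ID"


if __name__ == "__main__":
    taken = build_sp_metadata("http://localhost:8080/seam-sp", "http://sp.example.test/acs")
    mine = build_sp_metadata("http://sp.example.test/seam-sp", "http://sp.example.test/acs")
    for md in (taken, mine):
        print(check_registration(md, "new-user"))
```

    The first check fails because the article's entity ID is already taken, the second succeeds because the entity ID is your own. Pick the new entity ID first, set it as serviceProviderEntityId in SamlConfig, and only then generate and upload the metadata, so the entityID in the uploaded document matches what the running service provider sends in its requests.
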