Version 9

    JBoss Federated SSO - FAQs/Issues


    IMPORTANT NOTICE:  Please discontinue use of JBoss Federated SSO. You need to use JBoss Identity ( for your needs.



    Federation Server:


    When do I need to use a Federation Server?



    • The Federation Server provides the following functions within the Federated SSO ecosystem.



      • Propagating the SSO token between partner sites located in different security domains.



      • Providing a Trust Service that ensures whether a particular assertion is valid and the user should be automatically authenticated.



      • Providing Federated Account Provisioning between partner sites so that the partners are not forced to share the same data store. With this feature changes to Identity Stores on partner sites are synchronized with other partners in the Federation.



    So, if the partners are all located in the same security domain and share the same identity store, a Federation Server is not needed to propagate the SSO token across partner domains. However, the Trust Service is absolutely essential for the security of the system.


    Hence, for all Federated SSO setups, a Federation Server is required.


    Note: The Federated Account Provisioning in the Federation Server is not implemented yet. It is on the roadmap here: JBSSO-13.




    What is Federated Account Provisioning?



    • Federated Account Provisioning allows Federated partner sites to have their own independent identity store but at the same time keep the data in sync with other partners in the Federation. Some of the uses of Federated Provisioning are:


      • If a user registers on one of the web sites, the user is automatically registered on all the websites in the federation even though they may not necessarily share the same Identity Store


      • Same for password reset, updating user profile etc.\




    Identity Management Framework:


    I don't store my identity data in LDAP. Can I still use JBoss Federated SSO?


    • Absolutely. The Identity Management Framework consists of a way to plug-in LoginProviders to other Identity Stores including proprietary database oriented stores. All you have to do is provide an implementation of a LoginProvider and register it with the Identity Management Service. For details, please refer to: Steps to integrate the Identity Management Framework.\