JBoss Federated SSO - Federation Server Setup
What is a Federation Server?
A Federation Server is a key infrastructure component for securely propagating the SSO token across partner applications that make up a Single Sign On Federation.
Quite clearly the Federation Server adds the "Federated" in a "Federated Single Sign On" system.
Without a Federation Server it is not possible to federate with sites located outside your domain, which severely limits the real benefits of a Single Sign On system.
Without cross-domain federation, a system cannot offer Federated Single Sign On to business partners that are located in a different security domain than yours.
A Federation Server is extremely useful for integrating Single Sign On between your sites and third-party ASP services such as SalesForce.com and 401K.com that also support the SAML standard for Single Sign On.
Even though the primary responsibility of the Federation Server is to propagate a Federation Token/SSO Token (a login assertion) to other sites in the Federation, its responsibilities are being expanded to handle Federated Account Provisioning.
With Federated Account Provisioning, the partner sites no longer have to share the same Identity Store to keep the Identity data in sync. Each partner can have their own Identity Store and the information can be synchronized via the Federation Server.
Federated Account Provisioning is on the roadmap for the GA release of JBoss Federated SSO - JBSSO-13.
Note: partner sites located within the same security domain (for example www.xyz.com and www.marketing.xyz.com) do not need the Federation Server for SSO token propagation. However, if the two sites use separate identity stores, the Federation Server is needed to keep the two identity stores in sync. On the other hand, if the partner sites are www.xyz.com, www.marketing.xyz.com and www.salesforce.com, you need the Federation Server to propagate SSO tokens to salesforce.com.
Installing the Federation Server
To install the Federation Server for a particular domain, drop the jboss-federation-server.ear file into the deploy directory of the JBoss Server.
Configuring the Federation Server
The jboss-federation-server.ear file contains a jboss-federation-server.sar file. Inside the SAR there is a /conf/server.cfg.xml file that is used to configure the server.
Here is a sample server.cfg.xml file:
<?xml version='1.0' encoding='ISO-8859-1'?>
<jboss-sso>
    <!-- partners configuration of the federation server... -->
    <federation-server>
        <partners>
            <partner domain="jboss.com" server="http://www.jboss.com/federate"></partner>
            <partner domain="jboss.org" server="http://www.jboss.org/federate"></partner>
        </partners>
    </federation-server>
</jboss-sso>
Each <partner> declaration denotes a partner website in the federation that this Federation Server should propagate the token to.
domain denotes the security domain of the partner site.
server denotes the URL of the Federation Server located in the partner's security domain.
Each security domain where partner sites are present must run an instance of the Federation Server. The Federation Servers in the different security domains then communicate with each other to exchange SSO token assertions.
Usability Limitation of Cross Domain Federated SSO
One annoyance with cross-domain SSO is that links to partner sites in a different domain cannot be plain direct links. They must point at the current site's Federation Server, which propagates the token and then brings up the partner site's resource in the correct "logged in/logged out" state.
For instance, say I am linking to http://www.xyz.com/products/index from http://www.abc.org. Then on http://www.abc.org the link would be http://www.abc.org/federate?target=http://www.xyz.com/products/index. If it is linked directly, the SSO token will not be propagated to http://www.xyz.com and the user will have to log in again on http://www.xyz.com.
Note: This is no longer a limitation in the framework starting from the 1.0CR1 release. This only affects the 1.0Beta release.
From the 1.0CR1 release onwards, even cross-domain SSO links can be regular links without the /federate?target= format. For details on this issue see the following JIRA issue: http://jira.jboss.com/jira/browse/JBSSO-18
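As an added example (not code from JBoss Federated SSO), the following Python reads the <partners> block of a server.cfg.xml like the one shown under "Configuring the Federation Server", applies two checks a deployer would want before trusting it (that each partner's Federation Server URL uses https, and that its host actually lies in the declared partner domain), and builds the 1.0Beta-style /federate?target= link described under "Usability Limitation of Cross Domain Federated SSO" while refusing targets that are not configured partners. The checks, the function names and the sample configuration are assumptions of this example, not behaviour of the product; the sample deliberately lists one partner over plain http so the check has something to report.

```python
# Added example, not part of JBoss Federated SSO: sanity-check a server.cfg.xml
# partner list and build 1.0Beta-style /federate?target= links against it.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

# Constructed sample modelled on the page's server.cfg.xml; the jboss.org entry
# is deliberately left on plain http so check_partners() has something to report.
SAMPLE_CFG = """<?xml version='1.0' encoding='ISO-8859-1'?>
<jboss-sso>
    <federation-server>
        <partners>
            <partner domain="jboss.com" server="https://www.jboss.com/federate"></partner>
            <partner domain="jboss.org" server="http://www.jboss.org/federate"></partner>
        </partners>
    </federation-server>
</jboss-sso>
"""


def load_partners(cfg_xml):
    """Return {domain: server_url} for every <partner> under <federation-server>."""
    # Feed bytes so the ISO-8859-1 declaration in the file is honoured as written.
    data = cfg_xml.encode("ISO-8859-1") if isinstance(cfg_xml, str) else cfg_xml
    root = ET.fromstring(data)
    partners = {}
    for p in root.iterfind("./federation-server/partners/partner"):
        partners[p.get("domain", "").lower()] = p.get("server", "")
    return partners


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (www.jboss.org is in jboss.org)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def check_partners(partners):
    """Assumed deployer checks (not the product's own): the partner Federation Server
    must be reached over https, and its host must belong to the declared domain."""
    findings = []
    for domain, server in partners.items():
        parts = urlsplit(server)
        if parts.scheme != "https":
            findings.append(f"{domain}: {server} is not https; assertions would cross the network in the clear")
        if not host_in_domain(parts.hostname or "", domain):
            findings.append(f"{domain}: server host {parts.hostname!r} is outside the declared domain")
    return findings


def target_in_federation(target, partners):
    """True if the target URL's host belongs to one of the configured partner domains."""
    host = urlsplit(target).hostname or ""
    return any(host_in_domain(host, d) for d in partners)


def federate_link(local_site, target, partners):
    """Build the 1.0Beta cross-domain link: <local_site>/federate?target=<encoded target>.
    Refuses targets outside the configured partner set so the federation endpoint is
    never pointed at an arbitrary site."""
    if not target_in_federation(target, partners):
        raise ValueError(f"{target} is not a configured federation partner")
    return f"{local_site.rstrip('/')}/federate?{urlencode({'target': target})}"


if __name__ == "__main__":
    cfg = load_partners(SAMPLE_CFG)
    for finding in check_partners(cfg):
        print("WARN", finding)
    print(federate_link("http://www.jboss.com", "http://www.jboss.org/products/index", cfg))
```

Run against the sample, the script warns about the plain-http jboss.org partner and prints http://www.jboss.com/federate?target=http%3A%2F%2Fwww.jboss.org%2Fproducts%2Findex. Note that the page's own example writes the target unencoded; this example percent-encodes it as a query parameter, which is an assumption about how the receiving /federate endpoint decodes it.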