SAML Web Browser SSO on JBoss AS 7.0

Version 10


    This article describes how to achieve SAML v2 Web Browser SSO on JBoss AS7.0 and beyond. Ideally you should be running the latest version of JBoss AS7.

    How do I configure JBoss AS 7 for achieving SAML based SSO?

    1. Configure the org.picketlink module.

    Unzip the attached picketlink-module.zip under the jboss-as-web-7.0.0.Final/modules/org directory.

     

    You should see something like:

     

    ~/jboss-as-web-7.0.0.Final/modules/org/picketlink/main$ ls
    module.xml                                       picketlink-fed-2.0.1.final.jar
    picketlink-bindings-2.0.1.final.jar              picketlink-fed-2.0.1.final.jar.index
    picketlink-bindings-2.0.1.final.jar.index        picketlink-trust-jbossws-2.0.1.final.jar
    picketlink-bindings-jboss-2.0.1.final.jar        picketlink-trust-jbossws-2.0.1.final.jar.index
    picketlink-bindings-jboss-2.0.1.final.jar.index
    

    NOTE: The .index files are created when you start JBoss AS7.

    Also note that we are adding a new module under org.jboss.security called "xacml".


    2. Deploy the PicketLink web apps.

    They are attached as picketlink-webapps.zip. Unzip it under the ~/jboss-as-web-7.0.0.Final/standalone/deployments directory.

     

    You should see something like:

     

    ~/jboss-as-web-7.0.0.Final/standalone/deployments$ ls
    employee-post.war  idp.war                       sales-post.war
    employee.war     picketlink-sts.war              README.txt              sales.war
    

     

    3. Configure the necessary security domains in standalone.xml.

    <subsystem xmlns="urn:jboss:domain:security:1.0">
        <security-domains>
            <security-domain name="other" cache-type="default">
                <authentication>
                    <login-module code="UsersRoles" flag="required"/>
                </authentication>
            </security-domain>
            <security-domain name="jmx-console" cache-type="default">
                <authentication>
                    <login-module code="UsersRoles" flag="required">
                        <module-option name="usersProperties" value="users.properties"/>
                        <module-option name="rolesProperties" value="roles.properties"/>
                    </login-module>
                </authentication>
            </security-domain>
            <security-domain name="idp" cache-type="default">
                <authentication>
                    <login-module code="UsersRoles" flag="required">
                        <module-option name="usersProperties" value="users.properties"/>
                        <module-option name="rolesProperties" value="roles.properties"/>
                    </login-module>
                </authentication>
            </security-domain>
            <security-domain name="sp" cache-type="default">
                <authentication>
                    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
                </authentication>
            </security-domain>
        </security-domains>
    </subsystem>


     

    Note that we added the blocks for "jmx-console", "idp" and "sp" in the security subsystem right after "other".
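
    A quick sanity check of the security subsystem before starting the server, added here as an example and not code from this article or from PicketLink: it parses the subsystem (a whole standalone.xml works too) and reports whether the "idp" domain exists and whether the "sp" domain uses the SAML2LoginModule. The XML inside is a constructed excerpt of the configuration above; the function names are not PicketLink APIs.

```python
import xml.etree.ElementTree as ET

SEC_NS = "{urn:jboss:domain:security:1.0}"
SAML2_LOGIN_MODULE = "org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"

# Constructed excerpt of the security subsystem, trimmed to the two domains
# this article adds. A whole standalone.xml can be passed in just as well:
# the lookups below walk the tree for namespaced security-domain elements.
SAMPLE_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="idp" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required"/>
      </authentication>
    </security-domain>
    <security-domain name="sp" cache-type="default">
      <authentication>
        <login-module code="%s" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>""" % SAML2_LOGIN_MODULE


def login_modules(config_xml):
    """Map each security-domain name to the login-module codes it declares."""
    root = ET.fromstring(config_xml)
    return {
        d.get("name"): [lm.get("code") for lm in d.iter(SEC_NS + "login-module")]
        for d in root.iter(SEC_NS + "security-domain")
    }


def sso_domain_problems(config_xml):
    """List what would stop the sample IDP and SP wars from authenticating.

    The IDP war logs users in against "idp"; the SP valve hands the validated
    SAML assertion to the "sp" domain, which therefore needs SAML2LoginModule.
    """
    domains = login_modules(config_xml)
    problems = []
    if "idp" not in domains:
        problems.append("security-domain 'idp' is missing")
    if "sp" not in domains:
        problems.append("security-domain 'sp' is missing")
    elif SAML2_LOGIN_MODULE not in domains["sp"]:
        problems.append("security-domain 'sp' must use " + SAML2_LOGIN_MODULE)
    return problems
```

    Run sso_domain_problems() over your standalone.xml; an empty list means both domains are present and wired as the article describes.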

     

    4. Start JBoss AS7.0.


    ~/jboss-as-web-7.0.0.Final/bin$ ./standalone.sh 
    =========================================================================
    
      JBoss Bootstrap Environment
    
      JBOSS_HOME: /home/anil/jboss-as-web-7.0.0.Final
    
      JAVA: /opt/java/jdk1.6.0_23/bin/java
    
      JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.modules.system.pkgs=org.jboss.byteman
    
    =========================================================================
    
    08:35:20,535 INFO  [org.jboss.modules] JBoss Modules version 1.0.1.GA
    08:35:21,978 INFO  [org.jboss.msc] JBoss MSC version 1.0.0.GA
    08:35:22,153 INFO  [org.jboss.as] JBoss AS 7.0.0.Final "Lightning" starting
    08:35:26,164 INFO  [org.jboss.as] creating http management service using network interface (management) port (9990) securePort (-1)
    08:35:26,205 INFO  [org.jboss.as.logging] Removing bootstrap log handlers
    08:35:26,346 INFO  [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying JDBC-compliant driver class org.h2.Driver (version 1.2)
    08:35:26,400 INFO  [org.jboss.as.clustering.infinispan.subsystem] (Controller Boot Thread) Activating Infinispan subsystem.
    08:35:26,715 INFO  [org.jboss.as.naming] (Controller Boot Thread) Activating Naming Subsystem
    08:35:26,752 INFO  [org.jboss.as.naming] (MSC service thread 1-2) Starting Naming Service 
    08:35:26,763 INFO  [org.jboss.as.osgi] (Controller Boot Thread) Activating OSGi Subsystem
    08:35:26,829 INFO  [org.jboss.as.security] (Controller Boot Thread) Activating Security Subsystem
    08:35:26,868 INFO  [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 3.2.0.Beta2
    08:35:26,949 INFO  [org.xnio] (MSC service thread 1-1) XNIO Version 3.0.0.Beta3
    08:35:26,978 INFO  [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.0.0.Beta3
    08:35:27,702 INFO  [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-1) The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /opt/java/jdk1.6.0_23/jre/lib/i386/server:/opt/java/jdk1.6.0_23/jre/lib/i386:/opt/java/jdk1.6.0_23/jre/../lib/i386:/usr/lib64/qt-3.3/lib:/usr/lib64/qt-3.3/lib::/usr/java/packages/lib/i386:/lib:/usr/lib
    08:35:27,742 INFO  [org.jboss.as.jmx.JMXConnectorService] (MSC service thread 1-4) Starting remote JMX connector
    08:35:27,751 INFO  [org.jboss.as.ee] (Controller Boot Thread) Activating EE subsystem
    08:35:27,863 INFO  [org.jboss.as.remoting] (MSC service thread 1-2) Listening on /127.0.0.1:9999
    08:35:28,250 INFO  [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-3) Starting Coyote HTTP/1.1 on http--127.0.0.1-8080
    08:35:28,708 INFO  [org.jboss.as.connector] (MSC service thread 1-3) Starting JCA Subsystem (JBoss IronJacamar 1.0.0.CR2)
    08:35:29,059 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) Bound data source [java:jboss/datasources/ExampleDS]
    08:35:29,705 INFO  [org.jboss.as.deployment] (MSC service thread 1-2) Started FileSystemDeploymentService for directory /home/anil/jboss-as-web-7.0.0.Final/standalone/deployments
    08:35:29,782 INFO  [org.jboss.as] (Controller Boot Thread) JBoss AS 7.0.0.Final "Lightning" started in 10435ms - Started 98 of 153 services (55 services are passive or on-demand)
    08:35:29,826 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-3) Starting deployment of "idp.war"
    08:35:29,826 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-2) Starting deployment of "picketlink-sts.war"
    08:35:29,826 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-4) Starting deployment of "sales.war"
    08:35:30,700 INFO  [org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator] (MSC service thread 1-1) BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    08:35:30,700 INFO  [org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (MSC service thread 1-2) IDPWebBrowserSSOValve:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    08:35:30,756 INFO  [org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (MSC service thread 1-2) Did not find picketlink-sts.xml. We will install default configuration
    08:35:30,807 INFO  [org.jboss.web] (MSC service thread 1-4) registering web context: /picketlink-sts
    08:35:30,820 INFO  [org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS] (MSC service thread 1-2) core-sts.xml configuration file loaded
    08:35:30,851 INFO  [org.jboss.web] (MSC service thread 1-1) registering web context: /sales
    08:35:30,851 INFO  [org.jboss.web] (MSC service thread 1-2) registering web context: /idp
    08:35:30,892 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "picketlink-sts.war"
    08:35:30,892 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "idp.war"
    08:35:30,892 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "sales.war"
    08:38:36,216 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-2) Starting deployment of "employee.war"
    08:38:36,267 INFO  [org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator] (MSC service thread 1-4) BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    08:38:36,275 INFO  [org.jboss.web] (MSC service thread 1-4) registering web context: /employee
    08:38:36,283 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 1) Deployed "employee.war"
    08:40:31,451 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-3) Starting deployment of "sales-post.war"
    08:40:31,504 INFO  [org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator] (MSC service thread 1-2) BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    08:40:31,514 INFO  [org.jboss.web] (MSC service thread 1-2) registering web context: /sales-post
    08:40:31,527 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 1) Deployed "sales-post.war"
    08:41:26,599 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-4) Starting deployment of "employee-post.war"
    08:41:26,663 INFO  [org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator] (MSC service thread 1-4) BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
    08:41:26,677 INFO  [org.jboss.web] (MSC service thread 1-4) registering web context: /employee-post
    08:41:26,685 INFO  [org.jboss.as.server.controller] (DeploymentScanner-threads - 1) Deployed "employee-post.war"
    

     

    5. Access the sample web apps in browser tabs. When asked to log in, use user tomcat and password tomcat.

    http://localhost:8080/sales/

    http://localhost:8080/employee/

    http://localhost:8080/sales-post/

    http://localhost:8080/employee-post/

     

    6. You should see SSO in action. The logout link performs a global logout, which logs you out at the IDP.

     

    Additional Settings:

    For JBoss AS 7.0.0.Final only (you should be using 7.0.1 and beyond).

    In standalone.xml, right after the extensions element at the top, configure a system property.


    <server name="xyz.home" xmlns="urn:jboss:domain:1.0">
        <extensions>
            <extension module="org.jboss.as.clustering.infinispan"/>
            <extension module="org.jboss.as.clustering.jgroups"/>
            <extension module="org.jboss.as.connector"/> 
            ....
            <extension module="org.torquebox.web"/>
        </extensions>
        <system-properties>
            <property name="org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR" value="false"/>
        </system-properties>
    
    

     

    PicketLink IDP

     

    The IDP web application provided by PicketLink is the Identity Provider. As a deployer, you should configure this web app for your organization's production use.

     

    Note that when you log into the IDP directly, without going through a service provider application, the IDP treats it as a SAML v1.1 interaction and, once you are authenticated, takes you to a hosted section of the IDP. We provide a sample index dashboard page. Its links have to be of the following format: you link to the IDP with a TARGET query parameter, and the IDP redirects to that target with an additional query parameter, SAMLResponse, that contains the SAML token.

     

    <br/>
    <a href="?TARGET=http%3A//localhost%3a8080/sales-saml11/">Sales</a>
    <br/>
    <a href="?TARGET=http%3A//localhost%3a8080/employee-saml11/">Employee</a>


    Troubleshooting:

    1. After authentication, the webapp shows "redirection failed".

    Configure the system property as shown in additional settings.

     

    2. I just cannot get it to work.

    You can find an instance of AS7.0 with this configuration attached HERE.

     

    How do I enable SSO for my web application?

    First ensure that you have a META-INF/jboss-deployment-structure.xml with:

     

    <jboss-deployment-structure>
    
      <deployment>
        <!-- Add picketlink module dependency -->
        <dependencies>
          <module name="org.picketlink" />
        </dependencies>
      </deployment>
    </jboss-deployment-structure>
    

     

    Then in the WEB-INF directory, you will need a jboss-web.xml:

    <jboss-web>
      <security-domain>sp</security-domain>
      <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator</class-name>
      </valve>
    </jboss-web>

    This configures the SAML POST binding. For the redirect binding, check the settings in sales.war or employee.war.

     

    Of course, you also need a WEB-INF/picketlink-idfed.xml:

     

    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
     <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
     <ServiceURL>${employee-post.url::http://localhost:8080/employee-post/}</ServiceURL>
    </PicketLinkSP>
    

    The ServiceURL should be the URL of your webapp. The ${name::default} form reads the value from the named system property; the default after the :: is used when that system property is not set.
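
    An added example (not code from this article or from PicketLink) showing how the ${property::default} placeholders in picketlink-idfed.xml resolve, plus a check that the effective ServiceURL actually points at the deployed war's context path. The descriptor inside is a constructed copy of the employee-post one above; the function names are not PicketLink APIs.

```python
import re
import xml.etree.ElementTree as ET

SP_NS = "{urn:picketlink:identity-federation:config:1.0}"
# ${property::default}: the system property's value if it is set, else the default.
PLACEHOLDER = re.compile(r"\$\{([^:}]+)::([^}]*)\}")

# Constructed copy of the employee-post SP descriptor shown in the article.
SAMPLE_IDFED = """<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
 <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
 <ServiceURL>${employee-post.url::http://localhost:8080/employee-post/}</ServiceURL>
</PicketLinkSP>"""


def resolve(value, system_properties):
    """Expand every ${name::default} in value using the given system properties."""
    def pick(match):
        return system_properties.get(match.group(1), match.group(2))
    return PLACEHOLDER.sub(pick, value)


def sp_urls(idfed_xml, system_properties):
    """Return the effective IdentityURL and ServiceURL of an SP descriptor."""
    root = ET.fromstring(idfed_xml)
    return {
        tag: resolve(root.findtext(SP_NS + tag, "").strip(), system_properties)
        for tag in ("IdentityURL", "ServiceURL")
    }


def service_url_problems(urls, context_path):
    """Check the resolved ServiceURL against the war's context path.

    The IDP sends the browser back to ServiceURL with the SAML response, so a
    value copied from another war (e.g. /employee-post left in /sales) sends the
    assertion to an application that is not the one the user asked for.
    """
    service = urls["ServiceURL"]
    problems = []
    if not service.startswith(("http://", "https://")):
        problems.append("ServiceURL is not absolute: " + service)
    if not service.rstrip("/").endswith(context_path.strip("/")):
        problems.append("ServiceURL does not end with context path " + context_path)
    if "${" in service or "${" in urls["IdentityURL"]:
        problems.append("unresolved placeholder left in a URL")
    return problems
```

    Pass the system properties you start the server with (for example from -D options) as the dictionary; an empty dictionary reproduces the defaults shown in the descriptor.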

     

    Another file, WEB-INF/picketlink-handlers.xml:

     

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    </Handlers>
    
