Chapter 13. Java Open Single Sign-on

Java Open Single Sign-on (JOSSO) is an open-source single sign-on solution based on Java EE. It allows multiple web servers or web applications to authenticate users against a credential store. Detailed information about JOSSO can be found at http://www.josso.org.
JOSSO integration with the portal requires an Apache Tomcat server instance to host JOSSO. The portal communicates with the JOSSO server through an SSO plug-in.
Setting up the integration consists of two steps:
  • Setting up the JOSSO server
  • Setting up the portal to use the JOSSO server
These two steps differ depending on the chosen version of JOSSO, as described in Section 13.2, “Java Open Single Sign-on Version 1.8” and Section 13.3, “Java Open Single Sign-on Version 2.2”. After completing the procedures described in either section, all links redirecting to user authentication pages will redirect to the JOSSO centralized authentication form.

13.1. Authenticating Java Open Single Sign-on

The login workflow for JOSSO is quite similar to that used for CAS authentication.
When a user clicks to sign into a portal, they are redirected to the JOSSO login screen, where they supply the appropriate credentials. They are then redirected (with access authorization) back to the portal.
The JOSSOAgent component performs a validation of the authorization ticket with the JOSSO server via a back channel after the InitiateLoginFilter has delegated the josso_assertion_id request to it. The JOSSO agent and JOSSO server communicate via web services.
After successful validation, the user's identity is established and the user is logged into the requested Portal.
On logout, JOSSOLogoutFilter performs a logout on both the Portal and the JOSSO server (similar to the process for CAS).
While the authentication plug-in (which is able to send REST requests to the portal, receive the response, and authenticate the user on the JOSSO side) is supported, this support covers only JOSSO 1.8 (not JOSSO 2.2, as of this release).
In this section, it is assumed that the portal is running on JBoss Enterprise Application Platform 6 using localhost:8080 and that the JOSSO server is running on Tomcat, using localhost:8888.

Note

There are differences between JOSSO minor versions (especially between JOSSO versions 1.8.1 and 1.8.2), and the instructions differ slightly between them. The procedures note these differences where required.

13.2. Java Open Single Sign-on Version 1.8

JOSSO can be downloaded from http://sourceforge.net/projects/josso/files/. Use any 1.8.z version in a package that embeds Apache Tomcat. Once downloaded, extract the package into what will be called JOSSO_HOME in this example.

13.2.1. Setting up Java Open Single Sign-on Server

This section describes how to set up the JOSSO server to authenticate against the portal using the REST authentication plug-in.

Note

In this example, the JOSSO server is installed on Tomcat.

Procedure 13.1. Java Open Single Sign-on setup

  1. Copy the contents of the JPP_DIST/gatein-sso/josso/josso-2.2/plugin/ directory into the JOSSO_HOME directory. Among the files that will be copied, the following ones are the most important:

    Note

    It is recommended to use the SSO authentication plug-in with JOSSO.
    • JOSSO_HOME/lib/josso-gateway-config.xml
      This replaces the original file. Create a backup of the original before adding the new file.
    • JOSSO_HOME/lib/josso-gateway-gatein-stores.xml
      This file is not present in the original JOSSO_HOME download.
    • JOSSO_HOME/webapps/josso/WEB-INF/classes/gatein.properties
      This file is not present in the original JOSSO_HOME download. You have to edit the file and change the host and port to match the portal instance. The values are used by the authentication plug-in when sending REST requests over HTTP.
  2. Edit JOSSO_HOME/conf/server.xml and change port 8080 to 8888. This changes the default Tomcat port and avoids a conflict with the default portal port (for testing purposes).

    Port Conflicts

    If the portal is running on the same machine as Tomcat, other ports need to be changed in addition to 8080 to avoid port conflicts. They can be changed to any free port. For example, you can change the admin port from 8005 to 8805, and the AJP port from 8009 to 8809.
  3. Once Tomcat is running, the JOSSO login page is available at http://localhost:8888/josso/signon/login.do. If you are using the SSO authentication plug-in, logging in will not yet work, because the portal platform must first be configured to use this JOSSO instance.

    Figure 13.1. JOSSO Login Page

13.2.2. Setting up Java Open Single Sign-on Client

To enable JOSSO on the client side, modify the configuration properties file JPP_HOME/standalone/configuration/gatein/configuration.properties.
  1. Set the SSO properties.
    Set the values in the #SSO section as shown in the following example:

    Example 13.1. SSO configuration.properties

    #SSO
    gatein.sso.enabled=true
    gatein.sso.callback.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
    gatein.sso.josso.agent.config.file=sso/josso/1.8/josso-agent-config.xml
    gatein.sso.josso.properties.file=file:${jboss.home.dir}/standalone/configuration/gatein/configuration.properties
    gatein.sso.josso.host=localhost:8888
    gatein.sso.josso.base.url=http://${gatein.sso.josso.host}/josso/signon
    gatein.sso.server.url=${gatein.sso.josso.base.url}/login.do
    gatein.sso.portal.url=http://localhost:8080
    gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
    gatein.sso.filter.logout.url=${gatein.sso.josso.base.url}/logout.do
    gatein.sso.filter.login.sso.url=${gatein.sso.server.url}?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/initiatessologin
    
    Set the JOSSO properties:
    • Logout filter: org.gatein.sso.agent.filter.JOSSOLogoutFilter.
    • Location of the JOSSO server: gatein.sso.josso.host.
    • Change gatein.sso.portal.url if the portal is accessed on any URL other than localhost:8080.
    • The location of the agent configuration file gatein.sso.josso.agent.config.file is relative to the classpath, so the agent file is located at JPP_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/sso/josso/1.8/josso-agent-config.xml.
      In most cases this file does not need any properties to be set up.
  2. JOSSO has some specific dependencies, which differ between various versions. The original org.gatein.sso SSO module must be replaced with one appropriate for your version of JOSSO. The alternate modules are available in the JOSSO download.
    1. Delete the JPP_HOME/modules/org/gatein/sso directory.
    2. Copy the SSO_HOME/josso/gatein-josso-<version>/modules/org/gatein/sso directory into JPP_HOME/modules/org/gatein/.
From now on, all links redirecting to the user authentication pages will redirect to the JOSSO centralized authentication form. If you have configured the authentication plug-in for JOSSO, you can log in with portal credentials (for example, john/gtn) on the JOSSO side.

13.3. Java Open Single Sign-on Version 2.2

JOSSO 2.2 takes a different approach to SSO than JOSSO 1.8. It is designed to let users build their own SSO environment by modeling it in a Flash web application called atricore-console.

13.3.1. Setting up Java Open Single Sign-on Server

Prerequisites

Procedure 13.2. Java Single Sign-on setup

  1. Log in to the portal with the username/password combination admin/admin.
  2. Create a new, empty Identity appliance with the following properties:

    Table 13.1. Identity appliance properties

    Setting               Value
    Name                  MYFIRSTIA
    Realm name            com.mycompany.myrealm
    Appliance location    http://server.local.network:8081
  3. Create a new Identity provider named AcmeIDP (use the default settings).
  4. Create an Identity vault called IDPUsers and connect it with AcmeIDP via Identity lookup connection.
  5. Create a Service provider called SP1, with its host set to server.local.network:8081.
  6. Create an Identity vault called SP1Users and wire it with SP1 via Identity lookup connection.
  7. Create an empty temporary directory /tmp/tomcat7, then create a new execution environment of type Tomcat in the atricore console with the following parameters.

    Table 13.2. Parameters for creating a new execution environment in the atricore console

    Setting        Value
    Name           SP1EE
    Version        7.0.x
    Target host    Local
    Install home   /tmp/tomcat7 (the directory must exist, but it can be empty)
  8. Wire SP1 and SP1EE via an Activation connection.

    Note

    All parameters of the connection can keep their default values, with the exception of the Partner application location parameter, whose value needs to be changed to http://localhost:8080/portal.
  9. Wire SP1 and AcmeIDP via a Federated connection.
  10. Click Save.
  11. Go to the Identity appliance life cycle management tab and take the Identity appliance through its life cycle (Saved, Staged, Deployed, Started) as suggested in the quickstart.
  12. Go to the Account & Entitlement management tab and create users. Users must be created this way because REST callbacks to the Portal are not supported in this release.
    In this example, create the following user/password accounts: john/password, root/password and demo/password.

13.3.2. Setting up Java Open Single Sign-on Client

  1. Set the properties in the SSO configuration file JPP_HOME/standalone/configuration/gatein/configuration.properties:

    Example 13.2. SSO file properties

    # SSO
    gatein.sso.enabled=true
    gatein.sso.callback.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
    gatein.sso.filter.initiatelogin.enabled=false
    gatein.sso.filter.initiatelogin.josso2.enabled=true
    gatein.sso.josso.agent.config.file=sso/josso/2.2/josso-agent-config.xml
    gatein.sso.josso.properties.file=file:${jboss.home.dir}/standalone/configuration/gatein/configuration.properties
    gatein.sso.portal.url=http://localhost:8080
    gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
    gatein.sso.filter.logout.url=
    gatein.sso.josso.host=server.local.network:8081
    gatein.sso.server.url=http://${gatein.sso.josso.host}
    gatein.sso.josso.identityApplianceId=MYFIRSTIA
    gatein.sso.josso.partnerAppId=SP1
    gatein.sso.josso.partnerAppPoint=SP1EE
    gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/IDBUS/${gatein.sso.josso.identityApplianceId}/${gatein.sso.josso.partnerAppPoint}/JOSSO/SSO/REDIR?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/josso_security_check&josso_partnerapp_id=${gatein.sso.josso.partnerAppId}
    

    Note

    The property gatein.sso.filter.logout.url is empty because the logout URL will be obtained from the JOSSO agent configuration set in file JPP_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/sso/josso/2.2/josso-agent-config.xml.
  2. Update the SSO module in JBoss Enterprise Application Platform 6:
    1. Delete the JPP_HOME/modules/org/gatein/sso directory.
    2. Copy the SSO_HOME/josso/gatein-josso-182/modules/org/gatein/sso directory into JPP_HOME/modules/org/gatein/.
  3. Test the configuration:
    1. Start the Portal.
    2. Access http://localhost:8080/portal and click Sign in. You will be redirected to the JOSSO instance, but you will need to log in with the username and password created via the JOSSO console (for example john/password), as REST callbacks are not supported.
    After a successful login to JOSSO, you will be redirected to the portal authenticated as john.
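Before starting the portal, it helps to see what the ${...} placeholders in Example 13.1 and Example 13.2 actually expand to. The following Python check is added here and is not part of the product or of this guide: it embeds a constructed subset of Example 13.2, assumes nested ${key} expansion and that @@portal.container.name@@ becomes portal (as in the test URL http://localhost:8080/portal), leaves JVM properties such as ${jboss.home.dir} unresolved, and reports whether josso_back_to stays on the portal's own origin.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample: a subset of the JOSSO 2.2 configuration.properties shown in
# this chapter (values copied from Example 13.2); not the file shipped with the product.
SAMPLE_2_2 = """\
# SSO
gatein.sso.enabled=true
gatein.sso.josso.properties.file=file:${jboss.home.dir}/standalone/configuration/gatein/configuration.properties
gatein.sso.portal.url=http://localhost:8080
gatein.sso.filter.logout.url=
gatein.sso.josso.host=server.local.network:8081
gatein.sso.server.url=http://${gatein.sso.josso.host}
gatein.sso.josso.identityApplianceId=MYFIRSTIA
gatein.sso.josso.partnerAppId=SP1
gatein.sso.josso.partnerAppPoint=SP1EE
gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/IDBUS/${gatein.sso.josso.identityApplianceId}/${gatein.sso.josso.partnerAppPoint}/JOSSO/SSO/REDIR?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/josso_security_check&josso_partnerapp_id=${gatein.sso.josso.partnerAppId}
"""
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def parse_properties(text):
    """Minimal key=value parser: skips blank lines and # comments, keeps empty values."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(props, portal_container="portal"):
    """Expand ${key} references recursively (assumed to match how the portal loads the
    file) plus the @@portal.container.name@@ token; unknown keys such as
    ${jboss.home.dir} (a JVM system property, not in the file) are left untouched."""
    def expand(value, depth=0):
        if depth > 20:
            raise ValueError("circular property reference")
        def sub(m):
            key = m.group(1)
            return expand(props[key], depth + 1) if key in props else m.group(0)
        return PLACEHOLDER.sub(sub, value).replace("@@portal.container.name@@", portal_container)
    return {k: expand(v) for k, v in props.items()}

def check_back_to(resolved):
    """Return the josso_back_to target of the login URL and whether it stays on the
    portal's own origin (gatein.sso.portal.url), so users are never sent elsewhere."""
    login_url = resolved["gatein.sso.filter.login.sso.url"]
    back_to = parse_qs(urlsplit(login_url).query)["josso_back_to"][0]
    portal, target = urlsplit(resolved["gatein.sso.portal.url"]), urlsplit(back_to)
    return back_to, (target.scheme, target.netloc) == (portal.scheme, portal.netloc)
```

The same functions work on the JOSSO 1.8 file from Example 13.1, whose login URL resolves to http://localhost:8888/josso/signon/login.do?josso_back_to=http://localhost:8080/portal/initiatessologin.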