Chapter 15. Single Sign On (SSO)
15.1. About Single Sign On (SSO) for Web Applications
Single Sign On (SSO) allows authentication to one resource to implicitly authorize access to other resources.
Non-clustered SSO limits the sharing of authorization information to applications on the same virtual host. In addition, there is no resiliency in the event of a host failure. Clustered SSO data can be shared between applications in multiple virtual hosts, and is resilient to failover. In addition, clustered SSO is able to receive requests from a load balancer.
If a resource is unprotected, a user is not challenged to authenticate at all. If a user accesses a protected resource, the user is required to authenticate.
Limitations of SSO
- No propagation across third-party boundaries.
- SSO can only be used between applications deployed within JBoss EAP 6 containers.
- Container-managed authentication only.
- You must use container-managed authentication elements such as
<login-config>in your application's
- Requires cookies.
- SSO is maintained via browser cookies and URL rewriting is not supported.
- Realm and security-domain limitations
- Unless the
requireReauthenticationparameter is set to
true, all web applications configured for the same SSO valve must share the same Realm configuration in
web.xmland the same security domain.You can nest the Realm element inside the Host element or the surrounding Engine element, but not inside a context.xml element for one of the involved web applications.The
<security-domain>configured in the
jboss-web.xmlmust be consistent across all web applications.All security integrations must accept the same credentials (for instance, username and password).