JBoss.org Community Documentation
In this chapter, we will look at usage of JBoss Identity Federation to help you obtain a platform to implement federated identity based services (including centralized identity services and Single Sign-On (SSO) for applications).
This section will talk about the configuration information to support the SAML V2.0 based Web Single Sign On (SSO). The SAML profile that is implemented is the HTTP/Redirect binding with centralized identity services to enable web SSO for your applications.
Hub and Spoke Architecture for the SAML v2 based Web SSO
The architecture follows the Hub and Spoke model of Identity Management. An Identity Provider (IDP) is the hub: the central source of identity and role information for all the applications. The Service Providers (SP) are the spokes.
The IDP and the SP can be a JBoss Application Server or a Tomcat instance. Please note that the instructions for Tomcat and JBAS are different.
The IDP can be a JBoss Application Server or a Tomcat instance.
You need to configure a web application as the Identity provider.
The web application needs to have FORM or BASIC based security enabled in its web.xml. We recommend the use of FORM based web application security as it gives you the ability to customize the login page.
The web.xml needs to have a configuration such as the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
  <display-name>IDP</display-name>
  <description>IDP</description>

  <!-- Define a security constraint that gives unlimited access to images -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Images</web-resource-name>
      <url-pattern>/images/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>IDP</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>IDP Application</realm-name>
    <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>
      The role that is required to log in to the IDP Application
    </description>
    <role-name>manager</role-name>
  </security-role>
</web-app>
Remember to configure the realm or login modules for your IDP as per the Tomcat or JBoss AS documentation on "securing your web application".
Tomcat Realm and JBoss AS Security
Create a context.xml file for configuring the valves for the IDP.
The context.xml file should look like:
<Context>
  <Valve className="org.jboss.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve" />
</Context>
If the IDP is running in Apache Tomcat, then place the context.xml in META-INF of your IDP web application.
If the IDP is running in JBoss Application Server, then place the context.xml in WEB-INF of your IDP web application.
Configure jboss-idfed.xml in WEB-INF of your IDP web application
<JBossIDP xmlns="urn:jboss:identity-federation:config:1.0">
  <IdentityURL>http://localhost:8080/idp</IdentityURL>
</JBossIDP>
In this configuration file, you are providing the URL of your IDP. This is the URL that gets added as the issuer in the outgoing SAML2 assertions to the Service Providers.
The SP can be a JBoss Application Server or a Tomcat instance.
You need to configure a web application as the Service Provider (SP).
The web application needs to have FORM based security enabled in its web.xml.
The web.xml needs to have a configuration such as the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
  <display-name>Test SALES Application</display-name>
  <description>
    Just a Test SP
  </description>

  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SALES Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define a security constraint that gives unlimited access to freezone -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>freezone</web-resource-name>
      <url-pattern>/freezone/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Tomcat SALES Application</realm-name>
    <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>
      The role that is required to log in to the SP Application
    </description>
    <role-name>manager</role-name>
  </security-role>
</web-app>
The SP web application should be configured with FORM based authentication.
Create a context.xml file for configuring the valves for the SP.
The context.xml file should look like:
<Context>
  <Valve className="org.jboss.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator" />
</Context>
If the SP is running in Apache Tomcat, then place the context.xml in META-INF of your SP web application.
If the SP is running in JBoss Application Server, then place the context.xml in WEB-INF of your SP web application.
Configure jboss-idfed.xml in WEB-INF of your SP web application
<JBossSP xmlns="urn:jboss:identity-federation:config:1.0">
  <IdentityURL>http://localhost:8080/idp</IdentityURL>
  <ServiceURL>http://localhost:8080/sales</ServiceURL>
</JBossSP>
In this configuration file, we define the URLs for the service provider and the identity provider.
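The IdentityURL configured on the IDP is what appears as the Issuer of the assertions it sends, and the SP's jboss-idfed.xml names the IDP it trusts and its own ServiceURL. The following added example (not part of the JBoss Identity Federation code base) shows the check an SP should make on an incoming SAML2 Response against that configuration: the Issuer on the Response and on each Assertion must equal the configured IdentityURL, and when the Assertion carries a standard SAML AudienceRestriction, the ServiceURL must be among the audiences. The sample Response is constructed for the example; signature verification, which a real deployment also needs, is not shown.

```python
import xml.etree.ElementTree as ET

# Namespace of the JBoss Identity Federation config file and the SAML 2.0 namespaces.
NS_CFG = "{urn:jboss:identity-federation:config:1.0}"
NS_SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
NS_SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed copy of the SP jboss-idfed.xml shown in the text.
SP_CONFIG = """<JBossSP xmlns="urn:jboss:identity-federation:config:1.0">
  <IdentityURL>http://localhost:8080/idp</IdentityURL>
  <ServiceURL>http://localhost:8080/sales</ServiceURL>
</JBossSP>"""

# Constructed SAML2 Response whose Issuer matches the configured IDP.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml:Issuer>http://localhost:8080/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
    <saml:Issuer>http://localhost:8080/idp</saml:Issuer>
    <saml:Subject><saml:NameID>manager</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>http://localhost:8080/sales</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed Response issued by some other IDP URL; the SP must reject it.
WRONG_ISSUER_RESPONSE = GOOD_RESPONSE.replace(
    "http://localhost:8080/idp", "http://localhost:9090/other-idp")


def load_sp_config(xml_text):
    """Return (identity_url, service_url) from a JBossSP configuration."""
    root = ET.fromstring(xml_text)
    if root.tag != NS_CFG + "JBossSP":
        raise ValueError("not a JBossSP configuration")
    idp = (root.findtext(NS_CFG + "IdentityURL") or "").strip()
    sp = (root.findtext(NS_CFG + "ServiceURL") or "").strip()
    if not idp or not sp:
        raise ValueError("IdentityURL and ServiceURL are both required")
    return idp, sp


def check_response(response_xml, identity_url, service_url):
    """Return a list of problems; an empty list means the Response passed."""
    problems = []
    resp = ET.fromstring(response_xml)
    if resp.tag != NS_SAMLP + "Response":
        return ["root element is not samlp:Response"]
    assertions = resp.findall(NS_SAML + "Assertion")
    if not assertions:
        problems.append("Response carries no Assertion")
    # The Issuer on the Response and on every Assertion must be the trusted IDP.
    for el in [resp] + assertions:
        issuer = (el.findtext(NS_SAML + "Issuer") or "").strip()
        if issuer != identity_url:
            local = el.tag.split("}", 1)[1]
            problems.append(f"{local}: Issuer {issuer!r} is not the configured IDP {identity_url!r}")
    # If the IDP restricted the audience, this SP's ServiceURL must be listed.
    path = f"{NS_SAML}Conditions/{NS_SAML}AudienceRestriction/{NS_SAML}Audience"
    for a in assertions:
        audiences = [x.text.strip() for x in a.findall(path) if x.text]
        if audiences and service_url not in audiences:
            problems.append(f"Assertion: audience {audiences} does not include {service_url!r}")
    return problems


if __name__ == "__main__":
    idp_url, sp_url = load_sp_config(SP_CONFIG)
    print("good response:", check_response(GOOD_RESPONSE, idp_url, sp_url) or "accepted")
    print("wrong issuer: ", check_response(WRONG_ISSUER_RESPONSE, idp_url, sp_url))
```

Running the block prints an empty problem list for the constructed good Response and two Issuer mismatches (Response and Assertion) for the one from the other IDP URL. Comparing the Issuer as an exact string, rather than by prefix or host, is deliberate: a lenient match would let a response issued by a different path on the same host pass.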
Configure a jboss-web.xml file in the WEB-INF directory of your SP web application.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
  <security-domain>java:/jaas/sp</security-domain>
</jboss-web>
In this example, we have specified a security domain of "sp". You can use any security domain name of your choice as long as you configure the login module in the next step appropriately.
Configure the login module in conf/login-config.xml of your JBoss AS server configuration.
<application-policy name="sp">
  <authentication>
    <login-module code="org.jboss.identity.federation.bindings.jboss.auth.SAML2LoginModule" />
  </authentication>
</application-policy>
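The SP setup above spans five files that must agree with each other: web.xml (FORM authentication, an auth-constraint on /*), context.xml (the SP valve), jboss-idfed.xml (both URLs), jboss-web.xml (the security domain) and login-config.xml (an application-policy of the same name using SAML2LoginModule). A mismatch between the security-domain name and the application-policy name is the easiest one to get wrong, and the text only says to "configure the login module appropriately". The following added example (not part of the JBoss Identity Federation project) is a small lint that reads the five files and reports every inconsistency it finds; the file contents are constructed, abbreviated copies of the snippets in this section.

```python
import xml.etree.ElementTree as ET

SP_VALVE = "org.jboss.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator"
SAML2_LOGIN_MODULE = "org.jboss.identity.federation.bindings.jboss.auth.SAML2LoginModule"
JAAS_PREFIX = "java:/jaas/"

# Constructed, abbreviated copies of the SP deployment files from the text.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/freezone/*</url-pattern></web-resource-collection>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
CONTEXT_XML = '<Context><Valve className="%s" /></Context>' % SP_VALVE
IDFED_XML = """<JBossSP xmlns="urn:jboss:identity-federation:config:1.0">
  <IdentityURL>http://localhost:8080/idp</IdentityURL>
  <ServiceURL>http://localhost:8080/sales</ServiceURL>
</JBossSP>"""
JBOSS_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web><security-domain>java:/jaas/sp</security-domain></jboss-web>"""
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="sp">
    <authentication><login-module code="%s" /></authentication>
  </application-policy>
</policy>""" % SAML2_LOGIN_MODULE


def parse(xml_text):
    """Parse XML and drop namespaces so web.xml elements can be queried by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def lint_sp(web_xml, context_xml, idfed_xml, jboss_web_xml, login_config_xml):
    """Return the list of findings; an empty list means the five files agree."""
    findings = []
    web = parse(web_xml)
    if (web.findtext("login-config/auth-method") or "").strip() != "FORM":
        findings.append("web.xml: the SP must use FORM authentication")
    # Only url-patterns whose constraint carries an auth-constraint are protected.
    protected = set()
    for sc in web.findall("security-constraint"):
        if sc.find("auth-constraint") is not None:
            for p in sc.findall("web-resource-collection/url-pattern"):
                protected.add((p.text or "").strip())
    if "/*" not in protected:
        findings.append("web.xml: no auth-constraint covers /*, so unauthenticated requests reach the application")
    ctx = parse(context_xml)
    if SP_VALVE not in [v.get("className") for v in ctx.findall("Valve")]:
        findings.append("context.xml: SPRedirectFormAuthenticator valve is missing")
    cfg = parse(idfed_xml)
    if cfg.tag != "JBossSP":
        findings.append("jboss-idfed.xml: root element must be JBossSP")
    for name in ("IdentityURL", "ServiceURL"):
        if not (cfg.findtext(name) or "").strip():
            findings.append(f"jboss-idfed.xml: {name} is missing")
    domain = (parse(jboss_web_xml).findtext("security-domain") or "").strip()
    if not domain.startswith(JAAS_PREFIX):
        findings.append(f"jboss-web.xml: security-domain {domain!r} is not a {JAAS_PREFIX} name")
        return findings
    # The part after java:/jaas/ must name an application-policy in login-config.xml.
    policy_name = domain[len(JAAS_PREFIX):]
    lc = parse(login_config_xml)
    policies = [lc] if lc.tag == "application-policy" else lc.findall("application-policy")
    match = [p for p in policies if p.get("name") == policy_name]
    if not match:
        findings.append(f"login-config.xml: no application-policy named {policy_name!r}")
    else:
        codes = [m.get("code") for m in match[0].findall("authentication/login-module")]
        if SAML2_LOGIN_MODULE not in codes:
            findings.append(f"login-config.xml: policy {policy_name!r} does not use SAML2LoginModule")
    return findings


if __name__ == "__main__":
    print(lint_sp(WEB_XML, CONTEXT_XML, IDFED_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML) or "SP configuration is consistent")
    print(lint_sp(WEB_XML, CONTEXT_XML, IDFED_XML,
                  JBOSS_WEB_XML.replace("java:/jaas/sp", "java:/jaas/sales"), LOGIN_CONFIG_XML))
```

The second call in the usage section renames the security domain to "sales" without a matching application-policy and gets a single finding naming the missing policy. The lint accepts either a whole login-config.xml (root element policy) or the bare application-policy fragment shown in the text.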