I need to set up JBOSS EAP6 WebApp to integrate with Siteminder with IDP initiated SAML2 artifact binding.The current integration is using Form based header authentication. Siteminder is onPrem and JBOSS/App is in AWS. I have little visibility to the siteminder set up or it's requirement to integrate to JBOSS. I have a clarity on setting up the ServiceProvider in JBOSS for SSO and Single Log out with post binding.
My question are:
1. To integrate with an OnPrem Siteminder IDM, what components other than JBOSS and it's configurations are to be present in the server hosting JBOSS?
Something like a siteminder agent to be run in the server?
From a purely JBOSS perspective ,where does the JBOSS set up boundary starts?
I went through the net and could not find a conclusive list of components required to meet this integration.
2. Artifact binding is not supported by JBOSS EAP 6 per doc, so I must ask the IDM team to support SSO with post binding, correct?
Thank you in advance for your help.
You need to implemented your own JAAS security module. There is information on JBoss and CA websites on how to do this. This module will provide the authenication (user) and authorization (roles) to the applications deployed on JBoss. When developing I suggest setting the log level of org.jboss.security to trace.
It is picketlink that needs to be configured.Github has [examples][1]
[1]: https://github.com/jboss-developer/jboss-picketlink-quickstarts .
There is no need of siteminder agent if SP set up alone in the scope.
Also IDM team has to be requested to stick to POST Binding.
This covers the questions I asked.
Related
We are a Java shop and use maven. Our app is on wildfly 18. Does anyone have any experiences on migrating a wildfly app to OIDC? We were given a security library that we can use to make OIDC calls to, but it requires a config file co-located with this library. Do we need to use a module for this? If so, do we need a particular section filled out in our standalone.xml?
You asked about Wildfly 18. This one for sure needs add-on modules, such as those provided by the keycloak project (https://www.keycloak.org/downloads).
Since Wildfly 25 the OpenID Connect functionality was added to the Wildfly releases, and since then the addon modules are no longer required. In fact, they should no longer get installed as they seem to break Wildfly.
See also
Secure WebApp in Wildfly 25 using OpenID Connect (OIDC) without installing a Keycloak client adapter
https://docs.wildfly.org/25/WildFly_Elytron_Security.html#validating-jwt-tokens
https://www.youtube.com/watch?v=2gQO4_7Z5CI
I am having a Web Application running on tomcat and hosted on amazon, I want to add it as an SAML Service Provider which allows single sign on(SSO) in onelogin(https://www.onelogin.com/)
I have a free trial account in one login, and In Add App section I can see many applications like salesforce,aws and all but how can I add my own application there ?
I clicked on Suggest an App and and gave my application URL. Is there anyway I can add my own application as an SP in onelogin ?
You can use the SAML Test Connector. It works with any generic SAML Service Provider.
If you also need to add SAML support to your tomcat application, you should know that Tomcat does not have a SAML SP provider implementation itself, so you will need to add SAML support to the java application. For that you can use:
OIOSAML
spring security
java-saml
shibboleth (It requires also Apache).
On the Bluemix Liberty feature list, it says Spnego-1.0 is supported. Does anyone have any Bluemix documentation (not plain Liberty, because this would mean I installed the Liberty server on my own enterprise domain) on how to even begin to use this? It seems to me that if SPN are locked down to a domain name, how would this even work for an app running on a domain such as this: "www.ng.bluemix.net"?
Does this mean there is a requirement to have Bluemix infrastructure installed onto our enterprise infrastructure to even begin thinking about Spnego?
SPNEGO makes sense if you're trying to achieve SSO between say a Microsoft Desk Top and say a WASaaS (WAS or Liberty) running a web app in a Softlayer VM behind a private firewall, then a SPNEGO solution would work. In a more public setting, OpenID Connect should be considered as an option.
If SPNEGO really needs to be used, see the Liberty documentation. You can then customize a Liberty server.xml file in Bluemix to get this to work. To use a custom Liberty server.xml file, see the info noted under standalone applications.
I want to use SSO jbpm 6.2 via CAS server 4.0.0 (and cas is running on tomcat) but i don't know how to do it. I searched on google but i can't find how to config wildfly of jbpm 6.2 with CAS server.
Please help me, thank you for your help !
I have no expirience with CAS but this tutorial helped me set up jbpm 6.1 with WSO2 Identity Manager.
http://riyazmsm.blogspot.mx/2014/05/jbpm-60-sso-integration-with-wso2.html
It might not be the same but this can put you on the right track since CAS can also handle SAML. Wildfly uses picketlink to handle security federation, reading the docs will be helpful on your journey.
I have to give my recommendations for an architecture for SSO using Site Minder.
We have few J2EE applications. These J2EE applications are designed to work when http headers have information after authentication by SSO provider. We have kept our applications SSO provider agnostic. This means we only rely on headers from SSO provider. This worked well with RSA as the SSO provider.
Now there is another architecture proposed with SiteMinder. The way request will flow is
SiteMinder with IIS -> Apache Reverse Proxy -> Tomcat Application -> Backend Applications.
To break down we will have
a) SiteMinder with IIS (public facing site)
b) Apache Reverse Proxy ( For routing)
c) Tomcat Application (For routing and a logic for site access based on time)
d) Backend applications
The reason for bringing the new architecture is that all back end applications have code for site access. The site can be down for some time, which is controlled by a property file.
I find this architecture wrong. I do not understand why Apache Reverse Proxy is requried. I would still go with simple architecture with flow as
a) SiteMinder with IIS doing the routing -> Backend Applications(accessing a common service to check whether site can be accessed or not)
Am I missing something?
The Apache reverse proxy would make it easier to load balance between multiple IIS instances. As far as I know to do something similar on IIS you would need to use the ARR (application request routing) module which won't be optimised to work with Tomcat etc.
However, the SiteMinder with IIS does seem an added overhead in your architecture. The Apache reverse proxy also supports SiteMinder agents. Why don't you push for setting up the SiteMinder agent on the Apache proxy and remove IIS completely from the picture. I can think of the following benefits:
Remove one extra layer from the architecture
Remove an extra network hop
Clean up the stack. Apache + Tomcat is very standard in enterprises while IIS + Apache + Tomcat definitely isn't.
Hope this helps
I don't see either the rationale behind the second architecture. The first scenario is a much more common deployment of Siteminder.
Be aware that this kind of architecture potentially opens vulnerabilities (logon bypass notably). See my answer on this question. Those remarks are true for both architectures.