I am having an Rest Web Services application and Admin web application,
Rest web services will be interacted with mobile , where are Admin web application will be used for maintaining purpose.
for both webservice application and amin web application the credentails are same.
so i need josso to provide single sign on for this.
Can you please help how to star configure. I have gone through Josso site where there was a basic info. can any one please help me out if u have any doc to configure .Thank you
I have a similar application setup where one web application provides Rest Services as well as user-facing web application. As far as I know, JOSSO will provide you with user-facing SSO authentication and is not intended to work with rest services.
Instead what I have done is define the URLs of my rest services in the deployment descriptor (web.xml) under a web-resource-collection that will be ignored under JOSSO configuration. Then I defined a separate filter to handle the rest authentication separately. More specifically:
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>public-resources</web-resource-name>
<url-pattern>/restservices/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
josso-agent-config.xml
<configuration>
<agent:agent-configuration>
<agent:partner-apps>
<agent:partner-app id="myapplication-sp" vhost="10.1.8.11" context="/myappcontext" ignore-web-resource-collections="public-resources"/>
</agent:partner-apps>
</agent:agent-configuration>
</configuration>
With this I was able to use JOSSO to secure most of my web application and ignore the rest services I have. I used a custom authentication filter for my rest services (Spring).
Hope this helps!
Related
I am having a Web Application running on tomcat and hosted on amazon, I want to add it as an SAML Service Provider which allows single sign on(SSO) in onelogin(https://www.onelogin.com/)
I have a free trial account in one login, and In Add App section I can see many applications like salesforce,aws and all but how can I add my own application there ?
I clicked on Suggest an App and and gave my application URL. Is there anyway I can add my own application as an SP in onelogin ?
You can use the SAML Test Connector. It works with any generic SAML Service Provider.
If you also need to add SAML support to your tomcat application, you should know that Tomcat does not have a SAML SP provider implementation itself, so you will need to add SAML support to the java application. For that you can use:
OIOSAML
spring security
java-saml
shibboleth (It requires also Apache).
We are looking forward to implement ADFS to implement SSO across our organization for various set of web applications such as (SAP, Siebel, Custom java based, Asp.net etc.).
I understand based on my research that ADFS can be used to achieve SSO for third party applications using SAML. It can act as an identity provider for third party applications. Please correct me if I am wrong.
Can we use the ADFS to implement cookie based SSO for the various internal web based apps which I mentioned above?? (For Ex: CA Siteminder, ORacle Access manager can work with almost every internal web based application)
In other words: we have one application using apache webserver, one using IIS webserver, one using IHS webserver; can ADFS be used to achieve Single sign on with all these applications??? If yes, How ???
Thanks in Advance...!!
Ashish
ADFS implements SSO via federation using either WS-Fed or SAML 2.0.
If these applications can support these protocols, then yes just federate these products with ADFS and you will get SSO.
e.g. SalesForce SSO with ADFS.
For Java you need a SAML stack e.g. Spring Security.
For ASP.NET, use OWIN or WIF.
I want to make my website pages password protected.I make the website using restful webservices in java using jersey.So can any one tell me how to protect my web pages using apache shiro.Any one have implemented example to securing a website using apache shiro if yes than plz share the example.I shall be thankful :)
For protecting your webservices using shiro you can use following template files and can customize with your own requirements. Include the jars or add to pom as required.
Add these to web.xml
<filter>
<filter-name>Shiro</filter-name>
<filter-class>
org.apache.shiro.web.servlet.IniShiroFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>Shiro</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Now for shiro.ini to be place in WEB-INF (I am using basic Authentication with username and roles in shiro.ini which you can use from database etc as per your need, Assuming that /rest is the url for jersey rest services)
[main]
[urls]
/rest/** = noSessionCreation,authcBasic
/**= anon
[users]
admin=admin
Following excellent article talks about SSO connection between one web application to wso2 IS through SAML2.0.
http://wso2.org/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server
My requirement is to connect multiple web applications through SSO with the wso2 IS. Can anyone give me some light on this how can I do that?
In another words if I login to any one of those webapp I can navigate to other webapps by clicking on the links available on the first webapp without relogin.
Yes. This is possible with WSO2 IS..You can refer this for more information where you can find IS as the IDP for all the webapps...
I'm trying to figure out (if it's possible) how to integrate the JBoss GateIn Portal app with PicketLink-STS to generate a security token (i.e. SAML Assertion) that can be used to implement "Single Sign On" (thus talk to backside EJB services that require authentication).
There is decent documentation on how to configure JBoss 5.1 with EJB services and have them protected by PicketLink-STS for authentication with a security token (implemented via security domains and login config modules).
However, it's not clear how to get the JBoss 5.1/GateIn portal application to integrate with PicketLink-STS, so that the portlets can obtain a security token (for the logged in user) than can then be passed to the backside EJB services that are validated against the PicketLink-STS for authentication?
Wonder if this is possible or a dead-end road.
I'm no expert on GateIn, but, I show my results after some research .
First I based on version 3.4 of GateIn is the last for JBoss 5.
To configure Gatein authentication SAML token-based, must be enabled SSO autentication, the integration GateIn with SAML2 use JBoss project Picketlink Federation.
SAML SSO authentication is based on circle of trust between SP and IDP. This can be done by following the steps described in this link: Chapter 6. Authentication and Identity - SAML
The resources required can be downloaded from the following url:
GateIn SSO: https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging/1.1.2-Beta02/sso-packaging-1.1.2-Beta02.zip
idp-sig (STS and more examples): https://repository.jboss.org/nexus/service/local/repositories/releases/content/org/picketlink/quickstarts/picketlink-quickstarts/2.1.1.Final/picketlink-quickstarts-2.1.1.Final-webapps-jboss-as5.zip
The STS configuration is a part of the Identity Provider and this can be edited as described in the following documentation: SecurityToken Service Configuration (PicketLinkSTS Element)
After you have completed all the steps to enable authentication based SAML tokens (working correctly), you must add the following filter to GateIn (like SAML2LogoutFilter):
<filter>
<filter-name>PicketlinkSTSIntegrationFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.PicketlinkSTSIntegrationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>PicketlinkSTSIntegrationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This filter set org.picketlink.identity.federation.core.wstrust.SamlCredential into org.jboss.security.client.SecurityClient, which enables to propagate authentication from SAML2 ticket into underlying EJB or WS calls.
See also:
SAML EJB Integration with PicketLink STS
SAML WS Integration with PicketLink STS
I hope this help.