Hi all, I am wondering how the SAML token is propagated between domains.

When I log in on the first server, I see clearly in the console that the SAML token has been generated and that it has been put on the trust server. Now, if I try to log in on the second server, I see that the SSOTokenManager is looking for the SAML token in the request or in a cookie. Since it is in neither place, the application shows the login page (which I certainly don't want). What am I doing wrong here? Do I need to add a specific parameter to the request?

Notice in the following code fragments that I implemented my own LoginProvider and LoginModule. But neither one is invoked when I hit the second server for the first time.

I am using JBoss Federated SSO 1.0 CR1 on JBoss AS 4.0.2 with the following settings. On both servers I have the following setup.

My SSO server config:

    <jboss-sso>
      <identity-management>
        <login>
          <provider id="si:intertrade:jboss-sso:database:login"
                    class="com.intertrade.common.sso.DatabaseLoginProvider">
            <property name="hashAlgorithm">SHA1</property>
            <property name="hashEncoding">base64</property>
            <property name="unauthenticatedIdentity">guest</property>
            <property name="dsJndiName">java:/topcatDB</property>
            <property name="principalsQuery">select user_password from USERS where USER_NAME = ?</property>
            <property name="rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</property>
          </provider>
        </login>
      </identity-management>

      <!-- sso processor for SingleSignOn, the default JBossSingleSignOn processor uses OpenSAML-1.0,
           the next version of this processor will use the latest SAML specification -->
      <sso-processor>
        <processor class="org.jboss.security.saml.JBossSingleSignOn">
          <property name="trustServer">https://scarlet.montreal.intertrade.com:8443/federate/trust</property>
        </processor>
      </sso-processor>
    </jboss-sso>

My JAAS login config:

    <application-policy name="topcat">
      <authentication>
        <login-module code="com.intertrade.common.sso.DatabaseLoginModule" flag="required">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="hashAlgorithm">SHA1</module-option>
          <module-option name="hashEncoding">base64</module-option>
          <module-option name="unauthenticatedIdentity">guest</module-option>
          <module-option name="dsJndiName">java:/topcatDB</module-option>
          <module-option name="principalsQuery">select user_password from USERS where USER_NAME = ?</module-option>
          <module-option name="rolesQuery">select name, 'Roles' from roles a, users b, users_roles c where b.user_name = ? and c.user_id = b.user_id and a.role_id = c.role_id</module-option>
          <module-option name="provider">si:intertrade:jboss-sso:database:login</module-option>
        </login-module>
      </authentication>
    </application-policy>

Federated server setting:

    <jboss-sso>
      <federation-server>
        <partners>
          <partner domain="intertrade.com" server="https://scarlet.montreal.intertrade.com:8443/federate"/>
          <partner domain="tradelinks.net" server="https://localhost.tradelinks.net:8443/federate"/>
        </partners>
      </federation-server>
    </jboss-sso>

On server 1 (scarlet.montreal.intertrade.com), I have the following Tomcat valve settings:

    <?xml version="1.0"?>
    <Context>
      <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /-->

      <!--
        logoutURL - URL for performing logout/signout function in your application
      -->
      <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/>

      <!--
        assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
      -->
      <Valve className="org.jboss.security.valve.SSOTokenManager"
             assertingParty="https://scarlet.montreal.intertrade.com:8443/federate"/>

      <!--
        tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
      -->
      <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM"
             provider="si:intertrade:jboss-sso:database:login"/>
    </Context>

On server 2 (localhost.tradelinks.net), I have the following Tomcat valve settings:

    <?xml version="1.0"?>
    <Context>
      <!--Valve className="org.jboss.security.valve.SSOFederationRouter" /-->

      <!--
        logoutURL - URL for performing logout/signout function in your application
      -->
      <Valve className="org.jboss.security.valve.SSOAutoLogout" logoutURL="/login/logout.jsp"/>

      <!--
        assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
      -->
      <Valve className="org.jboss.security.valve.SSOTokenManager"
             assertingParty="https://localhost.tradelinks.net:8443/federate"/>

      <!--
        tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
      -->
      <Valve className="org.jboss.security.valve.SSOAutoLogin" authType="FORM"
             provider="si:intertrade:jboss-sso:database:login"/>
    </Context>

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233930#4233930
Reply to the post: http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4233930

_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
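The following Python model is an added example for this thread; it is not code from JBoss Federated SSO or from the poster. It shows the mechanical reason a token that lives only in a cookie on intertrade.com is never seen by a request to tradelinks.net (browsers scope cookies to the host's domain), and what the cross-domain hop has to do instead: carry the token in the request itself, which is the first place the post says SSOTokenManager looks, after which the second domain can set its own cookie. Assumptions: an HMAC-signed token stands in for the SAML assertion, the parameter name ssoToken, cookie name SSO_TOKEN, the shared key and the user alice are constructed for the example, and the partner URLs are taken from the posted federation-server config. Whatever JBoss valve performs that hop (the posted context.xml files have SSOFederationRouter commented out on both servers) is not modelled here.

```python
"""Toy model of how an SSO token travels between two domains (added example, not JBoss code)."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed shared federation key; real deployments sign SAML assertions with a private key.
FEDERATION_KEY = b"constructed-shared-secret-for-the-example"

# Partner list taken from the posted federation-server config.
PARTNERS = {
    "intertrade.com": "https://scarlet.montreal.intertrade.com:8443/federate",
    "tradelinks.net": "https://localhost.tradelinks.net:8443/federate",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, asserting_party: str, now: float, ttl: int = 300) -> str:
    """Stand-in for the SAML assertion: signed claims naming the subject and the asserting party."""
    body = json.dumps({"sub": subject, "iss": asserting_party, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(FEDERATION_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str, now: float):
    """Return the claims if the token is intact, unexpired and from a known partner, else None."""
    try:
        body_part, tag_part = token.split(".", 1)
        body, tag = _unb64(body_part), _unb64(tag_part)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(FEDERATION_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    if claims["exp"] < now or claims["iss"] not in PARTNERS.values():
        return None
    return claims


def registrable_domain(url: str) -> str:
    """Cookie scope in this model: the last two host labels (intertrade.com, tradelinks.net)."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])


class Browser:
    """Keeps cookies per registrable domain; a cookie set on one domain is invisible to the other."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, url: str, name: str, value: str) -> None:
        self.jar.setdefault(registrable_domain(url), {})[name] = value

    def cookies_for(self, url: str) -> dict:
        return self.jar.get(registrable_domain(url), {})


def token_manager(browser: Browser, url: str, now: float):
    """Lookup order described in the post: token in the request first, then in a cookie."""
    query = parse_qs(urlsplit(url).query)
    token = query.get("ssoToken", [None])[0] or browser.cookies_for(url).get("SSO_TOKEN")
    if token is None:
        return None  # nothing to validate: the application falls back to its login page
    claims = verify_token(token, now)
    if claims is not None:
        browser.set_cookie(url, "SSO_TOKEN", token)  # later requests to this domain use the cookie
    return claims


def login(browser: Browser, url: str, subject: str, asserting_party: str, now: float) -> str:
    token = issue_token(subject, asserting_party, now)
    browser.set_cookie(url, "SSO_TOKEN", token)
    return token


def federation_hop(browser: Browser, from_url: str, to_url: str) -> str:
    """Cross-domain hop: the token must ride in the request, since the cookie does not cross domains."""
    token = browser.cookies_for(from_url).get("SSO_TOKEN")
    if token is None:
        return to_url
    return urlunsplit(urlsplit(to_url)._replace(query=urlencode({"ssoToken": token})))


def simulate(now=None):
    """Log in on server 1, then hit server 2 directly, via the hop, and once more directly."""
    now = time.time() if now is None else now
    browser = Browser()
    server1 = "https://scarlet.montreal.intertrade.com:8443/app/"
    server2 = "https://localhost.tradelinks.net:8443/app/"
    login(browser, server1, "alice", PARTNERS["intertrade.com"], now)  # constructed user
    direct = token_manager(browser, server2, now)  # cookie is scoped to intertrade.com -> None
    hopped = token_manager(browser, federation_hop(browser, server1, server2), now)
    after = token_manager(browser, server2, now)  # second request finds tradelinks.net's own cookie
    return direct, hopped, after


if __name__ == "__main__":
    print(simulate())
```

Running it prints None for the direct request (the situation in the post: no token in the request and no cookie for that domain), then the validated claims for the hop and for every request after it. Note that verify_token rejects a token whose asserting party is not in the partner list and one whose signature does not check, which is the minimum a receiving partner must do before trusting a token it found in a request parameter.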
