Single Sign On [SSO] across different domains using Java
We are implementing Single Sign On [SSO] across multiple applications, which are hosted on different domains and different servers.


Now, as shown in the picture, we are introducing an Authenticate Server which actually interacts with LDAP and authenticates the users. The applications which will use/talk to the Authenticate Server are hosted across different servers and domains.

For SSO, I can't use session variables, as there are different servers, different applications and different domains; a domain-level cookie/session variable is not helpful.

I am looking for a better solution which can be used for SSO across them. Does any demonstrated implementation exist? If so, please post it or point me in the right direction.

Mathre answered 8/8, 2013 at 8:25 Comment(2)
How about implementing a Kerberos login? – Kaif
There are many options for SSO with Java. I'm currently implementing an ADFS (Active Directory Federation Services) client using Fediz. – Horsey
42

You can achieve this by having all your logins happen on the auth server. The other applications can communicate with the auth server through a back channel. The general principle is like this:

  1. User accesses application 1.
  2. Application 1 needs the user to sign on, so it sends a token to the auth server through the back channel. Application 1 then redirects the user to the login page on the auth server with the token as a parameter on the request.
  3. User logs in to the auth server. The auth server sets a cookie, flags the token as authenticated and associates the user details with it. The auth server then redirects the user back to application 1.
  4. Application 1 gets the request from the user and calls the auth server over the back channel to check if the token is OK. The auth server responds with the user details.
  5. Application 1 now knows that the user is authorised and has some basic user details.

Now this is where the SSO bit comes in:

  1. User accesses application 2.
  2. Application 2 needs the user to sign on, so it sends a token to the auth server through the back channel. Application 2 then redirects the user to the login page on the auth server with the token as a parameter on the request.
  3. The auth server sees that there is a valid login cookie, so it can tell that the user is already authenticated, and knows who they are. The auth server flags the token as authenticated and associates the user details with it. The auth server then redirects the user back to application 2.
  4. Application 2 gets the request from the user and calls the auth server over the back channel to check if the token is OK. The auth server responds with the user details.
  5. Application 2 now knows that the user is authorised and has some basic user details.

There are some existing implementations of this method, for example CAS (Central Authentication Service). Note that CAS is supported out of the box in Spring Security. I would advise you to look at using an existing implementation, as writing your own will be hard. I have simplified things in my answer and there is a lot of potential for introducing security holes if you're new to this.

Tb answered 8/8, 2013 at 9:26 Comment(3)
Seems like I understand the flow now and it looks good. As you mentioned security holes: yes, this is my first time working on SSO and I will be working solely. So could you point out whether you or anyone has developed this with proper security, so that I can follow a similar design approach? – Mathre
@Reddy - I've created sites that have SSO using CAS and Spring Security. I've never rolled my own SSO implementation, nor would I ever attempt to. – Tb
How does application 2 get the token? What is the sharing method? – Unlikely
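The two numbered flows above, worked through as an added, in-process Java model (not code from the answer or from CAS): one auth server object plays the LDAP-backed login page, two applications issue tickets over the back channel, and the browser's only cross-domain state is the cookie it holds for the auth server's domain. The class and method names (`AuthServer`, `issueTicket`, `login`, `validate`), the five-minute ticket lifetime and the `directory` map standing in for the LDAP bind are all assumptions made for the example. It also answers the "how does application 2 get the token" comment: each application asks for its own ticket; what is shared is the auth server's session cookie, never the ticket.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Constructed, in-process model of the back-channel ticket flow. AuthServer, issueTicket, login and
// validate are illustrative names; the "directory" map stands in for the LDAP bind. No network involved.
public class SsoFlowDemo {

    /** A login ticket issued to one application over the back channel. */
    static final class Ticket {
        final String appId;      // bound to the application that requested it
        final Instant expires;   // short-lived; an unauthenticated ticket must not linger
        String user;             // filled in once the auth server has authenticated the browser

        Ticket(String appId, Instant expires) { this.appId = appId; this.expires = expires; }
    }

    /** The authentication server: owns credential checking, the session cookie and the tickets. */
    static final class AuthServer {
        private final SecureRandom rng = new SecureRandom();
        private final Map<String, Ticket> tickets = new HashMap<>();   // ticket value -> state
        private final Map<String, String> sessions = new HashMap<>();  // cookie value -> user
        private final Map<String, String> directory = Map.of("alice", "correct horse"); // stand-in for LDAP

        /** 256 bits from SecureRandom, base64url: unguessable, safe in a URL parameter or cookie. */
        private String randomToken() {
            byte[] b = new byte[32];
            rng.nextBytes(b);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        }

        /** Step 2: an application registers a ticket over the back channel before redirecting the user. */
        String issueTicket(String appId) {
            String t = randomToken();
            tickets.put(t, new Ticket(appId, Instant.now().plus(Duration.ofMinutes(5))));
            return t;
        }

        /** Step 3: the browser hits the login page with the ticket and, on later visits, the session cookie.
         *  Returns the session cookie the browser should hold for the auth server's domain, or empty. */
        Optional<String> login(String ticket, String sessionCookie, String username, String password) {
            Ticket tk = tickets.get(ticket);
            if (tk == null || Instant.now().isAfter(tk.expires)) return Optional.empty();
            String user = sessionCookie == null ? null : sessions.get(sessionCookie);
            if (user == null) {                                   // no SSO session yet: check credentials
                String expected = username == null ? null : directory.get(username);
                if (expected == null || password == null
                        || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                                  password.getBytes(StandardCharsets.UTF_8))) {
                    return Optional.empty();
                }
                user = username;
                sessionCookie = randomToken();                    // new SSO session for this browser
                sessions.put(sessionCookie, user);
            }
            tk.user = user;                                       // ticket is now authenticated for this user
            return Optional.of(sessionCookie);
        }

        /** Step 4: the application redeems its ticket over the back channel. Single use, bound to the app. */
        Optional<String> validate(String appId, String ticket) {
            Ticket tk = tickets.remove(ticket);                   // consumed whatever the outcome
            if (tk == null || tk.user == null) return Optional.empty();         // unknown or never logged in
            if (!tk.appId.equals(appId)) return Optional.empty();               // issued to another application
            if (Instant.now().isAfter(tk.expires)) return Optional.empty();     // too old
            return Optional.of(tk.user);
        }
    }

    public static void main(String[] args) {
        AuthServer auth = new AuthServer();
        String browserCookie = null;   // the browser's cookie for the auth server's domain, shared across apps

        // Application 1: the browser has no session with the auth server, so the user types credentials.
        String t1 = auth.issueTicket("app1");
        browserCookie = auth.login(t1, browserCookie, "alice", "correct horse").orElseThrow();
        System.out.println("app1 sees user: " + auth.validate("app1", t1).orElse("<denied>"));

        // Application 2 on another domain: the same browser still carries the auth-server cookie,
        // so the auth server authenticates the ticket without showing a login form.
        String t2 = auth.issueTicket("app2");
        auth.login(t2, browserCookie, null, null).orElseThrow();
        System.out.println("app2 sees user: " + auth.validate("app2", t2).orElse("<denied>"));

        // Controls worth checking: a redeemed ticket is gone, and a ticket is only good for its own app.
        System.out.println("t1 again: " + auth.validate("app1", t1).orElse("<denied>"));
        String t3 = auth.issueTicket("app1");
        auth.login(t3, browserCookie, null, null);
        System.out.println("app2 with app1's ticket: " + auth.validate("app2", t3).orElse("<denied>"));
    }
}
```

Runs with `java SsoFlowDemo.java` on Java 11 or later. The three controls the answer's "security holes" warning points at are visible in `validate`: the ticket is unguessable (SecureRandom), consumed on first redemption, and bound to the application that requested it, so a ticket leaked from one application is useless to another; in a real deployment the back channel itself would also be authenticated (mutual TLS or a per-application secret) and the cookie marked Secure and HttpOnly.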
3

I will recommend you check out OAuth. It is a good authentication and authorization protocol used by several large organizations, including Facebook, Google, Windows Live and others. It may have an initial learning curve, but it is a production-grade solution.

It also has libraries for Java, Ruby, PHP and a range of other programming languages.

For example, the following server-side implementations are available for Java:

  • Apache Amber (draft 22)
  • Spring Security for OAuth
  • Apis Authorization Server (v2-31)
  • Restlet Framework (draft 30)
  • Apache CXF

The following client-side Java libraries are also available:

  • Apache Amber (draft 22)
  • Spring Social
  • Spring Security for OAuth
  • Restlet Framework (draft 30)

Please refer here for more details:

Fogbound answered 16/8, 2013 at 14:40 Comment(1)
"OAuth 2.0 is not an authentication protocol." oauth.net/articles/authentication – Cahilly
1

The bigger question is how you are implementing single sign-on. Many open source and even proprietary (IBM Tivoli) offerings worth their salt offer cross-domain single sign-on capability. This would be the easiest and best way to implement cross-domain SSO. You can configure the LDAP server you use in the SSO server you choose.

Taking OpenSSO for instance, here is an article on configuring cross-domain single sign-on: http://docs.oracle.com/cd/E19681-01/820-5816/aeabl/index.html

To configure LDAP in OpenSSO: http://docs.oracle.com/cd/E19316-01/820-3886/ghtmw/index.html

A reference on the issue is presented in a neat diagram here: http://docs.oracle.com/cd/E19575-01/820-3746/gipjl/index.html

Depending on which offering you use, you can configure cross-domain single sign-on.

With this, your diagram will look like this, with the auth server being your utility to interact with the SSO server of your choice.

Having an auth server that communicates with the SSO server is a sound architecture principle. I would suggest exposing the authentication calls as REST endpoints which could be called via HTTP from the different applications.

Cross Domain single sign on

Botvinnik answered 14/8, 2013 at 21:56 Comment(0)
0

You cannot use a REST service.

You could use what I call Referer URL Authentication. Say you have an authentication application running on www.AAAA.com. In the applications where you want to authenticate, you could have a filter which looks for an authenticated cookie in its domain, else redirects to www.AAAA.com for authentication.

On successful authentication, you could pass the user profile information as encrypted GET/POST data back to the application.

Bailment answered 8/8, 2013 at 8:39 Comment(3)
I am planning on REST/WebService. My concerns are: 1. how do I know the user is already logged in? If I have a common domain, session variables can be used to maintain that data, but if we use multiple domains, how do I know whether the user is already logged in or not? For the second approach, do you have any working tutorial for such a filter? This is what I was thinking, however I am not sure about a filter which can do that. – Mathre
How? Assume the first time the user opens app1 in domain1, it will contact the Auth server, which will log in to the system and return some message to the app1 server. Now the user opens app2 in domain2; how can app2 check whether the user is already logged in? It shouldn't show any login form, since he's already logged in from app1. – Mathre
Yep, I understand. I have updated my answer. I don't have the code for the filter handy; it's just a simple filter which would intercept all the requests, check if authenticated, else redirect to the authenticator application. – Bailment
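The last step of this answer, handing the profile back to the application as data in the redirect, only works if the application can tell a genuine profile from one the browser (or anyone on the path) has altered. The added Java example below, not the answer author's code, shows the integrity half of that: www.AAAA.com signs `user|audience|expiry` with HMAC-SHA256 under a key shared with the application, and the application verifies signature, audience and expiry before trusting the user name. The `issue`/`verify` names, the field layout and the shared key are assumptions for the example; the answer's "encrypted" would add a confidentiality layer (for instance AES-GCM over the payload) on top, which is omitted here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Constructed example: a profile assertion the authenticator puts in the redirect back to an application,
// protected by HMAC-SHA256 so the application can tell a genuine assertion from a forged or edited one.
// issue/verify, the field layout and the shared key are assumptions, not the answer author's design.
public class SignedProfileDemo {
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Authenticator side: payload = base64url("user|audience|expiry-epoch-seconds"), token = "payload.sig". */
    static String issue(byte[] key, String user, String audience, Instant expires) throws Exception {
        String fields = user + "|" + audience + "|" + expires.getEpochSecond();
        String payload = B64E.encodeToString(fields.getBytes(StandardCharsets.UTF_8));
        return payload + "." + B64E.encodeToString(hmac(key, payload));
    }

    /** Application side: check the signature (constant time), then audience and expiry, before trusting the user. */
    static Optional<String> verify(byte[] key, String token, String myAudience, Instant now) {
        try {
            int dot = token.lastIndexOf('.');
            if (dot < 0) return Optional.empty();
            String payload = token.substring(0, dot);
            byte[] sig = B64D.decode(token.substring(dot + 1));
            if (!MessageDigest.isEqual(sig, hmac(key, payload))) return Optional.empty(); // forged or edited
            String[] f = new String(B64D.decode(payload), StandardCharsets.UTF_8).split("\\|", -1);
            if (f.length != 3) return Optional.empty();                 // malformed (or a '|' inside a field)
            if (!f[1].equals(myAudience)) return Optional.empty();      // minted for a different application
            if (now.getEpochSecond() > Long.parseLong(f[2])) return Optional.empty(); // expired
            return Optional.of(f[0]);
        } catch (Exception e) {                                         // bad base64, bad number, ...
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];                // shared between www.AAAA.com and the application (constructed)
        new SecureRandom().nextBytes(key);
        Instant now = Instant.now();
        Instant exp = now.plus(Duration.ofMinutes(2));

        String token = issue(key, "alice", "app1.example", exp);
        System.out.println("app1 verifies:        " + verify(key, token, "app1.example", now).orElse("<rejected>"));
        System.out.println("app2 with app1 token: " + verify(key, token, "app2.example", now).orElse("<rejected>"));
        System.out.println("after expiry:         "
                + verify(key, token, "app1.example", now.plus(Duration.ofMinutes(3))).orElse("<rejected>"));

        // Same signature, edited payload (different user): the HMAC check rejects it.
        String edited = B64E.encodeToString(("someone-else|app1.example|" + exp.getEpochSecond())
                .getBytes(StandardCharsets.UTF_8)) + token.substring(token.lastIndexOf('.'));
        System.out.println("edited payload:       " + verify(key, edited, "app1.example", now).orElse("<rejected>"));
    }
}
```

Runs with `java SignedProfileDemo.java` on Java 11 or later. Two limits of this front-channel design worth knowing before choosing it: a signed assertion can be replayed by whoever captured it until it expires, so lifetimes must be short (or a nonce tracked), and the key must be shared with every application, so a single compromised application can mint profiles for all of them. The back-channel check described in the accepted answer avoids both, which is one reason the answer there recommends an existing implementation such as CAS.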
-1

Since I have built a Java application, I have been looking for an SSO solution for it. I found a free Java SAML Connector using which you can achieve SSO in java based applications built using any java framework.

Here's the link to it - https://plugins.miniorange.com/java-single-sign-on-sso-connector

Gregoire answered 20/1, 2020 at 10:26 Comment(0)
