Saturday, March 30, 2013

SSO for Java or .Net Web based applications using Openam

  • Single Sign on for Java/J2ee based Web applications
  • Single sign on using  Spring Security SAML Extension and  Role based authentication using Spring Security 
  • Single sign on Java
  • Single sign on for JSF based web application.

Introduction: Single Sign On (SSO) for Web applications using OPENAM 

Why do we need SSO ?
Say a user is logged in to one application and clicks on a link to another application and in this case if you don't want the user to enter his userid/password again but based on some token you know that "Yes the person say" is already authenticated so he can access your second application.
Its like you log in to gmail and from there you can navigate to youtube or google+ or blogspot without entering password. This can be facilitated by an IDP and each time the request goes IDP know that yes "person" was authenticated already and his token id is "axxbv67745554wedxyXcDb".

OpenAM is and identity provider (and more) formerly known as OpenSSO was owned by Sun which was later taken over by oracle. However Forgerock has it own source code and its called OpenAM and maintains it . You can download and deploy openam as web based J2ee application on any application server like - Tomcat, Websphere , Jboss or Weblogic.

Before getting in to the details of why we need OpenAM lets know some terminologies.I will describe them in my own words as those technical jargon's took me a while to catch up.

IDP:(Identity provider) - A module/application that can authenticate and provide you a security token which can be used in singe sign on.
SP:(Service provider):  A system that allows users (Or principal) to authenticate against IDP.
E.g.: We have a JSF 2.0 web application that talks to openam.
Here our web application is SP, Openam is IDP and I am logging in to our webapp I am the principal (user).
Realm: A realm is the unit that used to organize configuration information. Authentication properties, authorization policies, data stores, subjects (including a user, a group of users, or a collection of protected resources) and other data can be defined within the realm.
Lets say your company has Active directory for authenticating user and you want to use that as data store that the IDP can finally use. In the realm you can to use this ActiveDirectory.

Circle of Trust: COT is a federation of any number of service providers (and at least one identity provider) with whom principals can transact in a secure and apparently seamless environment.
In lay man terms we add a list of IP addresses say the SP urls,IDP url all in to once circle of trust. If they are not in same COT openam doesn't allow us to send request.
Eg: Say your web application (SP) is at and your identity provider url is then you need to add both these urls to one circle of trust in OpenAM.

Realm and Circle of Trust. How are they connected ?
- This is what I think. 
Realm =>Can have many Data stores or Identity Stores.
COT =>Will have many host names or Ip address (ie. SPs, IDP)
When we create a new Circle of Trust you need to specify the realm name,.
COT ===> Is linked to Realm. 
 For sake of discussion lets call our sample circle of trust as "COT1" and realm as "Relam1"
COT1 = has (SP  and IDP -
Realm1 == Is configured to use Active Directory as Identity store for Authentication.
So by doing this we are telling hey if the request comes from SP ( use the IDP ( because they are in same Circle of Trust = COT1. Now the IDP sees that COT1 is linked to Realm1 and so it uses the Active directory checks the user credentials and does the Authentication.

We can have many circle of trusts linked to one realm.  Here is my visualization.

Fedlet: A client that we can generate using OpenAM. The client generated can be for a .Net or a Java based Fedlet. In Java the Fedlete can be used plugged into existing your web application  if your just doing Single sign on and not role based authorization. In my case I had to allow the user to sign in and also check in what groups the user is and based on that I had to block some pages so we had to use Spring saml extension to talk to IDP instead of Fedlet. At least for initial testing of OpenAM set up Fedlet was very useful.

SAML: Security Assertion Mark Language is an XML based data format that flows between IDP and SP when a principal is trying authentication and/or authorization. You dont need to worry about this as OpenAM generates this for you when it sends response and in your Web application if you are u

There could be a situation where you may have to integrate more than one IDP to your SP in that case you need to have another instance of OpenAM that can act like IDP proxy.
So your configuration will look like

SP (Your Java Web app or Generated Fedlet) <===> IDP Proxy (openam)   <=====>  (IDP1, IDP2.....)
IDPProxy is an OpenAM instance
IDP1, IDP2- Are Identity providers which can be OpenAM or any SAML2 Complaint IDPs.

I have seen in openam wiki where they have given an example to install 3 instances of openam so that one is IDP, other is Proxy and 3rd openam instance as SP. That is way complex.

For simple scenario you need just one openam instance which acts as IDP and generate a Fedlet and that will act as SP.For just SP you don't need another openam instance. Also consider using proxy only if you are integrating with more than one IDP so that the SP can talk to proxy and need not worry about multiple IDP's. Here your proxy is acting like a Facade and hides complexity of multiple IDP's

So for simple scenario it will look like
SP (Your Java Web app or Openam generated Fedlet client) <===> IDP (openam)

Here SP should be able to send and receive SAML requests/responses.

Here is link  for some sample saml request and responses.
Don't panic you will not create this xml OpenAM, Spring Saml extension or Fedlet does the job for you.

In the next article I will explain how to install OpenAM as IDP and how you can plugin Spring SAML extension and Spring Security to you web app to talk to OpenAM and trouble shooting.
Before I continue further I want to thank two people for there out standing support and help and answering all my stupid questions during our implementation of SSO  solution and integrating with Spring Saml extension along with Spring Security.
Vladmir Schafer: Author of Spring Saml Extension library
Peter Major and the entire OpenAM community.

I have a added new article on how to intgerate a Java based web applications with openam for single sign on . The application can be a JSP or Struts or JSF based web app.
All can use this tutorial.

If you like my articles or have any suggestions please leave a comment.