SSO, or Single Signon, is a way for organizations to centralize their identity management and authentication needs in a consolidated, single solution across multiple applications in the enterprise. There are quite a few solutions available to enterprise to implement SSO with. Jetspeed classifies SSO in two categories:
The first, Jetspeed SSO, is a rather simpler solution for enterprise applications who do not need the complexity of a robust identity management SSO solution. In this case, Jetspeed provides a credential store for user credentials. Jetspeed can store encrypted credentials for users or groups of users to external sites. The second solution requires a third party open source project or product. In this case, Jetspeed integrates with an external SSO solution. These external solutions can often a single-signon solution for an organization, or even a federation of organizations.
Jetspeed SSO uses Jetspeed and Java security to implement a set of services and portlets for storing credentials. A management administrative portlet allows the editing of SSO sites and remote credentials. Jetspeed SSO comes with a secure IFrame and Web Content set of portlets. These portlets allow you to secure access to external sites. Authentication suport includes:
preemptive, so no distinction is made there.
<preference> <name>sso.type</name> <value>basic | url | form</value> </preference> <preference> <name>sso.url.Principal</name> <value>sso-principal</value> </preference> <preference> <name>sso.url.Credential</name> <value>sso-credential</value> </preference> <preference> <name>SRC</name> <value>http://www.nytimes.com</value> </preference> <preference> <name>sso.type</name> <value>form</value> </preference> <preference> <name>sso.form.Action</name> <value>http://www.nytimes.com/auth/login</value> </preference> <preference> <name>sso.form.Principal</name> <value>USERID</value> </preference> <preference> <name>sso.form.Credential</name> <value>PASSWORD</value> </preference> <preference> <name>sso.form.Args</name> <value>Submit2=Log In;OP=;OQ=;is_continue=false</value> </preference>
To enable an identity management service, such as Site Minder, or Shibbboleth (see below), there are some general guidelines for integrating your SSO solution with Jetspeed. remove the Login Portlet from the custom build and delegate authentication to the authentication provider. Upon successful authentication, redirect to the portal.
<filter> <filter-name>PortalFilter</filter-name> <filter-class>org.apache.jetspeed.login.filter.PortalFilter</filter-class> </filter> <filter-mapping> <filter-name>PortalFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
<login-config> <auth-method>FORM</auth-method> <realm-name>Jetspeed</realm-name> <form-login-config> <form-login-page>/login/login</form-login-page> <form-error-page>/login/error</form-error-page> </form-login-config> </login-config>
Jetspeed comes with a Shibboleth filter for performing Single Sign-on (SSO) with Shibboleth and the Jetspeed Portal. Shibboleth's Service Provider provides HTTP request headers. The filter reads and interprets the Shibboleth headers as single sign-on tokens. Shibboleth can also be configured to provide various user attributes that can be passed onto the portal. Refer to your Shibboleth documentation for more details. The Jetspeed Shiboleth filter is configured in the Jetspeed web.xml:
<filter> <filter-name>ShibbolethPortalFilter</filter-name> <filter-class>org.apache.jetspeed.security.impl.shibboleth.ShibbolethPortalFilter </filter-class> </filter>
If there are no Shibboleth headers present, Jetspeed will not authenticate the user. If there are Shibboleth tokens on the HTTP request, Jetspeed will use them and automatically authenticate users, bypassing Jetspeed's internal authentication and login mechanisms.
To configure Jetspeed to use Shibboleth headers, there is a Spring configuration file found under WEB-INF/assembly/alternate/shibboleth.xml:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd"> <bean id="org.apache.jetspeed.security.shibboleth.ShibbolethConfiguration" class="org.apache.jetspeed.security.impl.shibboleth.ShibbolethConfiguration"> <!-- map of common jetspeed-security principals to shibboleth headers --> <constructor-arg index='0'> <map> <entry key='username'> <value>shib-person-commonname</value> </entry> </map> </constructor-arg> <!-- Always authenticate against Jetspeed (should be false if your jetspeed db != authentication users) --> <constructor-arg index='1'> <value type="boolean">true</value> </constructor-arg> <constructor-arg index='2'> <ref bean="PortalConfiguration" /> </constructor-arg> </bean> </beans>
The first constructor argument is a map of common jetspeed security names. Currently we only support mapping the username
from a Shibboleth principal. It is configured to map to the Shibboleth header/attribute named sub-person-commonname
.
The second constructor turns on or off Jetspeed authentication. Turn this off if you simply want to trust Shibboleth or if you don't have passwords available in constructor-arg one.