What is SSO?
SSO stands for Single Sign-On: users type their credentials only once and gain access to all the other sub-systems.
Major benefits of an SSO-based architecture may include:
- Centralized authentication servers: User management is handled by a small number of systems, ideally just one.
- More secure infrastructure: Once a user has logged in, his identity is propagated to the other sub-systems by a token mechanism, without passwords being sent across the wire.
- Better user experience: Dealing with numerous passwords and having to type them frequently is time and energy consuming. A single password to remember increases user efficiency and reduces IT help desk costs.
What does SSO have to do with JaasLounge?
JaasLounge provides SSO modules for various Java EE application servers, built around Kerberos-based architectures. Kerberos is a widely used authentication protocol natively implemented in Microsoft Active Directory. If your network includes Java EE servers and workstations that authenticate against a Kerberos server (such as Microsoft Active Directory), and you need to propagate identity across your Java EE applications, keep reading.
Where exactly does JaasLounge SSO step in?
Let's consider the following network architecture containing:
- A Microsoft Active Directory server acting as the domain controller
- A workstation that is a member of the Windows domain
- A Java EE application server with access-protected Web applications deployed
A simplified authentication scenario would be:
- The user logs on to his workstation against Active Directory and opens a Windows session.
- The user launches a Web browser to access the Web application. Since the Web application is protected, the server asks the user to authenticate.
- The Web browser recognises the server's reply and asks the Kerberos server for a ticket to forward to the application server as proof of the user's identity. The Web browser receives the ticket and forwards it to the application server. The application server receives the ticket, opens it, extracts the user's identity and automatically logs the user in.
Setting up an architecture like this can be tricky; that is where JaasLounge comes in.
JaasLounge SSO provides:
- Java EE server security modules handling the Kerberos negotiation and Kerberos ticket decoding.
- Documentation helping you install the whole authentication chain.
How does it work?
Technically, the SPNEGO protocol is used to send authentication data between the Web browser and the application server. The SPNEGO data sent contains either a Kerberos or an NTLM token, depending on the network configuration. On the application server side, JaasLounge adds a vendor-specific Java plugin to handle the SPNEGO token negotiation and its decoding. JaasLounge then uses vendor-specific security APIs to log the user in with the retrieved token. Once JaasLounge SSO is installed, the roles declared in your Web applications' web.xml files are automatically mapped to the domain controller's groups. This means that Web applications contain only security descriptors compliant with the Java EE specification. As a result:
- Web applications are more portable
- Handling security is simpler
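The browser-to-server exchange in the scenario above and the SPNEGO framing described in this section, as an added example that is not JaasLounge code or documentation. It decodes only the outer GSS-API token (RFC 2743 section 3.1) and the SPNEGO NegTokenInit mechTypes list (RFC 4178), which is enough for a server to tell a Kerberos ticket from an NTLM fallback and to log or refuse the fallback as a sign of a misconfigured service principal or a client outside the domain. The mechanism OIDs are the published ones (RFC 4178, RFC 4121, MS-SPNG); the sample tokens are constructed by the block itself, not captured from a browser; and the policy function `mechanism_allowed` is a hypothetical stand-in for whatever decision the vendor module makes. Python is used because the check concerns the wire format, not any server API.

```python
"""Classify the mechanism carried in an HTTP 'Authorization: Negotiate' header.
Added example, not JaasLounge code; OIDs are the published ones, tokens are constructed."""
import base64

# Mechanism OIDs from RFC 4178 (SPNEGO), RFC 4121 (Kerberos v5) and MS-SPNG.
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """DER OID contents -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate_header(header_value):
    """Return {'mechanism': 'kerberos'|'ntlm'|'unknown', 'mech_types': [oids]}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    unknown = {"mechanism": "unknown", "mech_types": []}
    if token.startswith(b"NTLMSSP\x00"):   # raw NTLM blob, no GSS framing at all
        return {"mechanism": "ntlm", "mech_types": [OID_NTLMSSP]}
    if not token or token[0] != 0x60:      # [APPLICATION 0] InitialContextToken
        return unknown
    _, inner, _ = read_tlv(token, 0)
    tag, oid_body, pos = read_tlv(inner, 0)
    if tag != 0x06:
        return unknown
    mech_oid = decode_oid(oid_body)
    if mech_oid != OID_SPNEGO:             # bare Kerberos (or other) mechanism token
        return {"mechanism": MECH_NAMES.get(mech_oid, "unknown"), "mech_types": [mech_oid]}
    # NegotiationToken ::= [0] NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    tag, neg_token_init, _ = read_tlv(inner, pos)
    if tag != 0xA0:
        return unknown
    _, seq, _ = read_tlv(neg_token_init, 0)
    tag, mech_types_field, _ = read_tlv(seq, 0)
    if tag != 0xA0:
        return unknown
    _, mech_list, _ = read_tlv(mech_types_field, 0)
    mech_types, p = [], 0
    while p < len(mech_list):
        t, body, p = read_tlv(mech_list, p)
        if t == 0x06:
            mech_types.append(decode_oid(body))
    preferred = mech_types[0] if mech_types else None   # first entry = client's preferred mechanism
    return {"mechanism": MECH_NAMES.get(preferred, "unknown"), "mech_types": mech_types}


def mechanism_allowed(result, allow_ntlm=False):
    """Hypothetical server policy: accept Kerberos; accept NTLM only when explicitly enabled."""
    return result["mechanism"] == "kerberos" or (allow_ntlm and result["mechanism"] == "ntlm")


def der_tlv(tag, body):
    """Encode one DER TLV (short or long length form); used to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def build_spnego_init(mech_oids):
    """Constructed NegTokenInit proposing the given mechanisms (mechToken omitted)."""
    mech_types = der_tlv(0xA0, der_tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    return der_tlv(0x60, encode_oid(OID_SPNEGO) + der_tlv(0xA0, der_tlv(0x30, mech_types)))


def negotiate_header(token):
    """Wrap a token as a browser does after a 'WWW-Authenticate: Negotiate' challenge."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    r = classify_negotiate_header(negotiate_header(build_spnego_init([OID_NTLMSSP])))
    print(r["mechanism"], "accepted:", mechanism_allowed(r))
```

A real NegTokenInit also carries the mechToken and mechListMIC fields after mechTypes; parsing deliberately stops at the mechanism list because that is all the policy needs. A truncated or malformed token makes `read_tlv` raise `IndexError`, which a server should treat exactly like an unknown mechanism: no identity established, challenge again or fail the request.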
Which Java EE Servers does JaasLounge SSO currently support?
JaasLounge provides Java EE server modules and documentation for:
- Oracle Application Server
- WebLogic Application Server
- Apache Tomcat
- IBM WebSphere