Reputation: 8815
Single sign-on ActiveDirectory and Java EE
Scenario:
- We sell Java EE (JBoss+SpringSecurity) software to large corporations which mostly use ActiveDirectory
- Our Java EE (JBoss) software can be hooked up to ActiveDirectory, however it requires Roles addition into ActiveDirectory i.e. cn=esp_administrator,cn=Roles,o=company,o=com
- As per my understanding, JBoss will need an account to "bind" to ActiveDirectory to do the search i.e. cn=admin,cn=Users,o=company,o=com
- Users still need to login to our Java EE application manually (not single sign-on)
- Say our Java EE app
http://javaee-webappand one of the company portal is athttp://intranet-portalsay using Atlassian Jira
How can I implement single sign on with this setup?
One thing comes to mind is to read cookies from http://intranet-portal, but this only works if our Java EE webapp is a sub-domain of http://intranet-portal, i.e http://intranet-portal/javaee-webapp
I've read the following QA
Transparent user session over several sites (single sign-on + single sign-off)
I don't think the customers want us to install Shibboleth IDProvider just for single sign on.
Other than a "Remember me" option, what other choice do I have?
Upvotes: 0
Views: 2359
Answers (1)
Reputation: 122739
You could indeed use Shibboleth (or perhaps OpenSSO). This can be quite complex and will need to be deployed for all the websites (Service Providers) that will be under the scope of this SSO. It's specifically designed for SSO authentication and authorization that do not necessarily belong to the same site. If your customers want SSO in an environment that's not too tightly coupled, they'll need this sort of technology. (Note that the most difficult part of implementing Shibboleth isn't so much the installation of the SP or IdP software, but rather establishing the policies around attribute release and authorization: more about administration and politics than a technical problem).
If the client machines from which your customers are going to connect are also under their control (for example, if they're all Windows desktops that the company can configure), you could look at SPNEGO. This can be made to work from Windows/Linux/OSX clients using IE/Firefox (at least), but you'd need to configure the clients to point to the Active Directory server (as a Kerberos KDC). This may be confusing if users have to do it on their own machine.
While the SPNEGO solution may be easier if you can control the configuration of the client machines, the Shibboleth/OpenSSO solution will be more flexible in that respect (and the Shibboleth IdP could use SPNEGO as an authentication mechanism, if you want it all).
Upvotes: 1
Related Questions
- How to implement Single Sign On using Spring and Active Directory
- implement Single Sign On using Spring and Active Directory
- Spring Boot Microsoft AD Authentication
- How to authenticate user against Active Directory from java?
- Creating Java EE application with SAML & ADFS for Single Sign On
- Single sign-on not working in Spring web app
- Spring MVC application authenticating to Active Directory
- java web app jsp - active directory and tomcat SSO
- Tomcat, HTTP authentication, and Active Directory
- Single sign-on in Java EE