[Opensource] Single sign on

pierre.damas at damas.be pierre.damas at damas.be
Thu Dec 4 08:25:00 PST 2003


Have a look at the CAS (Central Authentication Service) of Yale University.

http://www.yale.edu/tp/auth/

Basically, it is a web application with a logon page to which your
application redirects (on HTTPS) the user browser if he has no session and
no token.
This Authentication service authenticates the user (with a PasswordHandler
that you can develop yourself to suit your needs), then redirects (on
authentication success) to the initial application url, providing as
parameter a one-time token containing no user identity information.  Your
application, if the user has no session and a token, connects via HTTPS to
the CAS server, and asks whose token it is.  The application server provides
the userid, and invalidates the token so that it cannot be reused.  So the
window of possibility of replaying the authentication is very short (<5 sec)
(After that time, the CAS invalidates the token anyway).

The Authentication Service also creates an SSO cookie, which is a secure
(only sent on HTTPS), session (dies when user closes his browser) server
(only sent to the CAS server) cookie.  If this cookie is present when the
application redirects the browser to the CAS, the CAS bypasses the login
page presentation and directly redirects to the application with the token -
so automatic single sign-on for the user.

The CAS comes with several CAS "clients", the most interesting for you being
a filter to put in your web.xml with some configuration URLs.  Works nicely.

The hardest configuration part is to get or create a certificate for SSL on
the CAS server, and to ensure that the calling application trusts that
certificate (make sure that its Certification Authority is in the keystore
of your application, or import the certificate itself to trust it).

And of course, it is Open Source.

Pierre A.

P.S. Amongst the other clients, there is an ISAPI filter (that I have not
checked yet), and an Apache module, allowing you to use your single sign-on on
other server technologies or with static restricted sites.  There are also
examples for other web technologies (asp, perl, python) so that you can have
a real single sign-on at your customer's site (at least for all web
applications, not only Java webapps).

----- Original Message ----- 
From: "larry hamel" <expresso at codeguild.com>
To: <opensource at jcorporate.com>
Sent: Monday, December 01, 2003 6:19 AM
Subject: Re: [Opensource] Single sign on


>
> can you say a bit more?
>
> do you have an LDAP directory or a DB that can be accessed by all systems
> which need sign on?
>
> larry
>
> At 10:48 AM 11/30/2003, you wrote:
> >Hi Everybody,
> >
> >   I am looking for somebody that has implemented single sign on,
> >preferably with Expresso. I am thinking about taking that route in some
> >Expresso code that I am about to undertake, and I have some questions
> >about the design and what are the gotchas that I have to watch out for.
> >Thanks in advance.
> >
> >-Tino
> >
> >_______________________________________________
> >Opensource mailing list
> >Opensource at jcorporate.com
> >http://mail.jcorporate.com/mailman/listinfo/opensource
> >Archives: http://mail.jcorporate.com/pipermail/opensource/
>
> _______________________________________________
> Opensource mailing list
> Opensource at jcorporate.com
> http://mail.jcorporate.com/mailman/listinfo/opensource
> Archives: http://mail.jcorporate.com/pipermail/opensource/
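The ticket exchange Pierre describes above (no session and no ticket: redirect the browser to the CAS login; on success CAS sends the browser back with a one-time ticket that carries no identity; the application then asks CAS over HTTPS whose ticket it is, and CAS answers once and discards it; a CAS-only SSO cookie skips the login page on later visits), modelled end to end as an added example. This is not code from CAS or from any poster in this thread. Python stands in for the Java filter and the CAS servlet so both sides run in one process; the "ST-" ticket prefix, the 5-second lifetime, the hostnames and the plain "yes"/"no" reply lines (in the style of the CAS 1.0 validate response) are assumptions for the model, and the HTTPS call to the CAS server is replaced by a direct method call.

```python
# Added example: a toy model of the CAS ticket exchange described in the post.
# Not code from CAS or from the mailing-list posters. Ticket prefix, TTL,
# hostnames and the yes/no reply format are assumptions for this model.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CAS_LOGIN_URL = "https://cas.example.org/login"   # assumed CAS deployment
TICKET_TTL_SECONDS = 5.0                           # post: ticket dies after ~5 s


class CasServer:
    """Stands in for the CAS web application (login page + validate call)."""

    def __init__(self, password_handler, clock=time.monotonic):
        self.password_handler = password_handler   # callable(user, pw) -> bool
        self.clock = clock
        self.tickets = {}       # ticket -> (service, user, issued_at); opaque to the browser
        self.sso_cookies = {}   # SSO cookie value -> user; only ever sent to CAS

    def login(self, service, username=None, password=None, sso_cookie=None):
        """Browser hits /login?service=...  Returns (redirect_url, sso_cookie),
        or (None, None) when the password handler rejects the credentials."""
        if sso_cookie in self.sso_cookies:
            user = self.sso_cookies[sso_cookie]            # SSO: skip the login page
        else:
            if not self.password_handler(username, password):
                return None, None
            user = username
            sso_cookie = secrets.token_urlsafe(32)         # Secure, session-scoped cookie
            self.sso_cookies[sso_cookie] = user
        ticket = "ST-" + secrets.token_urlsafe(24)         # one-time, unguessable
        self.tickets[ticket] = (service, user, self.clock())
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": ticket}), sso_cookie

    def validate(self, service, ticket):
        """Application-to-CAS call (HTTPS in real life). Plain-text reply:
        'yes\\n<user>\\n' exactly once per ticket, otherwise 'no\\n\\n'."""
        entry = self.tickets.pop(ticket, None)   # consumed on first use: replay fails
        if entry is None:
            return "no\n\n"
        bound_service, user, issued_at = entry
        if bound_service != service:             # ticket is bound to the URL it was issued for
            return "no\n\n"
        if self.clock() - issued_at > TICKET_TTL_SECONDS:
            return "no\n\n"
        return "yes\n%s\n" % user


def cas_filter(cas, request_url, session):
    """The application-side filter: returns ('ok', user) or ('redirect', url)."""
    if "user" in session:                        # already authenticated in this app
        return "ok", session["user"]
    parsed = urlparse(request_url)
    params = parse_qs(parsed.query)
    ticket = params.pop("ticket", [None])[0]
    # The service URL is the request URL minus the ticket parameter only.
    service = parsed._replace(query=urlencode(params, doseq=True)).geturl()
    if ticket is None:                           # no session, no ticket: go log in
        return "redirect", CAS_LOGIN_URL + "?" + urlencode({"service": service})
    lines = cas.validate(service, ticket).split("\n")
    if lines[0] != "yes":                        # replayed, expired or foreign ticket
        return "redirect", CAS_LOGIN_URL + "?" + urlencode({"service": service})
    session["user"] = lines[1]
    return "ok", lines[1]


def demo():
    """Walk the exchange and its failure cases; returns the observed results."""
    now = [0.0]   # controllable clock so the expiry check is deterministic
    cas = CasServer(lambda u, p: (u, p) == ("alice", "s3cret"), clock=lambda: now[0])
    app = "https://app.example.com/report?id=7"          # constructed sample URLs
    session = {}
    _, login_url = cas_filter(cas, app, session)                  # 1. bounce to CAS
    service = parse_qs(urlparse(login_url).query)["service"][0]
    back_url, cookie = cas.login(service, "alice", "s3cret")      # 2. login, ticket back
    _, user = cas_filter(cas, back_url, session)                  # 3. validate, open session
    ticket = parse_qs(urlparse(back_url).query)["ticket"][0]
    replay = cas.validate(service, ticket)                        # 4. same ticket again
    wiki = "https://wiki.example.com/"
    back2, _ = cas.login(wiki, sso_cookie=cookie)                 # 5. second app, no password
    _, sso_user = cas_filter(cas, back2, {})
    back3, _ = cas.login(wiki, sso_cookie=cookie)
    stolen = parse_qs(urlparse(back3).query)["ticket"][0]
    wrong_service = cas.validate("https://evil.example.com/", stolen)  # 6. other service
    back4, _ = cas.login(wiki, sso_cookie=cookie)
    late = parse_qs(urlparse(back4).query)["ticket"][0]
    now[0] += TICKET_TTL_SECONDS + 1                              # 7. wait too long
    expired = cas.validate(wiki, late)
    return {"user": user, "replay": replay, "sso_user": sso_user,
            "wrong_service": wrong_service, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible that the prose only implies: the filter must strip exactly the ticket parameter when rebuilding the service URL, because the ticket is bound to the URL CAS issued it for and any other reconstruction fails validation; and the only secret the application ever learns is the userid returned by the validate call, so in a real deployment that call has to be HTTPS with the CAS certificate (or its CA) trusted by the application's keystore, which is the configuration step the post flags as the hardest.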