Jetspeed Single Sign On

Jetspeed-2 (J2) Single Sign-on (SSO) feature is a credential store implemented as a component. It uses J2 security implementation for storing credentials. A management portlet allows the editing of SSO sites and remote credentials. It supports Basic Authentication and Form Based authentication and supports cookies.

The SSO Management feature enables you to create "single sign-on" access, a permission-based access to applications and underlying tools, which provides an added layer of security and administarative control of Jetspeed-2 content. SSO Management enables the Users of Groups (several Users initially defined in the Group Management tab) to sign-on a single time for jetspeed-2 portal and specified sites and databases.

SSOProxy Portlet

As the name indicates the SSOProxy portlet is the proxy between the portal and authenticated sites. In the preferences a user defines the destination page which might need authentication itself or has links to authenticated pages (inside or outside the portal).The SSOProxy Portlet authenticates all SSO sites for the user before it goes to the destination URL defined in the preferences. The SSOProxy keeps a cache of of the proxy client so that the authentication only takes place the first time.

SSOReverseProxyIFrame Portlet

The SSOReverseProxyIFrame portlet leverages the Reverse Proxy Service component of Apache Portals Web Content Application. This portlet provides Single Sign-on site and credentials of the user to the Reverse Proxy Service component based on the navigated URLs. The Reverse Proxy Service component authenticates the site for the user automatically if the site is registered as a Single Sign-on site for the user in the Jetspeed-2 Single Sign-on credential store.

For example, if the following preferences are set,

Preference Name	Preference Value
SRC	http://localhost:8080/manager/list
PROXYREMOTEURL	http://localhost:8080/
PROXYLOCALPATH	${contextPath}/rproxy/localhost/

then the portlet tries to retrieve the registered SSO sites and SSO remote users information of the user by the SRC URL, 'http://localhost:8080/manager/list'.

If the user has the following SSO sites and SSO remote users information,

Site Name	Site URL	Site Realm	Remote Principal	Remote Credential
Tomcat Management	http://localhost:8080/manager/	Tomcat Manager Application	tomcat	tomcat

then the Reverse Proxy Service component can retrieve the above information from the portlet and it would try to authenticate by the provided credentials.

If there are multiple SSO sites which have similar URLs, then best URL-matched SSO sites and credentials would be chosen for authentication. For example, when the user has the following SSO sites and credentials registered,

No.	Site Name	Site URL	Site Realm	Remote Principal	Remote Credential	User Form Field	Password Form Field
1	My Root Website	http://localhost:8080/		user	user
2	My Basic Auth Website	http://localhost:8080/basic/	ExampleBasicAuthJSP	basic	basic
3	My Form Auth Website	http://localhost:8080/form/		form	form	user	pass

then the Reverse Proxy Service component will be provided best-matched SSO sites and credentials information like the following examples:

Requested URL	No.	Description
http://localhost:8080/	1	This requested URL is matched to the first SSO site URL only.
http://localhost:8080/index.html	1	This requested URL starts with the first SSO site URL and is matched to the first SSO site URL only.
http://localhost:8080/somewhere/index.html	1	This requested URL starts with the first SSO site URL and is matched to the first SSO site URL only.
http://localhost:8080/basic/	2, 1	This requested URL starts with the first and the second SSO site URLs. Because the second one is more well-matched, the second SSO site and credentials information would be used first for authentication.
http://localhost:8080/basic/index.html	2, 1	This requested URL starts with the first and the second SSO site URLs. Because the second one is more well-matched, the second SSO site and credentials information would be used first for authentication.
http://localhost:8080/form/	3	This requested URL starts with the first and the third SSO site URLs. The third one is more well-matched. However, unlike the basic authentication examples, the first one will never be used because the best-matched SSO site is configured to use form-based authentication. When the best-matched SSO site is configured to use form-based authentication, the Reverse Proxy Service component would use it only for authentication. The Reverse Proxy Service component would post username form field and password form field with the specified form field names only when the requested URL is equals to the URL of the SSO site. If the requested URL is changed by user's navigation in the IFrame, then it would not try posting the username and password form fields again.
http://localhost:8080/form/index.html	3	This requested URL starts with the first and the third SSO site URLs. The third one is more well-matched. However, unlike the basic authentication examples, the first one will never be used because the best-matched SSO site is configured to use form-based authentication. When the best-matched SSO site is configured to use form-based authentication, the Reverse Proxy Service component would use it only for authentication. The Reverse Proxy Service component would post username form field and password form field with the specified form field names only when the requested URL is equals to the URL of the SSO site. If the requested URL is changed by user's navigation in the IFrame, then it would not try posting the username and password form fields again.

SSO Provider service

The SSO Provider is a part of the jetspeed service framework and is available to any portlet and not just the SSOProxy Portlet. The component takes care of storing the sites and credentials and has an API to get content from a url.

SSO Management

The SSO management portlet helps to administer SSO credentials and assigning them to Portal Users.

The Portal Principal field may be populated by clicking on either the user icon or the group icon. A pop up window will display to allow you to select your user or group.