Sun Webserver 7 Abhay Dabholkar

Tuesday Apr 15, 2008

Recently I was involved with two Cross Domain Single Sign-On projects for Sun Learning Services with Matt Stevens. The first project was CDSSO with Hewitt Associates and the second was with DDI World.

CDSSO with Hewitt did not involve any load balancer. In part one I will comment on this setup. First, some CDSSO talk, based on the Sun docs.

CDSSO Intro

Conventional SSO works via HTTP cookies within a single DNS domain. In such situations, Access Manager and agent-protected resources reside in the same DNS domain. When a user successfully authenticates to Access Manager, an HTTP session cookie (also known as an SSO token) is set in the user's browser, with Access Manager's DNS domain as the cookie domain. From this point on, until the session terminates or expires, the browser always presents the SSO token to any server in the same DNS domain (for example, Access Manager agents), as dictated by the HTTP protocol. This allows Access Manager and the policy agents to re-examine the validity of the user session and identity, and then enforce security policies without re-authentication.

The SSO solution breaks down when Access Manager and the agents reside in different DNS domains. For example, Access Manager and some agents may reside in www.sun.com while some other agents reside in www.hewitt.com. During authentication to Access Manager, the SSO token (HTTP cookie) is still set in the browser with .sun.com as the cookie domain. However, when the browser accesses agent-protected resources in www.hewitt.com, it does not present the SSO token to those servers, as dictated by the HTTP protocol. To the Access Manager agents, no SSO token means the user is not authenticated. The agents force the user to authenticate, which then falls into a loop: Access Manager, in the right DNS domain, sees that the browser does have a valid session SSO token and redirects the browser back to the originally requested resource in www.hewitt.com, which leads to a non-stopping loop.

CDSSO Interactions

1. The user's browser attempts to access an Agent-protected resource in, say, Domain-2.
2. With CDSSO enabled on this Agent, the Agent redirects the browser to the cdcservlet on the Access Manager. Without CDSSO enabled, the Agent would instead redirect the user to the Access Manager login URL for user login.
3. The browser follows the redirection and accesses the cdcservlet on the Access Manager.
4. At this time, the cdcservlet needs to determine whether the ssotoken is valid and the cookie is for Domain-1. The cdcservlet forwards the request to Access Manager for token validation.
5. Access Manager sends the response to the cdcservlet. If the ssotoken was found to be valid and a cookie is present for Domain-1, proceed to Step 11.
6. Since the ssotoken is invalid or absent, the cdcservlet forwards the request to the Access Manager's Authentication Service. This forwarding does not involve the client browser; the request is forwarded to the servlet/JSP in the container.
7. The Authentication Service presents the user with the login form.
8. The user provides his credentials on the login page and clicks the 'Submit' button. The credentials are sent via a POST action to the authentication module.
9. If authentication is successful, the Authentication Service sets the ssotoken cookie for Domain-1. The Authentication Service then redirects the browser back to the cdcservlet.
10. The browser follows the redirection and accesses the cdcservlet on the Access Manager. Now proceed to Step 4.
11. The CDC servlet retrieves the user's SSO Token for Domain-1 and composes a Liberty-like AuthNResponse message (LARES) with the SSOToken wrapped inside. The LARES message is contained in an HTML FORM in the HTTP response page. The HTTP response page also contains the directives to automatically post the form, without user interaction, to the Agent's sunwCDSSORedirect URI.
12. The browser, upon receiving the HTTP response, automatically posts the form to the Agent's sunwCDSSORedirect URI.
13. The Agent intercepts this request. Since it is the sunwCDSSORedirect URI (part of the URL space intercepted by the Agent), the Agent determines that it is a response from the cdcservlet and processes the CDSSO response. The Agent validates the ProviderID in the CDSSO response by comparing it with the registered Providers. If the provider validation fails, the user is denied access to the protected resource. If the provider validation succeeds, the Agent extracts the SSOToken and sets the cookie for Domain-2. The Agent then retrieves the originally requested URL for the protected resource and redirects to it.
14. The browser receives the new cookie. Now the browser has two ssotoken cookies, which differ only in their cookie domains: one is for Domain-1 and the other for Domain-2. The browser follows the redirection to the protected resource, presenting the new SSO token.
15. The Agent intercepts the request for the protected resource and requests Access Manager to validate the ssotoken.
16. Access Manager determines whether the ssotoken is valid and the cookie is present for Domain-1. Access Manager sends its response to the Agent. If the ssotoken was evaluated to be invalid or absent, proceed to Step 2.
17. Since the ssotoken was evaluated to be valid, the Agent next requests from Access Manager the policy decision pertaining to the protected resource.
18. The Agent receives the policy decision from Access Manager and evaluates it to determine whether the user should be allowed or denied access to the protected resource. Based on the policy evaluation, the Agent enforces the policy.
19. If the policy evaluation resulted in denying access, the user sees a message to that effect in the browser and cannot access the protected resource. If the policy evaluation resulted in allowing access, the user is shown the protected resource.
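The nineteen steps above are a protocol exchange between browser, Agent and Access Manager. The Python model below is an added example, not Sun's code; it drives a browser with one cookie jar keyed by cookie domain through those steps, and also reproduces two things the text describes: the non-stopping redirect loop when CDSSO is off, and the rejection of a CDSSO response whose ProviderID is not registered (Step 13). The host names, paths, user store, the PROVIDER_ID format and the LARES field names are constructed assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed names: Domain-1 hosts Access Manager, Domain-2 hosts the policy agent.
AM_DOMAIN, AGENT_DOMAIN = ".sun.com", ".hewitt.com"
AM_HOST, AGENT_HOST = "https://am.sun.com", "https://www.hewitt.com"
CDC_PATH, LOGIN_PATH = "/amserver/cdcservlet", "/amserver/UI/Login"
CDSSO_REDIRECT_URI = "/sunwCDSSORedirect/"
PROVIDER_ID = AGENT_HOST + "/"              # ProviderID the agent registered (assumed format)
USERS = {"alice": "s3cret", "carol": "pw"}  # constructed user store
MAX_HOPS = 8                                # bounds the redirect loop described in the intro


class Browser:
    """Cookie jar keyed by cookie domain; a cookie is presented only to hosts in that domain."""
    def __init__(self, creds):
        self.cookies, self.creds = {}, creds

    def cookie_for(self, url):
        host = urlsplit(url).hostname
        return next((v for d, v in self.cookies.items() if host.endswith(d)), None)


class AccessManager:
    def __init__(self):
        self.sessions = {}                  # ssotoken -> user

    def validate(self, token):              # steps 4/5 and 16
        return self.sessions.get(token)

    def _ensure_session(self, browser):
        """Steps 4-9: reuse a valid Domain-1 token, or authenticate and set one."""
        token = browser.cookie_for(AM_HOST)
        if self.validate(token) is None:
            user, password = browser.creds
            if USERS.get(user) != password:
                return None
            token = secrets.token_urlsafe(16)
            self.sessions[token] = user
            browser.cookies[AM_DOMAIN] = token      # step 9: cookie scoped to Domain-1
        return token

    def handle(self, browser, url):
        parts = urlsplit(url)
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        token = self._ensure_session(browser)
        if token is None:
            return ("deny", "login failed")
        if parts.path == LOGIN_PATH:                # conventional SSO: just bounce back to goto
            return ("redirect", query["goto"])
        # Step 11: cdcservlet wraps the token in a LARES form auto-posted to the agent
        lares = {"token": token, "ProviderID": query["ProviderID"], "goto": query["goto"]}
        return ("post", AGENT_HOST + CDSSO_REDIRECT_URI, lares)


class Agent:
    def __init__(self, am, cdsso=True):
        self.am, self.cdsso = am, cdsso
        self.providers = {PROVIDER_ID}              # registered Providers (step 13)
        self.policy = {"/protected": {"alice"}}     # constructed allow rule (steps 17-19)

    def handle(self, browser, url, post=None):
        path = urlsplit(url).path
        if path == CDSSO_REDIRECT_URI:              # step 13: CDSSO response from cdcservlet
            if post is None or post.get("ProviderID") not in self.providers:
                return ("deny", "provider validation failed")
            browser.cookies[AGENT_DOMAIN] = post["token"]   # same token, now for Domain-2
            return ("redirect", post["goto"])
        user = self.am.validate(browser.cookie_for(url))    # steps 15-16
        if user is None:                            # step 2: no usable token for this domain
            params = {"goto": url}
            if self.cdsso:
                params["ProviderID"] = PROVIDER_ID
            target = AM_HOST + (CDC_PATH if self.cdsso else LOGIN_PATH)
            return ("redirect", target + "?" + urlencode(params))
        allowed = user in self.policy.get(path, set())
        return ("ok", user) if allowed else ("deny", "policy")


def run(browser, agent, url):
    """Follow redirects and auto-posted forms as a browser would; return the final outcome."""
    post = None
    for _ in range(MAX_HOPS):
        host = urlsplit(url).hostname
        if host.endswith(AM_DOMAIN):
            result = agent.am.handle(browser, url)
        else:
            result = agent.handle(browser, url, post)
        post = None
        if result[0] == "redirect":
            url = result[1]
        elif result[0] == "post":
            url, post = result[1], result[2]
        else:
            return result
    return ("loop", url)                            # the non-stopping loop from the intro


if __name__ == "__main__":
    am = AccessManager()
    print(run(Browser(("alice", "s3cret")), Agent(am), AGENT_HOST + "/protected"))
    print(run(Browser(("alice", "s3cret")), Agent(am, cdsso=False), AGENT_HOST + "/protected"))
```

After a successful run the browser holds the same ssotoken value under two cookie domains, which is exactly the state Step 14 describes; with cdsso=False the Agent and Access Manager bounce the browser between each other until MAX_HOPS is exhausted.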

Configuring the Web Policy Agent for CDSSO

CDSSO processing properties in the AMAgent.properties file:
com.sun.am.policy.agents.config.cdsso.enable=true
com.sun.am.policy.agents.config.cdcservlet.url = https://xxxx.sun.com/amserver/cdcservlet
com.sun.am.policy.agents.config.cookie.domain.list=.hewitt.com

The URL /amserver/cdcservlet points to the CDC servlet on Access Manager. The Access Manager protocol, host and port are provided during the agent installation, and the cdcservlet.url property is typically added by the agent installer.
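A consistency check for those three properties, added here as an example and not part of the agent or of this post: it parses the excerpt above with a minimal .properties reader and flags the mismatches that would keep CDSSO from working (CDSSO disabled, a cdcservlet URL that is not the CDC servlet, or a cookie.domain.list that does not cover the agent's own host). The agent host passed in and the wording of the findings are my assumptions.

```python
from urllib.parse import urlsplit

# The three CDSSO properties exactly as listed above (xxxx.sun.com is the page's placeholder host)
SAMPLE_PROPERTIES = """\
com.sun.am.policy.agents.config.cdsso.enable=true
com.sun.am.policy.agents.config.cdcservlet.url = https://xxxx.sun.com/amserver/cdcservlet
com.sun.am.policy.agents.config.cookie.domain.list=.hewitt.com
"""
PREFIX = "com.sun.am.policy.agents.config."


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key = value', '#'/'!' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_cdsso(props, agent_host):
    """Return a list of findings; an empty list means the CDSSO settings look consistent."""
    findings = []
    if props.get(PREFIX + "cdsso.enable", "false").lower() != "true":
        findings.append("cdsso.enable is not true: the agent will redirect to the login URL, not the cdcservlet")
    url = urlsplit(props.get(PREFIX + "cdcservlet.url", ""))
    if url.scheme != "https":
        findings.append("cdcservlet.url does not use https")
    if url.path != "/amserver/cdcservlet":
        findings.append("cdcservlet.url path is not /amserver/cdcservlet")
    domains = [d.strip() for d in props.get(PREFIX + "cookie.domain.list", "").split(",") if d.strip()]
    if not domains:
        findings.append("cookie.domain.list is empty: the agent cannot set the Domain-2 cookie")
    elif not any(d.startswith(".") and agent_host.endswith(d) for d in domains):
        findings.append(f"no entry in cookie.domain.list covers the agent host {agent_host}")
    return findings


if __name__ == "__main__":
    for finding in check_cdsso(parse_properties(SAMPLE_PROPERTIES), "www.hewitt.com") or ["ok"]:
        print(finding)
```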
