Single Sign-On in O3

O3's Single sign-on is performed through the use of CAS.

This functionality is enabled by default as a Tomcat Valve inside the JBoss. This valve intercepts the login and manages it through CAS.

This Valve is defined in the file <O3>/jboss/server/default/deploy/jbossweb-tomcat55.sar/server.xml

<!-- CAS SSO -->
<Valve className="com.ideasoft.sso.cas.tomcat.CASSingleSignOnValve"
    debug="0"
    filteredApps="/o3process,/o3portal,/o3planner,/liferay"/>

SSO between a web application (X) and O3 using tickets

What follows is an example of how to implement the SSO mechanism to prevent the system to request multiple logins in the same session

Details about the implementation:

• SSO based on tickets is used.
• Ticket must be generated by the application where the user logs in, and stored in a database.
  The only requirement about the database is that it should be accesible by the O3 Sesrver through a JDBC driver.
• Users must be defined in both applications (X and O3).
  Depending on the user repository configured for X, it might be possible to integrate it with O3's repository (i.e. LDAP), avoiding the duplication of users in two separate repositories.

How does this SSO mechanism work?

1. User logs into application X. When the user wishes to swith to O3 Portal, a new ticket is generated and stored in the database. (following are more details about the database schema to use).
2. When the application X provides a link to O3 Portal, this link should contain the ticket a part of the URL
3. O3 receives the ticket, queries the database to validate it and retrieve the username
4. O3 then eliminates the ticket from the database as soon as the user is validated.

Database

A table named SSO_TICKETS should exist with the following fields:

Expiration

The field Ticket_TS is used to validate the ticket. The data in this field is used by O3 to make sure that the ticket has not been created for more than the predefined lifetime for the tickets. The expiration time is defined with a parameter.

Characteristics of the ticket

The ticket can be any text but the following is advisable:

• The ticket should be unique, generally the time of the machine is used as part of the ticket to ensure that it is not repeted
• The ticket should be hard to generate, i.e. it should not be a sequential number that would allow a process to "guess" a valid value

There is a Java Class that could help generating this ticket. This class is java.rmi.server.UID

Configuración de SSO según la propuesta planteada.

Se debe de configurar una válvula que es la encargada de correr la lógica de verificación del ticket.
Para esto se debe de tener en cuenta los siguientes puntos:

• El siguiente código se agrega en el archivo jboss\server\default\deploy\jbossweb-tomcat55.sar\server.xml (ponerlo bajo el ejemplo de CAS SSO).

<Valve className="com.ideasoft.sso.cas.tomcat.DBSingleSignOnValve"
	debug="0"
	filteredApps="/o3portal"
	httpRedirect=http://www.ideasoft.biz
	httpRedirectError=http://www.ideasoft.biz
	dsName="java:/SSODS"
	expirationSeconds="86400"
	tableName="SSO_TICKETS">
</Valve>

• Se debe de sustituir el jar jboss\server\default\deploy\jbossweb-tomcat55.sar\is_sso_tomcat.jar por el adjunto.

• Ejemplo dataSource para una base Hypersonic (jboss\server\default\deploy\gserver\appX-hsql-ds.xml).

<?xml version="1.0" encoding="UTF-8"?>

<!-- ==================================================================== -->
<!--  Datasource config for Hypersonic SQL                                -->
<!-- ==================================================================== -->

<datasources>
	<local-tx-datasource>
		<jndi-name>SSODS</jndi-name>
		<connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
		<driver-class>org.hsqldb.jdbcDriver</driver-class>
		<user-name>sa</user-name>
		<password/>
		<!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
		<metadata>
			<type-mapping>Hypersonic SQL</type-mapping>
		</metadata>
	</local-tx-datasource>
</datasources>

En caso de que se trate de otra Base de Datos se debe de copiar el jar del driver en O3/jboss/server/default/lib y configurar el datasource con la url, driverClass, usuario y password adecuados.

• Script de creación de la tabla para Hypersonic.

create table SSO_TICKETS(Ticket Varchar(100) NOT NULL
	,Ticket_TS TIMESTAMP NOT NULL
	,UserName Varchar(50) NOT NULL
	,CONSTRAINT PK_SSO_TICKETS PRIMARY KEY(Ticket))

Problemas con CAS ejecutando detrás de un firewall

Cuando se utiliza O3 Portal detrás de un firewall puede ocurrir que luego de la pantalla de login aparezca una pantalla en blanco, esto es causado por un problema en el módulo de validación de CAS, que ocurre cuando el servidor no se puede conectar a si mismo con el nombre de host ingresado por el usuario en la URL del navegador.
Es decir que esto ocurre si el usuario accede a 'http://www.company.com/o3portal' y el servidor O3 no puede acceder al host www.company.com en el puerto 80.

Este problema se resuelve cambiando la declaración de la válvula de Tomcat por:

<!-- CAS SSO -->
<Valve className="com.ideasoft.sso.cas.tomcat.CASSingleSignOnValve"
    debug="0"
    casValidate="http://localhost:8080/cas/proxyValidate"
    filteredApps="/o3process,/o3portal,/o3planner,/liferay"/>

donde 8080 debe ser reemplazado por el puerto en el que está ejecutando Tomcat.

La válvula de Tomcat se encuentra definida en el archivo: <O3>/jboss/server/default/deploy/jbossweb-tomcat55.sar/server.xml