portals-jetspeed-dev mailing list archives

From Roger Ruttimann <roger...@apache.org>
Subject [J2] Proposal Single Sign-on feature
Date Fri, 24 Sep 2004 22:21:01 GMT
The following proposal describes how J2 handles single sign-on (SSO). I 
gathered ideas from several people and the proposal below came together 
with input from Randy Watler and David Taylor.

Introduction
----------------
Since a user is logged in to the portal he/she should never be asked 
to log in again to see any content. Web portlets or IFrame portlets which 
refer to external (to the Web Portal) sites might be only visible after 
a login (if the target site requires authentication). This behavior can 
be annoying, especially if the portal integrates different applications 
that all require authentication.

Proposal
------------
The J2 framework will be extended with a component (SSOCredentials) that 
does a lookup in the database to find credentials for a site (url) and a 
jetspeed user. The credentials could be assigned to a user, group or a 
role (Priority needs to be defined like User, Group, Role or better 
order should be customizable).

For the first implementation two modes will be supported:

Username/password (HTTP Post)
--> Portlets (IFrame, Webpage) will call into SSOCredentials with the 
site (url) and the principal. The returned credentials can be used to 
add them as parameters to the URL.

Basic Authentication (HTTP Basic Authentication)
--> Since many sites use Basic Authentication another API updates the 
request so that it uses BasicAuthentication with the credentials 
returned by the lookup (site, principal).

At a later stage the SSOCredential API could be extended with 
certificates and cookie based authentication.

Implementation
--------------------
The credentials for the site can be entered in two ways:

--> If a user tries to access a secured site (lookup in SSOCredentials 
API fails) a dialog will pop up and ask if the credentials for that site 
should be stored in the SSO credentials table. For any future requests 
the credentials will be found by the lookup.

--> Using the SSO Admin portlet. This is necessary for assigning 
credentials to groups and roles and to update or clean credentials.

Planning
------------
I plan to start working on the SSO implementation a.s.a.p.

Any comments/suggestions are highly appreciated.
Roger
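
The lookup described in the proposal, sketched as an added example that is not part of the original message or of Jetspeed's code: credentials are resolved for a (site, principal) pair in a configurable User/Group/Role order and turned into an HTTP Basic Authentication header. All class, record and method names are hypothetical, and the site and credentials are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

// Added illustration; every name here is hypothetical, not Jetspeed's API.
public class SsoLookupExample {
    enum Scope { USER, GROUP, ROLE }
    record Principal(Scope scope, String name) {}
    record Credential(String username, char[] password) {}
    record Key(String site, Principal principal) {}

    // Stand-in for the SSO credentials table: (site, principal) -> credential.
    private final Map<Key, Credential> table = new HashMap<>();
    private final List<Scope> order;   // customizable priority order

    SsoLookupExample(List<Scope> order) { this.order = List.copyOf(order); }

    void store(String site, Principal p, Credential c) { table.put(new Key(site, p), c); }

    // First match in priority order wins; empty means the lookup failed
    // and the portlet would fall back to asking the user.
    Optional<Credential> lookup(String site, Collection<Principal> subject) {
        for (Scope s : order)
            for (Principal p : subject)
                if (p.scope() == s && table.containsKey(new Key(site, p)))
                    return Optional.of(table.get(new Key(site, p)));
        return Optional.empty();
    }

    // Authorization header value for HTTP Basic Authentication (RFC 7617).
    static String basicAuthHeader(Credential c) {
        if (c.username().contains(":"))   // a colon would shift the user/password split
            throw new IllegalArgumentException("username must not contain ':'");
        String pair = c.username() + ":" + new String(c.password());
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        SsoLookupExample sso = new SsoLookupExample(List.of(Scope.USER, Scope.GROUP, Scope.ROLE));
        String site = "https://intranet.example.test/reports";   // constructed sample data
        sso.store(site, new Principal(Scope.ROLE, "staff"), new Credential("shared", "role-pw".toCharArray()));
        sso.store(site, new Principal(Scope.USER, "alice"), new Credential("alice", "user-pw".toCharArray()));
        List<Principal> alice = List.of(new Principal(Scope.ROLE, "staff"), new Principal(Scope.USER, "alice"));
        List<Principal> bob = List.of(new Principal(Scope.ROLE, "staff"));
        // alice resolves to her own entry, bob to the role entry, an unknown site to nothing.
        System.out.println(sso.lookup(site, alice).map(SsoLookupExample::basicAuthHeader).orElse("prompt"));
        System.out.println(sso.lookup(site, bob).map(SsoLookupExample::basicAuthHeader).orElse("prompt"));
        System.out.println(sso.lookup("https://other.example.test/", alice).isPresent());
    }
}
```

Base64 in the Basic header is an encoding, not encryption, so the replayed credential is only as protected as the transport to the target site and the storage of the credentials table.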
