About this guide
Welcome to One Identity Single Sign-on for Java. This guide is intended for developers of Single Sign-on for Java solutions for integrated SSO applications who have a good knowledge of Java programming and a sound understanding of how Active Directory works.
|
|
Note: The term "Unix" is used informally in the Single Sign-on for Java documentation to denote any operating system that closely resembles the trademarked system, UNIX. |
Overview
As the use of distributed systems increases, users need to access resources that are remotely located. Traditionally, as a user of these remote resources, you have had to sign-on to each one of them in turn. Often, each resource you sign- on to requires a different username, password and authentication technique — as if you don’t already have enough passwords and identities to remember!
The much more friendly alternative to these arrangements is a single sign-on (SSO) system. On the ideal system of this kind, you need only authenticate once, and then have your authenticated identity securely carried across the network to reach all the resources you need to access.
Two trends in system development have now come together to make this ideal feasible:
- the extended use of the Java Enterprise Edition, (Java EE) for development work; and
- the widespread availability of Microsoft’s Active Directory system for user authentication.
Java EE is a platform for developing Internet, intranet and extranet applications. It provides a standardized architecture that makes reuse possible. Many enterprises have deployed Java EE applications.
In addition, many enterprises are moving to support a standardized authentication infrastructure. In particular, Microsoft's Active Directory provides an environment based on Kerberos and LDAP, supplying Identity Management services including SSO, a centralized store for identity information.
It makes a lot of sense to reuse this infrastructure where possible.
Unfortunately, however, Java EE alone does not provide tight integration with Kerberos, nor with the infrastructure provided by Microsoft’s Active Directory which is already deployed or being deployed in many organizations.
That is where One Identity Single Sign-on for Java comes into the picture.
Single Sign-on for Java fills the gap between development platform and operating system security. It provides SSO and access management for Java EE applications using Active Directory as their identity store.
It delivers an enterprise-wide method of identification and authorization that can be administered in a consistent and transparent manner.
It allows you access to information systems for which you are authorized — and only those systems.
Introducing Single Sign-on for Java
This section introduces the concepts involved in Single Sign-on for Java and its associated protocols.
- Introduction to Single Sign-on for Java
- About Kerberos
- About Active Directory
- SPNEGO and Internet Explorer
- Kerberos delegation extensions
- How does Single Sign-on for Java work
- Example domain
Introduction to Single Sign-on for Java
Single Sign-on for Java provides a mechanism for integrating Java EE applications into a Single Sign-on infrastructure, based on Active Directory.
Once deployed, it can be integrated with your application environment so that it sits between clients registered in your Active Directory system and the Active-Directory-registered services they want to access.
Importantly, all of this occurs without your Java application code having to concern itself with the complex issues of access details and permissions.
Single Sign-on for Java becomes the mediator in the processes of handling web browser information requests directed at your Java application servers, and in the checking of user identity and access rights for these requests. This is possible even when the browser requests may require a complex series or a chain of server accesses — for example, when a web page on one server offers email despatch services directed to another server and, perhaps also requests information from a protected database on a third server.
Without a centralized Single Sign-on system, different applications may require a series of user/password exchanges before access is given. With Single Sign-on for Java, the authorization process is conducted as part of the web browsing process: only one initial sign-on is needed, even where quite complex server requests are involved.
Single Sign-on for Java allows Java EE applications to authenticate users using Kerberos. To do this, it supports the SPNEGO protocol. And it can support “delegated” credentials to access other Kerberized services within an enterprise domain, as in cases of “chained” access requests.
Active Directory features such as groups and Active Directory sites are supported in a Single Sign-on for Java-based system, and existing groups and sites can be integrated into it. By specifying which users belong to which Active Directory groups, and which Active Directory groups are allowed to access an application, you can apply granular management of access control for large numbers of users.
Single Sign-on for Java uses Active Directory sites to support replication and failover.
By using the Single Sign-on for Java solution you will be able to provide:
- End-to-end authentication between users and backend services
- Authorization of users by using Active Directory groups
- Integration of Java EE applications in an Active Directory/Kerberos-based SSO environment
- A cross-platform solution which supports most operating systems and Java application servers
as well as:
- Delegation of credentials to selected services (S4U2Proxy), and
- Secure credentials for clients signing on from non-Kerberos authentication processes (S4U2Self)
where these are supported by your Active Directory host (Windows Server 2003 and higher).