Single Sign-On for Java 3.3.2 - Administration Guide


Create the main body of the policy XML file

Place all your policy definitions inside <policy> tags:

    <policy>
        <!-- Define your policy entries inside the element -->
    </policy>

Define security constraints

For each set of resources identified, you need to define a <security-constraint> that maps these resources to the roles you wish to allow access.

For example:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customer files</web-resource-name>
            <description>Resources that may be accessed by customers</description>
        </web-resource-collection>
    </security-constraint>

You can define one or more security constraints, and they can map to multiple resources and roles.

Note: If you previously defined security constraints in your deployment descriptor, you can copy them directly into the policy file.

Define roles

You have two options for defining roles:

  • Set the idm.access.groupsAsRoles option in the SSO Servlet/Filter configuration. For each role in a security constraint you should ensure there is a group defined in Active Directory of the same name.
  • Define one or more <role> elements that map the roles you have specified to Active Directory groups/principals.

Either option can be used. However, if you are using programmatic security, we recommend defining the roles directly in the policy file (see Single Sign-on for Java authorization), because group membership is then resolved by querying Active Directory at load time rather than at run time.

If you are using the idm.access.groupsAsRoles option, we recommend defining Domain Local groups specific to your application in the same domain as the application server.

To define a role mapping to Active Directory groups using the role element, do the following:

    <role name="Customer">
        <group name="My Application Customers"/>
    </role>

Note: Group names are case-sensitive.

More examples of the role element are given in Examples.
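The following complete policy file, an added example rather than one from the guide, brings the two fragments above together: the role name referenced by each security constraint is resolved through a role element to an Active Directory group. The url-pattern values, the Administration constraint and the Administrator role and group are constructed for illustration; the url-pattern and auth-constraint elements follow the deployment-descriptor layout the guide says can be copied in unchanged.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example policy file. Paths, the second constraint and the
     Administrator role/group are assumptions, not values from the guide. -->
<policy>

  <!-- Customer-facing pages. The role-name must match a <role> below, or,
       when idm.access.groupsAsRoles is set, an AD group of the same name. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer files</web-resource-name>
      <description>Resources that may be accessed by customers</description>
      <url-pattern>/customers/*</url-pattern>   <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>Customer</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- A second, more restrictive constraint for administrative pages;
       several constraints may coexist in one policy. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>       <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Role mappings, resolved against Active Directory when the policy is
       loaded. Group names are case-sensitive. -->
  <role name="Customer">
    <group name="My Application Customers"/>
  </role>
  <role name="Administrator">
    <group name="My Application Administrators"/>  <!-- assumed group -->
  </role>

</policy>
```

A request whose authenticated user is not a member of the mapped group for a matching constraint is denied, so keeping the group names in the policy aligned with the Active Directory groups (including case) is the first thing to check when access is unexpectedly refused.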

Set the deployment descriptor parameters

Edit the deployment descriptor (web.xml) file using either a standard text editor, or a tool supplied by your application server vendor. Add the following parameters to your SSO Servlet/Filter configuration:





Where policy.xml is replaced with the name of your policy file.
