Saturday, December 8, 2012

Single Sign On across Web Applications and Web Services

Here the requirement is to have a single sign on across Web application and Web Services. In more detail once the user is  authenticated to access a WepApp he should not only be able to access other WepApps but those WebApps also should be able to access a set of back-end services with the logged in user's access rights with no further authentication. Here the back-end services can also be configured to authorize the user based on different user claims (E.g. email).


In the situation we can assume:
•  trust relation between Identity Server and Resource Server (ESB Proxy),
•  trust relation between Identity Server and Resource Client (Web App)
The communications are:

  1. User connect to the Web App with is the “Resource Client”
  2. WebApp finds out user is not authenticated and redirects to the SAML2 IdP.
  3. SAML2 Idp checks whether the user has an authenticated session - if not will prompt for credentials, once authenticated there ,user will be redirected back to WebApp (Resource Client)  with a SAML token, with the set of claims requested by the WebApp.
  4. Now, the WebApp (Resource Client) needs to access a back-end web service with the logged in user's access rights. WebApp process the “SAML assertion token” and creates the STSToken from which it calls the Proxy Service (Resource server).
  5. Proxy Service (Resource server) checks the “SAML assertion token” and allows access to the backend Web Service.
This is tested with;
•  WSO2 Identity Server 4.0.0
•  WSO2 Enterprise Service Bus 4.5.1
•  Apache Tomcat 7.0.25
•  Apache Subversion 1.6.12
•  Apache Maven 3.2.3
•  Java 1.6.0_26
Steps,

Step 1,

Download and deploy WSO2 IS 4.0.0 from http://wso2.org/products/identity-server/

Step 2
Download WSO2 ESB 4.5.1 from http://wso2.com/products/enterprise-service-bus/.
When deploying ESB change the port offsets by 1, by editing

<ESB_HOME>/repository/conf/carbon.xml file, and change the Offset element as follows
<Offset>1</Offset>


Step 3,

Download and deploy Apache Tomcat

Step 4,
Checkout https://svn.wso2.org/repos/wso2/people/suho/sso-webapp-ws sso-webapp-ws
This contains all the artifacts needed for this sample

Step 5,
Setup WSO2 IS for SSO for Web Apps
  1. Login to IS
  2. Click SAML SSO from the management console
  3. Add SSO details

    For the avis.com WebApp
    Issuer: http://localhost:8081/avis.com/consumer
    Assertion Consumer URL: http://localhost:8081/avis.com/consumer
    Check “Enable Attribute Profile” and add the following claims
              http://wso2.org/claims/givenname
              http://wso2.org/claims/emailaddress
    For the travelocity.com WebApp
    Issuer: http://localhost:8081/travelocity.com/consumer
    Assertion Consumer URL: http://localhost:8081/travelocity.com/consumer
    Check “Enable Attribute Profile” and add the following claims
              http://wso2.org/claims/givenname
              http://wso2.org/claims/emailaddress
    When successfully added you will get Consumer Index for each entry

    Now the SSO setup in the WSO2 IS is done.

Step 6,
Configuring the WebApps
  1. You can add these by editing the war file or edit in the src-dist and build that.
  2. Edit the WEB-INF/web.xml of each WebApp and add the appropriate “Consumer Index” returned by the WSO2IS as the param-value for AttributeConsumingServiceIndex.
  3. Edit the WEB-INF/classes/filepath.properties of each WebApp and add the appropriate
    properties. You can find all the necessary files in the resources directory.
    E.g.
    keystore.file=/<path>/sso-webapp-ws/resources/keystore/wso2carbon.jks
    repo.directory=/<path>/sso-webapp-ws/resources/repo
    bearerpolicy.file=/<path>/sso-webapp-ws/resources/bearer-policy.xml
    service.endpoint=http://localhost:8281/services/echoProxy

Step 7,
Add the proxy service
  1. Login to ESB
  2. Click on Add Proxy Service from the management console
  3. Create a Pass Through Proxy
  4. Add the proxy name and endpoint
    Proxy Service Name: echoProxy
    Target Endpoint: “Enter URL”
    Target URL: http://localhost:8281/services/echo
    And click “Create”

    Here the echo service (Endpoint service) is deployed on ESB by default

Step 8,
Add the policy to the registry to secure the Proxy Service

  1. Click on Registry from the ESB management console
  2. Navigate to /_system/config/repository and click on the repository
  3. Under “Entries” click on the add recourses to add policy file
  4. Now browse and add the bearer-policy.xml. This will be in the resources folder you
    checked out. Click “Add” to add the file.

Step 9,
Securing the proxy service
  1. Click on List under services from the ESB management console, and click on “Unsecured” link next to the echoProxy service entry.
  2. Select “yes”
  3. From the “Policy From Registry” section, click in Configuration registry to add policy from the cofig registry.
  4. Browse for the added “bearer-policy.xml” and click “OK”
  5. Click “Next”, then click on the “admin” and “wso2carbon.jks” checkboxes, select the private key store as “wso2carbon.jks” and click on “Finish” to Activate Security.
Step 10,
Deploy the webapps in Tomcat

Step 11,
  1. Enter following in the redirected page
    User Name: admin
    Password: admin

    With successful login you will be redirected to the home page, where the Web App will be call the proxy using the “SAML assertion token” received at the SSO login.
  2. With successful login at the Proxy Service you will get the following page
    Note: Here the Web Service Response will be as “Hi WSO2”
  3. If the login at the Proxy Service fails you will get the following page
    Note: Here the Web Service Response will be as “’Hi WSO2’ expected but, no response from the web service”

I would like to thank the WSO2 forks; Suresh AttanayakePrabath Siriwardena, & Balachandiran Ajanthan for helping me on this.