Authenticating With CDSSO

The SSO mechanism described in Single Sign-On and Cross-Domain Single Sign-On can be used when IG and AM are running in the same domain. When IG and AM are running in different domains, AM cookies are not visible to IG because of the same-origin policy.

CDSSO using the CrossDomainSingleSignOnFilter, provides a mechanism to push tokens issued by AM to IG running in a different domain.

The following sequence diagram shows the flow of information between IG, AM, and the sample app during CDSSO. In this example, AM is running on am.example.com, and IG is running on ig.ext.com.

Flow of Information for CDSSO
Flow of Information for CDSSO

  • The browser sends an unauthenticated request to access the sample app.

  • IG intercepts the request, and redirects the browser to AM for authentication.

  • AM authenticates the user and creates a CDSSO token.

  • AM responds to a successful authentication with an HTML autosubmit form containing the issued token.

  • The browser loads the HTML and autosubmit form parameters to the IG callback URL for the redirect endpoint.

  • IG checks the nonce found inside the CDSSO token to confirm that the callback comes from an authentication initiated by IG. IG then constructs a cookie, and fulfills it with a cookie name, path, and domain, using the CrossDomainSingleSignOnFilter property authCookie. The domain must match that set in the AM J2EE agent.

  • IG redirects the request back to the original URI, with the cookie, and the browser follows the redirect back to IG.

  • IG validates the token it gets from the cookie. It adds the AM session info to the request, and stores the SSO token and CDSSO token in the contexts for use by downstream filters and handlers.

  • IG forwards the request to the sample app, and the sample app returns the requested resource to the browser.

Set Up CDSSO

This procedure gives an example of how to set up CDSSO, where AM on openam.example.com authenticates users that are processed by IG on openig.ext.com.

Before you start, prepare AM, IG, and the sample application as described in "Example Installation for This Guide".

  1. Set up AM:

    1. (For AM 6.5.x and earlier versions) Select Identities > demo, and set the demo user password to Ch4ng31t.

    2. Select Applications > Agents > Identity Gateway, add an agent with the following values:

      • Agent ID: ig_agent_cdsso

      • Password: password

      • Redirect URL for CDSSO: http://openig.ext.com:8080/home/cdsso/redirect

      The agent credentials are the only properties that are used by IG.

      1. Select Applications > Agents > Java (or J2EE).

      2. Add an agent with the following values:

        • Agent ID: ig_agent_cdsso

        • Agent URL: http://openig.ext.com:8080/agentapp

        • Server URL: http://openam.example.com:8088/openam

        • Password: password

      3. On the Global tab: Agent Configuration Change Notification: Deselect

        This option stops IG from being notified about agent configuration changes in AM, because they are not required by IG.

      4. On the SSO tab:

        • Cross Domain SSO: Deselect

        • CDSSO Redirect URI: /home/cdsso/redirect

    3. (For AM 6.5.3 and later versions) Select  Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:

      • http://openig.ext.com:8080/*

      • http://openig.ext.com:8080/*?*

    4. Select Configure > Global Services > Platform, and add example.com as an AM cookie domain.

      By default, AM sets host-based cookies. After authentication with AM, requests can be redirected to AM instead of to the resource.

  2. Set up IG:

    1. Set an environment variable for the IG agent password, and then restart IG: 

      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

    2. Add the following route to IG, to serve .css and other static resources for the sample application: 

      $HOME/.openig/config/routes/static-resources.json
      %appdata%\OpenIG\config\routes\static-resources.json
      {
  "name" : "sampleapp_resources",
  "baseURI" : "http://app.example.com:8081",
  "condition": "${matches(request.uri.path,'^/css')}",
  "handler": "ReverseProxyHandler"
}

    3. Add the following route to IG: 

      $HOME/.openig/config/routes/cdsso.json
      %appdata%\OpenIG\config\routes\cdsso.json
      {
  "name": "cdsso",
  "baseURI": "http://app.example.com:8081",
  "condition": "${matches(request.uri.path, '^/home/cdsso')}",
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "url": "http://openam.example.com:8088/openam",
        "realm": "/",
        "version": "7",
        "agent": {
          "username": "ig_agent_cdsso",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1",
        "sessionCache": {
          "enabled": false
        }
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "name": "CrossDomainSingleSignOnFilter-1",
          "type": "CrossDomainSingleSignOnFilter",
          "config": {
            "redirectEndpoint": "/home/cdsso/redirect",
            "authCookie": {
              "path": "/home",
              "name": "ig-token-cookie"
            },
            "amService": "AmService-1",
            "verificationSecretId": "verify",
            "secretsProvider": {
              "type": "JwkSetSecretStore",
              "config": {
                "jwkUrl": "http://openam.example.com:8088/openam/oauth2/connect/jwk_uri"
              }
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}

      Notice the following features of the route:

      • The route matches requests to /home/cdsso.

      • The agent password for AmService is provided by a SystemAndEnvSecretStore in the heap.

      • The property verificationSecretId is configured with a value. If this property is not configured, the filter does not verify the signature of signed access_tokens.

      • The JwkSetSecretStore specifies the URL to a JWK set on AM, that contains signing keys identified by a kid.

        The JwkSetSecretStore verifies the signature of the token when the value of a kid in the JWK set matches a kid in the the signed access_token.

        If the JWT doesn't have a kid, or if the JWK set doesn't contain a key with the same value, the JwkSetSecretStore looks for valid secrets with the same purpose as the value of verificationSecretId.

  3. Test the setup:

    1. If you are logged in to AM, log out and clear any cookies.

    2. Go to http://openig.ext.com:8080/home/cdsso.

      The CrossDomainSingleSignOnFilter redirects the request to AM for authentication.

    3. Log in to AM as user demo, password Ch4ng31t.

      When you have authenticated, AM calls /home/cdsso/redirect, and includes the CDSSO token.

      The CrossDomainSingleSignOnFilter then passes the request to sample app, which returns the profile page.

Read a different version of :