JOSSO Architecture : Overview
JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed to provide a solution for centralized, platform neutral, user authentication and authorization.
JOSSO addresses web single sign-on based on these concepts:
- Pluggable framework: It provides a component-oriented infrastructure that supports creating and combining multiple authentication scheme, credential, and session stores. For example, supporting certificate-based authentication is only a matter of implementing an authentication scheme component and referencing it from the JOSSO configuration.
- Transparent integration: Partner web applications integrating to the single sign-on don't need any dependency with a proprietary API. JOSSO handles the whole authentication flow, leaving the identity of the user accessible to web applications and EJB components through the Servlet and EJB APIs, respectively.
- Cross-domain/Cross-organization SSO: It allows users to enter security credentials once and have their identity propagated across different domains and organizations.
- Cross-platform: It allows for the integration of Java and non-Java applications, such as PHP or Microsoft ASP applications. It uses the standard SOAP over HTTP as the standard communication layer to deliver this cross-platform feature.
- Commitment to open standards: The security infrastructure is based on JAAS, web services/SOAP, EJB, servlet/JSP and Struts standards.
JOSSO comprises three main elements:
- SSO Gateway: This represents the SSO server or Identity Provider and provides authentication services to users who need authentication with partner applications.
- SSO Agent: This represents the client of the SSO Gateway to which authentication requests are delegated on user protected resource access, managing the whole user authentication flow. The SSO Agent validates SSO sessions and obtains associated user information against the SSO Gateway web services using the SOAP protocol.
- Partner application: This represents a web application or Service Provider that uses SSO Gateway services to authenticate users.

Authentication Flow
The flow of a web application integrated to single sign-on through JOSSO is the following:
- The user requests a protected resource from a partner application.
- The SSO Agent protecting the partner application intercepts the request and, since it is unidentified, redirects the user to the single sign-on form on the SSO Gateway.
- The user enters his/her credentials; depending on the selected authentication scheme, the form may request either a username/password pair or an X.509 client certificate.
- The SSO Gateway processes the form submission, loads the user's credentials from the configured stores (e.g., LDAP, database) and checks their validity.
- If the credentials are valid, the user is authenticated and an SSO session token is generated and saved for his/her session in the session store. The user is then redirected back to the protected resource originally requested.
- The SSO Agent protecting the partner application intercepts the request, and using the SSO Gateway JAAS Login module, checks the validity of the session and obtains the authenticated subject from the SSO Gateway using SOAP.
- The SSO Gateway picks up the session identifier supplied from the session store and obtains the associated user information from the identity store.
- The SSO Agent introduces the authenticated subject returned by the SSO Gateway web service into the HTTP request and hands it to the target web application.
- The web application processes the HTTP request and may use the standard getUserPrincipal() and isUserInRole() calls on the HttpServletRequest instance to obtain the identity of the authenticated user and perform additional security checks.
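The following is an added toy model of the flow above, written for this page and not taken from JOSSO itself: an `SsoGateway` that authenticates users and keeps the session store, an `SsoAgent` that intercepts partner-application requests, validates the session token against the gateway (a direct call here, where real JOSSO uses SOAP) and injects the principal, and a partner application that only sees `get_user_principal()` and `is_user_in_role()`. The cookie name, the `back_to` parameter, the gateway URL and the user accounts are all constructed for the example; the point it adds beyond the prose is what the agent does with a missing, forged or expired token, which in every case is a redirect to the login form rather than an authenticated request.

```python
"""Toy model of the JOSSO web SSO flow (added illustration, not JOSSO code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional


@dataclass
class Principal:
    name: str
    roles: FrozenSet[str]


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    principal: Optional[Principal] = None  # set by the agent, read by the app

    # Stand-ins for HttpServletRequest.getUserPrincipal()/isUserInRole()
    def get_user_principal(self) -> Optional[Principal]:
        return self.principal

    def is_user_in_role(self, role: str) -> bool:
        return self.principal is not None and role in self.principal.roles


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


class SsoGateway:
    """Identity Provider: checks credentials, stores SSO sessions, resolves tokens."""

    def __init__(self, session_ttl: float = 300.0):
        # Constructed credential and identity stores (real JOSSO uses LDAP/DB stores)
        self._credentials = {"alice": "correct horse", "bob": "battery staple"}
        self._identity = {"alice": frozenset({"user", "admin"}), "bob": frozenset({"user"})}
        self._sessions: Dict[str, tuple] = {}  # token -> (username, expiry)
        self._ttl = session_ttl

    def login(self, username: str, password: str) -> Optional[str]:
        """Step 4-5: validate credentials; on success issue and store a session token."""
        expected = self._credentials.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = (username, time.monotonic() + self._ttl)
        return token

    def find_principal(self, token: str) -> Optional[Principal]:
        """Step 7: look the token up in the session store; unknown or expired -> None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if time.monotonic() >= expiry:
            del self._sessions[token]
            return None
        return Principal(username, self._identity[username])


class SsoAgent:
    """Intercepts partner-application requests and enforces authentication."""

    LOGIN_URL = "https://gateway.example/sso/login"  # constructed
    COOKIE = "SSO_SESSION"  # constructed cookie name

    def __init__(self, gateway: SsoGateway, app: Callable[[Request], Response]):
        self.gateway, self.app = gateway, app

    def handle(self, request: Request) -> Response:
        token = request.cookies.get(self.COOKIE)
        principal = self.gateway.find_principal(token) if token else None
        if principal is None:
            # Step 2 (and any bad token): redirect to the gateway's login form
            return Response(302, location=f"{self.LOGIN_URL}?back_to={request.path}")
        request.principal = principal  # Step 8: inject the authenticated subject
        return self.app(request)  # and hand the request to the partner application


def partner_app(request: Request) -> Response:
    """Step 9: the application relies only on the injected principal."""
    user = request.get_user_principal()
    if request.is_user_in_role("admin"):
        return Response(200, body=f"admin console for {user.name}")
    return Response(403, body=f"{user.name} lacks the admin role")


def demo() -> Dict[str, object]:
    gateway = SsoGateway()
    agent = SsoAgent(gateway, partner_app)
    results: Dict[str, object] = {}
    results["anonymous"] = agent.handle(Request("/admin")).status          # 302
    results["bad_password"] = gateway.login("alice", "wrong") is None      # True
    alice = gateway.login("alice", "correct horse")
    results["admin_user"] = agent.handle(Request("/admin", {agent.COOKIE: alice})).status  # 200
    bob = gateway.login("bob", "battery staple")
    results["plain_user"] = agent.handle(Request("/admin", {agent.COOKIE: bob})).status    # 403
    results["forged"] = agent.handle(Request("/admin", {agent.COOKIE: "not-a-token"})).status  # 302
    expired_gw = SsoGateway(session_ttl=-1.0)  # sessions expire immediately
    stale = expired_gw.login("alice", "correct horse")
    results["expired"] = SsoAgent(expired_gw, partner_app).handle(
        Request("/admin", {agent.COOKIE: stale})).status                   # 302
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the partner application never inspects the cookie or talks to the gateway; authentication is entirely the agent's responsibility, which is what the "transparent integration" point above amounts to in practice.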