
Sunday, June 22, 2014

Sequence of steps to follow for implementing SSO

HOW DOES SSO WORK THEORETICALLY

Step 1 > The client issues the first request of the session (no user name, password or anything else attached).

Step 2 > The server reads it and says "I don't know who you are, bring me some identification" (technically it answers 401 with a WWW-Authenticate: Negotiate header).

Step 3 > Having received such a response, the browser contacts the AD domain controller (which runs the Kerberos KDC) and obtains a service ticket for the web server's service principal (SPN, e.g. HTTP/www.example.com). This only works if the user already holds a TGT from the Windows logon, the SPN is registered in AD, and the browser trusts the site for integrated authentication; otherwise many browsers silently fall back to NTLM inside the same Negotiate header.

Step 4 > The browser repeats the request to your web server, this time carrying the ticket (identification information, in security jargon) wrapped in a SPNEGO token in the Authorization: Negotiate header.

Step 5 > The web server reads and parses this ticket and checks that it is valid and really meant for it. Note that it does not need to talk to the Kerberos server for this: the ticket is encrypted with the service's own key, which the server holds in its keytab, so a correct decryption proves the KDC issued it and the client name inside can be trusted.

Step 6 > The web server lets the client in; the user name (principal) is available from the request, and you can store it in the HttpSession if you want.
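The exchange of steps 1 to 6 as seen from the web server, as an added example that is not code from the original post. The cryptographic check of the Kerberos ticket (step 5) needs the server's keytab and a GSS-API library (for instance python-gssapi's acceptor SecurityContext), so that one step is passed in as a callable; `toy_verify` below is a constructed stand-in for it. The 401 challenge, the header parsing and the distinction between a Kerberos/SPNEGO token and an NTLM fallback are real and run as written.

```python
"""Server side of the HTTP Negotiate exchange (added illustration, not from the post)."""
import base64
import re

# DER-encoded OID values that head a GSS-API InitialContextToken
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2        SPNEGO (RFC 4178)
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2 Kerberos V5 (RFC 4121)
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2  Microsoft Kerberos
NTLMSSP_MAGIC = b"NTLMSSP\x00"                     # NTLM messages are not GSS tokens at all

_NEGOTIATE_RE = re.compile(r"Negotiate\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def make_gss_token(mech_oid, inner):
    """Wrap `inner` in an RFC 2743 InitialContextToken (used only to build constructed samples)."""
    body = b"\x06" + _der_encode_length(len(mech_oid)) + mech_oid + inner
    return b"\x60" + _der_encode_length(len(body)) + body


def negotiate_header(raw):
    """The Authorization header value the browser sends in step 4."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


def classify_token(raw):
    """Name the mechanism of a decoded token: 'spnego', 'krb5', 'ntlm' or 'unknown'.

    Real browser tokens are a few hundred bytes, so their base64 starts with
    'YII' for SPNEGO and with 'TlRMTVNTUAAB' for an NTLM fallback.
    """
    if raw.startswith(NTLMSSP_MAGIC):
        return "ntlm"
    # InitialContextToken = [APPLICATION 0] (0x60) length, OID (0x06 length value), inner token
    if len(raw) < 2 or raw[0] != 0x60:
        return "unknown"
    try:
        _, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:
            return "unknown"
        oid_len, pos = _der_length(raw, pos + 1)
    except (IndexError, ValueError):
        return "unknown"
    oid = raw[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "krb5"
    return "unknown"


def toy_verify(raw):
    """Constructed stand-in for the keytab-backed GSS acceptor of step 5 (hypothetical).

    Treats the ticket as valid for our SPN iff it carries the marker below and
    returns the client principal; raises otherwise, like a real acceptor would.
    """
    if b"ticket-for-alice" not in raw:
        raise ValueError("ticket not valid for this service principal")
    return "alice@EXAMPLE.COM"


def handle_request(headers, verify_ticket=toy_verify):
    """One round at the web server. Returns (status, response headers, principal or None)."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, {"WWW-Authenticate": "Negotiate"}, None   # step 2: challenge
    m = _NEGOTIATE_RE.fullmatch(auth.strip())
    if m is None:
        return 400, {}, None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return 400, {}, None
    kind = classify_token(raw)
    if kind == "ntlm":
        # NTLM is not the KDC-backed SSO we wanted: re-challenge instead of silently accepting it.
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    if kind not in ("spnego", "krb5"):
        return 400, {}, None
    try:
        principal = verify_ticket(raw)                          # step 5
    except Exception:
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    return 200, {}, principal                                   # step 6: store principal in the session


if __name__ == "__main__":
    ticket = make_gss_token(SPNEGO_OID, b"\xa0\x03ticket-for-alice")   # constructed sample token
    print(handle_request({}))
    print(handle_request({"Authorization": negotiate_header(ticket)}))
    print(handle_request({"Authorization": negotiate_header(NTLMSSP_MAGIC + b"\x01\x00\x00\x00")}))
```

The NTLM branch is the check most people forget: a Negotiate header does not guarantee Kerberos, and a filter that hands every Negotiate token to a verifier that also accepts NTLM quietly downgrades the whole setup.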

Usually the web-server part is application specific, so it is implemented with a Java web filter; some configuration on the application server side may also be required.

Although we could implement all this ourselves, we'll probably prefer a third-party product (OpenSSO, CAS, etc.).
Things become complicated when your application spans many web servers, when you try to set up cross-domain authentication, and so forth.

I would recommend you take a look at CAS.

Its basic idea is to delegate the authentication-related work (which involves talking to Kerberos or whatever else) to a dedicated server: instead of talking to the Kerberos server directly, your web server redirects the user to the CAS server, which handles the authentication by itself and sends the user back with a service ticket that the web server then validates against CAS.

Technically, you drop in a couple of jars containing the web filter implementation, define your filter, deploy, set up the CAS server with the details of the available Kerberos server, and it should work :)
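The redirect flow just described, from the web server's side, as an added example (not code from the post and not the Jasig Java client): send the user to CAS, take the ticket CAS appends on the way back, and validate it over the back channel before trusting the user name. The host names, the ticket values and the XML replies are constructed; `sample_fetch` stands in for the HTTPS GET to the CAS server's /serviceValidate endpoint and returns those constructed CAS 2.0 protocol replies.

```python
"""Web-server (service) side of the CAS login/validate flow (added illustration, not from the post)."""
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # namespace used by CAS 2.0/3.0 responses

# Constructed sample replies keyed by service ticket (not real CAS output).
SAMPLE_RESPONSES = {
    "ST-1234-abc": (
        '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
        "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
        "<cas:attributes><cas:mail>jdoe@example.com</cas:mail></cas:attributes>"
        "</cas:authenticationSuccess></cas:serviceResponse>"
    ),
}
_FAILURE = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:authenticationFailure code="INVALID_TICKET">Ticket {} not recognized'
    "</cas:authenticationFailure></cas:serviceResponse>"
)


def sample_fetch(url):
    """Constructed stand-in for the back-channel HTTPS GET to the CAS server (hypothetical)."""
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    ticket = q.get("ticket", "")
    return SAMPLE_RESPONSES.get(ticket) or _FAILURE.format(ticket)


def service_url_without_ticket(request_url):
    """The `service` value must be byte-identical in /login and /serviceValidate,
    so strip the ticket parameter CAS appended on the way back."""
    p = urllib.parse.urlsplit(request_url)
    q = [(k, v) for k, v in urllib.parse.parse_qsl(p.query, keep_blank_values=True) if k != "ticket"]
    return urllib.parse.urlunsplit((p.scheme, p.netloc, p.path, urllib.parse.urlencode(q), ""))


def login_redirect_url(cas_base, service):
    return cas_base.rstrip("/") + "/login?" + urllib.parse.urlencode({"service": service})


def validate_url(cas_base, service, ticket):
    return cas_base.rstrip("/") + "/serviceValidate?" + urllib.parse.urlencode(
        {"service": service, "ticket": ticket})


def parse_validate_response(xml_text):
    """Parse a CAS 2.0 serviceValidate reply; return (user, attributes) or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS rejected ticket: %s %s" % (failure.get("code"), (failure.text or "").strip()))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed serviceResponse")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    if not user:
        raise ValueError("no user in serviceResponse")
    attrs = {c.tag.split("}", 1)[1]: (c.text or "").strip()
             for c in success.findall("cas:attributes/*", CAS_NS)}
    return user, attrs


def handle_request(request_url, cas_base, fetch=sample_fetch):
    """One request at the web server. Returns (status, headers, user or None)."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(request_url).query))
    service = service_url_without_ticket(request_url)
    ticket = params.get("ticket")
    if ticket is None:
        # No session yet: send the user to CAS, which authenticates (Kerberos, LDAP, ...)
        # and redirects back to `service` with ?ticket=ST-... appended.
        return 302, {"Location": login_redirect_url(cas_base, service)}, None
    try:
        user, _attrs = parse_validate_response(fetch(validate_url(cas_base, service, ticket)))
    except (ValueError, ET.ParseError):
        # Never trust the ticket parameter by itself: replayed, expired or foreign tickets end here.
        return 403, {}, None
    return 200, {}, user   # store `user` in the HttpSession; the ST is single-use and now consumed


if __name__ == "__main__":
    cas = "https://cas.example.com/cas"
    print(handle_request("https://app.example.com/secure/page", cas))
    print(handle_request("https://app.example.com/secure/page?ticket=ST-1234-abc", cas))
    print(handle_request("https://app.example.com/secure/page?ticket=ST-0000-nope", cas))
```

Two details matter for security here: the validation call goes server-to-server over HTTPS, so the user never gets to forge the "user" field, and the service URL passed to /serviceValidate is the same one used for /login, which is what stops a ticket issued for one application from being replayed against another.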


Implementing CAS in Java applications
https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

More to read >
https://wiki.jasig.org/display/CASUM/Home
http://blogs.xtivia.com/home/-/blogs/configuring-liferay-6-1-ee-as-saml-identity-provider-and-service-provider?p_p_auth=RyQYHIH7