SSO with Windows credentials on JOSSO server


I'm currently trying to extend our SSO solution. My company uses a JOSSO server, which runs on Tomcat, to enable single sign-on for users. Now I want to use the users' Windows credentials to log in to the JOSSO server automatically. I've researched various means, i.e. Kerberos, SPNEGO and Windows Integrated Authentication, but I have no clue how they work together.

Could anyone tell me which physical components I need and roughly how they communicate with each other?

Andreas Covidiot

The physical components and how they work together should be visible here:

http://www.josso.org/confluence/display/JOSSO1/Architecture+Overview


Since Kerberos is mixed with NTLM in Windows

https://en.wikipedia.org/wiki/NT_LAN_Manager#Availability_and_use_of_NTLM

Microsoft has added the NTLM hash to its implementation of the Kerberos protocol to improve inter-operability

it may not be obvious from the usage which actual SSO technology runs underneath.

You should be happy with the following pages, e.g.:

  1. http://www.josso.org/confluence/display/JOSSO1/Windows+Authentication+Setup

Testing Windows Authentication: Log in to a Windows workstation associated with the Active Directory domain using the previously created account (i.e. user1). Open an Internet Explorer instance and access a JOSSO-protected resource URL. You should be granted access to the protected resource transparently, without any prompt for username and password.

  2. http://www.josso.org/confluence/display/JOSSO1/Setup+JOSSO+Agent+%28SP%29

Normally you will install an agent in each container that will host SSO partner applications. For example, if you have applications deployed on Tomcat and JBoss, you will have to install an agent in each container. Agents are part of the Service Provider (partner application) runtime environment.

  3. e.g. (depending on the web container selected on the previous page) http://www.josso.org/confluence/display/JOSSO1/Setup+JOSSO+Agent+-+Tomcat+6.0

Using this configuration you can set:

  - The Gateway Login URL, where the Single Sign-On Agent will redirect the user on a protected resource access request so that he can authenticate.
  - The Gateway Logout URL, where the Single Sign-On Agent will redirect the user on a logout request.
  - The concrete Service Locator to be used to invoke the services of the Single Sign-On Gateway.
  - The Single Sign-On partner applications. This configuration file defines only one partner application, associated with the /partnerapp web context. This means that the web application associated with the /partnerapp web context will be put behind the Single Sign-On. You can define other partner applications.
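The answer's point that "it may not be obvious from the usage which actual SSO technology runs underneath" has a practical check: the `Authorization` header the browser sends back after the gateway's `WWW-Authenticate: Negotiate` challenge tells you whether Kerberos or NTLM is actually in play. The script below is an added example (not part of the answer above and not JOSSO code): it decodes the header and walks the outer GSS-API/SPNEGO DER structure to read the mechanism list. The three sample headers are constructed inline so the example runs offline; a real token would be taken from an HTTP trace of the JOSSO gateway request. The `build_spnego_init` helper exists only to fabricate those samples.

```python
import base64

# DER-encoded OID values (without the 0x06 tag/length) as they appear on the wire.
SPNEGO = bytes.fromhex("2b0601050502")                 # 1.3.6.1.5.5.2
OID_NAMES = {
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",     # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",      # 1.3.6.1.4.1.311.2.2.10
}
NTLM_TYPES = {1: "NEGOTIATE_MESSAGE", 2: "CHALLENGE_MESSAGE", 3: "AUTHENTICATE_MESSAGE"}


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def classify_token(token: bytes) -> str:
    """Name the mechanism carried by a raw NTLMSSP or GSS-API/SPNEGO token."""
    if token.startswith(b"NTLMSSP\x00"):
        msg_type = int.from_bytes(token[8:12], "little")
        return f"NTLM (raw NTLMSSP {NTLM_TYPES.get(msg_type, 'unknown')})"
    if not token or token[0] != 0x60:           # [APPLICATION 0] InitialContextToken
        return "unknown token format"
    _, body, _ = _read_tlv(token, 0)
    _, mech_oid, pos = _read_tlv(body, 0)       # first element is the mechanism OID
    if mech_oid in OID_NAMES:
        return f"{OID_NAMES[mech_oid]} (raw GSS-API token, no SPNEGO wrapper)"
    if mech_oid != SPNEGO:
        return "unknown GSS-API mechanism"
    tag, neg, _ = _read_tlv(body, pos)          # NegotiationToken
    if tag != 0xA0:                             # [0] NegTokenInit; [1] would be NegTokenResp
        return "SPNEGO NegTokenResp (mechanism chosen earlier in the exchange)"
    _, seq, _ = _read_tlv(neg, 0)               # NegTokenInit SEQUENCE
    tag, ctx, _ = _read_tlv(seq, 0)             # [0] mechTypes
    if tag != 0xA0:
        return "SPNEGO NegTokenInit without mechTypes"
    _, mech_list, _ = _read_tlv(ctx, 0)         # SEQUENCE OF OID, preferred mechanism first
    names, p = [], 0
    while p < len(mech_list):
        _, oid, p = _read_tlv(mech_list, p)
        names.append(OID_NAMES.get(oid, oid.hex()))
    return f"{names[0]} via SPNEGO (offered: {', '.join(names)})"


def classify_authorization(header_value: str) -> str:
    """Classify the value of an HTTP Authorization (or WWW-Authenticate) header."""
    scheme, _, data = header_value.strip().partition(" ")
    if not data:
        return f"{scheme}: challenge only, no token yet"
    return classify_token(base64.b64decode(data))


# --- constructed sample data for this example (not captured from a real deployment) ---
def build_spnego_init(mechs, mech_token: bytes) -> bytes:
    """Fabricate a SPNEGO NegTokenInit offering `mechs` with an optimistic mechToken."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, m) for m in mechs)))
    opt_token = _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _der(0x06, SPNEGO) + _der(0xA0, _der(0x30, mech_types + opt_token)))


KRB5 = bytes.fromhex("2a864886f712010202")
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")
NTLM_NEGOTIATE = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24  # dummy fields
SAMPLES = {
    "kerberos":       "Negotiate " + base64.b64encode(build_spnego_init([KRB5, NTLMSSP_OID], b"constructed-ap-req")).decode(),
    "ntlm_in_spnego": "Negotiate " + base64.b64encode(build_spnego_init([NTLMSSP_OID], NTLM_NEGOTIATE)).decode(),
    "raw_ntlm":       "NTLM " + base64.b64encode(NTLM_NEGOTIATE).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:15} -> {classify_authorization(header)}")
```

If the first mechanism offered is NTLMSSP rather than Kerberos, the workstation could not obtain a service ticket for the gateway, which in practice usually means the HTTP/<gateway-hostname> SPN is not registered on the account JOSSO runs as, or the browser does not treat the gateway URL as an intranet site; the login still "works" transparently, but over NTLM, without Kerberos' mutual authentication.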