Difference between revisions of "Stardust/Knowledge Base/Security/Single Sign-on/SSO and Secure Communication with Stardust using Kerberos"


Latest revision as of 05:49, 28 June 2013

Introduction

This article explains how the Kerberos protocol can be used for SSO and secure communication with Stardust. For details on how Kerberos works and how to implement it in Java, see the article SSO using JAAS and GSS API with Apache DS and Kerberos. You must read that article on SSO to understand the rest of the sections here. It is also assumed that you already know the various ways Stardust offers to integrate with other systems.


SSO and Secure Communication with Stardust using Kerberos Protocol

There can be many scenarios where one can use Kerberos to implement SSO and/or secure communication with other/remote systems. Here I will explain how Stardust can use Kerberos to authenticate users and propagate the Kerberos tokens to a remote system to achieve SSO and/or secure communication.


As we already know, Stardust offers various ways to integrate with existing systems. The most common are the WS Application type, the Session Bean Application type, and Spring Remoting. For this article, consider that a user is already logged into the Stardust application and we need to execute a service on another remote system on behalf of the logged-in user. We want the user's authentication data (not the user id and password, but the Kerberos token for the already authenticated user) to be passed to the remote system. We also want all communication between the Stardust application and the remote system to be secure end to end. In other words, we want both SSO and secure communication here.

So, you can follow the steps below to achieve SSO and secure communication:

1. Implement the Stardust custom login provider with JAAS and JDK Krb5LoginModule login module. For details on setting up KDC, refer to the article SSO using JAAS and GSS API with Apache DS and Kerberos.

2. From step 1, you will have authenticated the user against the KDC and initialized a GSSContext for communication with the remote system.

3. Now, you can use the initialized GSSContext to get the Kerberos token (containing authentication data and cryptographic keys). Then, send it to the remote system for verification.

4. Once the token sent by the client (the Stardust application, in this case) is validated and accepted by the server (the remote system), both sides will have established a secure session with cryptographic keys exchanged for secure remote communication. Here, acceptance of the Kerberos token by the remote system means acceptance of the user's authentication. In other words, this is SSO.

5. After step 4, encrypted messages can be sent in either direction (once or multiple times) using the wrap and unwrap methods of GSSContext. Again, for details on how to encrypt and decrypt the messages, see the article SSO using JAAS and GSS API with Apache DS.


Note that the above steps do not assume anything about the integration methodology used. It can be any communication protocol or technology, as long as it allows the Kerberos token to be passed between the two systems.
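The following is an added example, not code from the Stardust project, showing steps 2 to 5 above with the GSS-API classes from org.ietf.jgss: the initiator builds the context and token, the acceptor verifies it, and the payload is then sent through wrap and unwrap. It assumes both methods run inside Subject.doAs after a Krb5LoginModule login (step 1); the service principal name is a placeholder, and in a real deployment the acceptor side runs in the remote system under its own service credential rather than in the same JVM.

```java
import java.nio.charset.StandardCharsets;
import org.ietf.jgss.*;

// Added example (not Stardust's own code): steps 2-5 of the article.
// Call these from inside Subject.doAs(...) after the Krb5LoginModule login of step 1.
public class KerberosGssExchange {
    static final String SERVICE = "remote-service@remote.example.com"; // placeholder host-based SPN

    // Steps 2-3: initiator context. A null credential means "use the TGT that
    // Krb5LoginModule placed in the current Subject".
    static GSSContext newInitiator(GSSManager mgr) throws GSSException {
        GSSName target = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        GSSContext ctx = mgr.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // the remote system must prove its identity as well
        ctx.requestConf(true);       // ask for confidentiality on wrap()
        ctx.requestInteg(true);      // ask for integrity on wrap()
        return ctx;
    }

    // Steps 3-4: pass tokens back and forth until both contexts are established.
    // With mutual auth this is AP-REQ from the initiator, AP-REP back from the acceptor.
    static void establish(GSSContext initiator, GSSContext acceptor) throws GSSException {
        byte[] token = new byte[0];
        while (!initiator.isEstablished() || !acceptor.isEstablished()) {
            if (!initiator.isEstablished())
                token = initiator.initSecContext(token, 0, token.length);
            if (token != null && token.length > 0 && !acceptor.isEstablished())
                token = acceptor.acceptSecContext(token, 0, token.length); // verifies the ticket
        }
    }

    // Step 5: wrap on one side, unwrap on the other, and refuse a message that
    // arrived without encryption even though confidentiality was requested.
    static byte[] sendEncrypted(GSSContext from, GSSContext to, String msg) throws GSSException {
        MessageProp prop = new MessageProp(0, true); // default QOP, privacy requested
        byte[] plain = msg.getBytes(StandardCharsets.UTF_8);
        byte[] wrapped = from.wrap(plain, 0, plain.length, prop);
        byte[] received = to.unwrap(wrapped, 0, wrapped.length, prop); // prop now reflects what was applied
        if (!prop.getPrivacy()) throw new GSSException(GSSException.BAD_QOP);
        return received;
    }
}
```

For a local test the acceptor is `mgr.createContext((GSSCredential) null)` created in a Subject that holds the service's keytab credential; `establish(client, server)` followed by `sendEncrypted(client, server, "...")` then exercises the whole exchange.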