
SSO and Secure Communication with IPP using Kerberos

Introduction

This article explains how Kerberos can be used for SSO and secure communication with IPP. For details on how the Kerberos protocol works and how to implement it in Java using JAAS and GSS, see the article Implementing SSO using JAAS and GSS API with Apache DS and Kerberos; it is a must read for understanding this article.


SSO and Secure Communication with IPP using Kerberos Protocol

There can be many scenarios. Here I will explain how IPP can use Kerberos to authenticate users and propagate the Kerberos tokens to a remote system, achieving both SSO and secure communication.

As we already know, IPP can integrate with other systems in various ways; the most common are the WS Application type, the Session Bean Application type, Spring Remoting, and so on. So for this article, consider that a user is already logged into IPP and we need to execute a service on another remote system on behalf of the logged-in user. We want the user's authentication data (not the user id and password, but the Kerberos token for the already authenticated user) to be passed to the remote system, and we want all communication between IPP and the remote system to be end-to-end secure. In other words, we want SSO and secure communication.
Follow the steps below to achieve SSO and secure communication:


1. Implement a custom login provider with JAAS, using the JDK Krb5LoginModule as the login module. For details on setting up the KDC, refer to the article Implementing SSO using JAAS and GSS API with Apache DS.
2. After step 1 you will have authenticated the user against the KDC and obtained an initialized GSSContext for communication with the remote system. This is your SSO.
3. Now use the GSSContext from step 1 to get the Kerberos token (containing authentication data and cryptographic keys) and send it to the remote system, which verifies it and establishes a session.
4. Once the token sent by the client (IPP in this case) is validated by the server, both IPP and the remote system have an established secure session, with cryptographic keys exchanged for secure remote communication.
5. After step 4, encrypted messages can be sent in either direction (once or multiple times). Again, for details on how to encrypt and decrypt the messages, see the article Implementing SSO using JAAS and GSS API with Apache DS.
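The client (IPP) side of steps 1 to 5 in Java, as an added example that is not from the original article or the Stardust code base. It assumes a JAAS configuration entry that names Krb5LoginModule, a host-based service principal for the remote system, and a `Transport` interface (hypothetical) that carries bytes to the remote system and returns its reply.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

/** Client side of the five steps: JAAS login, GSS context establishment, wrapped messages. */
public class KerberosSsoClient {
    // Hypothetical transport to the remote system (WS, session bean, Spring Remoting, ...).
    public interface Transport { byte[] exchange(byte[] data) throws Exception; }
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
    // jaasEntry: name of the JAAS login entry using Krb5LoginModule (assumed to exist).
    // servicePrincipal: "service@host" form of the remote system's principal (assumed).
    public static GSSContext establish(String jaasEntry, String servicePrincipal, Transport t) throws Exception {
        // Step 1: authenticate the user against the KDC; the TGT ends up in the Subject.
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        Subject subject = lc.getSubject();
        // Step 2: all GSS work runs as the authenticated Subject so the TGT is available.
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSContext>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName peer = manager.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE, KRB5_MECH);
            GSSContext ctx = manager.createContext(peer, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true); // also verify the remote system, not only ourselves
            ctx.requestConf(true);       // confidentiality for later wrap() calls
            ctx.requestInteg(true);      // integrity protection on every message
            // Steps 3 and 4: send the Kerberos token and loop until the context is established.
            byte[] token = new byte[0];
            while (!ctx.isEstablished()) {
                token = ctx.initSecContext(token, 0, token.length);
                if (token != null && token.length > 0) token = t.exchange(token); // server reply
                if (token == null) token = new byte[0];
            }
            return ctx;
        });
    }
    /** Step 5, sending side: encrypt and integrity-protect one message. */
    public static byte[] wrap(GSSContext ctx, byte[] plaintext) throws Exception {
        MessageProp prop = new MessageProp(0, true); // QOP 0, privacy (encryption) requested
        return ctx.wrap(plaintext, 0, plaintext.length, prop);
    }
    /** Step 5, receiving side: decrypt and refuse messages that arrived without encryption. */
    public static byte[] unwrap(GSSContext ctx, byte[] wrapped) throws Exception {
        MessageProp prop = new MessageProp(0, false);
        byte[] plain = ctx.unwrap(wrapped, 0, wrapped.length, prop);
        if (!prop.getPrivacy()) throw new SecurityException("message was not encrypted");
        return plain;
    }
}
```

The same `wrap`/`unwrap` pair works on the remote system's side once it has accepted the context with `acceptSecContext`, which is what gives both parties the shared session keys described in step 4.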
