Stardust/Knowledge Base/Security/Single Sign-on/SSO and Secure Communication with Stardust using Kerberos
This article will explain how Kerberos protocol can be used for SSO and secure communication with Stardust. For details on how Kerberos works and how to implement it in Java, see the article SSO using JAAS and GSS API with Apache DS and Kerberos . You must read this article on SSO to understand rest of the sections here. Also it is assumed that you already know the various ways Stardust offers to integrate with other systems.
SSO and Secure Communication with Stardust using Kerberos Protocol
There can be many scenarios where one can use Kerberos to implement SSO and/or secure communicaiton with other/remote systems. Here I will explain how Stardust can use Kerberos to authenticate users and propagate the Kerberos tokens to remote system to achieve SSO and/or secure communication.
As we already know that with Stardust we can use various different ways to integrate with existing systems. The most common way is usage of WS Application type, Session Bean Application type, or Spring Remoting. For this article, consider that a user is already logged into Stardust application and we need to execute a service on other remote system on behalf of the logged in user. And we want user authentication data (not user id and password, but Kerberos token for already authenticated user) to be passed to the remote system. Also, we want all communication to be end to end secure between Stardust application and remote system. This means, we want SSO and secure communication here.
So, you can follow the steps below to achieve SSO and secure communication;
1. Implement the Stardust custom login provider with JAAS and JDK Krb5LoginModule login module. For details on setting up KDC, refer to the article SSO using JAAS and GSS API with Apache DS and Kerberos.
2. From step 1, you will have authenticated the user against KDC and initialized GSSContext for remote system communication.
3. Now, you can use initialized GSSContext to get the Kerberos token (containing authentication data, and cryptographic keys). Then, send it to the remote system for verification.
4. Once token sent by client (Stardust application, in this case) is validated and accepted by server (remote system), they will have established the secure session with cryptographic keys exchanged for secure remote communication. Here, accepting the Kerberos token by remote system means accepting the user authentication. In other words, it is a SSO.
5. After step 4, encrypted messages can be sent to each other (once or multiple times) using wraper methods of GSSContext. Again for details on how to encrypt and decrypt the messages, see an articleSSO using JAAS and GSS API with Apache DS.
Note that above steps do not assume anything about integration methodology used. It can be any communication protocol or technology, as long as it allows Kerberos token to be passed bewtween two systems.