Saturday, March 30, 2013

SSO for Java or .NET web based applications using OpenAM

  • Single sign-on for Java/J2EE based web applications
  • Single sign-on using the Spring Security SAML Extension and role-based authorization using Spring Security
  • Single sign-on in Java
  • Single sign-on for JSF based web applications

Introduction: Single Sign On (SSO) for Web applications using OPENAM 

Why do we need SSO?
Say a user is logged in to one application and clicks a link to another application. You do not want the user to enter a user id and password again; instead, based on a token, the second application learns that this person has already been authenticated and lets them in.
It is like logging in to Gmail and then navigating to YouTube, Google+ or Blogspot without entering a password again. An IDP makes this possible: each time a request comes in, the IDP knows that this person was already authenticated and that their session token is, say, "axxbv67745554wedxyXcDb".

OpenAM is an identity provider (and more). It was formerly OpenSSO, which was owned by Sun and later passed to Oracle when Oracle acquired Sun. ForgeRock forked the source code, named it OpenAM, and maintains it. You can download OpenAM as a WAR file and deploy it as a Java EE web application on any application server such as Tomcat, WebSphere, JBoss or WebLogic.

Before getting into the details of how to use OpenAM, let's cover some terminology. I will describe it in my own words, as the technical jargon took me a while to catch up with.

IDP (Identity Provider): a module/application that authenticates the user and issues a security token (in SAML terms, an assertion) that can be used for single sign-on.
SP (Service Provider): a system that delegates authentication of its users (principals) to the IDP and consumes the token the IDP issues.
E.g.: we have a JSF 2.0 web application that talks to OpenAM.
Here our web application is the SP, OpenAM is the IDP, and when I log in to our web app I am the principal (user).
Realm: a realm is the unit used to organize configuration information. Authentication properties, authorization policies, data stores, subjects (a user, a group of users, or a collection of protected resources) and other data can be defined within a realm.
Say your company uses Active Directory to authenticate users and you want the IDP to use it as its data store. In the realm you configure that Active Directory as an identity store.

Circle of Trust: a COT is a federation of any number of service providers (and at least one identity provider) with whom principals can transact in a secure and apparently seamless environment.
In layman's terms, we register the SPs and the IDP in one circle of trust, each identified by its SAML entity ID (taken from its metadata, not by IP address). If the SP and the IDP are not in the same COT, OpenAM will not accept requests between them.
Eg: say your web application (SP) is at and your identity provider URL is ; then you need to add both of these to one circle of trust in OpenAM.

Realm and Circle of Trust: how are they connected?
- This is how I think of it.
Realm => can have many data stores or identity stores.
COT => has many entity providers (the SPs and the IDP), each identified by its entity ID.
When we create a new circle of trust we specify the realm it belongs to.
COT ===> is linked to a realm.
For the sake of discussion, let's call our sample circle of trust "COT1" and the realm "Realm1".
COT1 = has (SP and IDP -
Realm1 == is configured to use Active Directory as the identity store for authentication.
So by doing this we are saying: if the request comes from SP ( use the IDP ( because they are in the same circle of trust, COT1. The IDP sees that COT1 is linked to Realm1, so it checks the user's credentials against the Active Directory and performs the authentication.

We can have many circles of trust linked to one realm. Here is my visualization.

Fedlet: a lightweight SAML 2.0 SP client that you generate from OpenAM, available for .NET or Java. In Java the Fedlet can be plugged into your existing web application if you are only doing single sign-on and not role-based authorization. In my case I had to let the user sign in and also check which groups the user belongs to, and block some pages based on that, so we used the Spring SAML extension (with Spring Security) to talk to the IDP instead of the Fedlet. At least for initial testing of the OpenAM setup the Fedlet was very useful.

SAML: Security Assertion Markup Language is an XML-based format for the messages that flow between the IDP and the SP when a principal is being authenticated and/or authorized. You don't need to build this yourself: OpenAM generates it when it sends the response, and in your web application if you are u

There may be a situation where you have to integrate more than one IDP with your SP. In that case you need another instance of OpenAM that acts as an IDP proxy.
So your configuration will look like

SP (your Java web app or generated Fedlet) <===> IDP Proxy (OpenAM) <=====> (IDP1, IDP2, ...)
The IDP proxy is an OpenAM instance.
IDP1, IDP2 are identity providers, which can be OpenAM or any SAML 2.0 compliant IDP.

The OpenAM wiki gives an example that installs three OpenAM instances, one as IDP, one as proxy and a third as SP. That is more complex than most setups need.

For a simple scenario you need just one OpenAM instance acting as IDP, plus a generated Fedlet acting as SP; the SP does not need its own OpenAM instance. Consider the proxy only when you are integrating with more than one IDP, so that the SP talks to the proxy and need not know about the individual IDPs. The proxy then acts as a facade that hides the complexity of multiple IDPs.

So the simple scenario looks like
SP (your Java web app or OpenAM generated Fedlet client) <===> IDP (OpenAM)

Here the SP must be able to send SAML authentication requests and to receive and validate SAML responses.

Here is a link to some sample SAML requests and responses.
Don't panic, you will not write this XML by hand: OpenAM, the Spring SAML extension or the Fedlet does the job for you.
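Even though the library builds and parses the XML for you, it is worth seeing what the SP side must check before it trusts an assertion, because that is exactly what the circle of trust and the audience/time conditions exist for. The following is an added example and is not code from this post, from OpenAM, the Fedlet or the Spring SAML extension. It builds an AuthnRequest, then validates a constructed sample Response the way an SP library does: issuer in the COT, Destination and Recipient equal to our assertion consumer URL, InResponseTo matching a request we actually sent (used once, to block replay), status success, validity window, audience equal to our entity ID, and a group attribute mapped to roles for the role-based authorization mentioned above. All entity IDs, URLs, group DNs and the role mapping are assumptions, and the sample Response is constructed. Only the presence of an XML signature is checked; real XML-DSig verification against the IDP certificate from metadata needs an xmlsec library.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP configuration. In a real deployment these values come from
# the SP and IDP metadata registered in the circle of trust.
SP_ENTITY_ID = "https://sp.example.com/webapp"
SP_ACS_URL = "https://sp.example.com/webapp/saml/SSO"
COT1_IDPS = {"https://idp.example.com/openam"}          # IDPs in our COT
ROLE_BY_GROUP = {                                        # group DN -> app role
    "cn=admins,ou=groups,dc=example,dc=com": "ROLE_ADMIN",
    "cn=staff,ou=groups,dc=example,dc=com": "ROLE_USER",
}


def build_authn_request(idp_sso_url, issue_instant):
    """AuthnRequest the SP sends to the IDP. Returns (id, xml); the id must be
    remembered so the Response's InResponseTo can be matched later."""
    req_id = "_" + uuid.uuid4().hex
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}"'
        f' Destination="{idp_sso_url}" AssertionConsumerServiceURL="{SP_ACS_URL}"'
        f' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    return req_id, xml


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml, outstanding_ids, now_iso):
    """Validate a SAML Response at the SP. Returns (name_id, roles) or raises
    ValueError. Signature presence only; real verification needs xmlsec."""
    now = _utc(now_iso)
    resp = ET.fromstring(xml)
    if resp.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our assertion consumer URL")
    in_resp = resp.get("InResponseTo")
    if in_resp not in outstanding_ids:
        raise ValueError("unsolicited or replayed Response")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IDP reported failure")
    issuer = resp.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in COT1_IDPS:
        raise ValueError(f"issuer {issuer!r} is not in our circle of trust")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (encrypted assertions not handled)")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != issuer:
        raise ValueError("assertion issuer differs from response issuer")
    if assertion.find("ds:Signature", NS) is None and resp.find("ds:Signature", NS) is None:
        raise ValueError("unsigned assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL
            or scd.get("InResponseTo") != in_resp or now >= _utc(scd.get("NotOnOrAfter"))):
        raise ValueError("bad SubjectConfirmationData")
    outstanding_ids.discard(in_resp)   # one-time use: a second copy is a replay
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='memberOf']/saml:AttributeValue", NS)]
    roles = {ROLE_BY_GROUP[g] for g in groups if g in ROLE_BY_GROUP}
    return name_id, roles


def sample_response(request_id):
    """Constructed sample Response (placeholder Signature, not a real XML-DSig)."""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"
  xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0" IssueInstant="2013-03-30T10:00:00Z"
  Destination="{SP_ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-03-30T10:00:00Z">
    <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"
          InResponseTo="{request_id}" NotOnOrAfter="2013-03-30T10:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2013-03-30T09:59:00Z" NotOnOrAfter="2013-03-30T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="memberOf">
      <saml:AttributeValue>cn=admins,ou=groups,dc=example,dc=com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>'''


def demo():
    """Full round trip: send a request, validate the matching response."""
    req_id, _ = build_authn_request("https://idp.example.com/openam/SSOPOST/metaAlias/idp",
                                    "2013-03-30T09:59:30Z")
    outstanding = {req_id}
    return validate_response(sample_response(req_id), outstanding, "2013-03-30T10:00:30Z")


if __name__ == "__main__":
    print(demo())   # ('jdoe', {'ROLE_ADMIN'})
```

The checks that matter most in practice are the ones the circle of trust makes possible: the issuer must be an IDP you registered, and the audience must be your own entity ID, otherwise an assertion minted for some other SP in the same federation could be replayed against yours. The same response presented twice is rejected because the request id is consumed on first use.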

In the next article I will explain how to install OpenAM as IDP, how to plug the Spring SAML extension and Spring Security into your web app so it can talk to OpenAM, and how to troubleshoot it.
Before I continue, I want to thank two people for their outstanding support and help in answering all my questions during our implementation of the SSO solution with the Spring SAML extension and Spring Security.
Vladimír Schäfer: author of the Spring SAML extension library
Peter Major and the entire OpenAM community.

I have added a new article on how to integrate a Java web application with OpenAM for single sign-on. The application can be JSP, Struts or JSF based; all can use this tutorial.

If you like my articles or have any suggestions please leave a comment.


  1. Hi Reddy,

    Thanks for this tutorial.
    Could you please share sample applications if you have any. My email:

    Also, please explain how to install OpenAM as IDP and how you can plugin Spring SAML extension and Spring Security to your web app to talk to OpenAM.

    I am working on a project with the same requirements and don't know where to start and what to do. Your help will be greatly appreciated.


    1. Check this I have added an article.

  2. Hi,
    We are doing an implementation using Spring and OpenAM and Active Directory. Not sure how to proceed with the SAML SSO implementation for the RESTful APIs. Can you please share your learning on OpenAM, Spring Security and SAML SSO here for the community?

    Thanks in Advance!

    1. Check this I have added an article.

  3. Hi Reddy, if it's not ready to be published (still work-in-progress notes) I'd still appreciate it if you could email it to me at


    1. Check this I have added an article.

  4. Guys,
    Sorry, I was busy. I will add an article in 2-3 days showing how to integrate JSF with Spring SAML and OpenAM as IdP (Identity Provider).

  5. Check this I have added an article.

  6. Hi Reddy,

    I found this article very helpful to understand the architecture of OpenAM. One thing I am still confused about is the policy agents. Can you tell me where the policy agents come into the picture in this architecture? There are different policy agents: J2EE, WSP and WSC. As far as I understand, these agents need to be configured on the SP side and they act as a proxy. All requests to the SP will be intercepted by the agents and if no token is available the request is redirected to the OpenAM login screen. Let me know if my understanding is correct.

    1. Policy agents are only required when security tokens use cookies to flow between SP and IdP. When SAML is used to pass the token between SP and IdP, you have to either use OpenAM again as SP or use the Spring Security library for the SP.

  7. Roy,
    My understanding was that policy agents are specific to each application server, so we didn't use them and instead used the Spring SAML integration.

  8. I have an e-Forms application in a portal. In this application I have installed a policy agent so that SSO works: a user who is not logged in to the portal and tries to access this application gets the portal's login page (OpenAM SSO). Now I have a separate button on the e-Forms application which is linked to a Customer Service Centre, so that they can also fill in the e-forms through their separate login. The scenario is that when I come from the Customer Service Centre login, it is not able to access the e-form directly, as it again asks for the SSO login due to the policy agent. Please help, how can I fix this, as I don't have the third party's information such as their database? Is there a way?

  9. This comment has been removed by the author.