Single-Sign-On for CUBA Applications - CUBA Platform. Developer’s Manual

9.4. Single-Sign-On for CUBA Applications

Single-sign-on (SSO) for CUBA applications allows a user to log in to the multiple running applications by entering a single login name and password once in a browser session.

When using SSO, there are two types of applications:

Identity Provider (IDP) is an application that provides user authentication. It contains a login form for entering user credentials and checks the credentials against the list of registered users. Only one Identity Provider is allowed in a SSO environment.
Service Provider (SP) is a regular application that redirects to IDP for user authentication. SP should contain the same list of users as IDP (passwords do not matter though). SP provides authorization using CUBA security roles and access groups. There may be any number of Service Providers in a SSO environment.

An application can be an Identity Provider and a Service Provider at the same time, so you don’t have to setup a dedicated IDP. The SSO functionality is provided by the cuba-idp module which is a part of the Web Client block. You can develop your applications as usual and setup SSO just on deployment stage if needed.

Warning

CUBA SSO uses custom HTTP-based protocol and currently does not provide integration with systems using standard authentication protocols like SAML or OIDC.

In SSO environment, when a user enters a Service Provider URL, the SP redirects to the IDP page for entering login name and password. After successful authentication, IDP redirects back to the SP application and the user transparently logs in to SP.

In order to set up SSO, do the following:

On Identity Provider:

Add the following settings to the web.xml file of the web module (if you do it on the deployment stage, this file is located by the following path: tomcat/webapps/app/WEB-INF/web.xml):

<servlet>
    <servlet-name>idp</servlet-name>
    <servlet-class>com.haulmont.idp.sys.CubaIdpServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>idp</servlet-name>
    <url-pattern>/idp/*</url-pattern>
</servlet-mapping>

<filter>
    <filter-name>idpSpringSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.idp</param-value>
    </init-param>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>springSecurityFilterChain</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>idpSpringSecurityFilterChain</filter-name>
    <url-pattern>/idp/*</url-pattern>
</filter-mapping>

Set the application properties:
- cuba.idp.serviceProviderUrls - a comma-separated list of service provider URLs (trailing / are required). For example:
  cuba.idp.serviceProviderUrls = http://foo:8081/app/,http://bar:8082/app/
- cuba.idp.serviceProviderLogoutUrls - a comma-separated list of URLs that are used to notify service providers about user logout or session expiration. Standard CUBA applications accept logout requests on the /dispatch/idpc/logout path. For example:
  cuba.idp.serviceProviderLogoutUrls = http://foo:8081/app/dispatch/idpc/logout,http://bar:8082/app/dispatch/idpc/logout
- cuba.idp.trustedServicePassword - a password which is used in server-to-server communication between SP and IDP.
- There is also a number of optional properties: cuba.idp.sessionExpirationTimeoutSec, cuba.idp.ticketExpirationTimeoutSec, cuba.idp.sessionExpirationCheckIntervalMs, cuba.idp.cookieMaxAgeSec, cuba.idp.cookieHttpOnly.

On Service Providers:
- Set the application properties:
  - cuba.webAppUrl - an URL of the application (with the required trailing /). This URL should also be among the URLs defined in the cuba.idp.serviceProviderUrls property of IDP. For example:
    
    cuba.webAppUrl = http://foo:8081/app/
  - cuba.web.externalAuthentication should be set to true to indicate that the application uses an external authentication.
  - cuba.web.externalAuthenticationProviderClass should be set to com.haulmont.cuba.web.auth.IdpAuthProvider.
  - cuba.web.idp.baseUrl - on this URL the IDP accepts authentication requests. Standard CUBA IDP uses the idp/ path (the trailing / is requred). For example:
    
    cuba.web.idp.baseUrl = http://main:8080/app/idp/
  - cuba.web.idp.trustedServicePassword - the same as defined for IDP in its cuba.idp.trustedServicePassword property.