9.4.2. Single-Sign-On Example

In this section, we consider an example of setting up SSO for two applications: Foo and Bar. Foo will be an Identity Provider and Service Provider at the same time, Bar will be a Service Provider.

  1. Both applications will be running on localhost, so start with creating aliases in your hosts file:

    127.0.0.1    foo
    127.0.0.1    bar
  2. Create two projects in Studio and assign different sets of Tomcat ports.

    Project HTTP port AJP port Shutdown port

    Foo

    8081

    8011

    8051

    Bar

    8082

    8012

    8052

  3. In the Foo project, edit the modules/web/web/WEB-INF/web.xml file and add the following IDP configuration:

    <servlet>
        <servlet-name>idp</servlet-name>
        <servlet-class>com.haulmont.idp.sys.CubaIdpServlet</servlet-class>
        <load-on-startup>3</load-on-startup>
    </servlet>
    
    <servlet-mapping>
        <servlet-name>idp</servlet-name>
        <url-pattern>/idp/*</url-pattern>
    </servlet-mapping>
    
    <filter>
        <filter-name>idpSpringSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>contextAttribute</param-name>
            <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.idp</param-value>
        </init-param>
        <init-param>
            <param-name>targetBeanName</param-name>
            <param-value>springSecurityFilterChain</param-value>
        </init-param>
    </filter>
    
    <filter-mapping>
        <filter-name>idpSpringSecurityFilterChain</filter-name>
        <url-pattern>/idp/*</url-pattern>
    </filter-mapping>
  4. In the Foo project, edit the web-app.properties file of the web module and add the following properties:

    cuba.idp.serviceProviderUrls = http://foo:8081/app/,http://bar:8082/app/
    cuba.idp.serviceProviderLogoutUrls = http://foo:8081/app/dispatch/idpc/logout,http://bar:8082/app/dispatch/idpc/logout
    cuba.idp.trustedServicePassword = mdgh12SSX_pic2
    
    cuba.webAppUrl = http://foo:8081/app/
    cuba.web.externalAuthentication = true
    cuba.web.externalAuthenticationProviderClass = com.haulmont.cuba.web.auth.IdpAuthProvider
    cuba.web.idp.baseUrl = http://foo:8081/app/idp/
    cuba.web.idp.trustedServicePassword = mdgh12SSX_pic2
  5. In the Bar project, edit the web-app.properties file of the web module and add the following properties:

    cuba.webAppUrl = http://bar:8082/app/
    cuba.web.externalAuthentication = true
    cuba.web.externalAuthenticationProviderClass = com.haulmont.cuba.web.auth.IdpAuthProvider
    cuba.web.idp.baseUrl = http://foo:8081/app/idp/
    cuba.web.idp.trustedServicePassword = mdgh12SSX_pic2
  6. Start the Foo server by launching its tomcat/bin/startup.* script.

  7. Go to http://foo:8081/app in your web browser. You will be redirected to the IDP login page. Log in with the admin / admin credentials. Create a new user, for example u1.

  8. Start the Bar server by launching its tomcat/bin/startup.* script.

  9. Go to http://bar:8082/app in the same web browser. If you are still logged in to the Foo application, you will be automatically logged in as admin to Bar. Create the same u1 user (password does not matter) in the Bar application.

  10. Now you can log in as admin or u1 to both applications via the single login form, and if you are logged in in one application, the login process for the second application will be automatic, bypassing the login form.