9.5.2. Single-Sign-On Example

In this section, we consider an example of setting up SSO for two applications: Fish and Chips. Fish will be an Identity Provider and Service Provider at the same time, Chips will be a Service Provider.

  1. Both applications will be running on localhost, so start with creating aliases in your hosts file:

    127.0.0.1    fish
127.0.0.1    chips

  2. Create two projects in Studio and assign different sets of Tomcat ports.

    Project HTTP port AJP port Shutdown port

    Fish

    8081

    8011

    8051

    Chips

    8082

    8012

    8052

  3. In the Fish project, edit the modules/web/web/WEB-INF/web.xml file and add the following IDP configuration:

    <servlet>
    <servlet-name>idp</servlet-name>
    <servlet-class>com.haulmont.idp.sys.CubaIdpServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>idp</servlet-name>
    <url-pattern>/idp/*</url-pattern>
</servlet-mapping>

<filter>
    <filter-name>idpSpringSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.idp</param-value>
    </init-param>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>springSecurityFilterChain</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>idpSpringSecurityFilterChain</filter-name>
    <url-pattern>/idp/*</url-pattern>
</filter-mapping>

  4. In the Fish project, edit the web-app.properties file of the web module and add the following properties:

    cuba.idp.serviceProviderUrls = http://fish:8081/app/,http://chips:8082/app/
cuba.idp.serviceProviderLogoutUrls = http://fish:8081/app/dispatch/idpc/logout,http://chips:8082/app/dispatch/idpc/logout
cuba.idp.trustedServicePassword = mdgh12SSX_pic2

cuba.webAppUrl = http://fish:8081/app/
cuba.web.idp.enabled = true
cuba.web.idp.baseUrl = http://fish:8081/app/idp/
cuba.web.idp.trustedServicePassword = mdgh12SSX_pic2

  5. In the Chips project, edit the web-app.properties file of the web module and add the following properties:

    cuba.webAppUrl = http://chips:8082/app/
cuba.web.idp.enabled = true
cuba.web.idp.baseUrl = http://fish:8081/app/idp/
cuba.web.idp.trustedServicePassword = mdgh12SSX_pic2

  6. Start the Fish server by launching its tomcat/bin/startup.* script.

  7. Go to http://fish:8081/app/ in your web browser. You will be redirected to the IDP login page. Log in with the admin / admin credentials. Create a new user, for example u1.

  8. Start the Chips server by launching its tomcat/bin/startup.* script.

  9. Go to http://chips:8082/app/ in the same web browser. If you are still logged in to the Fish application, you will be automatically logged in as admin to Chips. Create the same u1 user (password does not matter) in the Chips application.

  10. Now you can log in as admin or u1 to both applications via the single login form, and if you are logged in in one application, the login process for the second application will be automatic, bypassing the login form.