Using Identity Assertion
Typically to support an SSO process, you need to have a LoginModule
object and an Identity Assertion provider. With these objects, you can exploit tokens stored by the operating system to do the HTTP authorization process without entering username and password and gain access to your secure resources.
The LoginModule
objects trust that the user has obtained the token by providing the username and password to another authority.
Your token can pass from client to server in different ways such as HTTP headers, cookies, SSL certificates, or other custom mechanisms. The Identity Assertion needs to grab this token and extract the security information to allow access to the secured context paths.
We will be using the SPNEGO Identity Asserter provider in Chapter 5, Integrating with Kerberos SPNEGO Identity Assertion to configure the SSO integration in an Active Directory context.