{"id":275,"date":"2012-07-17T01:02:00","date_gmt":"2012-07-17T10:02:00","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/2012\/07\/17\/inside-the-windows-azure-active-directory-web-sso-sample-for-java-2\/"},"modified":"2012-07-17T01:02:00","modified_gmt":"2012-07-17T10:02:00","slug":"inside-the-windows-azure-active-directory-web-sso-sample-for-java-2","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2012\/07\/17\/inside-the-windows-azure-active-directory-web-sso-sample-for-java-2\/","title":{"rendered":"Inside the Windows Azure Active Directory Web SSO Sample for Java"},"content":{"rendered":"

\"image\"<\/a><\/p>\n

By now I am sure you heard that the Windows Azure Active Directory Developer Preview is out<\/a>.
We announced so many interesting news that you might just have missed an interesting fact: as part of this release we made available a couple of samples developed on\u2026 something other than Visual Studio \"Smile\" Namely, I am referring to the Windows Azure AD SSO sample for Java<\/a> and the Windows Azure AD SSO sample for PHP<\/a>. <\/p>\n

We provided detailed instructions on how to operate the Java sample, and I am told that the PHP one won\u2019t take long to bring out; however I think it would be interesting to provide you with some insights on how the project are structured and how they make the magic of claims-based identity happen. Add to it that my wife is out, and that if I\u2019d watch without the series finale of Eureka I\u2019d be in deep trouble\u2026 and you\u2019ve got yourself a blog post.<\/p>\n

Let\u2019s start with the Java sample<\/a>. One word of warning: I already wrote a tl; dr<\/a> (thanks Ryan for labeling it that way \"Smile\") post on how web SSO works in the developer preview<\/a>, and I am not going to repeat any of it here as most of it (modulo syntactic sugar) holds regardless of the language you use.<\/p>\n

The Project<\/h1>\n

We wrote the Java sample as a JBoss<\/a><\/strong> project. Before you come down with a case of apophenia<\/a> and read who-knows-what in it: when we first started to work on the code we were in contact with one partner who wanted to connect with Windows Azure Active Directory from a JBoss application (on Solaris!), hence it was natural for us to go that way.  However it should be pretty easy for you (assuming that you know Java better than I do) to port the code to any other application server. Also, this would be a great time for me to thank the usual Southworks for their help on this project. Thanks guys!<\/p>\n

We worked with JBoss Studio<\/a>, from where I\u2019ll take most of the following screenshots. Also, we leveraged Maven<\/a> for handling the many dependencies on the project.<\/p>\n

The project have two main components: a library you can reuse across different projects, and a sample JSP web application that shows those in action.<\/p>\n

\"image\"<\/a><\/p>\n

The package com.microsoft.samples.federation<\/strong> provides you with the basic building blocks for handling claims-based identity via WS-Federation in your Java applications. Here, I\u2019ll tell you a secret: the main hard rock when dealing with those scenarios is the SAML token handling itself, crypto verification, canonicalization, the whole brouhaha. Everything else is just a matter of triggering validation at the right times and in the right places; even ws-federation itself is really not that hard. In that optic, com.microsoft.samples.federation<\/strong> does the easy part of the job: we\u2019ll see i9t in details later. For the heavy lifting \u2013 the SAML token processing \u2013 why reinventing the wheel? We use OpenSAML<\/a>, a well-known Java and C++ library for handling (I *absolutely* loathe the expression \u201ccracking a token\u201d) SAML tokens.<\/p>\n

The package com.microsoft.samples.waad.federation<\/strong> augments the basic federation capabilities in the former package with elements that are specific to Windows Azure Active Directory, such as the SPN-based realm validation described in the SSO deep dive<\/a>.<\/p>\n

\"image\"<\/a><\/p>\n

Handling Web SSO<\/h1>\n

How does the sample really work? In a nutshell: we put a blanket filter in front of all pages; that filter intercepts requests, redirects the unauthenticated ones to a login page and restores the claims from the session for the authenticated ones. The login page performs HRD and generates the proper signin message, taking care of indicating as ultimate return URL the address of a servlet which is equipped to extract tokens from wresult and process them as appropriate. Most of the token & session processing logic is provided by the class ConfigurableFederatedLoginManager and its ancestor FederatedLoginManager.<\/p>\n

Too fast? OK, let\u2019s go through the same flow more in details. Here there\u2019s the structure of the web application:<\/p>\n

\"image\"<\/a><\/p>\n

The web site is really minimal, there\u2019s one resource (index.jsp) and one page to host the HRD experience (login.jsp).<\/p>\n

The WEB-INF\/web.xml carries the config: you can see part of it on the right side of the screenshot. From the top:<\/p>\n