SSO XML Config
Example SSO XML config file (assuming the latest SSO Client version). It uses an Apache style certificate and key file instead of a keystore, but if you would rather use a keystore file then see the alternative below.
<?xml version="1.0" encoding="UTF-8"?>
<config>
  <!-- Do you want to allow HTTP BASIC auth on this filter? -->
  <httpbasic><allow>true</allow></httpbasic>

  <!-- mode can be 'old' or 'new'; this defines whether the SSOClientFilter should use
       the old WarwickSSO cookie or the newer SSO-SSC-* cookies -->
  <mode>new</mode>

  <shire>
    <!-- This is the key that the filter will put the User object under in the request.
         You should be able to get a user with request.getAttribute("SSO_USER") -->
    <filteruserkey>SSO_USER</filteruserkey>

    <!-- If your app proxies through another server like Apache, you should configure it
         to place the requested URL into a header with this name: -->
    <uri-header>x-requested-uri</uri-header>

    <!-- location of this service's SHIRE, should be HTTPS... as mapped in the web.xml -->
    <location>https://myapp.warwick.ac.uk/myapp/shire</location>

    <sscookie>
      <!-- Name of the service specific cookie (SSC) that will be used for keeping a session -->
      <name>SSO-SSC-MyAppName</name>
      <!-- path scope of this cookie -->
      <path>/sso-client</path>
      <!-- domain scope of this cookie... should be as restrictive as possible -->
      <domain>myapp.warwick.ac.uk</domain>
      <!-- whether the Secure flag is set, default: false, since v2.12 -->
      <secure>true</secure>
      <!-- the value of the SameSite flag for the service specific cookie, since v2.58 -->
      <samesite>Lax</samesite> <!-- Strict, Lax or None -->
      <!-- Note: since version 2.7, the cookie is automatically set to HttpOnly -->
    </sscookie>

    <!-- provider id, as assigned by single sign on -->
    <providerid>urn:myapp.warwick.ac.uk:myapp:service</providerid>
  </shire>

  <logout>
    <location>http://myapp.warwick.ac.uk/myapp/logout</location>
  </logout>

  <!-- Use this if not using a keystore element inside <shire> (see the alternative configurations below) -->
  <credentials>
    <certificate>file:/etc/apache2/SSL/java-monkey.warwick.ac.uk.crt</certificate>
    <key>file:/etc/apache2/SSL/java-monkey.warwick.ac.uk.key</key>
    <chain>file:/etc/apache2/SSL/terena-ca.crt</chain>
  </credentials>
</config>
Alternative configurations
If you are using a keystore instead of .crt and .key files, comment out the credentials
element and insert this into the <shire> element (with the appropriate values for your keystore).
<keystore>
  <location>file:/your/path/to/myapp.warwick.ac.uk.keystore</location>
  <!-- password for that keystore -->
  <password>changeit</password>
  <!-- keystore alias for the client service machine -->
  <shire-alias>myapp.warwick.ac.uk</shire-alias>
  <!-- keystore alias for the single sign on origin machine -->
  <origin-alias>websignon.warwick.ac.uk</origin-alias>
</keystore>
If you're proxying through another server and can't set a request header, but can add a request parameter, replace the uri-header
element with this:
<urlparamkey>requestedUrl</urlparamkey>
<!-- if there are some rewrites which are done internally to Apache where querystring
     parameters are added and you don't want them showing up after a redirect, add the
     parameter names here and they will be stripped -->
<stripparams>
  <key>test</key>
  <key>page</key>
</stripparams>
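As an added example (not part of the SSO Client or of this page), a small Python script that parses a config like the one above and flags the settings this page calls out: HTTPS locations, the Secure and SameSite flags, cookie domain scope, and the mutually exclusive keystore/credentials and uri-header/urlparamkey choices. The checks and the sample config are this example's own assumptions; the sample mirrors the page's example, including its http:// logout location.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the page's example (note the http:// logout URL).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <mode>new</mode>
  <shire>
    <uri-header>x-requested-uri</uri-header>
    <location>https://myapp.warwick.ac.uk/myapp/shire</location>
    <sscookie>
      <name>SSO-SSC-MyAppName</name>
      <domain>myapp.warwick.ac.uk</domain>
      <secure>true</secure>
      <samesite>Lax</samesite>
    </sscookie>
  </shire>
  <logout><location>http://myapp.warwick.ac.uk/myapp/logout</location></logout>
  <credentials>
    <certificate>file:/etc/ssl/myapp.crt</certificate>
    <key>file:/etc/ssl/myapp.key</key>
  </credentials>
</config>"""

def lint_sso_config(xml_text):
    """Return a list of findings (empty when every check passes).
    These checks are this example's own, not the SSO Client's."""
    root = ET.fromstring(xml_text)
    findings = []
    def text(path):
        node = root.find(path)
        return node.text.strip() if node is not None and node.text else ""
    if text("mode") != "new":
        findings.append("mode should be 'new' (SSO-SSC-* cookies rather than the old WarwickSSO cookie)")
    for path in ("shire/location", "logout/location"):
        if not text(path).startswith("https://"):
            findings.append(f"{path} is not HTTPS: {text(path)}")
    if text("shire/sscookie/secure") != "true":
        findings.append("sscookie/secure should be true so the SSC is only sent over TLS")
    if text("shire/sscookie/samesite") not in ("Strict", "Lax"):
        findings.append("sscookie/samesite should be Strict or Lax; None relies on Secure alone")
    shire_host = urlsplit(text("shire/location")).hostname or ""
    if text("shire/sscookie/domain") != shire_host:
        findings.append(f"sscookie/domain should be the SHIRE host ({shire_host}) to keep its scope narrow")
    if (root.find("shire/keystore") is None) == (root.find("credentials") is None):
        findings.append("configure exactly one of shire/keystore or credentials")
    if root.find("shire/uri-header") is not None and root.find("shire/urlparamkey") is not None:
        findings.append("uri-header and urlparamkey are alternatives; keep only one")
    return findings
```

Run it against your own config file contents; an empty list means every check passed.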