• Home
• Solutions
• Software
• Services
• About

• Software overview
• Json2Ldap
  • Overview
  • Online Demo
  • Applications
  • Quick Start
  • Specification
  • Configuration
  • Web API
  • Error Codes
  • Roadmap
  • FAQ
• AuthService
  • Overview
  • Quick Start
  • Specification
  • Configuration
  • Web API
  • Error Codes
• NimbusSSO
  • Overview
  • Quick Start
  • Specification
  • Configuration
  • Web API
  • Error Codes
  • Roadmap
• Download

JSON web service for SSO and shared sessions

NimbusSSO is a lightweight JSON-RPC 2.0 web service for Single Sign-On (SSO) and shared session management to applications. It accepts requests over HTTP(S) POST.

AuthService for LDAP user authentication

NimbusSSO utilises an AuthService instance to authenticate users against an LDAP v3 compatible directory. Other types of user authentication, such as two-factor authentication or credential checking against an SQL database, are supported via the sso.proxiedLogin call.

If the AuthService accesses the LDAP directory through a Json2Ldap web API clients can be optionally provided with an LDAP connection authenticated as the user.

Web API

NimbusSSO handles JSON remote procedure call (JSON-RPC) requests for login, logout and shared session management.

Login and logout »	Session query »	Session monitoring »
sso.login sso.logout sso.proxiedLogin sso.proxiedLogout	sso.getSession sso.getUserID sso.getUserDN	sso.listUsers sso.listSessions sso.countUsers sso.countSessions
Session event notifications »	Web service information »
sso.addListener sso.removeListener sso.listListeners	ws.getName ws.getVersion ws.getTime

Deployment

NimbusSSO is packaged as a standard web application archive (WAR) ready for immediate deployment in a Java servlet container, such as the popular open source Apache Tomcat server.

Configuration

NimbusSSO allows configuration of access control policy, authentication backend, web API and session policy. See the configuration manual for details.

Access control »	AuthService connection details »
Allows / denies access to NimbusSSO based on a set of rules such as SSL/X.509 security or client IP whitelist. sso.access.https.require sso.access.https.requireClientCert sso.access.https.clientCertPrincipal sso.access.hosts.allow sso.access.apiKeys.require sso.access.apiKeys.exemptedMethods sso.access.apiKeys.map.*	The AuthService connection details for handling user authentication against an LDAP directory. sso.authService.url sso.authService.trustSelfSignedCerts sso.authService.apiKey sso.authService.uidAttribute sso.authService.connectTimeout sso.authService.readTimeout
Web API settings »	Session policy »
Enabling specific NimbusSSO requests and options, HTTP response content type. sso.api.allowLogin sso.api.allowProxiedLogin sso.api.allowProxiedLogout sso.api.allowUserListing sso.api.allowSessionListing sso.api.allowSessionEventNotifications sso.api.allowJson2LdapCIDProvision sso.api.reportRequestProcTime sso.api.responseContentType	Session policy for managing session quotas, login policy, max duration and idle time. sso.session.maxTime sso.session.maxIdleTime sso.session.quotaPerUser sso.session.onQuotaExhaustion sso.session.purgeInterval

Logging

NimbusSSO uses the popular log4j utility. Here are the event types that can be selectively logged (at various levels):

• On a HTTP request: method name, client IP, client X.509 certificate principal.
• On a JSON-RPC 2.0 request: method name, request parameters (but not passwords), response status (success or error code).
• Start, refresh and finish of user sessions.
• Internal NimbusSSO exceptions.

Logging is configured through the WEB-INF/log4j.properties file.

Example LDAP directory server

An example LDAP directory server is included in the NimbusSSO WAR to enable evaluation and testing of the service without an external directory. The example directory is enabled / disabled and configured through the WEB-INF/exampleDirectory.properties file.

System requirements and dependencies

NimbusSSO requires a web server conforming to the Java servlet specification, such as Apache Tomcat or Jetty:

• Java 1.6+
• Java servlet API 2.5+

For LDAP user authentication:

• AuthService 2.9+
• LDAP v3 compatible directory

All package dependencies are included in the NimbusSSO WAR file for convenience.

Change log

• version 1.0 (2011-04-13)
  • First official and stable release.
• version 1.1 (2011-04-27)
  • Allows for a configurable log4j properties file location.
  • Adds explicit Cross-Origin Resource Sharing (CORS) support.
  • Validates the jsonsso.clients.responseContentType configuration parameter using the javax.mail library.
• version 1.1.1 (2011-04-29)
  • Fixes missing check of the jsonsso.logoutCallbacks.allow parameter.
• version 1.1.2 (2011-05-20)
  • Updates JSON-RPC 2.0 Base JAR to 1.16.
• version 1.1.3 (2011-06-14)
  • Thread-safe parsing of JSON-RPC 2.0 requests.
  • Updates JSON-RPC 2.0 Base JAR to 1.17 (JSON Smart).
  • Updates UnboundID SDK JAR to 2.2.0.
  • Updates JSON-RPC 2.0 Shell to 1.7.
• version 1.2 (2011-12-27)
  • Makes compatible with Json2Ldap 2.1.
  • Introduces support for jsonsso.dnResolution.method NONE that utilises plain SASL bind.
  • Renames configuration parameter jsonsso.clients.requireHTTPS to jsonsso.clients.requireSecureAccess.
  • Merges configuration parameters jsonsso.ldapServer.host and jsonsso.ldapServer.port into jsonsso.ldapServer.url.
  • Cancels purge timer on JsonSSO shutdown.
  • Adds dependency to LDAP Util 1.0.
  • Updates UnboundID SDK JAR to 2.3.0.
  • Updates DN Resolver JAR to 1.2.
  • Updates JSON Smart JAR to 1.0.9-1.
  • Updates JSON-RPC 2.0 Base JAR to 1.24.
  • Updates JSON-RPC 2.0 Server JAR to 1.4.1.
  • Updates JSON-RPC 2.0 Client JAR to 1.6.
  • Updates Property Util JAR to 1.5.
  • Updates CORS Filter JAR to 1.3.1.
  • Updates JSON-RPC 2.0 Shell to 1.12.
• version 1.2.1 (2012-04-03)
  • Updates JSON Smart JAR to 1.1.1.
  • Updates JSON-RPC 2.0 Base JAR to 1.25.1.
  • Updates JSON-RPC 2.0 Server JAR to 1.5.1.
  • Updates JSON-RPC 2.0 Client JAR to 1.7.1.
• version 2.0 (2012-08-30)
  • Renames service to NimbusSSO.
  • Refactors JSON-RPC 2.0 web API.
  • Refactors configuration.
  • Switches to AuthService 2.4 (embedded or remote) for user authentication.
  • Introduces support for replicated / distributed session storage (Infinispan).
  • Adds API key support.
• version 2.1 (2012-09-01)
  • Switches to AuthService 2.5.
  • Adds example in-memory directory server for demo and testing purposes.
  • Updates NimbusDS Common JAR to 1.15.
• version 2.2 (2012-09-05)
  • Adds web API configuration settings for disabling proxied login, proxied logout, user listing, session listing and session event notifications.
• version 2.3 (2012-09-13)
  • Modified sso.proxiedLogin call to automatically populate session object DN and user attributes through an AuthService user.get call (version 2.7).
  • Adds sso.session.purgeInterval configuration setting for controlling the purge interval for expired sessions.
• version 2.4 (2012-09-13)
  • Adds sso.api.allowLogin configuration setting for enabling / disabling regular sso.login calls.
• version 2.4.1 (2012-09-13)
  • Adds -3025 "Login denied" JSON-RPC 2.0 error to handle disabled sso.login calls.
• version 2.5 (2012-10-03)
  • Adds remote AuthService detector.
  • Upgrades AuthService JAR to 2.8.
  • Updates NimbusDS Common JAR to 1.16.
• version 2.6 (2012-10-28)
  • Removes JTA dependency for managing UID Infinispan cache updates, switches to compound "UID + session number" keys.
  • Adds provision for external Infinispan configuration file through a sso.infinispan.configurationFile parameter.
  • Upgrades CORS Filter JAR to 1.5.
• version 2.6.1 (2012-10-30)
  • Updates default embedded AuthService configuration to prevent resolving authService.access.hosts.allow by changing the value from "localhost" to "127.0.0.1".
  • Upgrades AuthService JAR to 2.8.1.
• version 2.7 (2012-12-12)
  • Moves Infinispan configuration file parameter location from nimbusSSO.properties to web.xml.
  • NimbusSSO "sso.proxiedLogin" call provides more detailed messages on AuthService / LDAP backend exceptions.
  • Adds JCIP JAR dependency and annotations.
  • Upgrades NimbusDS Common JAR 1.42.
  • Upgrades JSON-RPC 2.0 Base JAR to 1.30.
  • Upgrades JSON-RPC 2.0 Server JAR to 1.8.
  • Upgrades JSON-RPC 2.0 Client JAR to 1.9.
  • Upgrades Log4j JAR to 1.2.17.
  • Upgrades AuthService JAR to 2.9.1.
• version 2.7.1 (2012-12-13)
  • Updates embedded AuthService configuration.
  • Upgrades AuthService JAR to 2.9.2.