Session Problem:

There are three sessions involved in the flow: the IdP session, the SP session and the application session. The IdP needs to interact with the SP, and the SP needs to interact with the application via the Agent.

If the IdP opens a pop-up browser window to call the SP, you may hit this session problem: IdP user idpuser1 registers with SP user spuser1, then IdP user idpuser2 wants to register with SP user spuser2 but ends up registered with spuser1. That is because the previous SP session for spuser1 is still alive, so we have to find a way to log out the SP session at the point where the flow reaches the application.

My solution is to create two servlet actions (I use Struts actions), for example com.2qvideo.sso.InitSSOAction (initSSOAction) and com.2qvideo.sso.FinalSSOAction (finalSSOAction). The Agent intercepts the call to initSSOAction; that class grabs the UserToken from the request parameter, stores it in an application session attribute, and forwards to the SP URL that invalidates the SP session, which in turn redirects to finalSSOAction, where the UserToken is read back from the session attribute. There are two ways to configure this: one is on the OpenSSO Services under the Agents tab, the other is a redirect JSP that does the SP logout and then redirects. I used both solutions across the two applications, because I could not use the OpenSSO Services under the Agents tab for the extranet application, since the configured URL had to be a well-formed URL and not a relative path. Here are the two ways to configure the session logout on the SP:

1.  Configure OpenSSO Services under the Agents tab: set Agent Logout URL to http://www.2qvideo.com:8080/2qvideo/initSSOAction (when a request hits this URL, the agent performs the logout against the OpenSSO Logout URL, http://opensso.sp.com:8080/sp/UI/Logout) and set Logout Redirect URL to http://www.2qvideo.com:8080/2qvideo/finalSSOAction so that the agent redirects to that action afterwards.

[screenshot agent13.JPG: the agent logout settings described above]

2.  We can do the same flow in a servlet and a JSP: after initSSOAction has been called, it calls a redirect JSP, and this JSP logs out the SP session and then redirects to finalSSOAction. Here is the sample code of this redirect.jsp:

<html>
<!-- redirect.jsp: log the user out of the SP, then come back to finalSSOAction -->
<head>
<script type="text/javascript">
function redirectAction() {
     // goto is resolved by the browser relative to the SP host; it must be an
     // absolute application URL when the SP lives on a different host.
     window.location.href = "http://opensso.sp.com/2qvideo/UI/Logout?realm=2qvideo&goto=<%=request.getContextPath()%>/2qvideo/finalSSOAction";
}
</script>
</head>
<body onload="redirectAction();">
</body>
</html>
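
The two actions described above, written out as an added example (this is not the author's code and not part of OpenSSO). It assumes Struts 1 (org.apache.struts.action.Action), a session attribute name of its own choosing, a forward named "register" in struts-config.xml, and an assumed token shape for input validation; the SP logout URL and the finalSSOAction URL are the ones the page gives. Because a Java package segment cannot begin with a digit, the page's com.2qvideo.sso is written here as the assumed com.twoqvideo.sso.

```java
package com.twoqvideo.sso; // assumed: the page's com.2qvideo.sso is not a legal Java package name

import java.io.IOException;
import java.net.URLEncoder;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Constants shared by the two actions. URLs are the page's; attribute name and token shape are assumed. */
final class SsoFlow {
    static final String TOKEN_PARAM = "UserToken";                    // request parameter named on the page
    static final String TOKEN_ATTR = "com.twoqvideo.sso.UserToken";   // assumed session attribute name
    static final String SP_LOGOUT_URL = "http://opensso.sp.com:8080/sp/UI/Logout";
    static final String FINAL_URL = "http://www.2qvideo.com:8080/2qvideo/finalSSOAction";
    // Assumed token shape: opaque, printable, bounded. Tighten to whatever the SP actually issues.
    static final Pattern TOKEN_SHAPE = Pattern.compile("^[A-Za-z0-9._~+/=-]{16,512}$");

    private SsoFlow() {}
}

/** Step 1 (initSSOAction): stash the UserToken, then send the browser to the SP logout. */
public class InitSSOAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String token = request.getParameter(SsoFlow.TOKEN_PARAM);
        if (token == null || !SsoFlow.TOKEN_SHAPE.matcher(token).matches()) {
            // Do not echo the token back in the error; a missing or malformed token is a client error.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing or malformed UserToken");
            return null;
        }
        // Rotate the application session so the token is never bound to a session id the
        // browser already held before this point (session fixation defence). The new
        // JSESSIONID cookie is set on this response and survives the redirect round trip.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(SsoFlow.TOKEN_ATTR, token);

        // The SP is on another host, so goto must be an absolute URL back to this application;
        // a relative path would be resolved by the browser against opensso.sp.com.
        String logout = SsoFlow.SP_LOGOUT_URL + "?goto=" + URLEncoder.encode(SsoFlow.FINAL_URL, "UTF-8");
        response.sendRedirect(logout); // 302 to the SP; we have handled the response ourselves
        return null;
    }
}

/** Step 2 (finalSSOAction): the SP session is gone; pick the token back up from our own session. */
class FinalSSOAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        String token = (session == null) ? null : (String) session.getAttribute(SsoFlow.TOKEN_ATTR);
        if (token == null) {
            // Reached without going through initSSOAction, or the session expired in between.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "no pending SSO registration");
            return null;
        }
        session.removeAttribute(SsoFlow.TOKEN_ATTR); // single use: the token must not linger in the session
        request.setAttribute(SsoFlow.TOKEN_PARAM, token); // hand it to the registration handler
        return mapping.findForward("register"); // assumed forward name, defined in struts-config.xml
    }
}
```

Both classes are shown in one file for brevity; in a real build FinalSSOAction goes in its own file. The two action paths (/initSSOAction and /finalSSOAction) are mapped to these classes in struts-config.xml, and the Agent Logout URL and Logout Redirect URL from option 1 point at exactly those two paths.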

Conclusion:

We have put two projects using this OpenSSO SP with the JDBC datastore module into production successfully. OpenSSO is a powerful product. It has a good architecture design and can do many things, but the code is buggy and there is a lack of documentation on how to do things. Don't get me wrong, OpenSSO does have some documents, but they are scattered everywhere and are good only as reference; they do not show you how to configure something or why you need to configure it. You have to 'conquer' the code and be able to do 'a workaround' to fix things. Overall, I still like this product and I hope forgerock.com will rock this product in the next release.