[…] OpenSSO … from the same blog … Web SSO, Of Course. You knew that.It’s a centrally controlled service that creates and mainains a verifiable user session and creates an audit trail. Applications use the central service to verify that the user is in session and to report audit events [from the architecture document).
Let’s see, you have to modify every app to use the service, like that’s going to happen, and you’re going to introduce another single point of failure server.
If you read a little more of the linked architecture document, you will discover that OpenSSO uses agents to SSO enable web containers. The agent is essentially a filter that refers to the central service to determine the user’s identity and whether she should be given access to the requested resource. Section 4 of the architecture describes this in the context of OpenSSO. The reference to ‘applications’ as well as agents recognizes that any application accessed via HTTP can participate in SSO. So yes, if you have a custom HTTP app, you’ll have to do some enabling. If your app runs in a web container you just have to deploy and configure an agent. Access Manager (OpenSSO’s ‘parent product’) provides agents for a huge variety of containers. We will be releasing the code for a couple of agents into OpenSSO in March.
Marty goes on to say
Under Limited scope of SSO we find “web applications that are hosted on servers that do not reside in the domain of OpenSSO services deployment will not be able to participate in SSO” …. a small and probably disqualifying limitation. Children and their toys.
I would hardly describe OpenSSO as a toy – it is based on Sun’s Java System Access Manager. OpenSSO provides SSO across systems in a single domain, so you could SSO across www.example.com, www.subdomain.example.com, hr.example.com etc. This limitation is a consequence of the cookie-based implementation that OpenSSO uses – cookies only work within a single internet domain. To cross domains to, say, www.partner.com, you need federation. Federation capability is not currently in the OpenSSO roadmap.