JOSSO.org Community Documentation

Chapter 1. Introduction

1.1. Enter Point-and-Click Internet Single Sign On (SSO)
1.2. First or Second Generation?

JOSSO is an open source Internet SSO solution for rapid and standards-based Internet-scale Single Sign-On implementations, allowing secure Internet access to the Web-based applications or services of customers, suppliers, and business partners.

With Single Sign-On (SSO), access to multiple applications and services that are related (yet independent of one another) can be achieved without requiring multiple authentications by the user. By logging in just once, the user gains access to all the applications - saving time and avoiding the inconvenience of logging in to each separately.

JOSSO accomplishes this with ease. In most cases, deploying an SSO solution means investing significant resources in SSO-enabling the business applications and in setting up authoritative sources of identity data. With JOSSO things are different. Through its agent architecture, JOSSO adds these capabilities transparently, so the integration effort is minimal; in most cases the application does not even need to be rebuilt.

Third-party applications – whose source code might not be available – can be SSO-enabled just as if they were in-house applications.

Identity and Access Management is widely considered to be a highly technical domain, with an implementation that's out of reach for most people. The process of setting up a system for identity and access management has a well-earned reputation for technical difficulty, inconvenience, and errors; all in pursuit of an end product that most users dislike and avoid.

Commercial identity and access management packages offer web-based facilities to set up their products; but without an intimate knowledge of the product's inner structure, the overall set up and roll-out experience is tedious and error-prone.

JOSSO incorporates the Atricore Console Rich Internet Application (RIA) for ease of use, which translates into productivity. Technically savvy staff, without intimate knowledge of the product's internals, can get on board with your identity solutions, significantly accelerating time-to-value for enabling federated identity settings.

Simply "draw" your Internet SSO setting, and bring it to life in a snap. Work at the architecture level.

JOSSO1 represents the first generation of the JOSSO product line. It's a mature and stable solution for transparent SSO, targeted at introducing end-to-end SSO capabilities into application servers and web containers.

The transparency is mainly achieved through JOSSO's compliance with standard security contracts, such as those offered by the JavaEE platform. The main benefit of transparency is that applications which rely on the underlying platform's security contracts can be SSO-enabled without any integration effort at all, and without being coupled to the underlying SSO stack.
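To make the "security contract" point concrete, here is an added example (not code from the JOSSO project or its documentation) of a servlet written purely against the JavaEE Servlet security contract. The application never imports a vendor SSO API: it declares its protected URLs and roles in the deployment descriptor and reads the authenticated principal and roles back through `HttpServletRequest`. Authentication is therefore the container's job, which is exactly where a container-level SSO agent can take it over without the application being changed or rebuilt. The package name, the role name `manager`, the URL patterns and the use of the `javax.servlet` (Servlet 3.0) API are assumptions of this example.

```java
// Added example, not part of JOSSO. Everything security-related here goes
// through the standard Servlet contract: the container authenticates, the
// application only asks "who is this?" and "is this user in role X?".
//
// Matching WEB-INF/web.xml fragment (the declarative half of the contract;
// URL patterns and the role name "manager" are assumptions of this example):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Protected area</web-resource-name>
//       <url-pattern>/protected/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>manager</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>manager</role-name></security-role>

package example;   // hypothetical package name

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/protected/whoami")
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // The container has already enforced the <security-constraint>, so an
        // unauthenticated request never reaches this line. Defensive check
        // anyway: a null principal means this URL is not covered by a
        // constraint, which is a deployment bug rather than a valid state.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Role checks also go through the contract (isUserInRole), never a
        // vendor API, so the realm or SSO agent behind the container can be
        // swapped without touching this code.
        boolean isManager = req.isUserInRole("manager");

        resp.setContentType("text/plain;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("user=" + user.getName());
            out.println("manager=" + isManager);
            // Reported by the container; FORM here, or whatever the
            // installed authenticator/agent declares.
            out.println("auth=" + req.getAuthType());
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout is also part of the Servlet 3.0 contract. A container-level
        // SSO agent can hook this to end the SSO session as well, again
        // without the application knowing which SSO stack is in use.
        req.logout();
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

The thing to check when auditing an application for this kind of transparent SSO-enablement is the absence of the opposite pattern: hand-rolled login forms, session attributes used as the authentication state, or direct calls into an SSO vendor's client library. Any of those bypass the container contract, and the agent model described above cannot cover them without an application change.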

JOSSO's wide support for application vendors makes it a compelling option for bringing on board applications built on heterogeneous platforms.

Moreover, the product is highly extensible, offering a simple component model for implementing plug-ins intended to introduce business-specific variability within the access management layer.

One of the major limitations of JOSSO1 is that it doesn't "play nice" with third-party SSO solutions, which may be hosted in external security domains. For instance, there is no out-of-the-box support for passing the security context on to a SaaS provider. While setting up an Internet-scale SSO setting is possible with JOSSO1, it would force all the involved parties to use JOSSO1, which is rarely acceptable.

In terms of usability, setting up the product requires the involvement of technically-savvy personnel, capable of dealing with configuration descriptors and with a good working knowledge of both the SSO pieces and the underlying infrastructure.

JOSSO1 is highly extensible in terms of the wide support provided for mainstream application platforms, authentication mechanisms and identity stores, but the SSO protocol is hardwired into the product. Therefore, providing full compatibility with other protocols and their bindings, such as SAML or OpenID, is not possible.

Another limitation is that JOSSO1 is not designed for multi-tenant environments. Only limited support for this is provided, through the definition of security domains.

Finally, JOSSO1 is targeted for SSO only, thus leaving account and entitlement management and storage to third-party software components. As a result, more effort and investment are usually involved in order to cope with the missing pieces.

JOSSO2 is the second generation of the JOSSO product line. This generation is an all-in-one solution that enables end-to-end delivery of Internet/Federated Single Sign-On settings, building on a purely model-driven approach to lower the entry barrier and shorten time-to-value. It's also bundled with account and entitlement management support, building on an RDBMS-based internal identity store. Many other building blocks, which are provided by the Atricore Identity Bus kernel, enable JOSSO2 to expand its coverage to other areas of identity and access management which haven't been addressed in the past.

If you have a rather standard and controlled setting, and you're looking to implement it in an out-of-the-box fashion with little involvement from IT, JOSSO2 might be the right choice for you. JOSSO2 can significantly help by delivering an Internet-scale SSO solution, thus involving external/cloud-based partner sites (e.g. suppliers, remote branches, etc.) and potentially hosting their internal identity back-end.

You might consider using JOSSO1 for solving simpler SSO scenarios scoped to a single administrative unit, with few or no requirements in terms of interoperability with external entities (e.g. partners, suppliers, branches, etc.) where the trust relationship among these is weak. Since no account and entitlement management is provided, a third-party solution would need to be adopted, or a home-grown application would need to be built.

Alternatively, while generic third-party tooling could be leveraged for this (such as an LDAP console), it would provide a view only at the level of the specific storage technology, significantly affecting usability and information consistency, and raising the entry barrier for administrators.

In addition, you'll find more free support from the large community of adopters that the project has won since its inception in 2004.