I have a simple web application which authenticates users via username/password entries in the database. The web application lies within the enterprise network.
Now we are trying to implement SSO using OpenAM for this web application. OpenAM is deployed within the DMZ of the enterprise.
I would like to continue to use the authentication already provided by the web application. I do not want to replicate the username and password combinations to the OpenAM datastore.
The scenario would be as follows:
1. An enterprise user (within the network) accesses the web application via the browser.
2. The request is redirected to the OpenAM login page.
3. OpenAM internally uses the web application's authentication (which could be exposed as a web service).
4. After authentication, the user can navigate to other web applications (like Salesforce) without needing to log in again.
1. Should I implement a customized authentication using OpenAM as described at http://openam.forgerock.org/doc/dev-guide/OpenAM-Dev-Guide/chap-auth-spi.html
   Or should I implement a post-authentication plugin using OpenAM as described at http://openam.forgerock.org/doc/dev-guide/OpenAM-Dev-Guide/chap-post-auth.html
2. How do I manage to implement this using federated SSO? The link at http://developers.sun.com/identity/reference/techart/app-integration.html provides an integration pattern for delegated SSO.
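Option 1 of the question, a custom module written against the OpenAM Authentication SPI that delegates the credential check to the existing application instead of copying credentials into OpenAM, as an added example that is not part of the original question or of OpenAM itself. The verifier URL, its form parameters and its 200/401 contract are hypothetical, the module's callback configuration is assumed to present a NameCallback followed by a PasswordCallback, and the endpoint is assumed to be reachable only from the OpenAM host over TLS.

```java
import java.io.*;
import java.net.*;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.*;
import com.sun.identity.authentication.util.ISAuthConstants;

public class DelegatingLoginModule extends AMLoginModule {
    // Hypothetical credential-check endpoint of the existing web application; TLS only, never plain http.
    private static final String VERIFY_URL = "https://intranet-app.example.internal/auth/verify";
    private Principal principal;
    @Override public void init(Subject subject, Map sharedState, Map options) { }
    @Override public Principal getPrincipal() { return principal; }

    @Override public int process(Callback[] callbacks, int state) throws LoginException {
        if (state != ISAuthConstants.LOGIN_START) throw new AuthLoginException("Unexpected state " + state);
        final String user = ((NameCallback) callbacks[0]).getName();
        char[] pwd = ((PasswordCallback) callbacks[1]).getPassword();
        if (user == null || user.isEmpty() || pwd == null || pwd.length == 0)
            throw new AuthLoginException("Username and password are required");
        boolean accepted;
        try { accepted = verifyWithApplication(user, new String(pwd)); }
        catch (IOException e) {
            throw new AuthLoginException("Credential service unavailable", e); // fail closed, never fall through
        } finally {
            Arrays.fill(pwd, '\0'); // drop the cleartext password as soon as it has been sent
        }
        // One generic message for unknown user and wrong password alike: no username enumeration.
        if (!accepted) throw new AuthLoginException("Invalid username or password");
        principal = new Principal() { public String getName() { return user; } };
        return ISAuthConstants.LOGIN_SUCCEED;
    }

    // POSTs the credentials to the application's verifier: 200 = accepted, 401 = rejected, anything else = error.
    private static boolean verifyWithApplication(String user, String password) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(VERIFY_URL).openConnection();
        c.setRequestMethod("POST"); c.setDoOutput(true);
        c.setConnectTimeout(3000); c.setReadTimeout(3000); // a hung backend must not hang OpenAM logins
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "username=" + URLEncoder.encode(user, "UTF-8") + "&password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = c.getOutputStream()) { out.write(body.getBytes("UTF-8")); }
        int code = c.getResponseCode();
        if (code == 200 || code == 401) return code == 200;
        throw new IOException("Unexpected response " + code);
    }
}
```

Compile it against the OpenAM SDK jars, package it with the module's callback XML and service definition as the Dev Guide chapter describes, and register it in the realm's authentication chain.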
There is a JDBC Authentication Module which already exists, which may well serve your purposes. How you then map this to the users you have for the remainder of your user accounts will be dependent upon your datastore. I would suggest that you might want to ask the OpenAM mailing list, as they tend to be pretty good about giving answers to these questions (https://lists.forgerock.org/mailman/listinfo/openam).