Custom Single Sign-On Using BouncyCastle with Microsoft Self Signed Certificate

Need to create a single sign-on PKI infrastructure between Microsoft and Java? Recently, we had a requirement to process single sign-on requests over HTTPS. The project called for integrating our Java end with the client's Microsoft-based SSO (single sign-on) end. The usernames and passwords were stored in Active Directory, and we have a database of users without passwords. Here are some key points in the process:

1) The client sent over a Microsoft self-signed chained certificate which I was not able to import into a Java keystore file. So, I imported it into Internet Explorer and then exported it to a .cer file. Then I was able to import it into the Java keystore.

2) I sent the dev environment public key (using Java keytool) to the client. The client uses it to send two strings via form POST over HTTPS. (I'll post the C# code if anyone is interested.)

3) Both strings are used for PKI signature verification. Here's how to do it using BouncyCastle:

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.Certificate;
import org.bouncycastle.util.encoders.Base64;

// Checks that encodedSignature is a valid SHA1withRSA signature over the
// Base64-decoded message, using the public key of the certificate stored under
// alias "root". Both inputs are Base64 strings from the form POST (the message is
// encoded, not encrypted). keystoreFile and password are fields set elsewhere.
private boolean verify(String encodedMessage, String encodedSignature) {
    String alias = "root";
    try (FileInputStream fileIn = new FileInputStream(keystoreFile)) {
        KeyStore keyStore = KeyStore.getInstance("JCEKS");
        keyStore.load(fileIn, password.toCharArray());
        Certificate cert = keyStore.getCertificate(alias);
        // SHA1withRSA is what the client signs with; SHA-1 is deprecated for new designs.
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(Base64.decode(encodedMessage));
        return sig.verify(Base64.decode(encodedSignature));
    } catch (Exception e) {
        // log; any failure (bad Base64, missing alias, malformed signature) means "not verified"
        return false;
    }
}
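To show the whole exchange behind step 3, here is an added, self-contained example (not code from the original post or from BouncyCastle) that plays both sides: the client's signing step, which the post's C# code would perform, and our verification step, plus the two failure cases a verifier must reject. It uses only the JDK: a freshly generated RSA key pair stands in for the client's self-signed certificate, and java.util.Base64 replaces BouncyCastle's Base64 helper so that it runs without extra jars. The message format and the class and method names are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

// Added example: both ends of the two-string SSO POST.
// In production the public key comes from the certificate imported into the keystore,
// e.g. keytool -importcert -alias root -file client.cer -keystore sso.jceks -storetype JCEKS
// (file and keystore names are placeholders).
public class SsoSignatureDemo {

    // Client side: sign the message and Base64-encode both strings for the form POST.
    static String[] sign(PrivateKey priv, String message) throws Exception {
        byte[] msgBytes = message.getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(priv);
        signer.update(msgBytes);
        byte[] sigBytes = signer.sign();
        return new String[] {
            Base64.getEncoder().encodeToString(msgBytes),
            Base64.getEncoder().encodeToString(sigBytes)
        };
    }

    // Our side: the same check as the post's verify(), with the public key passed in
    // instead of being read from a keystore file.
    static boolean verify(PublicKey pub, String encodedMessage, String encodedSignature) {
        try {
            Signature verifier = Signature.getInstance("SHA1withRSA");
            verifier.initVerify(pub);
            verifier.update(Base64.getDecoder().decode(encodedMessage));
            return verifier.verify(Base64.getDecoder().decode(encodedSignature));
        } catch (Exception e) {
            // malformed Base64 or a signature of the wrong length both count as "not verified"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair client = gen.generateKeyPair();

        // Constructed sample message; the real format is whatever the client's side sends.
        String message = "user=jdoe;issued=2009-01-01T12:00:00Z";
        String[] post = sign(client.getPrivate(), message);
        System.out.println("genuine message verifies: "
            + verify(client.getPublic(), post[0], post[1]));

        // Case 1: message altered after signing, signature unchanged -> must be rejected.
        String altered = Base64.getEncoder().encodeToString(
            "user=jsmith;issued=2009-01-01T12:00:00Z".getBytes(StandardCharsets.UTF_8));
        System.out.println("altered message verifies: "
            + verify(client.getPublic(), altered, post[1]));

        // Case 2: same message signed by a key we do not trust -> must be rejected.
        KeyPair untrusted = gen.generateKeyPair();
        String[] other = sign(untrusted.getPrivate(), message);
        System.out.println("untrusted key verifies:   "
            + verify(client.getPublic(), other[0], other[1]));
    }
}
```

Compile and run with `javac SsoSignatureDemo.java && java SsoSignatureDemo`; the first line prints true and the other two print false. The signature only proves that the trusted key produced this exact message, so whatever the client puts in the message (here a username and an issue time) is what you can rely on; a verifier should also check that any timestamp or nonce in the signed message is current, since a previously captured pair of strings still verifies.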

Thank you to BouncyCastle for making signature verification straightforward. We were able to implement a custom single sign-on solution between Microsoft and Java. Thank you to David Hook of the BouncyCastle project and his book "Beginning Cryptography with Java".

If you know of other single sign-on solutions and/or products, please post a comment or trackback to this post.
