Custom Single Sign-On Using BouncyCastle with Microsoft Self Signed Certificate
Need to create a single sign-on PKI infrastructure between Microsoft and Java? Recently, we had a requirement to process single sign-on requests over HTTPS. The project called for integrating our Java end with the client's Microsoft-based SSO (single sign-on) end. The usernames and passwords were stored in Active Directory, while we kept a database of users without passwords. Here are the key points in the process:
1) The client sent over a Microsoft self-signed chained certificate that I was not able to import directly into a Java keystore file. So I imported it into Internet Explorer, exported it from there as a .cer file, and was then able to import that into the Java keystore.
2) I sent the dev environment public key (exported with Java keytool) to the client. The client uses it to send two strings via Form POST over HTTPS. (I'll post the C# code if anyone is interested.)
3) Both strings are used for PKI signature verification: the first is the Base64-encoded message, the second the Base64-encoded signature over it, and the signature is checked against the public key of the certificate imported in step 1. Here's how to do it using BouncyCastle (KeyStore and Signature are standard JCA classes; the Base64 decoder is BouncyCastle's):
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.Certificate;
import org.bouncycastle.util.encoders.Base64;

// keystoreFile (path to the JCEKS keystore) and password (its password)
// are fields of the enclosing class.
private boolean verify(String encodedMessage, String encodedSignature) {
    String alias = "root"; // alias the client's certificate was imported under
    try (FileInputStream in = new FileInputStream(keystoreFile)) {
        KeyStore keyStore = KeyStore.getInstance("JCEKS");
        keyStore.load(in, password.toCharArray());
        // Public key of the client's signing certificate
        Certificate cert = keyStore.getCertificate(alias);
        if (cert == null) {
            return false; // alias missing: treat as a verification failure
        }
        // SHA1withRSA as agreed with the client; SHA-1 is deprecated for new
        // signatures, so prefer SHA256withRSA when both sides can change it.
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(Base64.decode(encodedMessage));
        return sig.verify(Base64.decode(encodedSignature));
    } catch (Exception e) {
        // log the failure; an exception must never count as a valid signature
        return false;
    }
}
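Here is the complete exchange from steps 2 and 3 as a stand-alone, added example (not code from the original post): the signing side signs the SSO payload and Base64-encodes both payload and signature, and the Java end decodes both and verifies against the signer's public key, including the two cases that must fail (a tampered message and a signature from a different key). A freshly generated RSA key pair stands in for the client's certificate so no keystore is needed, the JDK's java.util.Base64 replaces BouncyCastle's decoder, and SHA256withRSA is used in place of the post's SHA1withRSA; the payload string is constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/**
 * Round trip of the SSO exchange: the client end signs the payload with its
 * private key and sends base64(payload) and base64(signature); the Java end
 * verifies with the public key from the client's certificate. A generated
 * RSA key pair stands in for that certificate (assumption for this demo).
 */
public class SsoSignatureDemo {

    // SHA256withRSA instead of the post's SHA1withRSA: SHA-1 is no longer
    // acceptable for new signatures, and only this JCA name changes.
    private static final String ALGORITHM = "SHA256withRSA";

    /** Signing side: returns {base64(payload), base64(signature)}. */
    static String[] sign(PrivateKey key, String payload) throws Exception {
        byte[] message = payload.getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(ALGORITHM);
        signer.initSign(key);
        signer.update(message);
        byte[] signature = signer.sign();
        return new String[] {
            Base64.getEncoder().encodeToString(message),
            Base64.getEncoder().encodeToString(signature)
        };
    }

    /** Verifying side: the post's verify() with the public key passed in. */
    static boolean verify(PublicKey key, String encodedMessage, String encodedSignature) {
        try {
            Signature verifier = Signature.getInstance(ALGORITHM);
            verifier.initVerify(key);
            verifier.update(Base64.getDecoder().decode(encodedMessage));
            return verifier.verify(Base64.getDecoder().decode(encodedSignature));
        } catch (Exception e) {
            // malformed Base64, a wrongly sized signature or a key problem
            // all mean "not verified", never a thrown exception to the caller
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair clientKeys = gen.generateKeyPair();

        // Constructed sample payload: the SSO username plus a timestamp that
        // binds the signed message to one request.
        String payload = "user=jdoe;ts=1234567890";
        String[] form = sign(clientKeys.getPrivate(), payload);
        System.out.println("valid:    " + verify(clientKeys.getPublic(), form[0], form[1]));

        // Same signature over an altered message -> must fail.
        String tampered = Base64.getEncoder().encodeToString(
            "user=admin;ts=1234567890".getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered: " + verify(clientKeys.getPublic(), tampered, form[1]));

        // Signature made with an unrelated key -> must fail.
        KeyPair other = gen.generateKeyPair();
        String[] forged = sign(other.getPrivate(), payload);
        System.out.println("forged:   " + verify(clientKeys.getPublic(), forged[0], forged[1]));
    }
}
```

Compile and run it with javac and java; it prints valid: true, tampered: false, forged: false. A valid signature proves only that the holder of the private key produced that exact message, so the payload itself needs to carry something the Java end can check for freshness (a timestamp or nonce) or the same signed form POST can be replayed.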
Thank you to BouncyCastle for making signature verification straightforward. We were able to implement a custom single sign-on solution between Microsoft and Java. Thank you to David Hook of the BouncyCastle project and his book "Beginning Cryptography with Java".
If you know of other single sign-on solutions and/or products, please post a comment or trackback to this post.