NimbusSSO
- Nimble web service for single sign-on (SSO) and shared session management
- LDAP or proxied user authentication
- Scales horizontally for load balancing and fail-over

Nimble SSO for Ajax and cross-domain web apps
NimbusSSO is a nimble web service for supplying Single Sign-On (SSO) and session management to modern Ajax / Web 2.0 applications which tie data and services from multiple sources, often residing on different domains. The case is simple: Monolithic web apps can quickly become cumbersome; the wise approach to staying scalable, efficient and manageable is by adhering to an architecture where a rich web UI calls upon an array of lightly coupled web services, each with its own precisely scoped job and API. NimbusSSO handles the Single Sign-On (SSO) and shared session management for such distributed architectures.

NimbusSSO providing single sign-on and session management to an Ajax app:
1) NimbusSSO receives a sso.login request from the browser and returns a session token (SID) upon successful user authentication.
2) The browser passes the SID with each application or service request.
3) The web app / services verify the SID with NimbusSSO and retrieve the user's identity.

JSON eases integration
NimbusSSO is a NoXML inspired solution. Its web API speaks JSON which is readily consumed by JavaScript and other applications.
Example JSON-RPC 2.0 request to log in a user:

```json
{
  "method"  : "sso.login",
  "params"  : { "username" : "alice@wonderland.net",
                "password" : "secret" },
  "id"      : "0001",
  "jsonrpc" : "2.0"
}
```

Example JSON object representing a shared SSO session:

```json
{
  "SID"            : "cfcbc64e-eb28-4bce-91dc-da0506eda1c0",
  "userID"         : "alice",
  "userDN"         : "uid=alice,ou=people,dc=wonderland,dc=net",
  "start"          : "2011-04-02T11:12:23Z",
  "lastAccess"     : "2011-04-02T12:12:23Z",
  "end"            : "2011-04-02T13:12:23Z",
  "maxTime"        : 1440,
  "maxIdleTime"    : 15,
  "userAttributes" : { "name"  : "Alice Adams",
                       "email" : "alice@wonderland.net",
                       "phone" : [ "+1 685 622 6202",
                                   "+1 010 154 3228",
                                   "+1 225 216 5900" ] },
  "Json2Ldap"      : { "URL" : "http://wonderland.net:8080/json2ldap/",
                       "CID" : "bfee49bb-9beb-49d7-8a14-1ead77023090" },
  "loginIP"        : "192.168.0.1"
}
```

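The login exchange from step 1, as an added example that is not NimbusSSO's own code: it builds the sso.login request shown above and strictly validates the JSON-RPC 2.0 reply before a SID is accepted. The shape of the reply's result (a bare SID string, UUID-formatted like the SIDs on this page) and the function names are assumptions.

```javascript
// Added example: strict handling of the JSON-RPC 2.0 "sso.login" exchange.
// Assumption (not stated on the page): the "result" member of a successful
// reply is the SID string itself, formatted like the UUID SIDs shown above.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build the login request. The password travels in the request body, so
// refuse any endpoint that is not HTTPS.
function buildLoginRequest(endpoint, username, password, id) {
  if (new URL(endpoint).protocol !== "https:") {
    throw new Error("login endpoint must use https");
  }
  return {
    url: endpoint,
    body: JSON.stringify({
      method: "sso.login",
      params: { username, password },
      id,
      jsonrpc: "2.0",
    }),
  };
}

// Validate the reply envelope per JSON-RPC 2.0 and return the SID.
function parseLoginResponse(text, expectedId) {
  const msg = JSON.parse(text); // throws on malformed JSON
  if (msg === null || typeof msg !== "object" || msg.jsonrpc !== "2.0") {
    throw new Error("not a JSON-RPC 2.0 response");
  }
  if (msg.id !== expectedId) {
    throw new Error("response id does not match request id");
  }
  const hasResult = "result" in msg;
  const hasError = "error" in msg;
  if (hasResult === hasError) {
    throw new Error("response must carry exactly one of result / error");
  }
  if (hasError) {
    // Report the numeric code only; never echo server text into the page.
    const code = msg.error && msg.error.code;
    throw new Error("login failed (code " + code + ")");
  }
  if (typeof msg.result !== "string" || !UUID_RE.test(msg.result)) {
    throw new Error("result is not a well-formed SID");
  }
  return msg.result;
}
```
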
Cross-domain capability
NimbusSSO, like all other NimbusDS services, supports cross-domain XHR through the emerging Cross-Origin Resource Sharing (CORS) W3C standard. CORS is supported by all major browsers today, such as Firefox (3.5+), IE (8+), Chrome (3+) and Safari (4+).

Check out our open source CORS servlet filter if you intend to build conforming Java web services.

One session, multiple apps
Upon successful user login NimbusSSO returns a session identifier (SID) which can be passed to participating applications and back-end services to retrieve the user's identity and keep track of the session. An application may also ask to be notified when the user logs out or their session expires. This frees the participating applications from the task of user session tracking.
The NimbusSSO's URL and the session identifier (SID) string - that's all you need to identify a user across your Ajax services. Access to the session API can be controlled with API keys, client SSL certificates or other means.
URL: https://my.org/services/nimbussso/
SID: 5b2b3e3c-b9db-4ec0-afd4-22c2688a7dfb
To make session queries fast NimbusSSO employs a highly concurrent and efficient in-memory data store, with optional persistence. To enable load-balancing and fail-over you can run multiple replicas of NimbusSSO.
LDAP or proxied user authentication
NimbusSSO can authenticate users against an LDAPv3 compatible directory, such as Microsoft Active Directory, Novell eDirectory or OpenLDAP. This is done through an AuthService instance which can be embedded or remote.
Key features of LDAP user authentication:
- Secure LDAP access over the web: If NimbusSSO is hosted in the public cloud and your LDAP directory is on premise, the remote AuthService backend allows for secure web communications between the two.
- User data provisioning: The session JSON object can be optionally provisioned with selected details from the user's directory entry. NimbusSSO can also provide web applications with an LDAP connection (through Json2Ldap) authenticated as the logged-in user, to allow retrieval and update of profile details as well as password change.

AuthService handles LDAP authentication on behalf of NimbusSSO
NimbusSSO also supports proxied login, to enable external authentication mechanisms, such as two-factor authentication.
Download
Interested? You are welcome to download an evaluation copy of NimbusSSO. No registration is required for that.
The software comes in a standard WAR package ready for immediate deployment. Check out the installation instructions for details.
NimbusSSO is offered under an affordable licence which includes 12 months of maintenance, updates and our support. Discounts are available if you wish to run multiple instances or would like to integrate NimbusSSO into your own product or service offerings. We also offer various dedicated services such as integration assistance, training and custom add-on development. Get in touch with sales for more information.

