Windows Live SSO from Java!

News


March 21st 2011
If a certificate in the chain used for the mutual-SSL authentication has expired or been revoked, the Java trust store has to be rebuilt to reflect the change. The project ships a generic trust store, cacerts-win32.jks, containing the most recent versions of the certificates used by the Microsoft SSO endpoint, but it sometimes falls out of date. If that happens, try one of the following:
- Use the standard Java trust store (older versions of Java did not include a trusted root certificate the SSO service relies on; this may have changed since, please let me know if it has!)
- Build and run the CertificateConvert project that ships with the source to extract all certificates from a Windows server and rebuild the cacerts-win32.jks file

February 24th 2011
Issues with SSO displaying the wrong mailbox after the Dual ID change (described here: http://outlookliveanswers.com/forums/p/6490/20149.aspx#20149).

After making this change, it was found that on occasion a user was connected to another user's mailbox. The cause is LiveID, which occasionally strips URL parameters; the fix is to include exsvurl=1 as a parameter. Add this URL parameter to the property au.com.identityconcepts.windowslive.loginURLExchangeLabs in the WindowsLiveSSO.properties file and the problem goes away.

The property will then look like this:

au.com.identityconcepts.windowslive.loginURLExchangeLabs=https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=10&ct=1217534617&rver=5.5.4177.0&wp=MBI_SSL&wreply=https:%2F%2Fexchangelabs.com%2Fowa%2F&lc=1033&exsvurl=1


July 13th 2010
Java 6 and issues with SSL renegotiation

Thanks to a Brazilian user for this advice.

Microsoft's web service requires TLS renegotiation, and Java 6 disables it by default. Sun's position is that this avoids man-in-the-middle attacks: the legacy renegotiation handshake lets an attacker splice a request of their own in front of the client's, which is the flaw later addressed by RFC 5746. Re-enabling it is therefore a deliberate trade-off for this one JVM, not a harmless setting, and is only needed until both sides speak the secure renegotiation extension.
TLS renegotiation can be allowed in Java 6 by setting the system property sun.security.ssl.allowUnsafeRenegotiation to true before creating the session and calling GetSLT (or as a property on the JVM command line).

In code (the property is read once by JSSE, so it must be set before the first TLS connection is made):
System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
this.session = new Session();
this.shortLivedToken = Marshall.GetSLT(session, userName, loginSeconds);

Via JAVA_OPTS:
-Dsun.security.ssl.allowUnsafeRenegotiation=true

September 4th 2009
- Use your PFX file!
- Use SVN HEAD!

Background

- Windows Live uses a set of SOAP-based Passport web services to obtain a short-lived token (SLT) via a method known as GetSLT. GetSLT is secured with client certificates and requires that the TLS connection be mutually authenticated
- To make that TLS connection, Java needs access to a private key and to the certificates of the trusted root and intermediate CAs. The private key must be in a keystore Java can open: a Java Key Store (JKS) or, as in the properties example below, the PKCS#12 PFX file itself. The keystore and the private key must share the same password, and all intermediate certificates must be present in the chain
- A truststore is also required (usually cacerts in Java) containing all the required root and intermediate CAs. Java 6 does not ship the necessary entries, so a new truststore has to be built
- Apache CXF is used to build a Java proxy client from the (slightly modified) Passport WSDL

Prerequisites

Truststore
- Use the supplied cacerts-win32.jks

Keystore
- Use the PFX file supplied by the Partner Center
- Import it into the Windows certificate store (double-click the file in Windows Explorer). In the import wizard, mark the private key as exportable and include all extended properties
- Export it again from the Internet Explorer certificate manager (Internet Options > Content > Certificates). Choose the PFX format, tick the options to include all certificates in the certification path and to export all extended properties, and protect the file with a password. This round trip through the Windows store is what pulls the intermediate certificates into the file, which Java needs (see Background)
- Update the WindowsLiveSSO.properties file with the path and password of the new PFX file

Windows Live SSO
- Java 1.5
- CXF 2.1.1 (and dependencies)
- PassportUtil.jar
- WindowsLiveHelper.jar
- Your code!

Optional
- WindowsLive SSO for J2EE. Secure the JSP, pass the username through in an HTTP header and get back a URL which can be used for SSO
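The Background and Keystore steps above say what Java needs from the keystore and truststore but give no way to confirm it before the first GetSLT call fails with an SSL handshake error. The following is an added example, not part of the project or of the PassportUtil/WindowsLiveHelper code: it loads the PFX and the JKS truststore with the standard JDK APIs, reports every key entry with its chain and validity dates, flags an expired or not-yet-valid entry (the situation in the March 21st 2011 note), and builds the SSLContext the same way JSSE does from the javax.net.ssl.* properties. The class name, the argument order and the chain-length warning are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not project code): loads the PFX (PKCS#12) keystore and the
 * JKS truststore used for the mutual-TLS call to GetSLT, prints what Java will
 * actually offer and trust, and builds the SSLContext the proxy client needs.
 *
 * Usage: java MutualTlsStoreCheck <pfx> <pfxPassword> <truststore.jks> <trustPassword>
 */
public class MutualTlsStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: MutualTlsStoreCheck <pfx> <pfxPassword> <truststore> <trustPassword>");
            System.exit(2);
        }
        // A PFX file is a PKCS#12 store; Java unlocks both the file and the key with the same password.
        KeyStore keyStore = load("PKCS12", args[0], args[1].toCharArray());
        KeyStore trustStore = load("JKS", args[2], args[3].toCharArray());

        int keyEntries = 0;
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue; // a bare certificate entry is never offered as a client certificate
            }
            keyEntries++;
            // Store and key password must match: a mismatch throws UnrecoverableKeyException here.
            keyStore.getKey(alias, args[1].toCharArray());
            Certificate[] chain = keyStore.getCertificateChain(alias);
            System.out.println("key entry '" + alias + "' with " + chain.length + " certificate(s) in chain");
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  " + x.getSubjectX500Principal() + " valid until " + x.getNotAfter() + " " + validity(x));
            }
            if (chain.length < 2) {
                System.out.println("  WARNING: no intermediate certificates in the chain; re-export the PFX with the certification path");
            }
        }
        if (keyEntries == 0) {
            System.out.println("ERROR: keystore has no private key entry; the PFX must contain the key, not just a certificate");
        }

        System.out.println("truststore entries:");
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!trustStore.isCertificateEntry(alias)) {
                continue;
            }
            X509Certificate x = (X509Certificate) trustStore.getCertificate(alias);
            System.out.println("  " + alias + ": " + x.getSubjectX500Principal() + " valid until " + x.getNotAfter() + " " + validity(x));
        }

        // Same wiring JSSE performs from javax.net.ssl.keyStore / javax.net.ssl.trustStore.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, args[1].toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext initialised with " + kmf.getKeyManagers().length
                + " key manager(s) and " + tmf.getTrustManagers().length + " trust manager(s)");
    }

    private static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Validity period only; revocation is not checked here. */
    private static String validity(X509Certificate x) {
        try {
            x.checkValidity();
            return "(OK)";
        } catch (CertificateExpiredException ex) {
            return "(EXPIRED)";
        } catch (CertificateNotYetValidException ex) {
            return "(NOT YET VALID)";
        }
    }
}
```

Run it with the paths from the properties example, e.g. java MutualTlsStoreCheck c:/customer.pfx changeit c:/cacerts-win32.jks changeit. A chain length of 1 means the PFX export did not include the certification path; an UnrecoverableKeyException means the key password differs from the store password. checkValidity() only covers dates: a revoked intermediate still prints as OK, so the trust store still has to be rebuilt when Microsoft revokes one.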

Tasks

Create a Truststore (trusted Root and intermediate CAs) (optional)
- Generate a new trust store using CertificateConvert.exe. Modify its App.Config to set your working/output directory and the location of the Java keytool.exe. The password of the resulting trust store is changeit.

Create a Windows Live SSO application
- Modify the client.properties file with your site-specific information

---snip---
au.com.identityconcepts.windowslive.siteID=253988
au.com.identityconcepts.windowslive.domain=WLEduTraining.com
au.com.identityconcepts.windowslive.domainAdmin=administrator@WLEduTraining.com
au.com.identityconcepts.windowslive.keyStore=c:/customer.pfx
au.com.identityconcepts.windowslive.keyStorePassword=changeit
au.com.identityconcepts.windowslive.trustStore=c:/cacerts-win32.jks
au.com.identityconcepts.windowslive.trustStorePassword=changeit
au.com.identityconcepts.windowslive.debug=false
au.com.identityconcepts.windowslive.verbose=false
au.com.identityconcepts.windowslive.sslDebug=false
au.com.identityconcepts.windowslive.WSDLPath=c:/PPSACredentialWSDL.srf.wsdl
au.com.identityconcepts.windowslive.loginURLLive=https://login.live.com/ppsecure/post.srf
au.com.identityconcepts.windowslive.loginURLExchangeLabs=https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=10&ct=1217534617&rver=5.5.4177.0&wp=MBI_SSL&wreply=https:%2F%2Fexchangelabs.com%2Fowa%2F&lc=1033
---snip---

Create an application (JSP/Servlet/etc) and call the GetSLT method

WindowsLive SSO for J2EE
- Set the system environment variable WLIDConfigFilePath to the full path of the file holding the configuration for your domain, e.g. WLIDConfigFilePath=c:/WLIDSSO.config (it defaults to c:\WindowsLiveSSO.properties)
- Unpack the installation zip file to a directory. It contains WindowsLiveSSO.war, an example configuration file WindowsLiveSSO.properties, the Passport WSDL PPSACredentialWSDL.srf.wsdl and an example Java trust store cacerts-win32.jks
- Edit the configuration file and include your site-specific information
- Deploy the WAR file to the Tomcat server
- Submit a request to http://localhost:8080/WindowsLiveSSO/validate.jsp with a request header "username" carrying the LiveID of the user and a header "service" naming the service (either "livemail" or "exchangelabs"). Optional headers are "redirect" (true or false) and "debug" (true or false). The servlet acts on whatever username arrives in that header, so validate.jsp must sit behind the container's authentication and must not be reachable by a client that can supply the header itself; otherwise any caller could obtain an SSO URL for an arbitrary user.
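Because the JSP acts on the "username" header, the one thing that must not happen is a client choosing that header itself. The following servlet filter is an added example, not part of the WindowsLiveSSO.war: it assumes the WAR is deployed behind a container security-constraint so that getUserPrincipal() is populated, and it assumes a simple mapping from the container principal to a LiveID in the configured domain (the liveIdFor method and the "domain" init-param are this example's inventions; a real deployment would look the user up). The header names and allowed values are the ones listed above.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not project code). Sits in front of validate.jsp: refuses
 * anonymous callers, replaces any client-supplied "username" header with the
 * container-authenticated principal, and rejects malformed "service",
 * "redirect" and "debug" values before the JSP sees them.
 */
public class SsoHeaderFilter implements Filter {

    // Hypothetical init-param: the LiveID domain, mirroring
    // au.com.identityconcepts.windowslive.domain in the properties file.
    private String domain;

    public void init(FilterConfig config) throws ServletException {
        domain = config.getInitParameter("domain");
        if (domain == null) {
            throw new ServletException("init-param 'domain' is required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No authenticated session: nothing to derive a username from.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String service = request.getHeader("service");
        if (!"livemail".equals(service) && !"exchangelabs".equals(service)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "service must be livemail or exchangelabs");
            return;
        }
        for (String flag : new String[] { "redirect", "debug" }) {
            String v = request.getHeader(flag);
            if (v != null && !"true".equals(v) && !"false".equals(v)) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, flag + " must be true or false");
                return;
            }
        }
        // The username the JSP sees comes from who the container authenticated,
        // never from what the client sent.
        String liveId = liveIdFor(request.getUserPrincipal().getName(), domain);
        Map<String, String> forced = new HashMap<String, String>();
        forced.put("username", liveId);
        chain.doFilter(new HeaderOverride(request, forced), response);
    }

    public void destroy() {
    }

    /** Assumed mapping: principal "alice" or "alice@anything" becomes alice@<domain>. */
    static String liveIdFor(String principal, String domain) {
        int at = principal.indexOf('@');
        String local = at >= 0 ? principal.substring(0, at) : principal;
        return local + "@" + domain;
    }

    /** Request wrapper whose listed headers take precedence over the client's. */
    static class HeaderOverride extends HttpServletRequestWrapper {
        private final Map<String, String> overrides;

        HeaderOverride(HttpServletRequest request, Map<String, String> overrides) {
            super(request);
            this.overrides = overrides;
        }

        public String getHeader(String name) {
            String v = overrides.get(name.toLowerCase());
            return v != null ? v : super.getHeader(name);
        }

        public Enumeration getHeaders(String name) {
            String v = overrides.get(name.toLowerCase());
            return v != null ? Collections.enumeration(Collections.singletonList(v)) : super.getHeaders(name);
        }
    }
}
```

Map the filter in web.xml to /validate.jsp ahead of any other filter, and add a security-constraint for the same URL so that getUserPrincipal() is populated. With both in place the JSP only ever sees a username derived from an authenticated session; a request carrying a forged header simply gets the principal's LiveID instead. The name.toLowerCase() lookups matter because header names are case-insensitive and the JSP may ask for "Username".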

Troubleshooting

- Ensure you've validated against the official SSO Toolkit first!
- Confirm the PFX file you are using contains a certificate together with its private key
- Turn on debugging in the properties file (debug, verbose and sslDebug)
- Ensure you're using the cacerts-win32.jks file from SVN HEAD
- Turn on CXF debugging by modifying the cxf.xml file (more details to come!). The logging feature writes complete SOAP payloads, including the returned token, to the log, so turn it off again once the problem is found

<!-- Uncomment this block for CXF debugging -->
<cxf:bus>
  <cxf:features>
    <cxf:logging/>
  </cxf:features>
</cxf:bus>

Last edited Mar 21, 2011 at 1:21 AM by adam_j_bradley, version 43