OpenSSO add-on

Introduction:

As described in OpenSSO and WebSynergy, there are 3 ways to use OpenSSO as the Single Sign-on framework for WebSynergy. This page explains how to install, configure and use OpenSSO add-on.

OpenSSO add-on has the following benefits:

  1. OpenSSO Realm to WebSynergy Org mapping
  2. OpenSSO membership (Roles/Filtered-roles/Groups) to WebSynergy Communities mapping
  3. Mapping portlet for admin to do the org and community mapping
  4. User synchronization - when a user is deleted from OpenSSO, the user entry is removed from WebSynergy
  5. Better performance since it uses OpenSSO clientsdk which has its cache
  6. Allow public pages to unauthenticated users. This is configurable.
  7. Webservices are secured using the same OpenSSO basic auth for tunnel-web

How it works

  1. End user accesses WebSynergy
  2. Redirected to OpenSSO for auth
    • if public page access is allowed, then show public pages w/o auth
    • any private page access or click on "Sign In" causes the redirect to OpenSSO
  3. Redirected back to WebSynergy after successful auth at OpenSSO
  4. user logs in to WebSynergy, if already exists in WebSynergy
  5. If user does not exist in WebSynergy, create a new user entry in WebSynergy and then login
    • If user belongs to an OpenSSO realm which is mapped to a WebSynergy org, then s/he is assigned to the mapped org
  6. If user has membership (role/filtered role/group) in OpenSSO which is mapped to a community in WebSynergy, then add the user to the mapped community (thus show the community content)
    • If the user has been removed from the membership in OpenSSO then remove the user from the mapped community
  7. Once authenticated with OpenSSO, user is single signed on with all applications using OpenSSO
  8. Single logout, either at WebSynergy or at any other application supporting OpenSSO, causes the user be logged out of WebSynergy and OpenSSO

Installation

Requirements
  • ant version 1.7.0 or higher
  • ant-nodeps.jar
  • java in the path
  • ant in the path
  • JAVA_HOME is set
  • ANT_HOME is set

1. Update Tool

1. cd to <install-root>/bin dir and run updatetool

2. You may need to run updatetool twice if it has not been installed yet

3. Edit properties of the "support.sun.com" repository and enable it.

4. Select Available Add-ons to see the list of addons

5. Select OpenSSO add-on and click install. This will install the bits.

2. Edit Templates

1. cd to <install-root>/webspace/opensso/templates

2. Copy AMConfig.properties.template to AMConfig.properties

3. Edit AMConfig.properties file with appropriate values for OpenSSO server details.

Note
Review the URL carefully. By default, for AM 7.1 the URI contains /amserver whereas for OpenSSO it contains /opensso. If you have customized it then change it accordingly.

Here is the example.

com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.cookie.secure=false
com.iplanet.am.naming.url=http://<opensso-host>:<port>/opensso/namingservice
com.iplanet.am.notification.url=http://<opensso-host>:<port>/opensso/notificationservice
com.iplanet.am.service.password=anonymous
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.services.debug.directory=/var/opt/sun/identity/debug
com.iplanet.services.debug.level=error
com.sun.identity.agents.app.username=anonymous

8. Edit portal-ext.properties file with appropriate values for your OpenSSO server.

Here is the example.

access.manager.login.url=http://<opensso-host>:<port>/opensso/UI/Login?goto=http://<portal-host>:8080/c/portal/login
access.manager.logout.url=http://<opensso-host>:<port>/opensso/UI/Logout?goto=http://<portal-host>:8080/portal

3. Run the installer

1. cd to <install-root>/webspace/opensso

2. ant -f install-gfv2.xml

After an update, if install-glassfish.xml exists then run ant -f install-glassfish.xml instead.

4. Restart GlassFish

After successful installation, restart the GlassFish server.

Configuration

 The configuration for OpenSSO included in "portal-ext.properties" and "AMConfig.properties". As the OpenSSO addon uses opensso client SDK the AMConfig.properties must be configured with appropriate values. The files will be copied to the websynergy's web application directory of GlassFish (<GF Domain>/applications/j2ee-modules/websynergy/WEB-INF/classes).

portal-ext.properties

# If set to false the OpenSSO addon is disabled. Default: true

access.manager.auth.enabled=true

# Perform the synchronization of the data at the time of Login. Default: true

access.manager.sync.enabled=true

# Set this to false to enforce authentication for public pages. Public pages does not require authentication by default.

access.manager.allow.public.pages=true

#  After a successful authentication against OpenSSO/AM, the Websynergy would read following attributes for the authenticated user to determine the access to the portal. The attributes "email, first name, last name and screen name" are required to determine access to the Websynergy portal and hence must be populated with values in the OpenSSO/AM. The following configuration provides and option to map these required attributes to different attributes.

# OpenSSO/AM attribute for Websynergy's screen name attribute. Default: uid

access.manager.screen.name.attr=uid

#  OpenSSO/AM attribute for Websynergy's email attribute. Default: mail

access.manager.email.attr=mail

# OpenSSO/AM attribute for Websynergy's first name attribute. Default: givenName

access.manager.first.name.attr=givenName

# OpenSSO/AM attribute for Websynergy's last name attribute. Default: sn

access.manager.last.name.attr=sn

# OpenSSO/Access Manger login URL. Here the "goto" parameter must point to the Websynergy server.

access.manager.login.url=[http://opensso.myhost.com:18080/opensso/UI/Login?goto=http://portal.myhost.com:8080/c/portal/login]
access.manager.logout.url=[http://opensso.myhost.com:18080/opensso/UI/Logout?goto=http://portal.myhost.com:8080/portal]

# Auto Login Hook. Configured by the installer. The  "com.sun.portal.security.auth.AccessManagerAutoLogin" should be the first entry in the list.

# Please note that it is one single line. It is split into two lines for better readability.

auto.login.hooks=com.sun.portal.security.auth.AccessManagerAutoLogin,com.liferay.portal.security.auth.CASAutoLogin,com.liferay.portal.security.auth.NtlmAutoLogin,

com.liferay.portal.security.auth.OpenIdAutoLogin,com.liferay.portal.security.auth.OpenSSOAutoLogin,com.liferay.portal.security.auth.ParameterAutoLogin,com.liferay.portal.security.auth.RememberMeAutoLogin

AMConfig.properties

This file contains the configuration for AM client SDK. Please refer to OpenSSO/AM documentation for more information.

com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.cookie.secure=false
com.iplanet.am.naming.url=[http://opensso.myhost.com:8080/opensso/namingservice]
com.iplanet.am.notification.url=[http://opensso.myhost.com:8080/opensso/notificationservice]
com.iplanet.am.service.password=anonymous
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.services.debug.directory=/user/home/opensso/client
com.iplanet.services.debug.level=error
com.sun.identity.agents.app.username=anonymous

Mapping Portlet

As part of the OpenSSO/AM addon a Mapping Portlet is provided which can only be used by the admin user. In order to use the Mapping portlet, the admin user must use "add application" from the dock to add the portlet to a page. With Mapping portlet, the roles/groups of OpenSSO/AM can be mapped to the Websynergy's communities to access the content of the pages. The portal level permissions are still managed by the Websynergy. The membership of a user to a community can be controlled by his/her membership of a role/group in OpenSSO/AM. If a user is removed from a group/role of OpenSSO/AM the user is also removed from the community's membership.

FAQ

1. After the installation, browser is not redirected to AM/OpenSSO for authentication. Naming service related errors appear in logs.

Check the OpenSSO/AM URL. Check if the URL is accessible from the browser.

2. OpenSSO/AM authentication does not work over "HTTPS".*

See if the AM/OpenSSO server's certificate signer is trusted. If not, obtain and install the server certificate CA into the GlassFish's certificate database.  Here are few quick steps to obtain and import the Server's certificate into the GlassFish's certificate database.

a. Obtain the certificate from https://<OpenSSO server>. Refer to the following link.

http://blogs.sun.com/andreas/entry/no_more_unable_to_find

b. Export the certificate imported in step a.

keytool -exportcert -alias myserver-cert -keystore /<local Dir>/jssecacerts -file /<local Dir>/myserver.cer

c. Copy the myserver.cer file generated in above example to your Websynergy machine.

d. Import the certificate the into Glassfish domain's cacerts db.
keytool -storepass changeit -import -trustcacerts -keystore /<glassfish domain dir>/config/cacerts.jks -file /<local Dir>/myserver.cer -alias <certificate alias>

e. Restart the Websynergy.

Please take a backup of all certificate files (with jks extension) before running any commands mentioned above. Also, please refer to the manual page for Java's "keytool".

3. The user "admin" can't login to the Websynergy.*

Create the user "admin" in OpenSSO with "givenName,sn,mail,uid" attributes populated. Please note that the e-mail ID of the admin user created in OpenSSO/AM must match to that of Websynergy. For example, the default e-mail for "admin" user in Websynergy is "admin@example.com". When admin user is created in OpenSSO/AM the user "admin" should be populated with "admin@example.com" for mail attribute.

4. After successfully authenticating against OpenSSO, browser is not redirected to the Websynergy. Instead, browser complains about infinite loop.*

a. Check if Websynergy and OpenSSO/AM are in the same domain. If not, enable CDSSO (Cross Domain Single Sign On). Please refer to the OpenSSO documentation for more details on enabling CDSSO.

b. Enable the Cookie Encoding on OpenSSO server. 

  1. Login to OpenSSO as amadmin
  2. Goto Configuration -> Server and Sites -> <myserver> -> Security -> Cookie
  3. Set  "Encode Cookie Value" to Yes

If this value is not editable, then click on "Inheritance Settings" button. Uncheck "Encode Cookie Value" from inheritance settings and save. Then go back and you should see a check box for Encode Cookie Value.

Restart the OpenSSO server after making changes to Cookie Encode.

NOTE: If OpenSSO server is deployed on Sun Web Server 7.x then set "Encode Cookie Value" to No on the OpenSSO server and set "com.iplanet.am.cookie.encode=true" (which is default) in AMConfig.properties file of the Websynergy's addon.

5. Can't find OpenSSO/AM Roles/Groups in Mapping Portlet.*

As the Mapping portlet is used by the "admin" user, ensure that the admin user has privileges on OpenSSO/AM to browse (read) all available roles/groups etc. This has to be done via OpenSSO/AM administration console.

6. Can not login as amAdmin to WebSynergy*

amAdmin is a special OpenSSO user and can not be imported into WebSynergy, so can not be used to login to WebSynergy. Instead create another user in OpenSSO and assign sufficent privileges to acheive the same.

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Sign up or Log in to add a comment or watch this page.


The individuals who post here are part of the extended Sun Microsystems community and they might not be employed or in any way formally affiliated with Sun Microsystems. The opinions expressed here are their own, are not necessarily reviewed in advance by anyone but the individual authors, and neither Sun nor any other party necessarily agrees with them.

Copyright 1994-2009 Sun Microsystems, Inc.
Powered by Atlassian Confluence Sun Guidelines on Public Discourse Privacy Policy Terms of Use Trademarks Site Map Employment Investor Relations Contact