Integrating with Web SSO

In this section, we will discuss how to configure GateIn to provide Single Sign On (SSO). One possible way of configuring SSO with GateIn is to use an OpenSSO server.

OpenSSO is an SSO framework that can be configured to provide an authentication mechanism with different applications sharing realm configurations.

Note

For more information about OpenSSO, please visit the following URL:

http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html.

Getting ready

  1. Download and install the OpenSSO server as described on the official website.
  2. Download the latest GateIn SSO support package from the following Maven repository location:

    https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging

  3. The latest version available at the time of writing this book is 1.1.1-GA; it can be downloaded from this URL:

    https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging/1.1.1-GA/sso-packaging-1.1.1-GA.zip

  4. Extract the package in a folder in your filesystem.

How to do it...

First, we will start configuring all the artifacts relating to the classpath.

  1. Copy the files from GATEIN_SSO_HOME/opensso into OPENSSO_HOME, and add the libraries required by GateIn from the same package to the application server running GateIn.
  2. If OpenSSO runs on the same machine as GateIn, edit the HTTP connector configuration of the application server hosting OpenSSO: change its HTTP connector port to 8888 and its AJP port from 8009 to 8809, so that it does not collide with the ports used by GateIn.
  3. Edit the file OPENSSO_HOME/webapps/opensso/config/auth/default/AuthenticationPlugin.xml so that it reads as follows:
    <?xml version='1.0' encoding="UTF-8"?>
    <!DOCTYPE ModuleProperties PUBLIC "=//iPlanet//Authentication Module Properties XML Interface 1.0 DTD//EN"
        "jar://com/sun/identity/authentication/Auth_Module_Properties.dtd">
    <ModuleProperties moduleName="AuthenticationPlugin" version="1.0">
        <Callbacks length="2" order="1" timeout="60" header="GateIn OpenSSO Login">
            <NameCallback>
                <Prompt>Username</Prompt>
            </NameCallback>
            <PasswordCallback echoPassword="false">
                <Prompt>Password</Prompt>
            </PasswordCallback>
        </Callbacks>
    </ModuleProperties>
  4. If you are using JBoss, uncomment the following snippet inside the file gatein.ear/META-INF/gatein-jboss-beans.xml:
    <authentication>
        <login-module code="org.gatein.sso.agent.login.SSOLoginModule" flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
        </login-module>
        <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
            <module-option name="portalContainerName">portal</module-option>
            <module-option name="realmName">gatein-domain</module-option>
        </login-module>
    </authentication>
  5. For Tomcat, update the file TOMCAT_HOME/conf/jaas.conf and uncomment this snippet:
    org.gatein.sso.agent.login.SSOLoginModule required;
    org.exoplatform.services.security.j2ee.TomcatLoginModule required
        portalContainerName=portal
        realmName=gatein-domain;
  6. Add a new valve to the Tomcat configuration inside the file TOMCAT_HOME/webapps/portal.war/META-INF/context.xml:
    . . .
    <Context path='/portal' docBase='portal' ... >
        <Valve className='org.gatein.sso.agent.tomcat.ServletAccessValve' />
        . . .
    </Context>
    . . .

Finally, we can configure the realm for the authentication process inside the OpenSSO server:

  1. Start the OpenSSO server.
  2. Point your browser to this URL: http://localhost:8888/opensso.
  3. Create a standard configuration.
  4. Access the OpenSSO server as an administrator and click on Configuration | Authentication | Core.
  5. Add a new value with the following class name: org.gatein.sso.opensso.plugin.AuthenticationPlugin
  6. Click on Access control and create a new realm gatein.
  7. Click on the new gatein realm and click on Authentication.
  8. In the Authentication Chaining section, click on ldapService.
  9. Change the value from Datastore to AuthenticationPlugin; this makes OpenSSO authenticate users through the GateIn REST services.
  10. Click on Advanced Properties and set the User Profile option to Dynamic, so that a user profile is created in OpenSSO after each successful authentication on the GateIn side.
  11. Click on Access control | Top Level Realm | Privileges | All authenticated users and check these two settings:
    • Read and write access only for policy properties
    • Read and write access to all realm and policy properties

With these configuration steps done, the GateIn portal is configured to run with SSO executed by OpenSSO.

How it works…

GateIn provides a support package dedicated to SSO integrations. In this way, the required components and configuration are kept separate from the product and are used only when your specific requirements call for them.

During the first section of the configuration steps, we enabled the AuthenticationPlugin on OpenSSO and then we also configured JAAS for the application server. These are the typical steps to federate a realm against an authentication provider using Java.
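The two login modules of steps 4 and 5 are both flagged required, which relies on standard JAAS chaining semantics: a required module that fails does not stop the remaining modules from running, but the overall login fails as soon as any required module has failed. The following Java program is an added example, not code from the book or from the GateIn project; it builds the same two-stage chain programmatically with a hypothetical SetMembershipModule standing in for SSOLoginModule and the container login module, and it uses constructed in-memory user sets instead of a real OpenSSO session store or GateIn realm.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasChainDemo {

    // Constructed sample data (not real OpenSSO or GateIn state): users holding a
    // valid SSO session, and users that exist in the local portal realm.
    static final Set<String> SSO_SESSIONS = new HashSet<>(Arrays.asList("alice", "bob"));
    static final Set<String> LOCAL_USERS = new HashSet<>(Arrays.asList("alice"));

    /** Hypothetical LoginModule: succeeds only if the user is in the set chosen by the "source" option. */
    public static class SetMembershipModule implements LoginModule {
        private CallbackHandler handler;
        private Set<String> allowed;
        private String stage;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
            this.stage = String.valueOf(options.get("source"));
            this.allowed = "sso".equals(stage) ? SSO_SESSIONS : LOCAL_USERS;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("Username: ");
            try {
                handler.handle(new Callback[] { name });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            succeeded = allowed.contains(name.getName());
            if (!succeeded) {
                // A failing required module records its failure; the chain still continues.
                throw new FailedLoginException(stage + " stage rejected " + name.getName());
            }
            return true;
        }

        @Override public boolean commit() { return succeeded; }
        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() { succeeded = false; return true; }
    }

    /** Programmatic equivalent of the two "required" entries from jaas.conf / gatein-jboss-beans.xml. */
    static Configuration chainConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String module = SetMembershipModule.class.getName();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED, Map.of("source", "sso")),
                    new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED, Map.of("source", "local")),
                };
            }
        };
    }

    /** Runs the chain for one user; true only if every required module accepted the user. */
    static boolean authenticate(String user) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            LoginContext ctx = new LoginContext("gatein-domain", new Subject(), handler, chainConfig());
            ctx.login();
            return true;
        } catch (LoginException e) {
            System.out.println(user + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("alice -> " + authenticate("alice")); // true: accepted by both required modules
        System.out.println("bob   -> " + authenticate("bob"));   // false: SSO session, but no local account
        System.out.println("eve   -> " + authenticate("eve"));   // false: rejected by the first module
    }
}
```

Compile and run it with javac JaasChainDemo.java && java JaasChainDemo (Java 9 or later, for Map.of). The bob case is the one worth noticing from a defender's point of view: a user who holds a valid SSO session but has no account in the portal realm is still refused, because the second required module fails. If the container module were flagged optional or sufficient instead, that check would no longer be enforced by the chain.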

We then configured OpenSSO using the administration console for exchanging user sessions with GateIn. Finally, we added the AuthenticationPlugin provided by GateIn and we used it for configuring the new dedicated realm.

See also

  • The Integrating with SPNEGO for Desktop SSO recipe