JOSSO 2.2 takes a different approach from JOSSO 1.8. The idea is that even non-technical people can build their own SSO environment by modelling it in a Flash web application called Atricore Console. The downside is that it is now much harder to plug in the GateIn SSO Authentication plugin, because an existing JOSSO 2.2 environment cannot easily be configured through Spring XML files the way JOSSO 1.8 could.
So, in practice, eXo Platform does not support plugging the GateIn SSO Authentication plugin into JOSSO 2.2. The Agent part is still supported, however, so nothing changes from the portal perspective.
First, download JOSSO 2.2.0 from the JOSSO site and follow the instructions in the JOSSO 2 Quickstart.
One important note is that JOSSO 2.2.0 depends on some artifacts of JOSSO 1.8.5 that were removed from the Maven repository used by JOSSO 2.2.0. That is why you may meet certain failures when deploying or starting your Identity appliance in Atricore Console. To work around them, download these artifacts here, then unzip them and put them into the local Maven repository of the JOSSO package ($JOSSO_TOMCAT_HOME/m3-local-repository/org/josso).
Assume you have unzipped and run JOSSO successfully (using atricore.bat on Windows or atricore on Ubuntu, in $JOSSO_TOMCAT_HOME/bin) and can now access Atricore Console at http://server.local.network:8081/atricore-console (server.local.network is the virtual host defined in /etc/hosts).
Log in as admin/admin.
Create a new empty Identity appliance with the following values:
Name: MYFIRSTIA
Realm name: com.mycompany.myrealm
Appliance location: http://server.local.network:8081
Create a new Identity provider named AcmeIDP and leave all options at their defaults.
Create an Identity vault named IDPUsers and connect it with AcmeIDP via an Identity Lookup connection.
Create a Service provider called SP1, but make sure its host is server.local.network:8081.
Create an Identity vault named SP1Users and wire it with SP1 via an Identity Lookup connection.
Create a Tomcat directory (for example, D:\temp\tomcat7) on your file system.
Then, in Atricore Console, create a new Execution environment of the Tomcat type with these parameters:
Name: SP1EE
Version: 7.0.x
Target host: Local
Install home: D:\temp\tomcat7
Wire SP1 and SP1EE via a connection of the Activation type. The parameters include:
The partner application location: http://localhost:8080/portal.
The default values for the other parameters.
Wire SP1 and AcmeIDP via a connection of the Federated connection type.
Click the Save icon to save this model.
Go to the Identity Appliance Lifecycle Management tab, then drag and drop the Identity appliance (MYFIRSTIA) through its lifecycle (Saved => Staged => Deployed) as described in the JOSSO 2 Quickstart. In the Deployed column, click the Start icon to start MYFIRSTIA.
Go to the Account & Entitlement Management tab and create some users whose usernames are the same as existing ones on eXo Platform. You need to add users this way because the REST callbacks to eXo Platform are not supported at this moment.
Configuring eXo Platform server
In Tomcat
If you are using eXo Platform bundled with Tomcat, you may run into a problem caused by $PLATFORM_TOMCAT_HOME/lib/jacc-x.y.jar. This file is not necessary, so you can work around the problem simply by removing it.
Edit the $PLATFORM_TOMCAT_HOME/gatein/conf/exo.properties file by adding or modifying the following lines (see Configuration overview for this file):
# SSO
gatein.sso.enabled=true
gatein.sso.callback.enabled=${gatein.sso.enabled}
gatein.sso.login.module.enabled=${gatein.sso.enabled}
gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
gatein.sso.filter.initiatelogin.enabled=false
gatein.sso.filter.initiatelogin.josso2.enabled=true
gatein.sso.josso.agent.config.file=sso/josso/2.2/josso-agent-config.xml
gatein.sso.josso.properties.file=file:${TOMCAT_HOME}/gatein/conf/exo.properties
gatein.sso.portal.url=http://localhost:8080
gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
gatein.sso.filter.logout.url=
gatein.sso.josso.host=server.local.network:8081
gatein.sso.server.url=http://${gatein.sso.josso.host}
gatein.sso.josso.identityApplianceId=MYFIRSTIA
gatein.sso.josso.partnerAppId=SP1
gatein.sso.josso.partnerAppPoint=SP1EE
gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/IDBUS/${gatein.sso.josso.identityApplianceId}/${gatein.sso.josso.partnerAppPoint}/JOSSO/SSO/REDIR?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/josso_security_check&josso_partnerapp_id=${gatein.sso.josso.partnerAppId}
Once again, gatein.sso.josso.properties.file points to the exo.properties file, and ${TOMCAT_HOME} is the absolute path of $PLATFORM_TOMCAT_HOME.
Remove all josso-*.jar files from $PLATFORM_TOMCAT_HOME/lib.
Copy all the .jar files from $GATEIN_SSO_HOME/josso/gatein-josso-182/modules/org/gatein/sso/main/*.jar into the $PLATFORM_TOMCAT_HOME/lib directory.
Add <Valve className="org.gatein.sso.agent.tomcat.ServletAccessValve" /> to the $PLATFORM_TOMCAT_HOME/conf/server.xml file. The content of this file now looks like:
...
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" startStopThreads="-1"
        unpackWARs="${EXO_TOMCAT_UNPACK_WARS}" autoDeploy="true">
    <Valve className="org.gatein.sso.agent.tomcat.ServletAccessValve" />
    ...
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    ...
    <Listener className="org.exoplatform.platform.server.tomcat.PortalContainersCreator" />
    ...
  </Host>
</Engine>
...
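A valve that is declared in the wrong place (outside the Host, or not at all) fails silently: Tomcat starts, but the SSO agent never sees the servlet request. The following added Python example, which is not code from eXo Platform or GateIn SSO, parses a constructed server.xml sample modelled on the excerpt above, reports for each Host whether the ServletAccessValve is present and listed before the SingleSignOn valve as in the excerpt, and inserts it as the first child of any Host that lacks it. The ordering check only mirrors the excerpt; whether Tomcat requires that order is not stated on this page.

```python
import xml.etree.ElementTree as ET

SERVLET_ACCESS_VALVE = "org.gatein.sso.agent.tomcat.ServletAccessValve"
SINGLE_SIGN_ON_VALVE = "org.apache.catalina.authenticator.SingleSignOn"

# Constructed sample modelled on the server.xml excerpt in the text, as it looks
# before the ServletAccessValve has been added (not a real eXo Platform file).
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" startStopThreads="-1"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        <Listener className="org.exoplatform.platform.server.tomcat.PortalContainersCreator" />
      </Host>
    </Engine>
  </Service>
</Server>
"""


def host_valve_report(server_xml):
    """For every <Host>: is the ServletAccessValve declared, and does it come
    before the SingleSignOn valve (the order shown in the excerpt)?"""
    root = ET.fromstring(server_xml)
    report = {}
    for host in root.iter("Host"):
        classes = [v.get("className") for v in host.findall("Valve")]
        present = SERVLET_ACCESS_VALVE in classes
        ordered = present and (
            SINGLE_SIGN_ON_VALVE not in classes
            or classes.index(SERVLET_ACCESS_VALVE) < classes.index(SINGLE_SIGN_ON_VALVE)
        )
        report[host.get("name")] = {"present": present, "ordered": ordered}
    return report


def ensure_servlet_access_valve(server_xml):
    """Return (new_xml, changed): the valve is inserted as the first child of each
    <Host> that lacks it; hosts that already have it are left untouched."""
    root = ET.fromstring(server_xml)
    changed = False
    # Materialise the host list first: inserting children while iterating is unsafe.
    for host in list(root.iter("Host")):
        if not any(v.get("className") == SERVLET_ACCESS_VALVE for v in host.findall("Valve")):
            valve = ET.Element("Valve", {"className": SERVLET_ACCESS_VALVE})
            valve.tail = "\n        "
            host.insert(0, valve)
            changed = True
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("before:", host_valve_report(SERVER_XML_BEFORE))
    fixed, changed = ensure_servlet_access_valve(SERVER_XML_BEFORE)
    print("changed:", changed)
    print("after:", host_valve_report(fixed))
```

Run it against the real $PLATFORM_TOMCAT_HOME/conf/server.xml by reading the file into a string instead of SERVER_XML_BEFORE; write the result back only after reviewing the diff, since ElementTree drops XML comments when it serialises.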
In JBoss
Edit the $PLATFORM_JBOSS_HOME/standalone/configuration/gatein/exo.properties file by adding or modifying the following lines (see Configuration overview for this file):
# SSO
gatein.sso.enabled=true
gatein.sso.callback.enabled=${gatein.sso.enabled}
gatein.sso.login.module.enabled=${gatein.sso.enabled}
gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
gatein.sso.filter.initiatelogin.enabled=false
gatein.sso.filter.initiatelogin.josso2.enabled=true
gatein.sso.josso.agent.config.file=sso/josso/2.2/josso-agent-config.xml
gatein.sso.josso.properties.file=file:${jboss.home.dir}/standalone/configuration/gatein/exo.properties
gatein.sso.portal.url=http://localhost:8080
gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
gatein.sso.filter.logout.url=
gatein.sso.josso.host=server.local.network:8081
gatein.sso.server.url=http://${gatein.sso.josso.host}
gatein.sso.josso.identityApplianceId=MYFIRSTIA
gatein.sso.josso.partnerAppId=SP1
gatein.sso.josso.partnerAppPoint=SP1EE
gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/IDBUS/${gatein.sso.josso.identityApplianceId}/${gatein.sso.josso.partnerAppPoint}/JOSSO/SSO/REDIR?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/josso_security_check&josso_partnerapp_id=${gatein.sso.josso.partnerAppId}
Uncomment the login module below in $PLATFORM_JBOSS_HOME/standalone/configuration/standalone-exo.xml, then change ${gatein.sso.login.module.enabled} and ${gatein.sso.login.module.class} into #{gatein.sso.login.module.enabled} and #{gatein.sso.login.module.class} respectively.
<login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
  <module-option name="enabled" value="#{gatein.sso.login.module.enabled}"/>
  <module-option name="delegateClassName" value="#{gatein.sso.login.module.class}"/>
  <module-option name="portalContainerName" value="portal"/>
  <module-option name="realmName" value="gatein-domain"/>
  <module-option name="password-stacking" value="useFirstPass"/>
</login-module>
Remove all josso-*.jar files from the $PLATFORM_JBOSS_HOME/standalone/deployments/platform.ear/lib folder.
Copy all the .jar files from $GATEIN_SSO_HOME/josso/gatein-josso-182/modules/org/gatein/sso/main/*.jar into the $PLATFORM_JBOSS_HOME/standalone/deployments/platform.ear/lib directory.
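In both the Tomcat and the JBoss property sets, gatein.sso.filter.login.sso.url is assembled from several other properties through ${...} substitution, so a typo in gatein.sso.josso.host or gatein.sso.portal.url only shows up as a wrong redirect at login time. The following added Python example, which is not code from eXo Platform or GateIn SSO, parses the SSO block as shown above, expands the ${...} references (failing loudly on undefined names and cycles instead of leaving them in place), builds the final login URL, checks that josso_back_to returns the browser to the configured portal URL, and flags module-options in the standalone-exo.xml login module that are still written with ${...} instead of #{...}. It assumes a constructed TOMCAT_HOME path and that the portal replaces @@portal.container.name@@ with its container name (portal, matching the localhost:8080/portal URL used in the text).

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the SSO block of the Tomcat variant of exo.properties shown
# in the text. ${TOMCAT_HOME} is not a property but an external variable standing
# for the absolute path of $PLATFORM_TOMCAT_HOME; a constructed value is in ENV.
EXO_PROPERTIES = """
# SSO
gatein.sso.enabled=true
gatein.sso.callback.enabled=${gatein.sso.enabled}
gatein.sso.login.module.enabled=${gatein.sso.enabled}
gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
gatein.sso.filter.initiatelogin.enabled=false
gatein.sso.filter.initiatelogin.josso2.enabled=true
gatein.sso.josso.agent.config.file=sso/josso/2.2/josso-agent-config.xml
gatein.sso.josso.properties.file=file:${TOMCAT_HOME}/gatein/conf/exo.properties
gatein.sso.portal.url=http://localhost:8080
gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
gatein.sso.filter.logout.url=
gatein.sso.josso.host=server.local.network:8081
gatein.sso.server.url=http://${gatein.sso.josso.host}
gatein.sso.josso.identityApplianceId=MYFIRSTIA
gatein.sso.josso.partnerAppId=SP1
gatein.sso.josso.partnerAppPoint=SP1EE
gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/IDBUS/${gatein.sso.josso.identityApplianceId}/${gatein.sso.josso.partnerAppPoint}/JOSSO/SSO/REDIR?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/josso_security_check&josso_partnerapp_id=${gatein.sso.josso.partnerAppId}
"""
ENV = {"TOMCAT_HOME": "/opt/platform-tomcat"}  # constructed, hypothetical path

# Constructed sample of the standalone-exo.xml login module after the edit in the
# JBoss section (#{...} instead of ${...} for the two delegated options).
LOGIN_MODULE_XML = """<login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
  <module-option name="enabled" value="#{gatein.sso.login.module.enabled}"/>
  <module-option name="delegateClassName" value="#{gatein.sso.login.module.class}"/>
  <module-option name="portalContainerName" value="portal"/>
  <module-option name="realmName" value="gatein-domain"/>
  <module-option name="password-stacking" value="useFirstPass"/>
</login-module>"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve(table, key, _seen=()):
    """Expand ${name} references recursively; unknown names and cycles are errors
    rather than being silently left in the value."""
    if key in _seen:
        raise ValueError("circular reference at " + key)
    if key not in table:
        raise KeyError("undefined property " + key)
    return PLACEHOLDER.sub(lambda m: resolve(table, m.group(1), _seen + (key,)),
                           table[key])


def build_login_url(props, env=ENV, container="portal"):
    """Fully expanded gatein.sso.filter.login.sso.url. @@portal.container.name@@ is
    assumed to be replaced by the portal with its container name at runtime."""
    table = {**env, **props}
    url = resolve(table, "gatein.sso.filter.login.sso.url")
    return url.replace("@@portal.container.name@@", container)


def back_to_is_local(login_url, portal_url):
    """True if josso_back_to sends the browser back under gatein.sso.portal.url,
    i.e. the IdP returns to this portal and not to some other host."""
    query = parse_qs(urlsplit(login_url).query)
    back_to = query.get("josso_back_to", [""])[0]
    return back_to.startswith(portal_url.rstrip("/") + "/")


def unconverted_options(login_module_xml):
    """Names of module-options still written as ${...} instead of #{...}."""
    root = ET.fromstring(login_module_xml)
    return [o.get("name") for o in root.findall("module-option")
            if o.get("value", "").startswith("${")]


if __name__ == "__main__":
    props = parse_properties(EXO_PROPERTIES)
    url = build_login_url(props)
    print(url)
    print("josso_back_to stays on the portal:", back_to_is_local(url, props["gatein.sso.portal.url"]))
    print("options still using ${...}:", unconverted_options(LOGIN_MODULE_XML))
```

For the JBoss variant, pass {"jboss.home.dir": "<your JBoss home>"} as env instead of ENV; the rest of the block resolves identically because the two property sets differ only in gatein.sso.josso.properties.file.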
Testing this integration
After successful integration, when you go to localhost:8080/portal/ to access eXo Platform, you are automatically redirected to the JOSSO centralized authentication form instead of the eXo Platform one:
Now, log in with the credentials created in Step 12 (the users you created in the Account & Entitlement Management tab, whose usernames are the same as those in eXo Platform).