4.8.2.2. Integration with JOSSO 2.2

JOSSO 2.2 has different approach than JOSSO 1.8. The idea is that even non-technical people are able to create their own SSO environment by model in flash web application called Atricore Console. But now it is much harder to plug the GateIn SSO Authentication plugin as it is is not easily possible to configure existing JOSSO 2.2 environment via Spring XML files similarly like it was with JOSSO 1.8.

So in reality, eXo Platform does not support plugging the GateIn SSO Authentication plugin into JOSSO 2.2. However, the Agent part is still supported, so nothing is changed from the portal perspective.

Setting up JOSSO server

First, download JOSSO 2.2.0 from JOSSO site and follow the instructions at JOSSO 2 Quickstart.

Note

One important note is that JOSSO 2.2.0 depends on some artifacts of JOSSO 1.8.5 that were removed from the Maven repository used by JOSSO 2.2.0. That's why you may meet certain failures when deploying or starting your Identity appliance on Atricore Console. To workaround them, you need to download these artifacts here, then unzip and push it in the Maven local repository of JOSSO package ($JOSSO_TOMCAT_HOME/m3-local-repository/org/josso).

Assume you have unzipped and run the JOSSO successfully (using atricore.bat on Windows or atricore on Ubuntu, in $JOSSO_TOMCAT_HOME/bin) and now can access Atricore Console on http://server.local.network:8081/atricore-console (server.local.network is the virtual host defined in /etc/hosts.)

  1. Log in as admin/admin.

  2. Create a new empty Identity appliance by selecting Identity Appliance ModelerNew:

    • Name: MYFIRSTIA

    • Realm name: com.mycompany.myrealm

    • Appliance location: http://server.local.network:8081

  3. Create a new Identity provider named AcmeIDP (EntitiesIdentity Provider), then let all options default.

  4. Create Identity vault IDPUsers (Identity SourcesIdentity Vault) and connect it with AcmeIDP via the Identity Lookup connection (ConnectionsIdentity Lookup).

  5. Create Service provider called SP1 (EntitiesService Provider) but let the hosts to be on server.local.network:8081.

  6. Create Identity vault SP1Users (Identity SourcesIdentity Vault) and wire it with SP1 via the Identity Lookup connection (ConnectionsIdentity Lookup).

  7. Create a Tomcat directory (for example, D:\temp\tomcat7) on your file system. Then, in Atricore Console, create a new Execution environment of the Tomcat type with params (Execution EnvironmentsTomcat):

    • Name: SP1EE

    • Version: 7.0.x

    • Target host: Local

    • Install home: D:\temp\tomcat7

  8. Wire SP1 and SP1EE via connection of the Activation type (ConnectionsActivation). The parameters include:

  9. Wire SP1 and AcmeIDP via connection of the Federated connection type (ConnectionsFederated Connection).

  10. Click Save to save this model.

  11. Go to the Identity Appliance Lifecycle Management tab, then drag and drop the Identity appliance (MYFIRSTIA) throughout its lifecycle (Saved => Staged => Deployed) as suggested in JOSSO 2 Quickstart. In the Deployed column, click the Start icon to start MYFIRSTIA.

  12. Go to the Account & Entitlement Management tab and create some users whose usernames are as the same as existing ones on eXo Platform. You need to add users in this way, because the REST callbacks to eXo Platform are not supported at this moment.

Configuring eXo Platform server

In Tomcat

Note

If you are using eXo Platform bundled with Tomcat, you will be noticed of a possible problem caused by $PLATFORM_TOMCAT_HOME/lib/jacc-x.y.jar. This file is not necessary, so you can workaround just by removing it.

  1. Edit the $PLATFORM_TOMCAT_HOME/gatein/conf/exo.properties file by adding/modifying the following lines (see Configuration overview for this file):

    # SSO
    gatein.sso.enabled=true
    gatein.sso.callback.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
    gatein.sso.filter.initiatelogin.enabled=false
    gatein.sso.filter.initiatelogin.josso2.enabled=true
    gatein.sso.josso.agent.config.file=sso/josso/2.2/josso-agent-config.xml
    gatein.sso.josso.properties.file=file:${TOMCAT_HOME}/gatein/conf/exo.properties
    gatein.sso.portal.url=http://localhost:8080
    gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
    gatein.sso.filter.logout.url=
    gatein.sso.josso.host=server.local.network:8081
    gatein.sso.server.url=http://${gatein.sso.josso.host}
    gatein.sso.josso.identityApplianceId=MYFIRSTIA
    gatein.sso.josso.partnerAppId=SP1
    gatein.sso.josso.partnerAppPoint=SP1EE
    gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/IDBUS/${gatein.sso.josso.identityApplianceId}/${gatein.sso.josso.partnerAppPoint}/JOSSO/SSO/REDIR?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/josso_security_check&josso_partnerapp_id=${gatein.sso.josso.partnerAppId}

    Once again, gatein.sso.josso.properties.file points to the exo.properties file. ${TOMCAT_HOME} is absolute path of $PLATFORM_TOMCAT_HOME.

  2. Remove all files josso-*.jar from the $PLATFORM_TOMCAT_HOME/lib.

  3. Copy all the .jar files from $GATEIN_SSO_HOME/josso/gatein-josso-182/modules/org/gatein/sso/main/*.jar into the $PLATFORM_TOMCAT_HOME/lib directory:

  4. Add <Valve className="org.gatein.sso.agent.tomcat.ServletAccessValve" /> to the $PLATFORM_TOMCAT_HOME/conf/server.xml file. The content of this file now looks like:

    
    ...
        <Engine name="Catalina" defaultHost="localhost">
            <Host name="localhost" appBase="webapps" startStopThreads="-1"
                  unpackWARs="${EXO_TOMCAT_UNPACK_WARS}" autoDeploy="true">
                <Valve className="org.gatein.sso.agent.tomcat.ServletAccessValve" />
                ... 
                <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
                ...
                <Listener className="org.exoplatform.platform.server.tomcat.PortalContainersCreator" />
                ...
            </Host>
        </Engine>
    ...

In JBoss

  1. Edit the $PLATFORM_JBOSS_HOME/standalone/configuration/gatein/exo.properties file by adding/modifying the following lines (see Configuration overview for this file):

    # SSO
    gatein.sso.enabled=true
    gatein.sso.callback.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
    gatein.sso.filter.initiatelogin.enabled=false
    gatein.sso.filter.initiatelogin.josso2.enabled=true
    gatein.sso.josso.agent.config.file=sso/josso/2.2/josso-agent-config.xml
    gatein.sso.josso.properties.file=file:${jboss.home.dir}/standalone/configuration/gatein/exo.properties
    gatein.sso.portal.url=http://localhost:8080
    gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
    gatein.sso.filter.logout.url=
    gatein.sso.josso.host=server.local.network:8081
    gatein.sso.server.url=http://${gatein.sso.josso.host}
    gatein.sso.josso.identityApplianceId=MYFIRSTIA
    gatein.sso.josso.partnerAppId=SP1
    gatein.sso.josso.partnerAppPoint=SP1EE
    gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/IDBUS/${gatein.sso.josso.identityApplianceId}/${gatein.sso.josso.partnerAppPoint}/JOSSO/SSO/REDIR?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/josso_security_check&josso_partnerapp_id=${gatein.sso.josso.partnerAppId}
  2. Uncomment the below login module in $PLATFORM_JBOSS_HOME/standalone/configuration/standalone-exo.xml, then change ${gatein.sso.login.module.enabled} and ${gatein.sso.login.module.class} into #{gatein.sso.login.module.enabled} and #{gatein.sso.login.module.class} respectively.

    
    <login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
        <module-option name="enabled" value="#{gatein.sso.login.module.enabled}"/>
        <module-option name="delegateClassName" value="#{gatein.sso.login.module.class}"/>
        <module-option name="portalContainerName" value="portal"/>
        <module-option name="realmName" value="gatein-domain"/>
        <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
  3. Remove all files josso-*.jar from the $PLATFORM_JBOSS_HOME/standalone/deployments/platform.ear/lib folder.

  4. Copy all the .jar files from $GATEIN_SSO_HOME/josso/gatein-josso-182/modules/org/gatein/sso/main/*.jar into the $PLATFORM_JBOSS_HOME/standalone/deployments/platform.ear/lib directory:

Testing this integration

After successful integration, when you use localhost:8080/portal/ to go to eXo Platform, you will be auto-redirected to the JOSSO centralized authentication form not the eXo Platform one:

Now, log in with the credentials created in Step 12 (the usernames are as the same as ones in eXo Platform).

Copyright ©. All rights reserved. eXo Platform SAS
blog comments powered byDisqus