SAML2 scenario with eXo Platform and Google Apps

In this section, you will set up a SAML2 scenario with eXo Platform as IDP and Google Apps as SP.

The integration between eXo Platform and Google Apps requires user synchronization. The premise is username in eXo Platform that matches nick in Google. For example, if your domain is example.com and your Google Apps account is john@example.com, your eXo Platform username should be john.

Configurations at Google Apps

  1. Export a certificate file using your own keystore, as described in Generating and using your own keystore. The command to export:

    keytool -export -keystore secure-keystore.jks -alias secure-key -file test-certificate.crt

    Note that if you are using default jbid_test_keystore.jks (for testing only), the keystore password is store123.

    As the result, a file named test-certificate.crt will be created. You will use it in next step.

  2. Go to Google Apps Single Sign-On settings page by accessing your Admin console, then clicking More controlsSecurityAdvanced settings (UI may be changed by Google). Complete this page as follows:

    • Upload the test-certificate.crt file that is exported previously.

    • Enter http://www.idp.com:8080/portal/dologin to Sign-in and Sign-out URLs.

    • Check the box Enable Single Sign-On.

    • The checkbox Use a domain specific issuer is optional. If it is checked, the SP host is signed as google.com/a/${your_domain} (google.com/a/test.com for example), otherwise it is simply google.com. Configurations at IDP side will change according to this, as you will see later.


    Be careful when you are setting up Single Sign-On in your Google Apps. Make sure your settings are correct before you save.

Configurations at eXo Platform

  1. Configure eXo Platform IDP as instructed in eXo Platform as SAML2 IDP. Note that now SP is google.com so you need to add it to the list of domains and hosts. Instead of adding via exo.properties (see Configuration overview for the exo.properties file), you should directly modify the picketlink-idp.xml file:

    For SP domains:


    For SP hosts, the host is google.com or google.com/a/${your_domain}, depending on your Google Apps settings, as explained before:

    <KeyProvider ...>
        <ValidatingAlias Key="${gatein.sso.sp.host}" Value="secure-key"/>
        <ValidatingAlias Key="google.com" Value="secure-key"/>
        <!--<ValidatingAlias Key="google.com/a/test.com" Value="secure-key"/>-->
    • "secure-key" is the alias in your command to create the keystore file.

  2. Create a file named WEB-INF/conf/sso/saml/sp-metadata.xml inside standalone/deployments/platform.ear/exo.portal.web.portal.war with the following content:

    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com" validUntil="2022-06-13T21:46:02.496Z">
            <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />

    in which entityID is either "google.com" or "google.com/a/${your_domain}" ("google.com/a/test.com" for example), depending on your Google Apps settings as explained before. You can add many md:EntityDescriptor for many SP.

  3. Modify the WEB-INF/conf/sso/saml/picketlink-idp.xml file inside standalone/deployments/platform.ear/exo.portal.web.portal.war to add MetaDataProvider element as follows:

    <PicketLinkIDP ...>
        <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
            <Option Key="FileName" Value="/WEB-INF/conf/sso/saml/sp-metadata.xml"/>

Test the scenario

Be sure you have synchronized accounts. If not yet, create a username in eXo Platform that matches nick in Google Apps.

Logout eXo Platform and Google Apps, then access one of services of your Google Apps, for example: http://mail.google.com/a/${your_domain}. You will be redirected to the eXo Platform login page. Login using your synchronized username, after that you have your access to the Google service.


Note that said by Google, in SSO-enabled domains without network masks, the super administrator account will not be redirected to the SSO page (so that you can access Admin console in case there is something wrong with SSO settings). Refer to https://support.google.com/a/answer/60224?hl=en for more Google's instructions.

Copyright ©. All rights reserved. eXo Platform SAS
blog comments powered byDisqus