In this section, you set up a SAML2 scenario in which eXo Platform plays the SP role and also acts as the Identity Store.
The IDP receives the authentication request and calls back to eXo Platform (as the Identity Store),
so eXo Platform users are authenticated against eXo Platform's own user base.
This callback is carried out by idp-sig.war, which can be deployed in plain JBoss AS. However, it requires some additional modules that are packed inside the eXo Platform package, so you will deploy idp-sig.war against an eXo Platform package.
Before you start the steps below, note the configurations that connect the two sides:
At SP: gatein.sso.idp.url=http://${gatein.sso.idp.host}:8080/idp-sig/ so that the SP knows the IDP serves at /idp-sig.
At IDP: -Dsp.host=www.sp.com -Dsp.domains=sp.com, declared in the start command, which tells the IDP which SP host and domain to trust.
Configure the eXo Platform SP as described in eXo Platform as SAML2 SP. Make sure gatein.sso.idp.url=http://${gatein.sso.idp.host}:8080/idp-sig/.
Start the SP.
Deploy idp-sig.war into another eXo Platform package. Do not confuse this package with the eXo Platform IDP described previously: this package is used only to run idp-sig.war, and eXo Platform itself (platform.ear) will not be deployed in it, as you will see.
Here are the details of this step:
Copy idp-sig.war (from $GATEIN_SSO_HOME/saml/) to standalone/deployments.
Create an empty file named idp-sig.war.dodeploy under standalone/deployments.
Remove standalone/deployments/platform.ear.dodeploy, so that platform.ear will not be deployed.
Configure the additional modules for idp-sig.war as follows:
Create a folder named modules/org/picketlink/gatein.
Copy two files, picketlink-core.jar and picketlink-jbas7.jar, from standalone/deployments/platform.ear/lib to modules/org/picketlink/gatein.
Create module.xml with the following content under modules/org/picketlink/gatein (the module name org.picketlink and the slot gatein must match that folder path):
<?xml version='1.0' encoding='UTF-8'?>
<module xmlns="urn:jboss:module:1.0" name="org.picketlink" slot="gatein">
<resources>
<resource-root path="picketlink-core.jar"/>
<resource-root path="picketlink-jbas7.jar"/>
</resources>
<dependencies>
<module name="javax.security.auth.message.api"/>
<module name="javax.security.jacc.api"/>
<module name="javax.transaction.api"/>
<module name="javax.xml.bind.api"/>
<module name="javax.xml.stream.api"/>
<module name="javax.servlet.api"/>
<module name="org.jboss.common-core"/>
<module name="org.jboss.logging"/>
<module name="org.jboss.as.web"/>
<module name="org.jboss.security.xacml"/>
<module name="org.picketbox"/>
<module name="javax.xml.ws.api"/>
<module name="org.apache.log4j"/>
<module name="javax.api"/>
</dependencies>
</module>
Add the following security domain to the standalone/configuration/standalone.xml file, inside the <security-domains> element of the security subsystem. The gateInURL option is the SP portal URL that the login module calls back to over REST to verify the submitted credentials; with rolesProcessing set to STATIC, every authenticated user receives the roles listed in staticRolesList:
<security-domain name="idp" cache-type="default">
<authentication>
<login-module code="org.gatein.sso.saml.plugin.SAML2IdpLoginModule" flag="required">
<module-option name="rolesProcessing" value="STATIC"/>
<module-option name="staticRolesList" value="manager,employee,sales"/>
<module-option name="gateInURL" value="http://www.sp.com:8080/portal"/>
</login-module>
</authentication>
</security-domain>
Start the IDP with options as follows:
./standalone.sh -c standalone.xml -Dsp.host=www.sp.com -Dsp.domains=sp.com -Dpicketlink.keystore=/jbid_test_keystore.jks
Note that in the JBoss package, the standalone.sh (or .bat) file is modified to use standalone-exo.xml as the default configuration file, so the -c standalone.xml option is needed.
-Dsp.host accepts only one value. For multiple hosts, edit the WEB-INF/picketlink.xml file inside idp-sig.war, as instructed in eXo Platform as SAML2 IDP.
jbid_test_keystore.jks is the sample keystore shipped with PicketLink and its passwords are well known; use it for testing only, and point -Dpicketlink.keystore at a keystore you generated yourself before exposing the IDP to real users.
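The deployment steps above, scripted as a shell function. This is an added example and not part of the eXo Platform documentation or the gatein-sso project. It assumes (hypothetical paths, passed as arguments) a package root with standalone/ and modules/ under it and a $GATEIN_SSO_HOME containing saml/idp-sig.war; the jar locations and the standalone.xml layout are as the page describes. The script inserts the idp security domain before </security-domains> only if it is not already present, so it can be re-run safely, and a separate check function confirms every artifact is in place.

```shell
#!/bin/sh
# Added example, not part of the eXo Platform documentation: script the
# preparation of the second (IDP-only) eXo Platform package described above.
# Assumptions (hypothetical): $1 is the root of that package (it contains
# standalone/ and modules/), $2 is $GATEIN_SSO_HOME, and the PicketLink jars
# sit in standalone/deployments/platform.ear/lib as the page states.
set -eu

prepare_idp_package() {
  pkg="$1"
  sso_home="$2"
  deploy="$pkg/standalone/deployments"
  moddir="$pkg/modules/org/picketlink/gatein"
  conf="$pkg/standalone/configuration/standalone.xml"

  # Deploy idp-sig.war with its marker file; platform.ear must stay undeployed.
  cp "$sso_home/saml/idp-sig.war" "$deploy/idp-sig.war"
  : > "$deploy/idp-sig.war.dodeploy"
  rm -f "$deploy/platform.ear.dodeploy"

  # Module org.picketlink, slot gatein: name and slot match the folder path.
  mkdir -p "$moddir"
  cp "$deploy/platform.ear/lib/picketlink-core.jar" \
     "$deploy/platform.ear/lib/picketlink-jbas7.jar" "$moddir/"
  cat > "$moddir/module.xml" <<'EOF'
<?xml version='1.0' encoding='UTF-8'?>
<module xmlns="urn:jboss:module:1.0" name="org.picketlink" slot="gatein">
  <resources>
    <resource-root path="picketlink-core.jar"/>
    <resource-root path="picketlink-jbas7.jar"/>
  </resources>
  <dependencies>
    <module name="javax.security.auth.message.api"/>
    <module name="javax.security.jacc.api"/>
    <module name="javax.transaction.api"/>
    <module name="javax.xml.bind.api"/>
    <module name="javax.xml.stream.api"/>
    <module name="javax.servlet.api"/>
    <module name="org.jboss.common-core"/>
    <module name="org.jboss.logging"/>
    <module name="org.jboss.as.web"/>
    <module name="org.jboss.security.xacml"/>
    <module name="org.picketbox"/>
    <module name="javax.xml.ws.api"/>
    <module name="org.apache.log4j"/>
    <module name="javax.api"/>
  </dependencies>
</module>
EOF

  # Insert the "idp" security domain before </security-domains>, once only.
  if ! grep -q 'security-domain name="idp"' "$conf"; then
    block="$(mktemp)"
    cat > "$block" <<'EOF'
<security-domain name="idp" cache-type="default">
  <authentication>
    <login-module code="org.gatein.sso.saml.plugin.SAML2IdpLoginModule" flag="required">
      <module-option name="rolesProcessing" value="STATIC"/>
      <module-option name="staticRolesList" value="manager,employee,sales"/>
      <module-option name="gateInURL" value="http://www.sp.com:8080/portal"/>
    </login-module>
  </authentication>
</security-domain>
EOF
    awk -v f="$block" '/<\/security-domains>/ { while ((getline l < f) > 0) print l } { print }' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    rm -f "$block"
  fi
}

# Return 0 only when every artifact of the procedure is in place.
verify_idp_package() {
  pkg="$1"
  deploy="$pkg/standalone/deployments"
  [ -f "$deploy/idp-sig.war" ] &&
  [ -f "$deploy/idp-sig.war.dodeploy" ] &&
  [ ! -e "$deploy/platform.ear.dodeploy" ] &&
  [ -f "$pkg/modules/org/picketlink/gatein/picketlink-core.jar" ] &&
  [ -f "$pkg/modules/org/picketlink/gatein/picketlink-jbas7.jar" ] &&
  grep -q 'slot="gatein"' "$pkg/modules/org/picketlink/gatein/module.xml" &&
  grep -q 'SAML2IdpLoginModule' "$pkg/standalone/configuration/standalone.xml"
}

# Usage: sh prepare-idp.sh /path/to/exo-package /path/to/gatein-sso
if [ $# -eq 2 ]; then
  prepare_idp_package "$1" "$2"
  if verify_idp_package "$1"; then
    echo "IDP package ready under $1; start it with ./standalone.sh -c standalone.xml and the -Dsp.* options"
  else
    echo "IDP package incomplete under $1" >&2
    exit 1
  fi
fi
```

After running it, start the package with the standalone.sh command from the step above. Re-run verify_idp_package after any manual change to the package; the grep guard before the awk insertion keeps the script re-runnable without duplicating the security domain.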
Now you can test the scenario as follows:
In a web browser, access http://www.sp.com:8080/portal, then complete the setup screens if asked.
You will be redirected to http://www.idp:8080/idp-sig. The login screen looks like the following:
Complete the screen with your eXo Platform identity. At this step, the IDP sends a REST callback to the SP to authenticate your identity.
When authentication is done, you are logged in at the SP.