3.2.1. Integration with JOSSO 1.8

Installation of eXo JOSSO add-on

If you are using JOSSO 1.8.1, install the JOSSO add-on with the command: $PLATFORM_HOME/addon install exo-josso-181.

Or, if you are using newer versions, run the command: $PLATFORM_HOME/addon install exo-josso.

The corresponding JOSSO package (josso181-plugin.zip or josso-plugin.zip, respectively) is downloaded into $PLATFORM_HOME. Extract the package into a folder of the same name; that folder is used in the next sections.

Configuring JOSSO server

  1. Merge the JOSSO plugin files ($PLATFORM_HOME/josso181-plugin/* if you are using JOSSO 1.8.1; or $PLATFORM_HOME/josso-plugin/josso/* if you are using JOSSO 1.8.2 or newer) into $JOSSO_TOMCAT_HOME so that the REST callback service can be used.

    This action should replace or add some JAR files to the $JOSSO_TOMCAT_HOME/webapps/josso/WEB-INF/lib directory and also the files:

    • $JOSSO_TOMCAT_HOME/lib/josso-gateway-config.xml

    • $JOSSO_TOMCAT_HOME/lib/josso-gateway-gatein-stores.xml

    • $JOSSO_TOMCAT_HOME/webapps/josso/WEB-INF/classes/gatein.properties - This file may need to be reconfigured for your eXo Platform environment: set the host and port where eXo Platform is running, because the Authentication plugin uses them to send REST requests over HTTP.

  2. Edit $JOSSO_TOMCAT_HOME/conf/server.xml and replace port 8080 with 8888 to change the default Tomcat port and avoid a conflict with the default eXo Platform port (for testing purposes).

    Note

    If eXo Platform is running on the same machine as Tomcat, other ports need to be changed in addition to 8080 to avoid port conflicts. They can be changed to any free port. For example, you can change the admin port from 8005 to 8805, and AJP port from 8009 to 8809.

  3. Start the JOSSO server (run catalina.bat run on Windows or catalina.sh run on Ubuntu from $JOSSO_TOMCAT_HOME/bin). The login page is now reachable at http://localhost:8888/josso/signon/login.do. However, if you are using the SSO Authentication plugin, login will not work at this stage because your eXo Platform server is not set up yet.
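To check the port remapping from step 2 and the note above before starting the JOSSO Tomcat, the following Python script (an added example, not part of this documentation or of the JOSSO and eXo distributions) rewrites the port="…" attributes of a server.xml and reports any listener that still collides with a default eXo Platform port. The server.xml fragment inside it is constructed for the example; the port numbers are the ones given on this page.

```python
import re

# Constructed fragment in the shape of a default Tomcat server.xml (not the page's file):
# the three listeners whose defaults collide with eXo Platform's when both run on one host.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Ports bound by a default eXo Platform Tomcat; the JOSSO Tomcat must not bind any of them.
EXO_PLATFORM_PORTS = {8080, 8005, 8009}

# The remapping this page suggests for a JOSSO Tomcat sharing the machine with eXo Platform.
JOSSO_PORT_MAP = {8080: 8888, 8005: 8805, 8009: 8809}

# Matches only the port="N" attribute (case-sensitive), so redirectPort="8443" is left alone.
PORT_ATTR = re.compile(r'\bport="(\d+)"')


def listening_ports(server_xml):
    """Set of ports the server.xml text would bind."""
    return {int(p) for p in PORT_ATTR.findall(server_xml)}


def remap_ports(server_xml, mapping):
    """Rewrite port="N" attributes according to mapping.

    Returns (new_text, changes) where changes is a list of (old, new) pairs.
    """
    changes = []

    def substitute(match):
        old = int(match.group(1))
        new = mapping.get(old, old)
        if new != old:
            changes.append((old, new))
        return 'port="%d"' % new

    return PORT_ATTR.sub(substitute, server_xml), changes


def conflicting_ports(server_xml, reserved=EXO_PLATFORM_PORTS):
    """Sorted list of ports in server_xml that are also in the reserved set."""
    return sorted(listening_ports(server_xml) & set(reserved))


if __name__ == "__main__":
    print("conflicts before:", conflicting_ports(SERVER_XML))
    rewritten, changes = remap_ports(SERVER_XML, JOSSO_PORT_MAP)
    print("changes:", changes)
    print("conflicts after:", conflicting_ports(rewritten))
```

To apply it to a real file, read $JOSSO_TOMCAT_HOME/conf/server.xml into a string, pass it to remap_ports, and write the result back only when conflicting_ports on the result is empty.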

Configuring eXo Platform server

In Tomcat

  1. Edit the $PLATFORM_TOMCAT_HOME/gatein/conf/exo.properties file by adding/modifying the following lines (see Configuration overview for this file):

    #SSO
    gatein.sso.enabled=true
    gatein.sso.callback.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
    gatein.sso.josso.agent.config.file=sso/josso/1.8/josso-agent-config.xml
    gatein.sso.josso.properties.file=file:${PLATFORM_TOMCAT_HOME}/gatein/conf/exo.properties
    gatein.sso.josso.host=localhost:8888
    gatein.sso.josso.base.url=http://${gatein.sso.josso.host}/josso/signon
    gatein.sso.server.url=${gatein.sso.josso.base.url}/login.do
    gatein.sso.portal.url=http://localhost:8080
    gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
    gatein.sso.filter.logout.url=${gatein.sso.josso.base.url}/logout.do
    gatein.sso.filter.login.sso.url=${gatein.sso.server.url}?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/initiatessologin

    Most of these properties were already described in Central Authentication Service (CAS). For JOSSO, some of the properties are different, including:

    • gatein.sso.josso.agent.config.file points to the location of the agent configuration file, relative to the classpath. The file is therefore actually located at portal.war!/WEB-INF/classes/sso/josso/1.8/josso-agent-config.xml; normally you do not need to change anything here.

    • gatein.sso.josso.properties.file points to the exo.properties file. ${PLATFORM_TOMCAT_HOME} is the absolute path to the Platform package.

    • gatein.sso.josso.host is the host and port of the JOSSO server.

    • gatein.sso.portal.url needs to be changed if eXo Platform is accessed at a URL other than http://localhost:8080.

    • gatein.sso.filter.logout.class is the logout filter class that is now org.gatein.sso.agent.filter.JOSSOLogoutFilter.

    • gatein.sso.filter.logout.url is the URL to which the browser is redirected to log out of the JOSSO server.

  2. Add <Valve className="org.gatein.sso.agent.tomcat.ServletAccessValve"/> to the $PLATFORM_TOMCAT_HOME/conf/server.xml file. The content of this file now looks like:

    
    ...
        <Engine name="Catalina" defaultHost="localhost">
            <Host name="localhost" appBase="webapps" startStopThreads="-1"
                  unpackWARs="${EXO_TOMCAT_UNPACK_WARS}" autoDeploy="true">
                <Valve className="org.gatein.sso.agent.tomcat.ServletAccessValve"/>
                ... 
                <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
                ...
                <Listener className="org.exoplatform.platform.server.tomcat.PortalContainersCreator"/>
                ...
            </Host>
        </Engine>
    ...

In JBoss

  1. Edit the $PLATFORM_JBOSS_HOME/standalone/configuration/gatein/exo.properties file by adding/modifying the following lines (see Configuration overview for this file):

    #SSO
    gatein.sso.enabled=true
    gatein.sso.callback.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
    gatein.sso.josso.agent.config.file=sso/josso/1.8/josso-agent-config.xml
    gatein.sso.josso.properties.file=file:${jboss.home.dir}/standalone/configuration/gatein/exo.properties
    gatein.sso.josso.host=localhost:8888
    gatein.sso.josso.base.url=http://${gatein.sso.josso.host}/josso/signon
    gatein.sso.server.url=${gatein.sso.josso.base.url}/login.do
    gatein.sso.portal.url=http://localhost:8080
    gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
    gatein.sso.filter.logout.url=${gatein.sso.josso.base.url}/logout.do
    gatein.sso.filter.login.sso.url=${gatein.sso.server.url}?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/initiatessologin

  2. Uncomment the login module below in $PLATFORM_JBOSS_HOME/standalone/configuration/standalone-exo.xml, then change ${gatein.sso.login.module.enabled} and ${gatein.sso.login.module.class} to #{gatein.sso.login.module.enabled} and #{gatein.sso.login.module.class} respectively.

    
    <login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
        <module-option name="enabled" value="#{gatein.sso.login.module.enabled}"/>
        <module-option name="delegateClassName" value="#{gatein.sso.login.module.class}"/>
        <module-option name="portalContainerName" value="portal"/>
        <module-option name="realmName" value="gatein-domain"/>
        <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
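The ${...} references in the exo.properties blocks of both the Tomcat and JBoss sections above are expanded by eXo Platform at start-up, so the URLs the SSO filters actually use only become visible once they are resolved. The following Python script is an added example (not part of this documentation or of the GateIn SSO code) that resolves them the same way, substitutes the portal container name for @@portal.container.name@@, and flags two misconfigurations worth catching before the server is started: a JOSSO host that shares host:port with the portal (the port conflict the JOSSO section warns about) and a josso_back_to return URL that does not point at gatein.sso.portal.url. The properties text is copied from this page; the home directories passed as env (/opt/exo, /opt/jboss), the container name "portal", and the check function are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# The SSO block from exo.properties exactly as shown on this page (Tomcat variant).
EXO_PROPERTIES_TOMCAT = """
#SSO
gatein.sso.enabled=true
gatein.sso.callback.enabled=${gatein.sso.enabled}
gatein.sso.login.module.enabled=${gatein.sso.enabled}
gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
gatein.sso.josso.agent.config.file=sso/josso/1.8/josso-agent-config.xml
gatein.sso.josso.properties.file=file:${PLATFORM_TOMCAT_HOME}/gatein/conf/exo.properties
gatein.sso.josso.host=localhost:8888
gatein.sso.josso.base.url=http://${gatein.sso.josso.host}/josso/signon
gatein.sso.server.url=${gatein.sso.josso.base.url}/login.do
gatein.sso.portal.url=http://localhost:8080
gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
gatein.sso.filter.logout.url=${gatein.sso.josso.base.url}/logout.do
gatein.sso.filter.login.sso.url=${gatein.sso.server.url}?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@@/initiatessologin
"""

# The JBoss variant on this page differs only in the properties.file line.
EXO_PROPERTIES_JBOSS = EXO_PROPERTIES_TOMCAT.replace(
    "file:${PLATFORM_TOMCAT_HOME}/gatein/conf/exo.properties",
    "file:${jboss.home.dir}/standalone/configuration/gatein/exo.properties")

REF = re.compile(r"\$\{([^}]+)\}")  # a ${name} reference


def parse_properties(text):
    """Minimal key=value parser; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(props, key, env=None, _seen=()):
    """Expand ${name} references recursively.

    Names not defined in the properties fall back to env (for example the
    PLATFORM_TOMCAT_HOME or jboss.home.dir system properties). Cycles raise.
    """
    env = env or {}
    if key in _seen:
        raise ValueError("circular reference: " + key)
    raw = props.get(key)
    if raw is None:
        if key in env:
            return env[key]
        raise KeyError(key)
    return REF.sub(lambda m: resolve(props, m.group(1), env, _seen + (key,)), raw)


def resolve_all(props, env=None, container="portal"):
    """Resolve every property and fill in the portal container name placeholder."""
    return {k: resolve(props, k, env).replace("@@portal.container.name@@", container)
            for k in props}


def check_sso(resolved):
    """Return a list of problems found in the resolved SSO settings (empty when clean)."""
    problems = []
    josso = urlsplit(resolved["gatein.sso.josso.base.url"])
    portal = urlsplit(resolved["gatein.sso.portal.url"])
    if (josso.hostname, josso.port) == (portal.hostname, portal.port):
        problems.append("JOSSO and eXo Platform share host:port; Tomcat ports will conflict")
    back_to = resolved["gatein.sso.filter.login.sso.url"].split("josso_back_to=", 1)[1]
    if not back_to.startswith(resolved["gatein.sso.portal.url"] + "/"):
        problems.append("josso_back_to does not return to gatein.sso.portal.url")
    if resolved["gatein.sso.login.module.class"] != "org.gatein.sso.agent.login.SSOLoginModule":
        problems.append("unexpected login module class")
    return problems


if __name__ == "__main__":
    resolved = resolve_all(parse_properties(EXO_PROPERTIES_TOMCAT),
                           {"PLATFORM_TOMCAT_HOME": "/opt/exo"})
    for k in ("gatein.sso.server.url", "gatein.sso.filter.logout.url",
              "gatein.sso.filter.login.sso.url"):
        print(k, "=", resolved[k])
    print("problems:", check_sso(resolved) or "none")
```

Pointing the script at a real file means reading $PLATFORM_TOMCAT_HOME/gatein/conf/exo.properties (or the JBoss path) instead of the embedded text and passing the real home directory in env; the resolved gatein.sso.filter.login.sso.url is the exact redirect the portal issues when an unauthenticated user opens it, so it is the first thing to compare against the JOSSO gateway when the redirect loop in the testing section does not happen.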

Testing this integration

From now on, when you use http://localhost:8080/portal/ to go to eXo Platform, you are redirected to the JOSSO centralized authentication form instead of the eXo Platform one.

If you configured the GateIn SSO plugin, you can log in with eXo Platform credentials (for example, root/gtn).

Copyright ©. All rights reserved. eXo Platform SAS