3.5.3. SAML2 scenario with REST callback

In this section, you set up a SAML2 scenario in which eXo Platform plays the SP role and also acts as the Identity Store. The IDP receives the authentication request and calls back to eXo Platform (as the Identity Store), so that eXo Platform users are authenticated. This callback is carried out by idp-sig.war, which could be deployed in a plain JBoss AS; however, it requires some additional modules that are packaged inside the eXo Platform package, so you will deploy idp-sig.war against an eXo Platform package.

Before you start the steps below, let's see the interconnecting configurations:

  1. Configure the eXo Platform SP as described in eXo Platform as SAML2 SP. Note that gatein.sso.idp.url is set to http://${gatein.sso.idp.host}:8080/idp-sig/.

  2. Start SP.

  3. Deploy idp-sig.war into another eXo Platform package, called $PLATFORM_EXTERNAL_IDP here. Do not confuse this package with the $PLATFORM_IDP described previously. This package is used only to run idp-sig.war; eXo Platform itself will not be deployed in it, as you will see. Here are the details of this step:

    • Copy idp-sig.war from $PLATFORM_SP/saml-plugin-jboss/ to $PLATFORM_EXTERNAL_IDP/standalone/deployments.

    • Create an empty file named idp-sig.war.dodeploy under $PLATFORM_EXTERNAL_IDP/standalone/deployments.

    • Remove $PLATFORM_EXTERNAL_IDP/standalone/deployments/platform.ear.dodeploy, so that platform.ear will not be deployed.

    • Copy $PLATFORM_SP/saml-plugin-jboss/idp-sig-module/modules into $PLATFORM_EXTERNAL_IDP.

  4. Add the following security domain to the $PLATFORM_EXTERNAL_IDP/standalone/configuration/standalone.xml file:

    <security-domain name="idp" cache-type="default">
        <authentication>
            <login-module code="org.gatein.sso.saml.plugin.SAML2IdpLoginModule" flag="required">
                <module-option name="rolesProcessing" value="STATIC"/>
                <module-option name="staticRolesList" value="manager,employee,sales"/>
                <module-option name="gateInURL" value="http://www.sp.com:8080/portal"/>
            </login-module>
        </authentication>
    </security-domain>

  5. Start the IDP with options as follows:

    ./standalone.sh -c standalone.xml -Dsp.host=www.sp.com -Dsp.domains=sp.com -Dpicketlink.keystore=/jbid_test_keystore.jks

    Note that, in the JBoss package, the standalone.sh (or .bat) script is modified to use standalone-exo.xml as the default configuration file, so the -c standalone.xml option is needed.

    -Dsp.host accepts only one value. For multiple hosts, you need to edit the WEB-INF/picketlink.xml file inside idp-sig.war, as instructed in eXo Platform as SAML2 IDP.
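The following script is an added example, not part of the eXo Platform documentation or package: it carries out the file layout of step 3 and then checks, before step 5 is run, that the security domain from step 4 and the keystore passed via -Dpicketlink.keystore are actually in place. The function names prepare_external_idp and check_idp_config are the example's own; the paths follow the layout given in the steps above.

```shell
#!/bin/sh
# Added example (not eXo Platform code). Arguments are the two package roots,
# i.e. the values of $PLATFORM_SP and $PLATFORM_EXTERNAL_IDP from the steps above.

# Step 3: deploy idp-sig.war and its modules into the external IDP package,
# and make sure platform.ear is NOT deployed in this instance.
prepare_external_idp() {
  sp="$1"; idp="$2"
  src_war="$sp/saml-plugin-jboss/idp-sig.war"
  src_modules="$sp/saml-plugin-jboss/idp-sig-module/modules"
  deploy_dir="$idp/standalone/deployments"

  [ -f "$src_war" ]     || { echo "missing $src_war" >&2; return 1; }
  [ -d "$src_modules" ] || { echo "missing $src_modules" >&2; return 1; }
  [ -d "$deploy_dir" ]  || { echo "missing $deploy_dir" >&2; return 1; }

  cp "$src_war" "$deploy_dir/idp-sig.war"
  : > "$deploy_dir/idp-sig.war.dodeploy"     # marker file: JBoss deploys the war
  rm -f "$deploy_dir/platform.ear.dodeploy"   # no marker: platform.ear stays undeployed
  mkdir -p "$idp/modules"
  cp -R "$src_modules/." "$idp/modules/"      # merge the extra modules into the package
}

# Pre-flight for step 5: the "idp" security domain must exist with the SAML2 login
# module and its gateInURL option, and the keystore given to -Dpicketlink.keystore
# must exist, otherwise the IDP starts but cannot sign/validate assertions properly.
check_idp_config() {
  idp="$1"; keystore="$2"
  cfg="$idp/standalone/configuration/standalone.xml"
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  grep -q 'security-domain name="idp"' "$cfg" \
    || { echo "no security-domain \"idp\" in $cfg" >&2; return 1; }
  grep -q 'org.gatein.sso.saml.plugin.SAML2IdpLoginModule' "$cfg" \
    || { echo "SAML2IdpLoginModule not configured in $cfg" >&2; return 1; }
  grep -q 'name="gateInURL"' "$cfg" \
    || { echo "gateInURL module-option missing in $cfg" >&2; return 1; }
  [ -f "$keystore" ] || { echo "keystore $keystore not found" >&2; return 1; }
  return 0
}
```

Run prepare_external_idp "$PLATFORM_SP" "$PLATFORM_EXTERNAL_IDP" after step 2, and check_idp_config "$PLATFORM_EXTERNAL_IDP" /jbid_test_keystore.jks just before starting the IDP in step 5.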

Now you can test the scenario as follows:
