2.4.1. eXo Platform as SAML2 SP

  1. Install the SAML2 add-on with the command: $PLATFORM_SP/addon install exo-saml (Windows, Linux / Mac OS).

    Note

    Add the option --no-compat when installing on the Tomcat application server.

    The SAML2 package saml-plugin-jboss.zip is then downloaded into the $PLATFORM_SP folder. Unzip it: among its contents are the folders idp-sig.war and idp-sig-module. These extracted folders are used for the SAML2 scenario with REST callback.

    Note

    For the Tomcat application server, delete the jar saml-plugin-jboss/idp-sig-module/modules/org/picketlink/gatein/picketlink-jbas7-2.5.3.Final.jar and install picketlink-tomcat7-2.5.3.Final.jar in its place.

    You should also install the jar jboss-security-spi-3.0.0.Final.jar in the $PLATFORM_SP/lib folder.

  2. For JBoss

    Open the $PLATFORM_SP/standalone/configuration/standalone-exo.xml file and uncomment the SSODelegateLoginModule configuration (under the security domain gatein-domain). Then replace ${gatein.sso.login.module.enabled} with #{gatein.sso.login.module.enabled} and ${gatein.sso.login.module.class} with #{gatein.sso.login.module.class}. The SSODelegateLoginModule then looks like:

    
    <login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
        <module-option name="enabled" value="#{gatein.sso.login.module.enabled}"/>
        <module-option name="delegateClassName" value="#{gatein.sso.login.module.class}"/>
        <module-option name="portalContainerName" value="portal"/>
        <module-option name="realmName" value="gatein-domain"/>
        <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>

    For Tomcat

    Create the file $PLATFORM_SP/conf/Catalina/localhost/portal.xml, in which the JAAS realm and the PicketLink ServiceProviderAuthenticator valve are declared for the portal context. Keep the ServiceProviderAuthenticator valve ahead of the FormAuthenticator, as shown: Tomcat runs valves in declaration order.

    
    
    <Context path='/portal' docBase='portal' reloadable='true' crossContext='true' privileged='true'>
      <Realm className='org.apache.catalina.realm.JAASRealm'
             appName='gatein-domain'
             userClassNames='org.exoplatform.services.security.jaas.UserPrincipal'
             roleClassNames='org.exoplatform.services.security.jaas.RolePrincipal'/>
      <Valve
          className='org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator'
          configFile="${catalina.home}/gatein/conf/saml2/picketlink-sp.xml" />
      <Valve
          className='org.apache.catalina.authenticator.FormAuthenticator'
          characterEncoding='UTF-8'/>
    </Context>
  3. In the file $PLATFORM_SP/gatein/conf/saml2/picketlink-sp.xml:

    
    
    <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
      <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
                    ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true" LogOutPage="/">
        <IdentityURL>${gatein.sso.idp.url}</IdentityURL>
        <ServiceURL>${gatein.sso.sp.url}</ServiceURL>

        <!-- WARNING: This bundled keystore is only for testing purposes. You should generate and configure your own keystore!-->
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
          <Auth Key="KeyStoreURL" Value="${gatein.sso.picketlink.keystore}"/>
          <!-- <Auth Key="KeyStorePass" Value="store123" /> -->
          <Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg=="/>
          <!-- <Auth Key="SigningKeyPass" Value="test123" /> -->
          <Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8="/>
          <Auth Key="SigningKeyAlias" Value="servercert"/>
          <Auth Key="salt" Value="18273645"/>
          <Auth Key="iterationCount" Value="11"/>
          <ValidatingAlias Key="${gatein.sso.idp.host}" Value="servercert"/>
        </KeyProvider>

      </PicketLinkSP>

      <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler
            class="org.gatein.sso.agent.saml.PortalSAML2LogOutHandler"/>
        <Handler
            class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
        <Handler
            class="org.picketlink.identity.federation.web.handlers.saml2.SAML2InResponseToVerificationHandler"/>
        <Handler
            class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
        <Handler
            class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
        <Handler
            class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
      </Handlers>
    </PicketLink>

    You need to change:

    • IdentityURL ${gatein.sso.idp.url}: The access URL of the Identity Provider.

    • ServiceURL ${gatein.sso.sp.url}: The access URL of the Service Provider.

    • KeyStoreURL ${gatein.sso.picketlink.keystore}: The path to the keystore you generated. It must hold the SP signing key under the alias given by SigningKeyAlias and the IdP certificate under the alias named in ValidatingAlias (keyed by ${gatein.sso.idp.host}); that certificate is the one used to validate signed SAML messages coming from the IdP.

    • KeyStorePass and SigningKeyPass: The passwords of the keystore and of the signing key. Values prefixed with MASK- are reversibly masked using the salt and iterationCount declared beside them, so they only keep the password out of plain view; they are not a substitute for file permissions on picketlink-sp.xml. The commented-out plaintext values (store123, test123) belong to the bundled test keystore and must not be reused.

  4. In the exo.properties file, modify these properties according to your environment setup:

    • gatein.sso.enabled=true

    • gatein.sso.callback.enabled=${gatein.sso.enabled}

    • gatein.sso.login.module.enabled=${gatein.sso.enabled}

    • gatein.sso.login.module.class=org.gatein.sso.agent.login.SAML2IntegrationLoginModule

    • gatein.sso.filter.login.sso.url=/@@portal.container.name@@/dologin

    • gatein.sso.filter.logout.enabled=true

    • gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.SAML2LogoutFilter

    • gatein.sso.filter.initiatelogin.enabled=false
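The following is an added pre-deployment check, not code from eXo Platform or PicketLink: it parses a picketlink-sp.xml like the one in step 3, resolves the ${...} placeholders from the values that step 4 puts in exo.properties, and reports the settings that decide whether the SP actually verifies what it receives (SupportsSignatures, the signature-validation and InResponseTo handlers, a ValidatingAlias for the IdP, https endpoints) and whether the bundled test keystore's masked passwords are still in place. The property values, hostnames and keystore path are constructed for the example; the masked values it flags are the ones shown in the page's configuration.

```python
import re
import xml.etree.ElementTree as ET

CFG_NS = "urn:picketlink:identity-federation:config:2.1"
SP_NS = "urn:picketlink:identity-federation:config:1.0"
HANDLER_NS = "urn:picketlink:identity-federation:handler:config:2.1"

# Masked secrets of the keystore bundled with the add-on; the commented-out
# plaintext next to them in the page's picketlink-sp.xml is store123 / test123.
BUNDLED_TEST_SECRETS = {
    "KeyStorePass": "MASK-O1P+U1Domeec8lCaoIkTGg==",
    "SigningKeyPass": "MASK-AJbh4WmHwy8=",
}
REQUIRED_HANDLERS = (
    "org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler",
    "org.picketlink.identity.federation.web.handlers.saml2.SAML2InResponseToVerificationHandler",
)

# Constructed exo.properties values (the page leaves these to the deployer).
PROPS = {
    "gatein.sso.idp.url": "https://idp.example.com/idp-sig/",
    "gatein.sso.sp.url": "https://portal.example.com/portal",
    "gatein.sso.idp.host": "idp.example.com",
    "gatein.sso.picketlink.keystore": "/opt/exo/gatein/conf/saml2/sp.jks",
}


def resolve(value, props):
    """Expand ${key} placeholders from a properties mapping; unknown keys stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "")


def lint_sp_config(xml_text, props):
    """Return a list of findings for a picketlink-sp.xml document; [] means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    sp = root.find("{%s}PicketLinkSP" % SP_NS)
    if sp is None:
        return ["no PicketLinkSP element found"]
    if sp.get("SupportsSignatures", "false").lower() != "true":
        findings.append("SupportsSignatures is not true")
    for tag in ("IdentityURL", "ServiceURL"):
        el = sp.find("{%s}%s" % (SP_NS, tag))
        url = resolve(el.text if el is not None else "", props)
        if not url.startswith("https://"):
            findings.append("%s is not https: %s" % (tag, url))
    kp = sp.find("{%s}KeyProvider" % SP_NS)
    auth = {}
    if kp is not None:
        auth = {a.get("Key"): a.get("Value") for a in kp.findall("{%s}Auth" % SP_NS)}
    for key, bundled in BUNDLED_TEST_SECRETS.items():
        if auth.get(key) == bundled:
            findings.append("%s is still the bundled test keystore value" % key)
    if kp is None or kp.find("{%s}ValidatingAlias" % SP_NS) is None:
        findings.append("no ValidatingAlias for the IdP certificate")
    present = {h.get("class") for h in root.iter("{%s}Handler" % HANDLER_NS)}
    for cls in REQUIRED_HANDLERS:
        if cls not in present:
            findings.append("missing handler " + cls.rsplit(".", 1)[-1])
    return findings


# Constructed sample shaped like the page's picketlink-sp.xml; sample_config()
# swaps the __TOKENS__ so one skeleton covers a weak and a hardened deployment.
TEMPLATE = """<PicketLink xmlns="%s">
  <PicketLinkSP xmlns="%s" ServerEnvironment="tomcat" BindingType="POST"
                SupportsSignatures="__SIG__" LogOutPage="/">
    <IdentityURL>${gatein.sso.idp.url}</IdentityURL>
    <ServiceURL>${gatein.sso.sp.url}</ServiceURL>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="${gatein.sso.picketlink.keystore}"/>
      <Auth Key="KeyStorePass" Value="__KSPASS__"/>
      <Auth Key="SigningKeyPass" Value="__KEYPASS__"/>
      <Auth Key="SigningKeyAlias" Value="servercert"/>
      <ValidatingAlias Key="${gatein.sso.idp.host}" Value="servercert"/>
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="%s">
__HANDLERS__
  </Handlers>
</PicketLink>""" % (CFG_NS, SP_NS, HANDLER_NS)


def sample_config(ks_pass, key_pass, supports_sig="true", handlers=REQUIRED_HANDLERS):
    lines = "\n".join('    <Handler class="%s"/>' % h for h in handlers)
    return (TEMPLATE.replace("__KSPASS__", ks_pass).replace("__KEYPASS__", key_pass)
            .replace("__SIG__", supports_sig).replace("__HANDLERS__", lines))


if __name__ == "__main__":
    weak_props = dict(PROPS, **{"gatein.sso.idp.url": "http://idp.example.com/idp-sig/"})
    weak = sample_config(BUNDLED_TEST_SECRETS["KeyStorePass"], BUNDLED_TEST_SECRETS["SigningKeyPass"],
                         handlers=REQUIRED_HANDLERS[1:])
    for finding in lint_sp_config(weak, weak_props):
        print("FAIL:", finding)
    print("hardened:", lint_sp_config(sample_config("MASK-yourValue==", "MASK-yourValue=="), PROPS))
```

Run it against the real file by reading $PLATFORM_SP/gatein/conf/saml2/picketlink-sp.xml and the gatein.sso.* lines of exo.properties into the props mapping; an empty result means the signature and keystore settings at least match what this page's configuration expects, not that the keystore contents or the IdP metadata are correct.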

Copyright ©. All rights reserved. eXo Platform SAS