You are looking at documentation for an older release. Not what you want? See the current release documentation.
In this section, you set up a SAML2 scenario with eXo Platform performing SP role and Identity Store as well.
IDP receives authentication request and callback to eXo Platform (as Identity Store)
so eXo Platform users will be authenticated.
This callback is carried out by idp-sig.war which can be deployed in
plain JBoss AS. However, it requires some additional modules which are packed inside eXo Platform package, so you will
deploy idp-sig.war
against an eXo Platform package.
Before you start steps below, let's see the interconnecting configurations:
At SP: gatein.sso.idp.url=http://${gatein.sso.idp.host}:8080/idp-sig/ so SP knows that IDP serves at /idp-sig.
At IDP: -Dsp.host=www.sp.com -Dsp.domains=sp.com, this will be declared in start command.
Platform SP configuration
Configure eXo Platform SP as described in eXo Platform as SAML2 SP.
You should change one configuration:
gatein.sso.idp.url=http://${gatein.sso.idp.host}:8080/idp-sig/
Start $Platform_SP
External IDP configuration
In this part, we will use another platform package to deploy idp-sig.war
.
Please do not confuse it with eXo Platform IDP described in previous section.
This package is used to run idp-sig.war
.
Copy $PLATFORM_SP/saml-plugin/idp-sig.war
to $PLATFORM_IDP/standalone/deployments
.
Create an empty file named idp-sig.war.dodeploy
under $PLATFORM_IDP/standalone/deployments
.
Remove $PLATFORM_IDP/standalone/deployments/platform.ear.dodeploy
, so that platform.ear will not be deployed.
Copy folder $PLATFORM_SP/saml-plugin/idp-sig-module/module
into $PLATFORM_IDP
.
Add the following security domain to the $PLATFORM_IDP/standalone/configuration/standalone.xml
file:
<security-domain name="idp" cache-type="default">
<authentication>
<login-module code="org.gatein.sso.saml.plugin.SAML2IdpLoginModule" flag="required">
<module-option name="gateInURL" value="http://www.sp.com:8080/portal"/>
</login-module>
</authentication>
</security-domain>
Start the IDP with options as follows:
./standalone.sh -b www.idp.com -c standalone.xml -Dsp.host=www.sp.com -Dsp.domains=sp.com -Dpicketlink.keystore=/jbid_test_keystore.jksTest case
Now you can test the scenario as follows:
In web browser, access http://www.sp.com:8080/portal, then complete setup screens if asked.
You will be redirected to http://www.idp:8080/idp-sig. The screen looks like as below:
Complete the screen with your eXo Platform identity. At this step, IDP sends RESTcallback to SP to authenticate your identity.
When authentication is done, you are logged in at SP.