2.4.1. eXo Platform as SAML2 SP


  1. Install the SAML2 add-on with the command: $PLATFORM_SP/addon install exo-saml (Windows, Linux / Mac OS X).

    Note

    Add the option --no-compat for the Tomcat application server.

    The SAML2 package saml-plugin-jboss.zip is then downloaded into the $PLATFORM_SP folder. Unzip it to find, among other content, the idp-sig.war and idp-sig-module folders. These extracted folders are used for the SAML2 scenario with REST callback.

  2. For JBoss

    Open the $PLATFORM_SP/standalone/configuration/standalone-exo.xml file and uncomment the configuration of SSODelegateLoginModule (under the security domain gatein-domain). Then replace ${gatein.sso.login.module.enabled} with #{gatein.sso.login.module.enabled} and ${gatein.sso.login.module.class} with #{gatein.sso.login.module.class}. The SSODelegateLoginModule will then look like:

    <login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
        <module-option name="enabled" value="#{gatein.sso.login.module.enabled}"/>
        <module-option name="delegateClassName" value="#{gatein.sso.login.module.class}"/>
        <module-option name="portalContainerName" value="portal"/>
        <module-option name="realmName" value="gatein-domain"/>
        <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>

  3. For both JBoss and Tomcat

    Open the file $PLATFORM_SP/standalone/configuration/gatein/exo.properties (for JBoss) or $PLATFORM_SP/gatein/conf/exo.properties (for Tomcat).

    Note

    Rename the file exo-samples.properties to exo.properties.

    Edit the following properties (add them if they don't exist):

    # SSO
    gatein.sso.enabled=true
    gatein.sso.saml.sp.enabled=true
    gatein.sso.callback.enabled=${gatein.sso.enabled}
    gatein.sso.login.module.enabled=${gatein.sso.enabled}
    gatein.sso.filter.logout.enabled=false
    gatein.sso.filter.login.sso.url=/@@portal.container.name@@/dologin
    gatein.sso.filter.initiatelogin.enabled=false
    gatein.sso.saml.config.file=${exo.conf.dir}/saml2/picketlink-sp.xml
    gatein.sso.idp.host=www.idp.com
    gatein.sso.idp.url=http://${gatein.sso.idp.host}:8087/portal/sso
    gatein.sso.sp.url=http://www.sp.com:8080/portal/dologin
    # WARNING: This bundled keystore is only for testing purposes. You should generate and use your own keystore!
    gatein.sso.picketlink.keystore=${exo.conf.dir}/saml2/jbid_test_keystore.jks
    
    # Uncomment this when JBoss is used
    
    #gatein.sso.login.module.class=org.gatein.sso.agent.login.SAML2WildflyIntegrationLoginModule
    #gatein.sso.uri.suffix=dologin
    
    # Uncomment this when Tomcat is used
    
    #gatein.sso.login.module.class=org.gatein.sso.agent.login.SAML2IntegrationLoginModule
    #gatein.sso.valve.enabled=true
    #gatein.sso.valve.class=org.gatein.sso.saml.plugin.valve.ServiceProviderAuthenticator

    You need to modify gatein.sso.idp.host, gatein.sso.idp.url and gatein.sso.sp.url according to your environment setup. You also need to install your own keystore as instructed in Generating and using your own keystore.

  4. Download the certificate generated for your IDP and import it into your keystore with this command:

    keytool -import -keystore jbid_test_keystore.jks -file idp-certificate.crt -alias Identity_Provider-idp

    Note

    The default password of the bundled keystore jbid_test_keystore.jks is store123.

  5. Start up the platform.

    For Tomcat, run

    ./start_eXo.sh

    on Linux, or

    start_eXo.bat

    on Windows.

    For JBoss, run

    cd $PLATFORM_SP/bin

    and then

    ./standalone.sh -b www.sp.com
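The five steps above, carried out as a script: this is an added example and is not part of the eXo documentation or of the exo-saml add-on. It edits exo.properties idempotently (a key that is already present, commented out or not, is replaced in place; a missing key is appended), refuses to proceed while the bundled jbid_test_keystore.jks or the documented example hosts www.idp.com and www.sp.com are still configured, and wraps the step-4 keytool import so that the keystore password comes from an assumed KEYSTORE_PASS environment variable instead of the documented default store123. The temporary file path, the sp-keystore.jks and sp.jks names, the example.org host names and the KEYSTORE_PASS variable are assumptions; the property names and the documented values come from step 3.

```shell
#!/bin/sh
# Added example (not from the eXo documentation): apply the step-3 settings to
# exo.properties, refuse the bundled test keystore and placeholder hosts, and
# wrap the step-4 keytool import. Paths and host names below are assumptions.
set -eu

# set_prop FILE KEY VALUE
# Replaces the first "KEY=..." line (also when shipped commented out as
# "#KEY=...", as in the sample properties file), drops later duplicates of
# the same key, and appends the line when the key is absent.
set_prop() {
    file=$1 key=$2 value=$3 found=0
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"
    while IFS= read -r line || [ -n "$line" ]; do
        stripped=${line#"#"}
        case "$stripped" in
            "$key="*)
                if [ "$found" -eq 0 ]; then
                    printf '%s=%s\n' "$key" "$value"
                    found=1
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp"
    [ "$found" -eq 1 ] || printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_prop FILE KEY: prints the value of the last active "KEY=..." line, or "".
get_prop() {
    file=$1 key=$2 result=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$key="*) result=${line#"$key="} ;;
        esac
    done < "$file"
    printf '%s\n' "$result"
}

# check_sso_props FILE: returns 0 when SSO is enabled for the SAML2 SP and the
# values that the documentation says must be adapted to your environment
# (keystore, IDP host, SP URL) no longer carry the documented example values.
check_sso_props() {
    file=$1 rc=0
    [ "$(get_prop "$file" gatein.sso.enabled)" = "true" ] \
        || { echo "gatein.sso.enabled is not true"; rc=1; }
    [ "$(get_prop "$file" gatein.sso.saml.sp.enabled)" = "true" ] \
        || { echo "gatein.sso.saml.sp.enabled is not true"; rc=1; }
    case "$(get_prop "$file" gatein.sso.picketlink.keystore)" in
        ""|*jbid_test_keystore.jks)
            echo "keystore is missing or is the bundled test keystore"; rc=1 ;;
    esac
    case "$(get_prop "$file" gatein.sso.idp.host)" in
        ""|www.idp.com) echo "gatein.sso.idp.host still has the example value"; rc=1 ;;
    esac
    case "$(get_prop "$file" gatein.sso.sp.url)" in
        ""|*www.sp.com*) echo "gatein.sso.sp.url still has the example value"; rc=1 ;;
    esac
    return "$rc"
}

# import_idp_cert KEYSTORE CERT ALIAS: the step-4 keytool command, taking the
# keystore password from the assumed KEYSTORE_PASS variable rather than the
# documented default of the test keystore. Not run in the demo below.
import_idp_cert() {
    keystore=$1 cert=$2 alias=$3
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}"
    keytool -import -noprompt -keystore "$keystore" -storepass "$KEYSTORE_PASS" \
        -file "$cert" -alias "$alias"
}

# Constructed demo: a file carrying the documented example values fails the
# check; after the environment-specific values are set it passes.
workdir=$(mktemp -d)
demo="$workdir/exo.properties"
printf '%s\n' '# SSO' '#gatein.sso.enabled=false' \
    'gatein.sso.picketlink.keystore=${exo.conf.dir}/saml2/jbid_test_keystore.jks' \
    'gatein.sso.idp.host=www.idp.com' > "$demo"
set_prop "$demo" gatein.sso.enabled true
set_prop "$demo" gatein.sso.saml.sp.enabled true
set_prop "$demo" gatein.sso.sp.url 'http://www.sp.com:8080/portal/dologin'
check_sso_props "$demo" || echo "example values rejected (expected)"
set_prop "$demo" gatein.sso.picketlink.keystore '${exo.conf.dir}/saml2/sp-keystore.jks'
set_prop "$demo" gatein.sso.idp.host idp.example.org
set_prop "$demo" gatein.sso.idp.url 'http://${gatein.sso.idp.host}:8087/portal/sso'
set_prop "$demo" gatein.sso.sp.url 'http://sp.example.org:8080/portal/dologin'
check_sso_props "$demo" && echo "ready: $(get_prop "$demo" gatein.sso.sp.url)"
rm -rf "$workdir"
```

To use it on a real installation, point set_prop and check_sso_props at $PLATFORM_SP/gatein/conf/exo.properties (Tomcat) or $PLATFORM_SP/standalone/configuration/gatein/exo.properties (JBoss) instead of the constructed demo file, and call import_idp_cert only once check_sso_props passes, so that the IDP certificate ends up in your own keystore rather than in the bundled one.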
Copyright ©. All rights reserved. eXo Platform SAS