Sachin Mane
Liferay + OpenSSO/OpenAM Integration -Login portlet
June 26, 2012 1:52 AM

Hi,

I wanted to check with this forum whether there is any login portlet available which can "POST" the authentication request to OpenAM/SSO from within the Liferay page?

Currently the OpenSSO filter redirects users to the OpenAM login page when the user clicks on the login link.

What I need is to stay on the Liferay home page and log in from there using OpenAM instead of redirecting to a different URL.
sridhar iyer
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
July 5, 2012 3:16 AM

Hi Sachin
Did you find any solution for this?
Thanks
Sridhar
Sachin Mane
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
July 5, 2012 3:19 AM

Not yet. I am planning to make my OpenAM page the landing page and use Liferay widgets to display other portlets on the OpenAM login page.
jaid shaik
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
July 5, 2012 3:22 AM

Hi Sachin & Sridhar,

Check this link
Sachin Mane
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
July 5, 2012 3:31 AM

Hi Jaid,
Thanks, but that link talks about integrating OpenAM and Liferay for authentication, which is already done. When the user clicks on the login link in Liferay, it takes the user to the OpenAM page.
What I want is to display the OpenAM form itself in Liferay, maybe as a portlet.
sridhar iyer
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
July 5, 2012 7:27 AM

I think there is no straightforward solution for that. We need to create a custom portlet. Maybe we can consume some of OpenAM's RESTful API and get our work done.

OpenAm Restful API

Regards
Sridhar
Sachin Mane
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
July 5, 2012 9:23 AM

Hmm.. I wonder how OpenAM cookies will work in this case. The OpenAM cookie needs to be present in the browser so that, once authenticated with OpenAM, all subsequent requests will pass through, as the cookie will be sent by the browser with them.

The approach that I am thinking of currently is to present the OpenAM login page as soon as the user hits the app URL (web server forward/redirection) and use the Liferay widget (the <script> tag that you see when the sharing option on a portlet is selected) in the OpenAM login JSP. There is quite good support in OpenAM for customizing the login page UI.
Srikanth Konjarla
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
July 5, 2012 9:45 AM

Try OpenSSO's zero page login feature where you can POST to a URL for authentication.

http://docs.oracle.com/cd/E19316-01/820-3885/gbaop/index.html

For example,

amurl - OpenSSO login url (e.g. http://opensso.myhost.com:18080/opensso/UI/Login)
gotourl - Liferay's login url (e.g. http://portal.myhost.com:8080/c/portal/login)

    <form action="<%= amurl %>?goto=<%= gotourl %>" method="post">
        <table>
            <tr>
                <td>Username: </td><td><input type="text" name="IDToken1" /></td>
            </tr>
            <tr>
                <td>Password: </td><td><input type="password" name="IDToken2" /></td>
            </tr>
            <!-- input type="hidden" name="realm" value="/" / -->
            <!-- input type="hidden" name="authmodule" value="LDAP" / -->
            <tr>
                <td><input type="submit" value="Login" /></td>
            </tr>
        </table>
    </form>


HTH
Sachin Mane
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
July 5, 2012 10:25 PM

Thanks Srikanth. This looks promising. Will try it out.
David Underwood
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
October 3, 2012 10:36 AM

Sachin,

It turns out that I have the exact same problem and requirements.
Were you able to find a solution?

Thanks
sridhar iyer
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
October 3, 2012 11:11 PM

David,

I have created a login portlet which authenticates against OpenAM. I am using the OpenAM REST web service (AJAX call) to authenticate the user. If the authentication is successful (200), then I just forward the user to the OpenAM login page with the credentials he provided (e.g. http://localhost:8080/openam/UI/Login?IDToken1=username&IDToken2=password&goto=http://localhost:8080). It authenticates and redirects the user to Liferay.

HTH
Sridhar Iyer B
Sachin Mane
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
October 4, 2012 1:32 AM

Yes.
Here is what I did -
1. Created a new hook "openam-authenticator-hook" in which I have just one class - public class OpenAmAuthenticator implements com.liferay.portal.security.auth.Authenticator

2. Refer to the documentation of com.liferay.portal.security.auth.Authenticator

3. Created a portal.properties in the same hook and registered the OpenAMAuthenticator class as below
auth.pipeline.pre=com.mypackage.portal.security.OpenAmAuthenticator

4. In the OpenAMAuthenticator class there will be the following 4 methods -
authenticateByEmailAddress
authenticateByScreenName
authenticateByUserId
and
authenticate

5. In the authenticate method we make a call to OpenAM's REST service - the url will be of the form -
String url = "http://idp.mydomain.com:9080/openam/identity/authenticate?uri=realm=realmname&username="
+ login + "&password=" + password;
I've kept this url in a property file.

6. If the response code is 200, we get a token back from OpenAM.
7. We need to create OpenAM cookies so that when the redirect request comes back to Liferay, the OpenAmAutoLogin filter can get the token and the Liferay login can happen.
8. We do not have access to HttpResponse in the Authenticator class, so I've used a ThreadLocal variable to store the OpenAM token.
9. I've extended com.liferay.portlet.login.action.LoginAction to read the ThreadLocal variable and create the cookies required by OpenAM.
10. My OpenAM URL requires basic authentication. You can ignore the basic auth code if you don't need it.

Following is the code snippet for openam-authenticator-hook -

    // Imports used by this fragment (JDK and Liferay 6.x kernel utilities)
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStreamWriter;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.util.ArrayList;
    import java.util.List;
    import com.liferay.portal.kernel.util.Base64;
    import com.liferay.portal.kernel.util.HttpUtil;
    import com.liferay.portal.kernel.util.KeyValuePair;
    import com.liferay.portal.kernel.util.PrefsPropsUtil;
    import com.liferay.portal.kernel.util.StringUtil;
    import com.liferay.portal.kernel.util.Validator;

    // Fragment from inside the authenticate method: url, login, password and
    // companyId are declared by the enclosing method; AuthCookiesThreadLocal is
    // the custom ThreadLocal holder from step 8.
        try {
            url = PrefsPropsUtil.getString(companyId, OPENSSO_AUTH_URL_KEY);
        } catch (Exception e) {
            _log.error("Error retrieving OpenSSO/AM authentication url. Please verify the portal setting ["
                    + OPENSSO_AUTH_URL_KEY
                    + "] for companyId ["
                    + companyId
                    + "]");

            return DNE;
        }

        // URL-encode the credentials so characters such as '&' or '=' in a
        // password do not break the query string
        url = url + "&username=" + HttpUtil.encodeURL(login)
                + "&password=" + HttpUtil.encodeURL(password);

        if (_log.isDebugEnabled()) {
            // Mask the password before the URL reaches the log
            _log.debug("Authenticating user with REST url ["
                    + url.replaceAll("password=.*", "password=******") + "]");
        }

        HttpURLConnection urlc = null;
        OutputStreamWriter osw = null;
        try {
            URL urlObj = new URL(url);

            urlc = (HttpURLConnection) urlObj.openConnection();

            String basicAuthUsername = System
                    .getProperty("openAmBasicAuthUsername");
            String basicAuthPassword = System
                    .getProperty("openAmBasicAuthPassword");

            // Validator.isNotNull also rejects unset (null) properties, which
            // the plain !"".equals(...) test would have let through
            if (Validator.isNotNull(basicAuthUsername)
                    && Validator.isNotNull(basicAuthPassword)) {

                String userpassword = basicAuthUsername + ":" + basicAuthPassword;
                String encodedAuthorization = Base64.encode(userpassword
                        .getBytes());
                urlc.setRequestProperty("Authorization", "Basic "
                        + encodedAuthorization);
            }

            urlc.setDoOutput(true);
            urlc.setRequestMethod("POST");
            urlc.setRequestProperty("Content-type",
                    "application/x-www-form-urlencoded");

            osw = new OutputStreamWriter(urlc.getOutputStream());

            osw.write("dummy");

            osw.flush();

            int responseCode = urlc.getResponseCode();

            if (responseCode == HttpURLConnection.HTTP_OK) {

                InputStream inStream = urlc.getInputStream();
                String data = StringUtil.read(inStream);

                // Note: the response body contains the session token
                if (_log.isDebugEnabled()) {
                    _log.debug("Received authentication response as [" + data
                            + "] for user with login [" + login + "]");
                }

                if (data.toLowerCase().indexOf("token.id") != -1) {

                    // Split on the first '=' only and drop the trailing newline
                    String token = data.split("=", 2)[1].trim();

                    // Create cookies and set them on threadlocal

                    List<KeyValuePair> customAuthCookies = new ArrayList<KeyValuePair>();

                    // The load-balancer cookie is only present if OpenAM sent one
                    String amlbcookieStr = urlc.getHeaderField("Set-Cookie");

                    if (amlbcookieStr != null) {
                        String[] amlbcookie = amlbcookieStr.split(";")[0].split("=", 2);

                        if (amlbcookie.length == 2) {
                            customAuthCookies.add(new KeyValuePair(
                                    amlbcookie[0], amlbcookie[1]));
                        }
                    }

                    customAuthCookies.add(new KeyValuePair(
                            "iPlanetDirectoryPro", token));
                    customAuthCookies.add(new KeyValuePair("AMAuthCookie",
                            token));

                    AuthCookiesThreadLocal.set(customAuthCookies);

                    // Authentication successful
                    return SUCCESS;
                }
            } else {
                if (_log.isDebugEnabled()) {
                    _log.debug("Received Http response code [" + responseCode
                            + "] while authenticating user with login ["
                            + login + "]");
                }
            }
        // The posted snippet stops here; the lines below are a minimal
        // completion (not from the post) so that the fragment compiles
        } catch (IOException ioe) {
            _log.error("Error calling the OpenAM authentication service", ioe);
        } finally {
            if (osw != null) {
                try { osw.close(); } catch (IOException ignored) { }
            }
            if (urlc != null) {
                urlc.disconnect();
            }
        }

        return FAILURE;


11. Following is the code snippet for the LoginAction ext

    // Imports used by this fragment (Liferay 6.x)
    import java.util.List;
    import javax.servlet.http.Cookie;
    import com.liferay.portal.kernel.util.KeyValuePair;
    import com.liferay.portal.kernel.util.StringPool;
    import com.liferay.portal.util.CookieKeys;
    import com.liferay.portlet.login.util.LoginUtil;

        LoginUtil.login(request, response, login, password, rememberMe,
                authType);
        // Following is the custom code after the LoginUtil.login call. This code creates OpenAM cookies and adds them to HttpResponse
        try {

            List<KeyValuePair> authenticationCookies = AuthCookiesThreadLocal.get();

            if (authenticationCookies != null) {

                String domain = CookieKeys.getDomain(request);

                for (KeyValuePair keyValuePair : authenticationCookies) {

                    Cookie c = new Cookie(keyValuePair.getKey(),
                            keyValuePair.getValue());
                    c.setPath(StringPool.SLASH);
                    c.setDomain(domain);

                    CookieKeys.addCookie(request, response, c);
                }
            }
        } finally {

            // Always clear the ThreadLocal so the token cannot leak to the
            // next request served by this pooled thread
            AuthCookiesThreadLocal.remove();

        }
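
The concern raised further down the thread about credentials travelling in a URL applies to the REST call in step 5 as well. The class below is an added example, not code from this thread: it sends the username and password form-encoded in the POST body instead of the query string and parses the `token.id=` reply. The class and method names are hypothetical, and it assumes the legacy `/identity/authenticate` endpoint accepts `username` and `password` as form fields (any realm selection stays in `authUrl`); it needs Java 10 or later.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
// Added example, not code from the thread; class and method names are hypothetical.
public class OpenAmRestLogin {
    // Credentials go form-encoded into the POST body, so the password never
    // appears in the URL (or in access and proxy logs that record URLs).
    static String buildBody(String login, String password) {
        return "username=" + URLEncoder.encode(login, StandardCharsets.UTF_8)
                + "&password=" + URLEncoder.encode(password, StandardCharsets.UTF_8);
    }

    // Returns the value of the "token.id=<value>" line, or null if there is none.
    // Only the first '=' is a separator, so a token containing '=' is kept whole.
    static String parseToken(String responseBody) {
        for (String line : responseBody.split("\\r?\\n")) {
            if (line.startsWith("token.id=")) {
                String token = line.substring("token.id=".length()).trim();
                return token.isEmpty() ? null : token;
            }
        }
        return null;
    }

    // POSTs to the authenticate endpoint; returns the session token or null.
    static String authenticate(String authUrl, String login, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(authUrl).openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(buildBody(login, password).getBytes(StandardCharsets.UTF_8));
            }
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) return null;
            try (InputStream in = conn.getInputStream()) {
                return parseToken(new String(in.readAllBytes(), StandardCharsets.UTF_8));
            }
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; nothing is sent over the network here.
        System.out.println(buildBody("jdoe", "p&ss w=rd"));
        System.out.println(parseToken("token.id=AQIC5constructed=.*AAJ\n"));
    }
}
```
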
Sachin Mane
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
October 4, 2012 1:44 AM

sridhar iyer:
David,

I have created a login portlet which authenticates against OpenAM. I am using the OpenAM REST web service (AJAX call) to authenticate the user. If the authentication is successful (200), then I just forward the user to the OpenAM login page with the credentials he provided (e.g. http://localhost:8080/openam/UI/Login?IDToken1=username&IDToken2=password&goto=http://localhost:8080). It authenticates and redirects the user to Liferay.

HTH
Sridhar Iyer B


Liked this idea. However, the only fallback is that one extra redirect is involved and the user credentials are passed over the URL and are potentially visible to the end user.
sridhar iyer
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
October 4, 2012 2:07 AM

Sachin Mane:

Liked this idea. However, the only fallback is that one extra redirect is involved and the user credentials are passed over the URL and are potentially visible to the end user.


That's right, there is one more redirect, which is necessary for the creation of the cookie from OpenAM. You can use hidden form fields (with method=post) if you don't want the user to see his credentials in the URL.