
OpenSSO Integration

OpenSSO and Liferay integration#

This page describes the fixes made to the OpenSSO integration and also gives an overview of its design.

Fixes#

  1. Utilize the OpenSSO fix for 1079 - use the isTokenValid operation to validate the session
    1. If the user logged out of OpenSSO directly or through any other application, the user must be completely logged out of the portal as well. Without this validation, the user remains logged in to the portal.
  2. Do not send the cookie as a query parameter; it is a security hole. POST it instead.
  3. Use the getCookieNameForToken operation to obtain the name of the cookie instead of configuring it
  4. Utilize the getCookieNamesToForward operation and forward all of these cookies via POST for reliable operation
  5. The following attributes should be configurable
    1. firstName=cn
    2. lastName=sn
    3. screenName=givenName
    4. emailAddress=mail
  6. Fix the method that parses attribute name-value pairs. It was working, but this is a little better.
  7. Fix Single Logout

Design Overview#

The authentication filter is OpenSSOFilter.java. It redirects an unauthenticated user to OpenSSO for login. After the user logs in with their credentials at OpenSSO, s/he is redirected back to Liferay using the "goto" query parameter. On this second pass, the filter validates the user by making a REST call to OpenSSO.

In addition to the filter, auto.login.hooks has OpenSSOAutoLogin configured, which implements the AutoLogin interface. The AutoLogin filter calls the login method on this class whenever a user who is unauthenticated (to the portal) is detected. This hook checks whether the user is already authenticated at OpenSSO. It then gets the screen name from OpenSSO and checks whether the user already exists in Liferay. It creates a new user if the user is not found in Liferay. It imports four essential attributes from the OpenSSO user store, namely First Name, Last Name, Screen Name and Email. These 4 attributes must be set in OpenSSO.

Both of these classes use OpenSSOUtil.java for calling REST operations on OpenSSO. The following REST calls are made to OpenSSO:

  1. http://host:port/opensso/identity/getCookieNameForToken
  2. http://host:port/opensso/identity/getCookieNamesToForward
  3. http://host:port/opensso/identity/attributes
  4. http://host:port/opensso/identity/istokenvalid
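The exchange described above, as an added example that is not Liferay's OpenSSOUtil.java: an offline sketch of the fixed validation flow (token POSTed in the body, forwarded cookies in the Cookie header, the cookie name learned from getCookieNameForToken, the attribute name/value parser, and the mapping onto the four Liferay fields). Assumptions: the response line formats ("boolean=true", one "string=<value>" line per value, alternating "userdetails.attribute.name=" and "userdetails.attribute.value=" lines) and the form parameter names ("tokenid" for istokenvalid, "subjectid" for attributes) follow the OpenSSO 8 REST interface and should be checked against your server; the host, token and response bodies are constructed sample values.

```python
"""Added example (not Liferay's OpenSSOUtil.java): an offline sketch of the
token-validation exchange.  Response formats and parameter names are assumed
from the OpenSSO 8 REST interface; verify them against your deployment."""
import urllib.parse
import urllib.request

# Constructed sample values (placeholders, not from a real deployment).
SERVICE_URL = "http://openssohost:8080/opensso"
SAMPLE_TOKEN = "AQIC-CONSTRUCTED-TOKEN"
ISTOKENVALID_RESPONSE = "boolean=true\n"
COOKIE_NAMES_RESPONSE = "string=iPlanetDirectoryPro\nstring=amlbcookie\n"
ATTRIBUTES_RESPONSE = (
    "userdetails.token.id=" + SAMPLE_TOKEN + "\n"
    "userdetails.attribute.name=cn\nuserdetails.attribute.value=Joe Bloggs\n"
    "userdetails.attribute.name=sn\nuserdetails.attribute.value=Bloggs\n"
    "userdetails.attribute.name=uid\nuserdetails.attribute.value=joebloggs\n"
    "userdetails.attribute.name=mail\nuserdetails.attribute.value=test@liferay.com\n"
)
# Liferay field -> OpenSSO attribute: the configurable names from the page.
LIFERAY_ATTRIBUTE_MAPPING = {
    "firstName": "cn", "lastName": "sn", "screenName": "uid", "emailAddress": "mail",
}


def build_request(service_url, operation, param_name, token, forwarded_cookies):
    """Build the request the fixed integration sends.  The session token goes in
    the POST body (fix 2: never in the query string, where it would end up in
    access logs and Referer headers) and every cookie named by
    getCookieNamesToForward is copied into the Cookie header (fix 4)."""
    body = urllib.parse.urlencode({param_name: token}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if forwarded_cookies:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in forwarded_cookies.items())
    return urllib.request.Request(f"{service_url}/identity/{operation}",
                                  data=body, headers=headers, method="POST")


def parse_boolean(body):
    """istokenvalid answers a single 'boolean=true|false' line.  Anything else
    (empty body, error page) counts as invalid, so the check fails closed and
    the portal session is ended (fix 1)."""
    return body.strip() == "boolean=true"


def parse_strings(body):
    """getCookieNameForToken / getCookieNamesToForward answer one 'string=<name>'
    line per value (fix 3: the cookie name is learned, not configured)."""
    return [line.split("=", 1)[1] for line in body.splitlines() if line.startswith("string=")]


def parse_attributes(body):
    """attributes answers name/value line pairs; a name may be followed by several
    values (multi-valued LDAP attributes), so every name maps to a list (fix 6)."""
    attrs, name = {}, None
    for line in body.splitlines():
        if line.startswith("userdetails.attribute.name="):
            name = line.split("=", 1)[1]
            attrs.setdefault(name, [])
        elif line.startswith("userdetails.attribute.value=") and name is not None:
            attrs[name].append(line.split("=", 1)[1])
    return attrs


def map_user_fields(attrs, mapping=LIFERAY_ATTRIBUTE_MAPPING):
    """Translate OpenSSO attributes into the four Liferay fields (fix 5).  All
    four are needed to create a portal user, so a missing one is an error
    rather than a silently empty field."""
    missing = [attr for attr in mapping.values() if not attrs.get(attr)]
    if missing:
        raise ValueError("OpenSSO user is missing required attributes: " + ", ".join(missing))
    return {field: attrs[attr][0] for field, attr in mapping.items()}


if __name__ == "__main__":
    # Walk the flow on the canned responses instead of a live server.
    cookie_names = parse_strings(COOKIE_NAMES_RESPONSE)
    jar = {name: SAMPLE_TOKEN for name in cookie_names}      # what the browser sent us
    req = build_request(SERVICE_URL, "istokenvalid", "tokenid", SAMPLE_TOKEN, jar)
    print(req.get_method(), req.full_url, req.data, req.get_header("Cookie"))
    if parse_boolean(ISTOKENVALID_RESPONSE):
        print(map_user_fields(parse_attributes(ATTRIBUTES_RESPONSE)))
```

The point of `parse_boolean` treating anything but the literal `boolean=true` as invalid is that a misconfigured Service URL returns an HTML error page rather than a boolean; a parser that only looks for the absence of `false` would keep a logged-out user signed in to the portal, which is exactly the gap fix 1 closes.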

Single Sign-On and Single Sign-out (SSO)#

There are 4 possible scenarios:

  1. User logs in via Liferay
  2. User logs in via some other application using OpenSSO or at OpenSSO itself
  3. User logs out at Liferay
  4. User logs out at some other application using OpenSSO or at OpenSSO itself

The first two use cases are definitely needed, and the user does not have to log in again once authenticated by OpenSSO.
If it is desired to keep the user signed in to Liferay even after having logged out elsewhere, then the following mapping in web.xml needs to be removed.

    <filter-mapping>
        <filter-name>Open SSO Filter</filter-name>
        <url-pattern>/user/*</url-pattern>
    </filter-mapping>

If this is removed, then the user will need to explicitly logout from Liferay and that will perform a single logout from OpenSSO.

There is also another side-effect of this filter mapping during configuration. When the admin enables OpenSSO, and clicks save, a redirect happens immediately since the OpenSSO filter kicks in. This is the reason why it is advisable to first create the admin user (like Joe Bloggs) in OpenSSO (and login) before enabling OpenSSO in Liferay.

Configuration parameters and sample values#

  1. Login URL=http://openssohost:port/opensso/UI/Login?goto=http://portalhost:port/c/portal/login
  2. Logout URL=http://openssohost:port/opensso/UI/Logout?goto=http://portalhost:port/portal/
  3. Service URL=http://openssohost:port/opensso
  4. Cookie Name=iPlanetDirectoryPro (obsolete; will not be required anymore)
  5. First Name=cn
  6. Last Name=sn
  7. ScreenName=uid
  8. Email=mail

Configuration Steps#

  1. Get http://download.java.net/general/opensso/nightly/latest/opensso/opensso.zip or any stable build after Wed May 14 07:09:55 PDT 2008
  2. Make sure you read the release notes for OpenSSO. Currently (as of 5/16/08), it is not supported on Tomcat versions 5.5.26 and 6.0.16
  3. Since OpenSSO does not yet work with some versions of Tomcat, deploy Liferay on the containers supported by OpenSSO. Otherwise, it encounters cookie encoding problems.
    1. Hint: This was tested on Glassfish V3 TP2
  4. Install OpenSSO on the same host/server as the portal or on any other host
    1. For example, on Glassfish, drop the war in the autodeploy dir
    2. Access http://host:port/opensso
    3. Select the default configuration, go through the steps and you are done
  5. Log in to OpenSSO as amadmin
  6. Create the user Joe Bloggs by giving "ID=joebloggs" and "Email=test@liferay.com" (Hint: First create the user, then edit it to set the email).
  7. Log out and log in to OpenSSO as joebloggs
  8. Now, in the same browser window, log in to Liferay as test@liferay.com (Joe Bloggs)
  9. Go to EnterpriseAdmin > Organizations > Settings > Authentication > OpenSSO tab
  10. Set the values as described earlier and click Save
  11. From here on, you will be redirected to OpenSSO for login

FAQ#

1. Why do I need to be logged in to OpenSSO as joebloggs before enabling OpenSSO?
As soon as you enable it and click Save, the OpenSSO filter kicks in and redirects to OpenSSO. If you are already logged in as joebloggs, then the auth validation succeeds and the redirect back to Liferay works smoothly. If you are not already logged in, then you will be presented with a login screen. If you log in as joebloggs now, then after the redirect back you will see an error in the Enterprise admin portlet. The logs show the error message "This URL can only be invoked using POST". Although this error message can be ignored, we will fix it soon.

2. After enabling OpenSSO, I see a success message but no redirect to the OpenSSO login screen. Also, a logout and re-login never redirects to OpenSSO, or logout shows "page not available" or similar.
Most likely, the URLs in the configuration are incorrect. Check the logs. Verify the URLs for login, logout and service.

3. I was logged in to OpenSSO as joebloggs when enabling OpenSSO, and also saw a success message on save. But now, after logout, I cannot log in?
Does it say "Server not found" or similar? If yes, then you most likely entered an incorrect login URL. How to fix it, since you cannot log in? Go directly to the OpenSSO login URL and log in as joebloggs. Then go to Liferay and you will be single signed-on. Fix the login URL now.
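FAQ entries 2 and 3 both come down to a wrong Login, Logout or Service URL discovered only after Save has switched the filter on. The following pre-flight check is an added example, not part of the wiki page or of Liferay; it is written against the sample values in "Configuration parameters" above and flags the inconsistencies that produce those symptoms (a URL that is not absolute, an unreplaced ":port" placeholder, a login/logout URL on a different host or outside the service path, a missing or foreign goto target). The host names and ports in the sample configuration are constructed.

```python
"""Added example (not from the wiki page or Liferay): sanity-check the three
OpenSSO URLs before enabling the filter, so a typo does not lock the admin out."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample configuration in the shape of the page's sample values.
SAMPLE_CONFIG = {
    "login_url": "http://openssohost:8080/opensso/UI/Login?goto=http://portalhost:8080/c/portal/login",
    "logout_url": "http://openssohost:8080/opensso/UI/Logout?goto=http://portalhost:8080/portal/",
    "service_url": "http://openssohost:8080/opensso",
    "portal_base": "http://portalhost:8080/",   # the portal's own origin
}


def check_sso_urls(login_url, logout_url, service_url, portal_base):
    """Return a list of problems; an empty list means the URLs are consistent."""
    problems, parsed = [], {}
    for name, url in (("login", login_url), ("logout", logout_url), ("service", service_url)):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"{name} URL is not an absolute http(s) URL: {url!r}")
            continue
        try:
            _ = parts.port   # raises ValueError for a non-numeric port such as an unreplaced ':port'
        except ValueError:
            problems.append(f"{name} URL has an invalid port: {url!r}")
            continue
        parsed[name] = parts

    service = parsed.get("service")
    for name in ("login", "logout"):
        parts = parsed.get(name)
        if parts is None or service is None:
            continue   # already reported above; nothing to compare against
        if parts.netloc != service.netloc:
            problems.append(f"{name} URL host {parts.netloc} differs from service URL host {service.netloc}")
        if not parts.path.startswith(service.path.rstrip("/") + "/"):
            problems.append(f"{name} URL path {parts.path} is not under the service URL path {service.path}")
        targets = parse_qs(parts.query).get("goto", [])
        if not targets:
            problems.append(f"{name} URL has no goto parameter, so OpenSSO cannot redirect back to the portal")
        elif not targets[0].startswith(portal_base):
            problems.append(f"{name} URL goto target {targets[0]} is outside the portal at {portal_base}")
    return problems


if __name__ == "__main__":
    for problem in check_sso_urls(**SAMPLE_CONFIG) or ["configuration looks consistent"]:
        print(problem)
```

Run it with the values you are about to paste into the OpenSSO tab; an empty result does not prove the server is reachable, but it rules out the pure typing mistakes that the FAQ says are the most likely cause.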

Bugs fixed#

  1. LEP-4076
  2. LEP-5943
  3. LEP-5187
Comments#

OpenSSO user uid should be set to test, or the Liferay test account screen name must be set to joebloggs. Choose one of the two options.
Posted on 10/20/08 7:10 AM.
OpenSSO does work on Tomcat. All you need to do is follow the steps described at http://docs.sun.com/app/docs/doc/820-3320/ggwyv?a=view.

In short: you need to set the system property com.iplanet.am.cookie.c66Encode=true
Posted on 3/4/09 11:49 PM.
Can someone tell me how to configure LR 5.2 so that I have a publicly viewable area where anonymous visitors don't have to log in? After I have enabled OpenSSO, I always get redirected to the OpenSSO login screen.
Posted on 3/13/09 5:49 AM.
Can somebody tell me where this information is stored so I can disable/enable it manually? After I enable it, if something goes wrong I have to reinstall everything.
Posted on 5/11/09 9:50 AM.
To enable or disable OpenSSO manually, search for 'open.sso.auth.enabled' inside lportal.script (I'm using WebLogic 10.3, so I found it inside my ..user_projects\domains\data\hsql\lportal.script). Set this to true or false to switch oSSO on or off.
Posted on 5/11/09 11:54 PM in reply to Jose 67z.
Thanks a lot, I found it. To be more specific, the value exists in a table called portletpreferences.

In order to find the row with that info you can use (replace lportal with your DB schema name):

    SELECT * FROM lportal.portletpreferences p WHERE preferences LIKE '%open.sso%'
Posted on 5/12/09 9:47 AM in reply to Nikhil Francis.
I am also having issues getting this done. If you have found the solution, let me know.
Regards
Rajiv
Posted on 5/13/09 6:45 AM in reply to Gerhard Hofweber.
To remove OpenSSO settings, in case:
1) shutdown the portal
2) Run script: delete from PortletPreferences where portletId = 'LIFERAY_PORTAL';
3) re-start the portal
Posted on 8/13/09 4:38 PM.
When OpenSSO and Liferay are in the same domain (e.g., localhost) with setting (default configuration) "Encode Cookie Value = True ", then it is working fine.

And when OpenSSO and Liferay are in the same domain (e.g., localhost) with the setting (custom configuration) "Encode Cookie Value = True"
with LDAP settings:
ldap://docs.cignex.com:10389
ou=users,ou=system
uid=admin,ou=system

Then it is working fine, too.

That is, OpenSSO and Liferay portal must be in the same domain.
Posted on 9/9/09 10:38 AM in reply to Jonas Yuan.
OpenSSO and Liferay portal must be in the same domain.
The issue as reported as
http://issues.liferay.com/browse/LPS-4896
Posted on 11/11/09 5:27 AM in reply to Jonas Yuan.
Can we use the same login portlet for OpenSSO login by customizing it?

I don't need to go to the OpenSSO page..

Is there any way?
Please help me...
Posted on 1/20/10 8:13 AM in reply to Jonas Yuan.
Hi Faris, I need a similar kind of functionality to what you are looking for. If you are done, please let me know.
Posted on 2/17/10 2:23 AM in reply to Faris Abdulla.
Hi All,

Let me explain my use case :

I have an intranet on which different applications are running.
I have one website running on the internet which is made in Liferay.

I want:
the changes made by the intranet application to be reflected in the Liferay internet website.
Both the internet and intranet applications have a common database.

=====> internet web site (liferay) http://localhost:8080/guest
Common DB
=====> intranet application, some in liferay/
or a CRUD application in Struts.

Now I want to access this intranet application using
http://localhost:8080/guest/myintanet_pp_name

Will it be possible to do this with a single sign-on operation?

Suggestions are welcome.
Posted on 4/30/10 1:47 AM.
Hi All,

I have deployed and configured OpenSSO on my GlassFish server. When I try to log in with the AMLoginPortlet (provided by SUN) I am getting the error below:

[#|2010-03-29T19:05:30.649+0000|SEVERE|sun-appserver2.1|javax.enterprise.system.container.web|_ThreadID=32;_ThreadName=httpSSLWorkerThread-38082-1;_RequestID=15f04380-5dca-434a-9867-10faeb3d4033;|StandardWrapperValve[Friendly URL Servlet - Public]: PWC1406: Servlet.service() for servlet Friendly URL Servlet - Public threw exception
java.lang.ExceptionInInitializerError
at com.iplanet.dpro.session.SessionID.<init>(SessionID.java:120)
at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:87)
at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:239)
at com.sun.portal.servlet.filters.sso.accessmanager.AccessManagerUtil.validateAuth(AccessManagerUtil.java:87)
at com.sun.portal.servlet.filters.sso.accessmanager.AccessManagerFilter.processFilter(AccessManagerFilter.java:110)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:100)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:91)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:313)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
at com.sun.enterprise.ee.web.sessmgmt.SessionLockingStandardPipeline.invoke(SessionLockingStandardPipeline.java:120)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:291)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:672)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:603)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:877)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:383)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:264)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:258)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.identity.common.PropertiesFinder.getProperty(PropertiesFinder.java:53)
at com.sun.identity.configuration.FedSystemProperties.get(FedSystemProperties.java:82)
at com.sun.identity.shared.configuration.SystemPropertiesManager.get(SystemPropertiesManager.java:136)
at com.sun.identity.shared.encode.CookieUtils.<clinit>(CookieUtils.java:61)
... 39 more
|#]
Posted on 5/19/10 11:01 PM in reply to DarshanKumar Bhatia.
I need it too!!
Posted on 6/7/10 12:11 PM in reply to Nagendra Kumar Busam.
hi..
I am using Liferay 5.2.3. I have deployed the OpenSSO war file in the same Tomcat as Liferay. I have a doubt: when I log in through OpenSSO, it redirects me to the Liferay page. Should I log in again or not? It asks me to re-login. But when I log out it redirects me to the OpenSSO page, which I think is fine.

I have referred to the following links:
http://www.objectpartners.com/2010/08/16/integrating-opensso-openam-with-liferay-portal-on-tomcat/
http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/OpenSSO+Integration

I am attaching some files for your reference, i.e.:
server.xml
portal-ext.xml

Any suggestions are welcome.
Thanks in advance..
Posted on 9/22/10 6:24 AM.
Hi Sandesh,

did you solve this issue? I am getting the same issue.
Posted on 12/13/10 9:26 AM in reply to Sandesh Lalji Chauhan.
Hi,

I'm new to Liferay as well as OpenSSO. I need to integrate Liferay 5.1.1 with OpenSSO. Any idea if it will work? Is the auto login hook already implemented for OpenSSO within Liferay 5.1.1?
Posted on 5/4/11 4:02 AM in reply to hari pulijala.
Hi Nagendra,
Can we use the same Liferay login page to customize the OpenSSO login?
Posted on 6/9/11 6:38 PM in reply to nikhil kshirsagar.
Hi all
I need a similar kind of functionality to that mentioned by Faris Abdulla, Nagendra Kumar Busam and Raghu Jaligama ---

Can we use the same Liferay login page and avoid the OpenSSO login page for login purposes?

I don't need to go to the OpenSSO page for login in the Liferay and OpenSSO integration.

Suggestions are welcome.
Posted on 9/18/11 12:30 AM.
Hello,
I have installed OpenAM 10.0.0 and Liferay 6.1 EE in a Tomcat environment on my laptop. After enabling OpenSSO, single sign-on works fine. But single sign-out through OpenAM itself (scenario 4: User logs out at some other application using OpenSSO or at OpenSSO itself) does not work. So if I log out through OpenAM, I still stay signed in to Liferay. Does anyone have a solution for this issue? If so, please share it with us.

Greets,
Nael
Posted on 6/7/12 1:26 AM.
Hi Nael,

Did you manage to get an answer to this issue? I have the same issue.

Thanks.
Posted on 1/22/14 6:53 PM in reply to Nael Popal.
Hey Nael,

Did you get a solution to this issue?
I am using Liferay 6.2 EE and fixing the same issue.

Tina
Posted on 10/6/14 3:28 AM in reply to Nael Popal.