
OpenSSO Integration

OpenSSO and Liferay integration

This page describes the fixes made to the OpenSSO integration and also gives an overview of its design.

Fixes

  1. Utilize the OpenSSO fix for 1079: use the isTokenValid operation to validate the session
    1. If the user logged out of OpenSSO directly or through any other application, the user needs to be completely logged out of the portal as well. If this validation is not done, the user remains logged in to the portal.
  2. Do not send the cookie as a query parameter; that is a security hole. POST it instead.
  3. Use the getCookieNameForToken operation to get the name of the cookie instead of configuring it
  4. Utilize the getCookieNamesToForward operation and forward all of these cookies via POST for reliable operation
  5. The following attributes should be configurable
    1. firstName=cn
    2. lastName=sn
    3. screenName=givenName
    4. emailAddress=mail
  6. Fix the method that parses attribute name-value pairs. It was working, but this is a little better.
  7. Fix Single Logout

Design Overview

The authentication filter is OpenSSOFilter.java. It redirects an unauthenticated user to OpenSSO for login. After the user logs in with his/her credentials at OpenSSO, s/he is redirected back to Liferay using the "goto" query parameter. This second time, the filter validates the user by making a REST call to OpenSSO.

In addition to the filter, the auto.login.hooks property has OpenSSOAutoLogin configured, which implements the AutoLogin interface. The AutoLogin filter calls the login method on this class whenever a user who is unauthenticated (to the portal) is detected. This hook checks whether the user is already authenticated at OpenSSO. It then gets the screen name from OpenSSO and checks whether the user already exists in Liferay, creating a new user if none is found. It imports four essential attributes from the OpenSSO user store, namely First Name, Last Name, Screen Name and Email. These four attributes must be set in OpenSSO.

Both of these classes use OpenSSOUtil.java for calling REST operations on OpenSSO. The following REST calls are made to OpenSSO:

  1. http://host:port/opensso/identity/getCookieNameForToken
  2. http://host:port/opensso/identity/getCookieNamesToForward
  3. http://host:port/opensso/identity/attributes
  4. http://host:port/opensso/identity/istokenvalid
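As an added illustration of the validation step (this is not code from Liferay's OpenSSOUtil class), the following Java sketch POSTs the token to the identity REST operations listed above and parses the two response shapes the filter and the auto-login hook depend on. The class name, the `tokenid` form parameter and the `boolean=true` / `userdetails.attribute.name` / `userdetails.attribute.value` line formats are assumed from OpenSSO's identity REST interface, and the sample response in main is constructed.

```java
import java.io.*;
import java.net.*;
import java.util.*;

public class OpenSsoRestExample {
    // POST the session token to an OpenSSO identity REST operation; the token
    // goes in the request body, never in the query string (fix #2 above).
    static String post(String serviceUrl, String operation, String token)
            throws IOException {
        HttpURLConnection conn = (HttpURLConnection)
            new URL(serviceUrl + "/identity/" + operation).openConnection();
        conn.setRequestMethod("POST"); conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(("tokenid=" + URLEncoder.encode(token, "UTF-8")).getBytes("UTF-8"));
        }
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), "UTF-8");
        }
    }
    // isTokenValid answers "boolean=true" or "boolean=false"; anything else (empty
    // body, error page) is treated as invalid so the portal session ends (fix #1).
    static boolean isTokenValid(String response) {
        return "boolean=true".equals(response.trim());
    }
    // The attributes operation answers with userdetails.attribute.name=... lines,
    // each followed by one or more userdetails.attribute.value=... lines (fix #6);
    // the first value of each attribute is kept and lines without '=' are skipped.
    static Map<String, String> parseAttributes(String response) {
        Map<String, String> attrs = new LinkedHashMap<>();
        String name = null;
        for (String line : response.split("\n")) {
            int eq = line.indexOf('=');
            if (eq < 0) continue;
            String key = line.substring(0, eq).trim(), value = line.substring(eq + 1).trim();
            if (key.equals("userdetails.attribute.name")) {
                name = value;
            } else if (key.equals("userdetails.attribute.value") && name != null) {
                attrs.putIfAbsent(name, value);
            }
        }
        return attrs;
    }
    public static void main(String[] args) {
        // Constructed sample responses, not captured from a real OpenSSO server.
        String sample = "userdetails.token.id=TOKEN-PLACEHOLDER\n"
            + "userdetails.attribute.name=cn\nuserdetails.attribute.value=Joe Bloggs\n"
            + "userdetails.attribute.name=mail\nuserdetails.attribute.value=test@liferay.com\n";
        System.out.println(isTokenValid("boolean=true\n") + " " + parseAttributes(sample));
    }
}
```

Against a live server, `isTokenValid(post(serviceUrl, "isTokenValid", token))` is the check from fix #1, and the map returned by `parseAttributes(post(serviceUrl, "attributes", token))` is where the configured cn/sn/uid/mail names are looked up.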

Single Sign-On and Single Sign-out (SSO)

There are 4 possible scenarios:

  1. User logs in via Liferay
  2. User logs in via some other application using OpenSSO or at OpenSSO itself
  3. User logs out at Liferay
  4. User logs out at some other application using OpenSSO or at OpenSSO itself

The first two use cases are definitely needed, and the user does not have to log in again once authenticated by OpenSSO.
If it is desired to keep the user signed in to Liferay even after having logged out elsewhere, then the following mapping in web.xml needs to be removed.

    <filter-mapping>
        <filter-name>Open SSO Filter</filter-name>
        <url-pattern>/user/*</url-pattern>
    </filter-mapping>

If this is removed, the user will need to explicitly log out from Liferay, and that will perform a single logout from OpenSSO.

There is another side effect of this filter mapping during configuration. When the admin enables OpenSSO and clicks Save, a redirect happens immediately because the OpenSSO filter kicks in. This is why it is advisable to first create the admin user (such as Joe Bloggs) in OpenSSO (and log in) before enabling OpenSSO in Liferay.

Configuration parameters and sample values

  1. Login URL=http://openssohost:port/opensso/UI/Login?goto=http://portalhost:port/c/portal/login
  2. Logout URL=http://openssohost:port/opensso/UI/Logout?goto=http://portalhost:port/portal/
  3. Service URL=http://openssohost:port/opensso
  4. Cookie Name=iPlanetDirectoryPro (struck out: will not be required anymore)
  5. First Name=cn
  6. Last Name=sn
  7. ScreenName=uid
  8. Email=mail

Configuration Steps

  1. Download http://download.java.net/general/opensso/nightly/latest/opensso/opensso.zip or any stable build after Wed May 14 07:09:55 PDT 2008
  2. Make sure you read the release notes for OpenSSO. Currently (as of 5/16/08), it is not supported on Tomcat versions 5.5.26 and 6.0.16
  3. Since OpenSSO does not yet work with some versions of Tomcat, deploy Liferay on a container supported by OpenSSO. Otherwise, it encounters cookie encoding problems.
    1. Hint: This was tested on Glassfish V3 TP2
  4. Install OpenSSO on the same host/server as the portal or on any other host
    1. For example, on Glassfish, drop the war in the autodeploy dir
    2. Access http://host:port/opensso
    3. Select the default configuration, go through the steps and you are done
  5. Log in to OpenSSO as amadmin
  6. Create the user Joe Bloggs by giving "ID=joebloggs" and "Email=test@liferay.com" (Hint: First create the user, then edit it to set the email).
  7. Log out and log in to OpenSSO as joebloggs
  8. Now, in the same browser window, log in to Liferay as test@liferay.com (Joe Bloggs)
  9. Go to Enterprise Admin > Organizations > Settings > Authentication > OpenSSO tab
  10. Set the values as described earlier and click Save
  11. From here on, you will be redirected to OpenSSO for login

FAQ

1. Why do I need to be logged in to OpenSSO as joebloggs before enabling OpenSSO?
As soon as you enable OpenSSO and click Save, the OpenSSO filter kicks in and redirects to OpenSSO. If you are already logged in as joebloggs, then auth validation succeeds and the redirect back to Liferay works smoothly. If you are not already logged in, you will be presented with a login screen. If you log in as joebloggs now, then after the redirect back you will see an error in the Enterprise Admin portlet. The logs show the error message "This URL can only be invoked using POST". Although this error message can be ignored, we will fix it soon.

2. After enabling OpenSSO, I see a success message but no redirect to the OpenSSO login screen. Also, a logout and re-login never redirects to OpenSSO, or logout shows "page not available" or similar.
Most likely, the URLs in the configuration are incorrect. Check the logs and verify the URLs for login, logout and service.

3. I was logged in to OpenSSO as joebloggs when enabling OpenSSO and also saw a success message on Save. But now, after logout, I cannot log in?
Does it say "Server not found" or similar? If yes, you most likely entered an incorrect login URL. How to fix it when you cannot log in? Go directly to the OpenSSO login URL and log in as joebloggs. Then go to Liferay and you will be single signed-on. Fix the login URL now.

Bugs fixed

  1. LEP-4076
  2. LEP-5943
  3. LEP-5187
Comments


Danilo Levantesi
10/20/08 7:10 AM

The OpenSSO user uid should be set to test, or the Liferay test account screen name must be set to joebloggs. Choose one of the two options.

Martin Goldhahn
3/4/09 11:49 PM

OpenSSO does work on Tomcat. All you need to do is follow the steps described at http://docs.sun.com/app/docs/doc/820-3320/ggwyv?a=view.

In short: you need to set the system property com.iplanet.am.cookie.c66Encode=true

Gerhard H
3/13/09 5:49 AM

Can someone tell me how to configure LR 5.2 so that I have a publicly viewable area where anonymous visitors don't have to log in? After I have enabled OpenSSO I always get redirected to the OpenSSO login screen.

jefrainmx 67z
5/11/09 9:50 AM

Can somebody tell me where this information is stored so I can disable/enable it manually? After I enable it, if something goes wrong I have to reinstall everything.

Nikhil Francis
5/11/09 11:54 PM

To enable or disable OpenSSO manually, search for 'open.sso.auth.enabled' inside lportal.script (I'm using WebLogic 10.3, so I found it inside my ..user_projects\domains\data\hsql\lportal.script). Set this to true or false to switch oSSO on or off.

jefrainmx 67z
5/12/09 9:47 AM

Thanks a lot, I found it. To be more specific, the value exists in a table called portletpreferences.

In order to find the row with that info you can use (replace lportal with your DB schema name):

    SELECT * FROM lportal.portletpreferences p where preferences like '%open.sso%'

Rajiv Terwadkar
5/13/09 6:45 AM

I am also having issues in getting this done. If you have found the solution, let me know.
Regards
Rajiv

Jonas Yuan
8/13/09 4:38 PM

To remove OpenSSO settings, in case:
1) shutdown the portal
2) Run script: delete from PortletPreferences where portletId = 'LIFERAY_PORTAL';
3) re-start the portal

Jonas Yuan
9/9/09 10:38 AM

When OpenSSO and Liferay are in the same domain (e.g., localhost) with the setting (default configuration) "Encode Cookie Value = True", then it is working fine.

And when OpenSSO and Liferay are in the same domain (e.g., localhost) with the setting (custom configuration) "Encode Cookie Value = True"
with LDAP settings:
ldap://docs.cignex.com:10389
ou=users,ou=system
uid=admin,ou=system

Then it is working fine, too.

That is, OpenSSO and Liferay portal must be in the same domain.

Jonas Yuan
11/11/09 5:27 AM

OpenSSO and Liferay portal must be in the same domain.
The issue is reported as
http://issues.liferay.com/browse/LPS-4896

Faris Abdulla
1/20/10 8:13 AM

Can we use the same login portlet for OpenSSO login by customizing it?

I don't need to go to the OpenSSO page.

Is there any way?
Please help me.

Nagendra Kumar Busam
2/17/10 2:23 AM

Hi Faris, I need a similar kind of functionality to what you are looking for. If you are done, please let me know.

DarshanKumar N Bhatia
4/30/10 1:47 AM

Hi All,

Let me explain my use case:

I have an intranet on which different applications are running.
I have one internet web site running on the internet which is made in Liferay.

I want:
the changes made by the intranet application to be reflected in the Liferay internet website.
Both the internet and intranet applications have a common database.

=====> internet web site (Liferay) http://localhost:8080/guest
Common DB
=====> intranet application, some in Liferay
or a CRUD application in Struts.

Now I want to access this intranet application using
http://localhost:8080/guest/myintanet_pp_name

Will it be possible to do it with single sign-on operation?

Suggestions are welcome.

Sandesh Chauhan
5/19/10 11:01 PM

Hi All,

I have deployed and configured OpenSSO on my GlassFish server. When I try to login with the AMLoginPortlet (provided by SUN) I am getting below error:

[#|2010-03-29T19:05:30.649+0000|SEVERE|sun-appserver2.1|javax.enterprise.system.container.web|_ThreadID=32;_ThreadName=httpSSLWorkerThread-38082-1;_RequestID=15f04380-5dca-434a-9867-10faeb3d4033;|StandardWrapperValve[Friendly URL Servlet - Public]: PWC1406: Servlet.service() for servlet Friendly URL Servlet - Public threw exception
java.lang.ExceptionInInitializerError
at com.iplanet.dpro.session.SessionID.<init>(SessionID.java:120)
at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:87)
at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:239)
at com.sun.portal.servlet.filters.sso.accessmanager.AccessManagerUtil.validateAuth(AccessManagerUtil.java:87)
at com.sun.portal.servlet.filters.sso.accessmanager.AccessManagerFilter.processFilter(AccessManagerFilter.java:110)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:100)
Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:258)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.identity.common.PropertiesFinder.getProperty(PropertiesFinder.java:53)
at com.sun.identity.configuration.FedSystemProperties.get(FedSystemProperties.java:82)
at com.sun.identity.shared.configuration.SystemPropertiesManager.get(SystemPropertiesManager.java:136)
at com.sun.identity.shared.encode.CookieUtils.<clinit>(CookieUtils.java:61)
... 39 more
|#]

Cesar William
6/7/10 12:11 PM

I need it too!!

ankit yakkundi
9/22/10 6:24 AM

hi..
I am using Liferay 5.2.3. I have deployed the OpenSSO war file in the same Tomcat as Liferay. I have a doubt: when I log in through OpenSSO, it redirects me to the Liferay page. Should I log in again or not? It asks me to re-login. But when I log out it redirects me to the OpenSSO page, which I think is fine.

I have referred to the following links:
http://www.objectpartners.com/2010/08/16/integrating-opensso-openam-with-liferay-portal-on-tomcat/
http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/OpenSSO+Integration

I am attaching some files for your reference ie:
server.xml
portal-ext.xml

Any suggestions are welcome.
Thanks in advance..

hari pulijala
12/13/10 9:26 AM

Hi Sandesh,

did you solve this issue? I am getting the same issue.

nikhil kshirsagar
5/4/11 4:02 AM

Hi,

I'm new to liferay as well as opensso. I need to integrate liferay 5.1.1 with opensso. Any idea if it will work? Is the auto login hook already implemented for opensso within liferay 5.1.1?

Raghu Jaligama
6/9/11 6:38 PM

Hi Nagendra,
Can we use same liferay login page to customize the opensso?

Nurul Amin Bhuiyan
9/18/11 12:30 AM

Hi all
I need a similar kind of functionality as mentioned by Faris Abdulla, Nagendra Kumar Busam and Raghu Jaligama:

Can we use the same Liferay login page and avoid the OpenSSO login page for login purposes?

I don't need to go to the OpenSSO page for login in the Liferay and OpenSSO integration.

Suggestions are welcome.