Liferay + OpenSSO/OpenAM Integration -Login portlet

Sachin Mane, modified 11 years ago.

Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 76 Join Date: 10.04.12
Hi,

Wanted to check with this forum if there is any login portlet available which can "POST" the authentication request to OpenAM/SSO from within the Liferay page?

Currently the OpenSSO filter redirects users to the OpenAM login page when the user clicks on the login link.

What I need is to stay on the Liferay home page and log in from there using OpenAM instead of redirecting to a different URL.
sridhar iyer, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 57 Join Date: 27.02.09
Hi Sachin
Did you find any solution for this?
Thanks
Sridhar
Sachin Mane, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 76 Join Date: 10.04.12
Not yet. I am planning to make my OpenAM page the landing page and use Liferay widgets to display other portlets on the OpenAM login page.
jaid shaik, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Regular Member Posts: 171 Join Date: 08.10.10
Hi sachin&sridar,

check this link
Sachin Mane, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 76 Join Date: 10.04.12
Hi Jaid,
Thanks, but that link talks about integrating OpenAM and Liferay for authentication, which is already done. When the user clicks on the login link in Liferay it will take the user to the OpenAM page.
What I want is to display the OpenAM form itself in Liferay, maybe as a portlet.
sridhar iyer, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 57 Join Date: 27.02.09
I think there is no straightaway solution for that. We need to create a custom portlet. Maybe we can consume some of OpenAM's RESTful API and get our work done.

OpenAm Restful API

Regards
Sridhar
Sachin Mane, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 76 Join Date: 10.04.12
Hmm.. I wonder how OpenAM cookies will work in this case. The OpenAM cookie needs to be present in the browser so that once authenticated with OpenAM, all subsequent requests will pass through, as the cookie will be sent by the browser with them.

The approach that I am thinking of currently is to present the OpenAM login page as soon as the user hits the app url (webserver forward/redirection) and use a Liferay widget (the <script> tag that you see when the sharing option on a portlet is selected) in the OpenAM login jsp. There is quite good support in OpenAM for customizing the login page UI.
Srikanth Konjarla, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 51 Join Date: 25.10.08
Try OpenSSO's zero page login feature where you can POST to a URL for authentication.

http://docs.oracle.com/cd/E19316-01/820-3885/gbaop/index.html

For example,

amurl - OpenSSO login url (e.g. http://opensso.myhost.com:18080/opensso/UI/Login)
gotourl - Liferay's login url (e.g. http://portal.myhost.com:8080/c/portal/login)

<form action="<%= amurl %>?goto=<%= gotourl %>" method="post">
  <table>
    <tbody>
      <tr>
        <td>Username: </td><td><input type="text" name="IDToken1"></td>
      </tr>
      <tr>
        <td>Password: </td><td><input type="password" name="IDToken2"></td>
      </tr>
      <!-- input type="hidden" name="realm" value="/" / -->
      <!-- input type="hidden" name="authmodule" value="LDAP" / -->
      <tr>
        <td><input type="submit" value="Login"></td>
      </tr>
    </tbody>
  </table>
</form>


HTH
Sachin Mane, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 76 Join Date: 10.04.12
Thanks Srikanth. This looks promising. Will try it out.
David Underwood, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

New Member Posts: 22 Join Date: 06.08.10
Sachin,

It turns out that I have the exact same problem and requirements.
Were you able to find a solution?

Thanks
sridhar iyer, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 57 Join Date: 27.02.09
David,

I have created a login portlet which authenticates against OpenAM. I am using the OpenAM REST web service (ajax call) to authenticate the user. If the authentication is successful (200) then I just forward the user to the OpenAM login page with the credentials he provided (e.g. http://localhost:8080/openam/UI/Login?IDToken1=username&IDToken2=password&goto=http://localhost:8080). It authenticates and redirects the user to Liferay.

HTH
Sridhar Iyer B
Sachin Mane, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 76 Join Date: 10.04.12
sridhar iyer:
David,

I have created a login portlet which authenticates against OpenAM. I am using the OpenAM REST web service (ajax call) to authenticate the user. If the authentication is successful (200) then I just forward the user to the OpenAM login page with the credentials he provided (e.g. http://localhost:8080/openam/UI/Login?IDToken1=username&IDToken2=password&goto=http://localhost:8080). It authenticates and redirects the user to Liferay.

HTH
Sridhar Iyer B


Liked this idea. However, the only fallback is that one extra redirect is involved and user credentials are passed over the url and are potentially visible to the end user.
sridhar iyer, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 57 Join Date: 27.02.09
Sachin Mane:

Liked this idea. However, the only fallback is that one extra redirect is involved and user credentials are passed over the url and are potentially visible to the end user.


That's right, one more redirect is there, which is necessary for creation of the cookie from OpenAM. You can use hidden form fields (with method=post) if you don't want the user to see his credentials in the url.
Sachin Mane, modified 11 years ago.

RE: Liferay + OpenSSO/OpenAM Integration -Login portlet

Junior Member Posts: 76 Join Date: 10.04.12
Yes.
Here is what I did -
1. Created a new hook "openam-authenticator-hook" in which I have just one class - public class OpenAmAuthenticator implements com.liferay.portal.security.auth.Authenticator

2. Refer to the documentation of com.liferay.portal.security.auth.Authenticator

3. Created a portal.properties in the same hook and registered the OpenAmAuthenticator class as below
auth.pipeline.pre=com.mypackage.portal.security.OpenAmAuthenticator

4. In the OpenAmAuthenticator class there will be the following 4 methods -
authenticateByEmailAddress
authenticateByScreenName
authenticateByUserId
and
authenticate

5. In the authenticate method we make a call to OpenAM's REST service - the url will be of the form -
String url = "http://idp.mydomain.com:9080/openam/identity/authenticate?uri=realm=realmname&username="
+ login + "&password=" + password;
I've kept this url in a property file.

6. If the response code is 200, we get a token back from OpenAM.
7. We need to create the OpenAM cookies so that when the redirect request comes back to Liferay, the OpenAmAutoLogin filter can get the token and the Liferay login can happen.
8. We do not have access to HttpResponse in the Authenticator class, so I've used a ThreadLocal variable to store the OpenAM token.
9. I've extended com.liferay.portlet.login.action.LoginAction to read the ThreadLocal variable and create the cookies required by OpenAM.
10. My OpenAM URL requires basic authentication. You can ignore the basic auth code if you don't need it.

Following is the code snippet for openam-authenticator-hook -
// Fragment of OpenAmAuthenticator.authenticate(...). Besides java.io, java.net and
// java.util it uses Liferay's Base64, KeyValuePair, PrefsPropsUtil and StringUtil.
try {
	url = PrefsPropsUtil.getString(companyId, OPENSSO_AUTH_URL_KEY);
} catch (Exception e) {
	_log.error("Error retrieving OpenSSO/AM authentication url. Please verify the portal setting ["
			+ OPENSSO_AUTH_URL_KEY + "] for companyId [" + companyId + "]");

	return DNE;
}

HttpURLConnection urlc = null;
OutputStreamWriter osw = null;
try {
	// URL-encode the credentials so characters such as '&' or '=' do not break the query string
	url = url + "&username=" + URLEncoder.encode(login, "UTF-8")
			+ "&password=" + URLEncoder.encode(password, "UTF-8");

	if (_log.isDebugEnabled()) {
		_log.debug("Authenticating user with REST url ["
				+ url.replaceAll("password=.*", "password=******") + "]");
	}

	URL urlObj = new URL(url);
	urlc = (HttpURLConnection) urlObj.openConnection();

	String basicAuthUsername = System.getProperty("openAmBasicAuthUsername");
	String basicAuthPassword = System.getProperty("openAmBasicAuthPassword");

	// System.getProperty returns null when the property is not set
	if (basicAuthUsername != null && !"".equals(basicAuthUsername)
			&& basicAuthPassword != null && !"".equals(basicAuthPassword)) {
		String userpassword = basicAuthUsername + ":" + basicAuthPassword;
		String encodedAuthorization = Base64.encode(userpassword.getBytes());
		urlc.setRequestProperty("Authorization", "Basic " + encodedAuthorization);
	}

	urlc.setDoOutput(true);
	urlc.setRequestMethod("POST");
	urlc.setRequestProperty("Content-type", "application/x-www-form-urlencoded");

	// The credentials travel in the query string; the POST body is only a placeholder
	osw = new OutputStreamWriter(urlc.getOutputStream());
	osw.write("dummy");
	osw.flush();

	int responseCode = urlc.getResponseCode();

	if (responseCode == HttpURLConnection.HTTP_OK) {
		InputStream inStream = urlc.getInputStream();
		String data = StringUtil.read(inStream);

		if (_log.isDebugEnabled()) {
			_log.debug("Received authentication response as [" + data
					+ "] for user with login [" + login + "]");
		}

		if (data.toLowerCase().indexOf("token.id") != -1) {
			// The token value can itself contain '=', so split on the first one only
			String token = data.split("=", 2)[1].trim();

			// Create cookies and set them on threadlocal
			List<KeyValuePair> customAuthCookies = new ArrayList<KeyValuePair>();

			// First Set-Cookie header of the response (amlbcookie); it may be absent
			String amlbcookieStr = urlc.getHeaderField("Set-Cookie");

			if (amlbcookieStr != null) {
				String[] amlbcookie = amlbcookieStr.split(";")[0].split("=", 2);

				if (amlbcookie.length == 2) {
					customAuthCookies.add(new KeyValuePair(amlbcookie[0], amlbcookie[1]));
				}
			}

			customAuthCookies.add(new KeyValuePair("iPlanetDirectoryPro", token));
			customAuthCookies.add(new KeyValuePair("AMAuthCookie", token));

			AuthCookiesThreadLocal.set(customAuthCookies);

			// Authentication successful
			return SUCCESS;
		}
	} else {
		if (_log.isDebugEnabled()) {
			_log.debug("Received Http response code [" + responseCode
					+ "] while authenticating user with login [" + login + "]");
		}
	}
} catch (IOException e) {
	// The posted snippet stops before this point; a minimal close of the try block (assumed)
	_log.error("Error calling OpenSSO/AM authentication url", e);
} finally {
	if (osw != null) {
		try {
			osw.close();
		} catch (IOException e) {
			// nothing more to do
		}
	}
	if (urlc != null) {
		urlc.disconnect();
	}
}

return FAILURE;


11. Following is the code snippet for the LoginAction ext

LoginUtil.login(request, response, login, password, rememberMe, authType);

// Following is the custom code after the LoginUtil.login call. This code creates OpenAM cookies and adds them to HttpResponse
try {
	List<KeyValuePair> authenticationCookies = AuthCookiesThreadLocal.get();

	if (authenticationCookies != null) {
		String domain = CookieKeys.getDomain(request);

		for (KeyValuePair keyValuePair : authenticationCookies) {
			Cookie c = new Cookie(keyValuePair.getKey(), keyValuePair.getValue());
			c.setPath(StringPool.SLASH);
			c.setDomain(domain);

			CookieKeys.addCookie(request, response, c);
		}
	}
} finally {
	// Always clear the thread local so the token does not leak to another request on this thread
	AuthCookiesThreadLocal.remove();
}
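
Steps 5 and 6 above send the username and password as query-string parameters, where they can end up in web server and proxy access logs. The following is an added example, not part of the original post and not Liferay or OpenAM code: it sends the same parameters form-encoded in the POST body and parses the token.id response. The class and method names are hypothetical, and it assumes the /identity/authenticate endpoint reads uri, username and password from the request body.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
// Hypothetical class; assumes the endpoint reads uri/username/password from the POST body.
public class OpenAmRestAuthExample {

    // Form-encode the parameters so credentials stay out of the URL and '&' or '=' cannot break the request.
    static String formBody(String realm, String login, String password)
            throws UnsupportedEncodingException {
        return "uri=" + URLEncoder.encode("realm=" + realm, "UTF-8")
                + "&username=" + URLEncoder.encode(login, "UTF-8")
                + "&password=" + URLEncoder.encode(password, "UTF-8");
    }

    // Extract the value of a "token.id=<value>" line; the value may itself contain '='.
    static String parseToken(String body) {
        for (String line : body.split("\\r?\\n")) {
            if (line.startsWith("token.id=")) {
                return line.substring("token.id=".length()).trim();
            }
        }
        return null; // no token in the response
    }

    static String authenticate(String endpoint, String realm, String login,
            String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(formBody(realm, login, password).getBytes(StandardCharsets.UTF_8));
        }
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) return null; // rejected
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = conn.getInputStream()) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        }
        return parseToken(buf.toString("UTF-8"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; this part needs no network access.
        System.out.println(formBody("/", "jo&e", "p@ss=w&rd"));
        System.out.println(parseToken("token.id=AQIC5EXAMPLE=@AAJTSQACMDE=#\n"));
    }
}
```

The token returned by authenticate() can be stored in the thread local exactly as in the posted hook; only the transport of the credentials changes.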