Liferay + OpenSSO/OpenAM Integration -Login portlet
Sachin Mane, modified 11 years ago.
Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 76 Join Date: 10.04.12 Recent Posts
Hi,
Wanted to check with this forum if there is any login portlet available which can "POST" the authentication request to OpenAM/SSO from within the liferay page?
Currently the OpenSSO filter redirects users to openAM login page when user clicks on login link.
What I need is to stay on the Liferay home page and log in from there using OpenAM instead of redirecting to a different URL.
sridhar iyer, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 57 Join Date: 27.02.09 Recent Posts
Hi Sachin
Did you find any solution for this?
Thanks
Sridhar
Sachin Mane, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 76 Join Date: 10.04.12 Recent Posts
Not yet. I am planning to make my OpenAM page as landing page and use Liferay widgets to display other portlets on openAM login page.
jaid shaik, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Regular Member Posts: 171 Join Date: 08.10.10 Recent Posts
Sachin Mane, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 76 Join Date: 10.04.12 Recent Posts
Hi Jaid,
Thanks but that link talks about integration openAM and liferay for authentication which is already done. When user clicks on login link in liferay it will take user to openAM page.
What I want is to display the OpenAM form itself in Liferay, maybe as a portlet.
sridhar iyer, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 57 Join Date: 27.02.09 Recent Posts
I think there is no straightaway solution for that. We need to create a custom portlet. Maybe we can consume some of OpenAM's RESTful API and get our work done.
OpenAm Restful API
Regards
Sridhar
Sachin Mane, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 76 Join Date: 10.04.12 Recent Posts
Hmm.. I wonder how OpenAM cookies will work in this case. The OpenAM cookie needs to be present in the browser so that once authenticated with OpenAM, all subsequent requests will pass through as the cookie will be sent by the browser with them.
The approach that I am thinking of currently is to present the OpenAM login page as soon as the user hits the app URL (webserver forward/redirection) and use a Liferay widget (the <script> tag that you see when the sharing option on a portlet is selected) in the OpenAM login JSP. There is quite good support in OpenAM to customize the login page UI.
Srikanth Konjarla, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 51 Join Date: 25.10.08 Recent Posts
Try OpenSSO's zero page login feature where you can POST to a URL for authentication.
http://docs.oracle.com/cd/E19316-01/820-3885/gbaop/index.html
For example,
amurl - OpenSSO login url (e.g. http://opensso.myhost.com:18080/opensso/UI/Login)
gotourl - Liferay's login url (e.g. http://portal.myhost.com:8080/c/portal/login)
<form action="<%= amurl %>?goto=<%= gotourl %>" method="post">
<table>
<tbody><tr>
<td>Username: </td><td><input type="text" name="IDToken1"></td>
</tr> <tr>
<td>Password: </td><td><input type="password" name="IDToken2"></td>
</tr>
<!-- input type="hidden" name="realm" value="/" / -->
<!-- input type="hidden" name="authmodule" value="LDAP" / -->
<tr>
<td><input type="submit" value="Login"></td>
</tr>
</tbody></table>
</form>
HTH
Sachin Mane, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 76 Join Date: 10.04.12 Recent Posts
Thanks Srikanth. This looks promising. Will try it out.
David Underwood, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
New Member Posts: 22 Join Date: 06.08.10 Recent Posts
Sachin,
It turns out that I have the exact same problem and requirements.
Were you able to find a solution?
Thanks
sridhar iyer, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 57 Join Date: 27.02.09 Recent Posts
David,
I have created a login portlet which authenticates against OpenAM. I am using the OpenAM REST web service (ajax call) to authenticate the user. If the authentication is successful (200) then I just forward the user to the OpenAM login page with the credentials he provided (e.g. http://localhost:8080/openam/UI/Login?IDToken1=username&IDToken2=password&goto=http://localhost:8080). It authenticates and redirects the user to Liferay.
HTH
Sridhar Iyer B
Sachin Mane, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 76 Join Date: 10.04.12 Recent Posts
sridhar iyer:
David,
I have created a login portlet which authenticates against OpenAM. I am using the OpenAM REST web service (ajax call) to authenticate the user. If the authentication is successful (200) then I just forward the user to the OpenAM login page with the credentials he provided (e.g. http://localhost:8080/openam/UI/Login?IDToken1=username&IDToken2=password&goto=http://localhost:8080). It authenticates and redirects the user to Liferay.
HTH
Sridhar Iyer B
Liked this idea. However only fallback is one extra redirect is involved and user credentials are passed over url and potentially visible to the end user.
sridhar iyer, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 57 Join Date: 27.02.09 Recent Posts
Sachin Mane:
Liked this idea. However only fallback is one extra redirect is involved and user credentials are passed over url and potentially visible to the end user.
That's right, one more redirect is there, which is necessary for creation of the cookie from OpenAM. You can use hidden form fields (with method=post) if you don't want the user to see his credentials in the URL.
Sachin Mane, modified 11 years ago.
RE: Liferay + OpenSSO/OpenAM Integration -Login portlet
Junior Member Posts: 76 Join Date: 10.04.12 Recent Posts
Yes.
Here is what I did -
1. Created a new hook "openam-authenticator-hook" in which I have just one class - public class OpenAmAuthenticator implements
com.liferay.portal.security.auth.Authenticator
2. Refer to the documentation of com.liferay.portal.security.auth.Authenticator
3. Created a portal.properties in the same hook and registered the OpenAmAuthenticator class as below
auth.pipeline.pre=com.mypackage.portal.security.OpenAmAuthenticator
4. In the OpenAmAuthenticator class there will be the following 4 methods -
authenticateByEmailAddress
authenticateByScreenName
authenticateByUserId
and
authenticate
5. In the authenticate method we make a call to OpenAM's REST service - the URL will be of the form -
String url = "http://idp.mydomain.com:9080/openam/identity/authenticate?uri=realm=realmname&username="
+ login + "&password=" + password;
I've kept this URL in a property file.
6. If the response code is 200, we get a token back from OpenAM.
7. We need to create OpenAM cookies so that when the redirect request comes back to Liferay, the OpenAmAutoLogin filter can get the token and the Liferay login can happen.
8. We do not have access to HttpResponse in the Authenticator class, so I've used a threadlocal variable to store the OpenAM token.
9. I've extended com.liferay.portlet.login.action.LoginAction to read the threadlocal variable and create the cookies required by OpenAM.
10. My OpenAM URL requires basic authentication. You can ignore the basic auth code if you don't need it.
Following is the code snippet for openam-authenticator-hook -
try {
    // The REST URL is read from the portal settings for this company
    url = PrefsPropsUtil.getString(companyId, OPENSSO_AUTH_URL_KEY);
} catch (Exception e) {
    _log.error("Error retrieving OpenSSO/AM authentication url. Please verify is portal setting ["
        + OPENSSO_AUTH_URL_KEY
        + "] for companyId ["
        + companyId
        + "]");
    return DNE;
}
url = url + "&username=" + login + "&password=" + password;
if (_log.isDebugEnabled()) {
    // Mask the password before the URL is written to the log
    _log.debug("Authenticating user with REST url ["
        + url.replaceAll("password=.*", "password=******") + "]");
}
HttpURLConnection urlc = null;
OutputStreamWriter osw = null;
try {
    URL urlObj = new URL(url);
    urlc = (HttpURLConnection) urlObj.openConnection();
    String basicAuthUsername = System
        .getProperty("openAmBasicAuthUsername");
    String basicAuthPassword = System
        .getProperty("openAmBasicAuthPassword");
    // System.getProperty returns null when the property is unset,
    // so check for null as well as for the empty string
    if (basicAuthUsername != null && !"".equals(basicAuthUsername)
            && basicAuthPassword != null && !"".equals(basicAuthPassword)) {
        String userpassword = basicAuthUsername + ":" + basicAuthPassword;
        String encodedAuthorization = Base64.encode(userpassword
            .getBytes());
        urlc.setRequestProperty("Authorization", "Basic "
            + encodedAuthorization);
    }
    urlc.setDoOutput(true);
    urlc.setRequestMethod("POST");
    urlc.setRequestProperty("Content-type",
        "application/x-www-form-urlencoded");
    osw = new OutputStreamWriter(urlc.getOutputStream());
    osw.write("dummy");
    osw.flush();
    int responseCode = urlc.getResponseCode();
    if (responseCode == HttpURLConnection.HTTP_OK) {
        InputStream inStream = urlc.getInputStream();
        String data = StringUtil.read(inStream);
        if (_log.isDebugEnabled()) {
            _log.debug("Recieved authentication response as [" + data
                + "] for user with login [" + login + "]");
        }
        if (data.toLowerCase().indexOf("token.id") != -1) {
            // Split on the first '=' only and trim the trailing newline,
            // since the token value itself may contain '='
            String token = data.split("=", 2)[1].trim();
            // Create cookies and set them on threadlocal
            List<KeyValuePair> customAuthCookies = new ArrayList<KeyValuePair>();
            String amlbcookieStr = urlc.getHeaderField("Set-Cookie");
            // The header is absent when OpenAM sets no load-balancer cookie
            if (amlbcookieStr != null) {
                String[] amlbcookietokens = amlbcookieStr.split(";");
                KeyValuePair amlbcookie = new KeyValuePair(
                    amlbcookietokens[0].split("=")[0],
                    amlbcookietokens[0].split("=")[1]);
                customAuthCookies.add(amlbcookie);
            }
            customAuthCookies.add(new KeyValuePair(
                "iPlanetDirectoryPro", token));
            customAuthCookies.add(new KeyValuePair("AMAuthCookie",
                token));
            AuthCookiesThreadLocal.set(customAuthCookies);
            // Authentication successful
            return SUCCESS;
        }
    } else {
        if (_log.isDebugEnabled()) {
            _log.debug("Received Http response code [" + responseCode
                + "] while authentication user with login ["
                + login + "]");
        }
    }
10. Following is the code snippet for the LoginAction ext
LoginUtil.login(request, response, login, password, rememberMe,
    authType);
// Following is the custom code after the LoginUtil.login call. This code creates OpenAM cookies and adds them to HttpResponse
try {
    List<KeyValuePair> authenticationCookies = AuthCookiesThreadLocal.get();
    if (authenticationCookies != null) {
        String domain = CookieKeys.getDomain(request);
        for (KeyValuePair keyValuePair : authenticationCookies) {
            Cookie c = new Cookie(keyValuePair.getKey(),
                keyValuePair.getValue());
            c.setPath(StringPool.SLASH);
            c.setDomain(domain);
            CookieKeys.addCookie(request, response, c);
        }
    }
} finally {
    // Always clear the threadlocal so the cookies cannot leak to another request on the same thread
    AuthCookiesThreadLocal.remove();
}
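Step 5 in the post above appends the login and password to the REST URL, where they can end up in URL-based logs and break on characters such as `&` or `=`. The following is an added example, not the poster's code, of the same call with the credentials form-encoded in the POST body; the class and method names are hypothetical, and it assumes the `/identity/authenticate` endpoint accepts `username` and `password` as form parameters and that `authUrl` (which may still carry the realm parameter) points at an HTTPS listener.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class OpenAmRestAuthExample {
    // Form-encode the credentials for the POST body so they never appear in the URL.
    static String buildBody(String login, String password) throws UnsupportedEncodingException {
        return "username=" + URLEncoder.encode(login, "UTF-8")
             + "&password=" + URLEncoder.encode(password, "UTF-8");
    }

    // Extract the value from a "token.id=<value>" response line; null if absent.
    static String parseTokenId(String responseBody) {
        for (String line : responseBody.split("\\r?\\n")) {
            String[] kv = line.split("=", 2); // token values may themselves contain '='
            if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("token.id")) {
                return kv[1].trim();
            }
        }
        return null;
    }

    // POST the credentials to the authenticate endpoint; returns the token, or null on failure.
    static String authenticate(String authUrl, String login, String password) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(authUrl).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = c.getOutputStream()) {
            out.write(buildBody(login, password).getBytes(StandardCharsets.UTF_8));
        }
        if (c.getResponseCode() != HttpURLConnection.HTTP_OK) {
            return null;
        }
        try (InputStream in = c.getInputStream();
             ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
            return parseTokenId(new String(buf.toByteArray(), StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from a real deployment.
        System.out.println(buildBody("jdoe", "p&ss=w rd"));
        System.out.println(parseTokenId("token.id=AQIC5wM2LY4Sfcx==*\n"));
    }
}
```

With the credentials in the body, the debug log line in the hook no longer needs to mask a password inside the URL, and the token returned by `parseTokenId` is the value to place in the `iPlanetDirectoryPro` cookie.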