
OpenSSO Integration

OpenSSO and Liferay integration

This page describes the fixes made to the OpenSSO integration and gives an overview of its design.

Fixes

  1. Utilize the OpenSSO fix for 1079: use the isTokenValid operation to validate the session
    • If the user logged out of OpenSSO directly or through any other application, the user must be completely logged out of the portal as well. Without this validation, the user remains logged in to the portal.
  2. Do not send the cookie as a query parameter; it is a security hole, because the session token then ends up in URLs, server logs and Referer headers. POST it instead.
  3. Use the getCookieNameForToken operation to obtain the name of the cookie instead of configuring it
  4. Utilize the getCookieNamesToForward operation and forward all of these cookies via POST for reliable operation
  5. The following attribute mappings should be configurable
    • firstName=cn
    • lastName=sn
    • screenName=givenName
    • emailAddress=mail
  6. Fix the method that parses attribute name-value pairs. It was working, but this is a little better.
  7. Fix Single Logout

Design Overview

The authentication filter is OpenSSOFilter.java. It redirects an unauthenticated user to OpenSSO for login. After the user logs in with their credentials at OpenSSO, they are redirected back to Liferay using the "goto" query parameter. On this second pass, the filter validates the user's session by making a REST call to OpenSSO.

In addition to the filter, auto.login.hooks has OpenSSOAutoLogin configured, which implements the AutoLogin interface. The AutoLogin filter calls the login method on this class whenever a user who is unauthenticated (to the portal) is detected. This hook checks whether the user is already authenticated at OpenSSO, then obtains the screen name from OpenSSO, then checks whether the user already exists in Liferay. It creates a new user if the user is not found in Liferay. It imports four essential attributes from the OpenSSO user store, namely First Name, Last Name, Screen Name and Email. These four attributes must be set in OpenSSO.

Both of these classes use OpenSSOUtil.java for calling REST operations on OpenSSO. The following REST calls are made to OpenSSO:

  1. http://host:port/opensso/identity/getCookieNameForToken
  2. http://host:port/opensso/identity/getCookieNamesToForward
  3. http://host:port/opensso/identity/attributes
  4. http://host:port/opensso/identity/istokenvalid
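The following is an added example, not code from OpenSSOUtil.java or OpenSSOFilter.java, showing the filter/auto-login flow described above as a small offline Python client: it reads the cookie name from getCookieNameForToken, checks the session with isTokenValid (fix 1), always carries the token in the POST body rather than the query string (fix 2), and parses the attributes response into the four configurable portal fields (fixes 5 and 6). It assumes the line-oriented "key=value" response format of the OpenSSO identity services ("boolean=true", "string=iPlanetDirectoryPro", and "userdetails.attribute.name"/"userdetails.attribute.value" pairs); the HTTP transport is replaced by a dictionary of constructed responses, and the token value and URLs are made up.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed responses (not captured from a real server) in the
# one-key=value-per-line format of the OpenSSO identity REST services.
VALID_TOKEN = "AQIC5wM2LY4SfczConstructedToken"  # made-up token value
FAKE_RESPONSES = {
    "getCookieNameForToken": "string=iPlanetDirectoryPro\n",
    "getCookieNamesToForward": "string=iPlanetDirectoryPro\nstring=amlbcookie\n",
    "isTokenValid": {VALID_TOKEN: "boolean=true\n"},
    "attributes": {VALID_TOKEN: (
        f"userdetails.token.id={VALID_TOKEN}\n"
        "userdetails.attribute.name=cn\nuserdetails.attribute.value=Joe\n"
        "userdetails.attribute.name=sn\nuserdetails.attribute.value=Bloggs\n"
        "userdetails.attribute.name=uid\nuserdetails.attribute.value=joebloggs\n"
        "userdetails.attribute.name=mail\nuserdetails.attribute.value=test@liferay.com\n"
    )},
}

# Portal field -> OpenSSO attribute, using the sample values from this page.
DEFAULT_MAPPING = {"firstName": "cn", "lastName": "sn",
                   "screenName": "uid", "emailAddress": "mail"}


def parse_lines(body: str) -> List[Tuple[str, str]]:
    """Split a response into (key, value) pairs on the FIRST '=' only,
    so values that themselves contain '=' (e.g. LDAP DNs) stay intact."""
    pairs = []
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def parse_attributes(body: str) -> Dict[str, List[str]]:
    """Pair each attribute.name line with the value line(s) that follow it."""
    attrs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for key, value in parse_lines(body):
        if key == "userdetails.attribute.name":
            current = value
            attrs.setdefault(current, [])
        elif key == "userdetails.attribute.value" and current is not None:
            attrs[current].append(value)
    return attrs


def parse_boolean(body: str) -> bool:
    """isTokenValid answer; anything other than an explicit true fails closed."""
    return any(k == "boolean" and v.lower() == "true" for k, v in parse_lines(body))


def parse_strings(body: str) -> List[str]:
    return [v for k, v in parse_lines(body) if k == "string"]


def build_post(service_url: str, operation: str, **params: str) -> Tuple[str, str]:
    """URL and form body for a call; the token is in the body, never the URL."""
    return f"{service_url}/identity/{operation}", urlencode(params)


def map_user(attrs: Dict[str, List[str]], mapping=DEFAULT_MAPPING) -> Dict[str, str]:
    """Import the four required attributes; a missing one is an error, not a blank."""
    user = {}
    for field, sso_name in mapping.items():
        values = attrs.get(sso_name)
        if not values:
            raise ValueError(f"required attribute {sso_name!r} missing for {field}")
        user[field] = values[0]
    return user


def validate_session(cookies: Dict[str, str],
                     post: Callable[[str, str], str]) -> Optional[Dict[str, str]]:
    """Filter logic: returns the imported user, or None if the portal must
    treat the request as unauthenticated (no cookie or token revoked)."""
    cookie_name = parse_strings(post("getCookieNameForToken", ""))[0]
    token = cookies.get(cookie_name)
    if not token:
        return None
    if not parse_boolean(post("isTokenValid", urlencode({"tokenid": token}))):
        return None  # logged out elsewhere: drop the portal session too
    return map_user(parse_attributes(post("attributes", urlencode({"subjectid": token}))))


def fake_post(operation: str, body: str) -> str:
    """Stand-in for the HTTP POST, answering from FAKE_RESPONSES."""
    params = parse_qs(body)
    token = (params.get("tokenid") or params.get("subjectid") or [None])[0]
    resp = FAKE_RESPONSES[operation]
    if isinstance(resp, dict):
        return resp.get(token, "boolean=false\n" if operation == "isTokenValid" else "")
    return resp
```

Calling validate_session with a cookie jar that carries the valid token yields the imported user; with a stale token isTokenValid answers false and the function returns None, which is exactly the case (scenario 4 below) where the portal must end its own session instead of trusting the cookie.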

Single Sign-On and Single Sign-out (SSO)

There are 4 possible scenarios:
  1. User logs in via Liferay
  2. User logs in via some other application using OpenSSO or at OpenSSO itself
  3. User logs out at Liferay
  4. User logs out at some other application using OpenSSO or at OpenSSO itself
The first two scenarios are definitely needed: once authenticated by OpenSSO, the user does not have to log in again.
If it is desired to keep the user signed in to Liferay even after a logout has been performed elsewhere, the following mapping in web.xml needs to be removed.
    <filter-mapping>
        <filter-name>Open SSO Filter</filter-name>
        <url-pattern>/user/*</url-pattern>
    </filter-mapping>
If this is removed, the user will need to explicitly log out from Liferay, and that performs a single logout from OpenSSO.

This filter mapping also has a side effect during configuration. When the admin enables OpenSSO and clicks Save, a redirect happens immediately because the OpenSSO filter kicks in. This is why it is advisable to first create the admin user (such as Joe Bloggs) in OpenSSO, and log in there, before enabling OpenSSO in Liferay.

Configuration parameters and sample values

  1. Login URL=http://openssohost:port/opensso/UI/Login?goto=http://portalhost:port/c/portal/login
  2. Logout URL=http://openssohost:port/opensso/UI/Logout?goto=http://portalhost:port/portal/
  3. Service URL=http://openssohost:port/opensso
  4. Cookie Name=iPlanetDirectoryPro (no longer required; the name is now obtained via getCookieNameForToken)
  5. First Name=cn
  6. Last Name=sn
  7. ScreenName=uid
  8. Email=mail

Configuration Steps

  1. Download http://download.java.net/general/opensso/nightly/latest/opensso/opensso.zip or any stable build after Wed May 14 07:09:55 PDT 2008
  2. Make sure you read the release notes for OpenSSO. Currently (as of 5/16/08), it is not supported on Tomcat versions 5.5.26 and 6.0.16
  3. Since OpenSSO does not yet work with some versions of Tomcat, deploy Liferay on a container supported by OpenSSO. Otherwise, it encounters cookie encoding problems.
    • Hint: This was tested on Glassfish V3 TP2
  4. Install OpenSSO on the same host/server as the portal, or on any other host
    • For example, on Glassfish, drop the war in the autodeploy dir
    • Access http://host:port/opensso
    • Select the default configuration, go through the steps, and you are done
  5. Log in to OpenSSO as amadmin
  6. Create the user Joe Bloggs by giving "ID=joebloggs" and "Email=test@liferay.com" (Hint: first create the user, then edit it to set the email)
  7. Log out and log in to OpenSSO as joebloggs
  8. Now, in the same browser window, log in to Liferay as test@liferay.com (Joe Bloggs)
  9. Go to Enterprise Admin > Organizations > Settings > Authentication > OpenSSO tab
  10. Set the values as described earlier and click Save
  11. From here on, you will be redirected to OpenSSO for login

FAQ

1. Why do I need to be logged in to OpenSSO as joebloggs before enabling OpenSSO?
As soon as you enable OpenSSO and click Save, the OpenSSO filter kicks in and redirects to OpenSSO. If you are already logged in as joebloggs, the auth validation succeeds and the redirect back to Liferay works smoothly. If you are not already logged in, you will be presented with a login screen. If you log in as joebloggs at that point, then after the redirect back you will see an error in the Enterprise Admin portlet. The logs show the error message "This URL can only be invoked using POST". This error message can be ignored; we will fix it soon.

2. After enabling OpenSSO, I see a success message but no redirect to the OpenSSO login screen. Also, a logout and re-login never redirects to OpenSSO, or logout shows "page not available" or similar.
Most likely, the URLs in the configuration are incorrect. Check the logs, and verify the URLs for login, logout and service.

3. I was logged in to OpenSSO as joebloggs when enabling OpenSSO, and also saw a success message on save. But now, after logout, I cannot log in?
Does it say "Server not found" or similar? If so, you most likely entered an incorrect login URL. How do you fix it when you cannot log in? Go directly to the OpenSSO login URL and log in as joebloggs. Then go to Liferay and you will be single signed-on. Fix the login URL now.

Bugs fixed:

  1. LEP-4076
  2. LEP-5943
  3. LEP-5187

Comments

The OpenSSO user uid should be set to test, or the Liferay test account screen name must be set to joebloggs. Choose one of the two options.

Posted on 10/20/08 7:10 AM.

OpenSSO does work on Tomcat. All you need to do is follow the steps described at http://docs.sun.com/app/docs/doc/820-3320/ggwyv?a=view.

In short: you need to set the system property com.iplanet.am.cookie.c66Encode=true

Posted on 3/4/09 11:49 PM.

Can someone tell me how to configure LR 5.2 so that I have a publicly viewable area where anonymous visitors don't have to log in? After I have enabled OpenSSO, I always get redirected to the OpenSSO login screen.

Posted on 3/13/09 5:49 AM.

Can somebody tell me where this information is stored so I can disable/enable it manually? After I enable it, if something goes wrong I have to reinstall everything.

Posted on 5/11/09 9:50 AM.

To enable or disable OpenSSO manually, search for 'open.sso.auth.enabled' inside lportal.script (I'm using WebLogic 10.3, so I found it inside my ..user_projects\domains\data\hsql\lportal.script). Set this to true or false to switch oSSO on or off.

Posted on 5/11/09 11:54 PM in reply to Jose 67z.

Thanks a lot, I found it. To be more specific, the value exists in a table called portletpreferences.

In order to find the row with that info you can use (replace lportal with your DB schema name):
SELECT * FROM lportal.portletpreferences p where preferences like '%open.sso%'

Posted on 5/12/09 9:47 AM in reply to Nikhil Francis.

I am also having issues getting this done. If you have found the solution, let me know.
Regards
Rajiv

Posted on 5/13/09 6:45 AM in reply to Gerhard Hofweber.

To remove the OpenSSO settings, if needed:
1) shutdown the portal
2) Run script: delete from PortletPreferences where portletId = 'LIFERAY_PORTAL';
3) re-start the portal

Posted on 8/13/09 4:38 PM.

When OpenSSO and Liferay are in the same domain (e.g., localhost) with the setting (default configuration) "Encode Cookie Value = True", then it is working fine.

And when OpenSSO and Liferay are in the same domain (e.g., localhost) with the setting (custom configuration) "Encode Cookie Value = True"
with LDAP settings:
ldap://docs.cignex.com:10389
ou=users,ou=system
uid=admin,ou=system

Then it is working fine, too.

That is, OpenSSO and Liferay portal must be in the same domain.

Posted on 9/9/09 10:38 AM in reply to Jonas Yuan.

OpenSSO and Liferay portal must be in the same domain.
The issue was reported as
http://issues.liferay.com/browse/LPS-4896

Posted on 11/11/09 5:27 AM in reply to Jonas Yuan.

Can we use the same login portlet for OpenSSO login by customizing it?

I don't need to go to the OpenSSO page.

Is there any way?
Please help me.

Posted on 1/20/10 8:13 AM in reply to Jonas Yuan.
