Single Sign-On using OpenSSO.
OpenSSO was earlier called Access Manager.
OpenFM is OpenSSO + federation (cross-domain support?).
It was a herculean effort to get it going with OpenFM/OpenSSO.
- Access Manager (OpenSSO/OpenFM) configuration:
- The first thing I came across when deploying openfm.war on Linux was as below:
- The first time you go to http://localhost:8080/openfm and try to configure OpenFM, it gives an error with no stack trace, nothing. It misleads you with a path to a log file which you can find in their (SSO developers') dreams. GRRRR. Had to search around in Red Hat Enterprise Linux 5. Later figured out that it creates a folder with the name @BASEDIR@ under tomcat/bin/... Who can imagine a cryptic folder for logging SSO errors, that too under tomcat/bin/... Wasted almost 1.5 days on that....
- In another version of Linux, the above didn't work out. It was in the Tomcat logs, catalina.out. Lucky!!
- The problem usually tends to be due to the wrong JDK. The Sun JCE comes by default with the Sun JDK but not with the IBM JDK. OpenSSO uses the Sun JCE for encrypting passwords.
- Another important thing: the first time you set up Access Manager you should be careful. The next time, if you try setting it up again (by deploying a new openfm.war), it complains. Under Windows you can simply delete the Access Manager folder created during installation (the default is C:\Doc and settings\user name\)...
- Under Linux it should be somewhere under /home/ by default. Search for it using locate. The custom path would be the one you set OpenSSO up with using Configurator.jsp.
- If you mess up Access Manager by configuring the authentication chain or the data store, the workaround is to use the default module (DataStore) as a URL parameter, e.g. http://localhost:8080/openfm/UI/Login?module=DataStore
- By default OpenFM ships with a set of authentication plugins like JDBC, LDAP-based, etc. Our requirement was to compare the password the user entered with an MD5-encrypted password. Hence we had to build a custom authentication plugin. Luckily Sun provides a service provider interface (SPI). Implementing this was a major effort as there is hardly any documentation or forum talking about it. Took a shortcut by extending the Sun-provided com.sun.identity.authentication.modules.jdbc.JDBC.java and overriding the transform() method. It works smoothly.
- Move the custom authentication jar which you wrote (opensso_xmp_plug_v1.0.1.jar) into the ~/openfm/WEB-INF/lib folder. All the related property files should be on the classpath.
- Copy the custom authentication JDBC configuration file, amAuthxmpJDBC.xml, into the ~/openfm/WEB-INF/classes folder. Refer to amAuthJDBC.xml in the same folder for creating a similar one for your custom auth module.
- Register the module in serviceNames.properties, available under openfm/WEB-INF/classes, to have amAuthXMPJDBC.xml. (Add amAuthxmpJDBC.xml at the end.)
- Copy XMPJDBC.xml into ~/openfm/config/auth/default.
- Restart Tomcat.
- Log in to Access Manager, go to Configuration -- Authentication -- Core, enter com.xmp.security.plugin.XMPJDBC as the New Value and click Add to configure the new service.
- Go to Access Control and select the realm (opensso). Click Authentication > Module Instances and add the previously configured XMPJDBC module to the authentication chain as shown below. Save the information.
- Now the OpenSSO login will use the xmpJDBC module as the default for authentication. If you want to log in as the amAdmin user, module=DataStore needs to be added to the login URL (like http://localhost/openfm?module=DataStore).
- Log in with a valid userId and password (sample xello@xello.com/xello). The user is taken to the successful login page.
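As an added illustration of what the transform() override in such a plugin has to do, here is the hash-and-compare logic written against the JDK alone. This is not the opensso_xmp_plug jar and not OpenSSO's own code; the class Md5PasswordTransform and its method names are hypothetical, and the wiring into the JDBC module (which the post does by extending JDBC.java) is left out because the page does not show that signature. The stored value is an MD5 hex digest, so the entered password is hashed and the two digests are compared in constant time; nothing is ever decrypted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical MD5 transform for a JDBC-backed OpenSSO auth module (added
 * example, not the plugin from the post). The entered password is hashed and
 * compared with the hex digest kept in the user table.
 */
public class Md5PasswordTransform {

    /** Hex-encode a byte array, lower case, two characters per byte. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** The transform step: plaintext in, lower-case MD5 hex digest out. */
    public String transform(String input) {
        if (input == null) {
            throw new IllegalArgumentException("password must not be null");
        }
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            return toHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            // Every JDK must provide MD5, so this only fires when the JCE
            // provider setup is broken, the JDK problem noted earlier in the post.
            throw new IllegalStateException("MD5 provider missing", e);
        }
    }

    /**
     * Compare the transformed entered password with the stored digest.
     * MessageDigest.isEqual runs in constant time, so the comparison does not
     * leak how many leading characters matched. The stored value is lower-cased
     * because some tables keep upper-case hex.
     */
    public boolean matches(String entered, String storedHexDigest) {
        if (entered == null || storedHexDigest == null) {
            return false;
        }
        byte[] computed = transform(entered).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHexDigest.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) {
        Md5PasswordTransform t = new Md5PasswordTransform();
        // Constructed sample: the digest of the post's sample password "xello",
        // as it would sit in the user table.
        String storedDigest = t.transform("xello");
        System.out.println("transform(\"xello\") = " + storedDigest);
        System.out.println("correct password matches: " + t.matches("xello", storedDigest));
        System.out.println("wrong password matches:   " + t.matches("xell0", storedDigest));
    }
}
```

Unsalted MD5 is what the existing table dictates here; if the schema can change, a salted, iterated hash is the better target for a new deployment. Either way the comparison should stay constant-time, as above, rather than a plain String.equals on the hex strings.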
NOTE:
- Once a user is logged in successfully, Access Manager by default looks for the user's profile through the Id repo. This is the default behaviour. It can be overridden by setting the property in realm (opensso) -- Authentication -- Advanced (look profile) to Ignored.
- Using a custom com.sun.identity.agents.filter.SSOTaskHandler class, we can insert a session attribute which is used by the SSO agent/application for auto-login (discussed later; for now, the agent is like a client to OpenSSO). The sample code is below:

    package com.sun.identity.agents.filter;

    import com.sun.identity.agents.arch.AgentException;

    public class SSOTaskHandler extends AmFilterTaskHandler implements ISSOTaskHandler {
        // ... (elided in original)

        public AmFilterResult process(AmFilterRequestContext amfilterrequestcontext) throws AgentException {
            // ... (elided in original: the SSO validation that yields ssovalidationresult)

            // Store the validation result in the HTTP session so the
            // application can read it later for auto-login.
            amfilterrequestcontext.getHttpServletRequest().getSession()
                .setAttribute("SSO_VALIDATION_RESULT", ssovalidationresult);

            // ... (elided in original)
        }

        // ... (elided in original)
    }
TODO: J2EE agent
The J2EE agent 007 would be hiding in the web application root web.xml (as AmAgentFilter) to provide secured access. ;)
AMAgent.properties is where all the good behaviours of the badly behaving J2EE agent are configured. It is generated by the amadmin tool and updated later. Check below for only the important parameters to update manually.
----------------------------------------------------------------------------------------------------------
#
# CDSSO PROCESSING PROPERTIES
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://172.20.41.39:6060/openfm/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://172.20.41.39:6060/openfm/cdcservlet
#
# LOGOUT PROCESSING PROPERTIES
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[DefaultWebApp] =/web/xmpXMS/logout
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[DefaultWebApp] =/web/xmpXMS/home
#
# NOT-ENFORCED URI PROCESSING PROPERTIES
# - notenforced.uri: A LIST of URIs for which protection is not enforced
# by the Agent.
# - notenforced.uri.invert: A flag that specifies if the list of URIs
# specified by the property notenforced.uri should be inverted. When
# set to true, it indicates that the URIs specified should be enforced
# and all other URIs should be not enforced by the Agent. Entries in
# this list can have wild card character '*'.
# Example of notenforced.uri:
# com.sun.identity.agents.config.notenforced.uri[0]=*.gif
# com.sun.identity.agents.config.notenforced.uri[1]=/public/*
# com.sun.identity.agents.config.notenforced.uri[2]=/images/*
#
com.sun.identity.agents.config.notenforced.uri[0] =
com.sun.identity.agents.config.notenforced.uri.invert = false
com.sun.identity.agents.config.notenforced.uri.cache.enable = true
com.sun.identity.agents.config.notenforced.uri.cache.size = 1000
#
# DEBUG SERVICE PROPERTIES
# - com.iplanet.services.debug.level: Specifies the debug level to be used.
# The value is one of: off, error, warning, message. ******** Funny thing, debug is missing but it actually is very useful for developers********
com.iplanet.services.debug.level=debug
--------------------------------------------------------------------------------------------------------------
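To make the not-enforced list semantics concrete, in particular the invert flag, here is an added, hypothetical evaluator (not part of the agent and not from the post) that loads the same property names as the excerpt above and answers whether a given request URI is enforced by the agent. The glob handling, where '*' matches any run of characters, is a simplifying assumption about the real agent's matcher; the class NotEnforcedPolicy and its methods are made up for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

/**
 * Hypothetical evaluator for the agent's not-enforced URI list (added example).
 * Reads com.sun.identity.agents.config.notenforced.uri[N] and ...uri.invert
 * and decides whether the agent enforces SSO on a URI. '*' is treated as
 * "any run of characters", a simplification of the real agent's matcher.
 */
public class NotEnforcedPolicy {
    private final List<Pattern> patterns = new ArrayList<Pattern>();
    private final boolean invert;

    public NotEnforcedPolicy(Properties props) {
        // Collect notenforced.uri[0], [1], ... up to the first missing index.
        for (int i = 0; ; i++) {
            String value = props.getProperty("com.sun.identity.agents.config.notenforced.uri[" + i + "]");
            if (value == null) break;
            value = value.trim();
            if (value.isEmpty()) continue;   // an empty entry, as in the excerpt, matches nothing
            patterns.add(globToRegex(value));
        }
        invert = Boolean.parseBoolean(
            props.getProperty("com.sun.identity.agents.config.notenforced.uri.invert", "false"));
    }

    /** Turn a '*' glob into an anchored regex, quoting everything else literally. */
    static Pattern globToRegex(String glob) {
        String[] parts = glob.split("\\*", -1);   // -1 keeps a trailing empty part for "/public/*"
        StringBuilder re = new StringBuilder("^");
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) re.append(".*");
            if (!parts[i].isEmpty()) re.append(Pattern.quote(parts[i]));
        }
        return Pattern.compile(re.append("$").toString());
    }

    boolean listed(String uri) {
        for (Pattern p : patterns) {
            if (p.matcher(uri).matches()) return true;
        }
        return false;
    }

    /** invert=false: listed URIs are exempt. invert=true: only listed URIs are enforced. */
    public boolean isEnforced(String uri) {
        return invert ? listed(uri) : !listed(uri);
    }

    public static NotEnforcedPolicy fromText(String propertiesText) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(propertiesText));
        return new NotEnforcedPolicy(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed excerpt using the example entries from the AMAgent.properties comments.
        String cfg =
            "com.sun.identity.agents.config.notenforced.uri[0]=*.gif\n" +
            "com.sun.identity.agents.config.notenforced.uri[1]=/public/*\n" +
            "com.sun.identity.agents.config.notenforced.uri[2]=/images/*\n" +
            "com.sun.identity.agents.config.notenforced.uri.invert=false\n";
        NotEnforcedPolicy policy = fromText(cfg);
        for (String uri : new String[] {"/web/xmpXMS/home", "/public/help.html", "/logo.gif", "/images/x.png"}) {
            System.out.println(uri + " enforced=" + policy.isEnforced(uri));
        }

        // The inversion pitfall: invert=true with an empty list leaves nothing enforced.
        NotEnforcedPolicy inverted = fromText(
            "com.sun.identity.agents.config.notenforced.uri[0]=\n" +
            "com.sun.identity.agents.config.notenforced.uri.invert=true\n");
        System.out.println("/web/xmpXMS/home enforced with invert=true and empty list: "
            + inverted.isEnforced("/web/xmpXMS/home"));
    }
}
```

The second run in main shows why the flag deserves a check before going live: with invert=true the list becomes the only set of protected paths, so an empty or incomplete list silently exempts the whole application. With the debug level set to debug as in the excerpt, the agent's own log is the place to confirm which rule a request actually hit.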
TODO: Web Agent