External authentication example using OpenSSO

Version 2

    Introduction

     

    PicketLink has a Seam module that enables developers to connect their Seam applications to external identity providers. SAMLv2 as well as OpenID based providers are supported. There is a sample application called seam-sp, which can be used to play around with a very simple Seam application that enables users to login at an OpenID or SAML identity provider.

     

    This article describes how to setup a simple OpenSSO identity provider and connect to it using the seam-sp sample application, which plays the role of the service provider.

     

    Install Glassfish and OpenSSO

     

    First you need to download Glassfish and OpenSSO. I recommend to use Glassfish as the application server for OpenSSO when testing. Using another application server is possible, but needs tweaking.

     

     

    Check that your default Java runtime is a JDK 1.6 VM. Then unzip the glassfish installation file. Open the file

     

    domains/domain1/config/domain.xml

     

    and change port 8080 to port 8888 (we'll use port 8080 later on for JBoss AS). Go to the glassfish/bin directory, and start the server with the command

     

    ./asadmin start-domain domain1

     

    You'll see the server starting up and reporting about the port where the admin console is running:

     

    Waiting for DAS to start .....

    Started domain: domain1

    Domain location: /Users/marcel/Documents/projects/PicketLink/glassfishv3/glassfish/domains/domain1

    Log file: /Users/marcel/Documents/projects/PicketLink/glassfishv3/glassfish/domains/domain1/logs/server.log

    Admin port for the domain: 4848

    Command start-domain executed successfully.

     

    Start a browser and direct it to "http://localhost:4848". The admin console will show up after a while:

     

    glassfish_console.tiff

     

    Choose "Deploy an Application" and select the opensso.war file. Accept all default settings and just choose OK.

     

    Surf to "http://localhost:8888/opensso". You'll see a configuration screen:

    opensso_conf.tiff

    Choose to create a default configuration. Choose passwords and wait until the configuration is complete. Now proceed to the login screen, and sign on with username "amAdmin" and with the admin password that you've just chosen. In the console that appears, choose "Create hosted entity provider". Choose "test" as the signing key, and enter the name "mycircle" for the new circle of trust and accept all other settings without a change. Press the "configure" button and your identity provider has been configured:

     

     

    idp_configured.tiff

    Now click "finish". We'll move on to the service provider part now.


    Deploy and configure seam-sp application on JBoss AS 5.1

     

    We assume you know how to install JBoss AS 5.1 (for SDK 1.6)  and how to deploy the seam-sp war file that is attached to this article. You should deploy it in exploded form (as a directory). If you like to know more about the contents of the seam-sp sample application, you could read this article:

     

    How to add SAML and OpenID authentication to your Seam application

     

     

    Now open the following configuration file in your editor:

     

    deploy/seam-sp.war/WEB-INF/classes/saml-entities.xml

     

    The file that contains the metadata of the trusted SAML identity providers that are used by the application. You'll find an EntityDescriptor element for OpenSSO and one for SSOCircle. Now download the metadata for the OpenSSO IDP that you just installed. It is available at the following URL:

     

    http://localhost:8888/opensso/saml2/jsp/exportmetadata.jsp

     

    Replace the EntityDescriptor element in the saml-entities.xml file with the contents of the metadata file that you downloaded from OpenSSO. By doing this, you are sure that the application uses the correct identity provider metadata.

     

    You can start the application now. Check that the seam-sp application runs by surfing to "http://localhost:8080/seam-sp/PublicPage.seam":

    publicpage.tiff

     

    Configure seam-sp as a service provider in OpenSSO

     

    You still have to tell the OpenSSO identity provider about the service provider that you want to connect. Move back to the OpenSSO admin console. Choose "register remote service provider". It will prompt you for a URL where the metadata of the service provider is located. Fill in the following URL:

     

    http://localhost:8080/seam-sp/MetaDataService.seam

     

    Click on "Configure" and the SP has been added to the circle of trust. Federation setup is complete now.

     

     

    Test login and logout

     

    Move back to the seam-sp sample application and choose to view one of the private pages. You'll be directed to a login page, where you choose to use the OpenSSO identity provider. You'll be redirected to an OpenSSO login window:

     

    opensso_login.tiff

     

    There you sign on with user name "amAdmin" and your administrator password. You're redirected back to the service provider, where you'll see information about your verified identity:

     

    privatepage.tiff

    Choose "Single logout" and you'll be logged out from the seam-sp application as well as from OpenSSO. You can also do a single logout instead, and check that your OpenSSO session is still valid in that case.

     

    Another test you can do is to login at your seam-sp application using OpenSSO, and then, in another tab of the browser, start an IDP initiated single logout by fetching the following URL:

     

    http://localhost:8888/opensso/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=http://localhost:8080/seam-sp

     

    When you move back to the seam-sp tab, and refresh the private page, you'll be redirected to the login page again, because your session has gone.

     

    There are lots of other things to try, such as attribute exchange, signing of authentication requests, connecting a second service provider to the circle of trust, etcetera. I leave that up to your imagination.