This is intended as a How-To for OpenSSO integration with MS SharePoint and Active Directory. I found that there are subtle differences between OpenSSO & Access Manager for this integration. This was written to show the steps used by myself and Gary Shellenbarger while creating a working lab environment.
Pre-requisites:
- OpenSSO Enterprise 8.x
- SharePoint 2007 (a trial virtual machine image for SharePoint is available for download)
- Active Directory (Windows Server 2003 was used in this example)
- Java 1.4 or later installed on the SharePoint Server
This How-To assumes you have installed SharePoint 2007, Active Directory and OpenSSO.
NOTE: As of this writing, the Windows DesktopSSO and Certificate authentication modules require a custom plug-in, as they do NOT work with the ReplayPasswd plug-in.
Download the Agent software to the SharePoint server:
- Be sure to download the appropriate agent (for SharePoint 2007).
OpenSSO Configuration
- Create an Agent Profile to be used by the Policy Agent.
- Login to OpenSSO as amadmin
- Click "Access Control" -> "Top Level realm" -> Agents
- Click "2.2 Agents"
- Click "New" button
- Enter Agent Name (i.e. spAgent)
- Enter Password (i.e. changeit)
- Click "Create"
- Generate Password Key
- Set JAVA_HOME to your JDK (1.4 or higher)
- Execute DESGenKey:
- # java -classpath <path to amserver.jar> com.sun.identity.common.DESGenKey
- Output will be similar to: /yTr4IWcF0k=
- Write this value down; you will enter the same value on the OpenSSO server and in the agent's AMAgent.properties later in these instructions.
- Add Advanced Properties
- Login to OpenSSO as amadmin
- Click "Configuration"
- Click "Servers and Sites"
- Select the OpenSSO server from the list
- Click "Advanced"
- Add the following properties
- Property: com.sun.am.replaypasswd.key
- Value: Enter the value of the DESGenKey (i.e. /yTr4IWcF0k=)
- Property: com.sun.am.sharepoint_login_attr_name
- Value: Enter the SharePoint login attribute, that is, the attribute in the user repository that SharePoint uses to authenticate users. In this case, enter saMAccountName.
- Click "Save"
- Add Post Authentication Plug-in
- Login to OpenSSO as amadmin
- Click "Access Control" -> "Top Level realm"-> "Authentication"
- Click "Advanced"
- Scroll down to "Authentication Post Processing Classes"
- Add: com.sun.identity.authentication.spi.ReplayPasswd
- Click "Save"
- Add Active Directory Authentication Module with the following Values (use defaults unless otherwise stated here):
- Primary Active Directory Server: IP or DNS name and port of AD server (i.e. 192.168.0.13:389)
- DN to Start User Search: <root suffix of AD> (i.e. dc=company,dc=com)
- DN for Root User Bind: cn=administrator,cn=users,dc=company,dc=com
- Password for Root User Bind: <administrator password>
- Password for Root User Bind (confirm):<administrator password>
- Attribute Used to Retrieve User Profile: saMAccountName
- Attributes Used to Search for a User to be Authenticated: saMAccountName
- Search Scope: SUBTREE
- Return User DN to Authenticate: uncheck this box
- Click "Save"
- Create AD Auth Chain
- The AD Auth Chain should contain: AD -> Required
- Make this the default authentication chain
- restart OpenSSO
Agent Installation
This step only needs to be done once, as the resulting file (C:\amconfig.txt) may be copied to other servers, edited as appropriate, and reused in the next section.
- Copy the Agent to the SharePoint server and Unzip it (i.e. c:\web_agents)
- Open a Command window and change directory:
- cd c:\web_agents\iis6_agent\bin
- Run the following script (Case Sensitive):
- cscript IIS6CreateConfig.vbs c:\amconfig.txt
- Accept the default on the first question ("Enter the Agent Resource File Name [IIS6Resource.en] :").
- Enter the FQDN of the SharePoint Server
- Select the number pertaining to the SharePoint web site. The configuration script lists the IIS web sites hosted in the IIS instance and numbers each one with its site identifier; the default is identifier 1. In this example, the identifier looked something like "1701188044".
- Enter the protocol with which the web site can be accessed.
- Enter the correct port number for SharePoint website
- Accept the default for the next question (“Agent Deployment URI [/amagent] :”).
- Enter the hostname of the first OpenSSO server.
- Enter the protocol with which OpenSSO can be accessed.
- Enter the correct port number for OpenSSO
- Enter the deploy URL for OpenSSO (i.e. /opensso)
- Enter the URL for the OpenSSO console (i.e. /opensso)
- For Shared Secret, enter the password for the Agent Profile created above (i.e. changeit)
- Re-Enter the Shared Secret
- Deploy the Agent
- cd c:\web_agents\iis6_agent\bin
- cscript IIS6AuthAdmin.vbs -config c:\amconfig.txt
- NOTE: The above command is Case Sensitive
- When asked for “Enter the Agent Resource File Name [IIS6Resource.en]:”, accept the default.
- Modify AMAgent.properties
- Edit c:\web_agents\iis6_agent\Identifier_<unique identifier>\config\AMAgent.properties
- Change the value of the property com.sun.am.policy.am.username from UrlAccessAgent to the name of the 2.2 Agent profile created earlier (i.e. spAgent).
- Add a new line to the file: com.sun.am.replaypasswd.key = <value of DESGenKey created earlier> (i.e. /yTr4IWcF0k=). This must be the same value that was entered in the OpenSSO server's advanced properties.
- Set the property com.sun.am.policy.agents.config.do_sso_only = true (this is not required, but it eliminates the need to create policies to get this working)
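The ReplayPasswd mechanism only works when the key entered in the OpenSSO server's advanced properties (above) and the key in AMAgent.properties are identical, and when the agent authenticates as the 2.2 Agent profile rather than the default UrlAccessAgent. The following script is an added example, not part of this How-To or of the OpenSSO/agent distribution: it parses an AMAgent.properties file and cross-checks it against the two server-side property values. The property names are the ones configured in this document; the sample file contents and the server values are constructed for illustration (the key /yTr4IWcF0k= is the example value from this document).

```python
"""Cross-check the ReplayPasswd settings on the OpenSSO server and the IIS agent.

Added example (not from the How-To). Property names are those the How-To
configures; the sample values below are constructed for illustration.
"""
import base64
import re

# Property names from the How-To (server-side advanced properties and agent file).
SERVER_KEY_PROP = "com.sun.am.replaypasswd.key"
SERVER_LOGIN_ATTR_PROP = "com.sun.am.sharepoint_login_attr_name"
AGENT_KEY_PROP = "com.sun.am.replaypasswd.key"
AGENT_USERNAME_PROP = "com.sun.am.policy.am.username"
AGENT_SSO_ONLY_PROP = "com.sun.am.policy.agents.config.do_sso_only"
DEFAULT_AGENT_USERNAME = "UrlAccessAgent"   # the value the agent ships with

# Constructed sample: the two advanced properties as typed into the OpenSSO console.
SAMPLE_SERVER_PROPS = {
    SERVER_KEY_PROP: "/yTr4IWcF0k=",
    SERVER_LOGIN_ATTR_PROP: "saMAccountName",
}

# Constructed sample of an edited AMAgent.properties (only the relevant lines).
SAMPLE_AGENT_PROPERTIES = """\
# Agent profile used to authenticate to OpenSSO
com.sun.am.policy.am.username = spAgent
com.sun.am.policy.agents.config.do_sso_only = true
# Key used to decrypt the replayed password; must match the server
com.sun.am.replaypasswd.key = /yTr4IWcF0k=
"""


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Handles '#'/'!' comment lines, '=' ':' or whitespace separators, and
    backslash line continuations; escape sequences are left as-is.
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):           # continuation: join with the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def looks_like_des_key(value):
    """DESGenKey emits a base64-encoded 8-byte DES key (12 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 8
    except ValueError:
        return False


def check_replaypasswd_config(server_props, agent_properties_text):
    """Return a list of problems; an empty list means both sides agree."""
    agent = parse_properties(agent_properties_text)
    problems = []

    server_key = server_props.get(SERVER_KEY_PROP, "")
    if not looks_like_des_key(server_key):
        problems.append(f"server {SERVER_KEY_PROP} is missing or not a DESGenKey value")
    if not server_props.get(SERVER_LOGIN_ATTR_PROP):
        problems.append(f"server {SERVER_LOGIN_ATTR_PROP} is not set")

    agent_key = agent.get(AGENT_KEY_PROP, "")
    if not agent_key:
        problems.append(f"agent {AGENT_KEY_PROP} line is missing from AMAgent.properties")
    elif agent_key != server_key:
        problems.append(f"agent {AGENT_KEY_PROP} does not match the server value")

    username = agent.get(AGENT_USERNAME_PROP, "")
    if not username or username == DEFAULT_AGENT_USERNAME:
        problems.append(f"agent {AGENT_USERNAME_PROP} is still '{username or '<empty>'}'; "
                        "set it to the 2.2 Agent profile name")

    # Optional per the How-To, but without it OpenSSO policies must cover the site.
    if agent.get(AGENT_SSO_ONLY_PROP, "").lower() != "true":
        problems.append(f"note: {AGENT_SSO_ONLY_PROP} is not true, so policies are required")
    return problems


if __name__ == "__main__":
    found = check_replaypasswd_config(SAMPLE_SERVER_PROPS, SAMPLE_AGENT_PROPERTIES)
    print("\n".join(found) if found else "ReplayPasswd configuration is consistent")
```

To run it against a real installation, read c:\web_agents\iis6_agent\Identifier_<unique identifier>\config\AMAgent.properties into the second argument and pass the two values you typed into the console as the first; a non-empty result names the side that needs fixing before IIS is restarted.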
- Restart IIS
Test
Verify AD Authentication works:
- In a browser, go to: http://<fqdn of OpenSSO Server>/<deploy URI> (i.e. http://opensso.company.com/opensso)
- You should get prompted to enter your AD credentials. Enter credentials (saMAccountName & Password).
- If authentication fails, go back and troubleshoot the AD Auth Module configuration.
Test SharePoint Login
- In a browser, go to: http://sharepoint.company.com
- You should get redirected to the OpenSSO login page.
- Enter saMAccountName & Password & Click Login
- You should get redirected back to the SharePoint server and see content.
This document uses some information from others as well as original content. For reference, please see the following documents:
Jeff Nester's How-To for SharePoint & Access Manager 7.x
Robertis Tongbram's Reference Documentation for SharePoint Integration