Steffo's Echolot


Only technical stuff here.
« Integration of IDM... | Main | A standalone OpenSSO... »
Monday Sep 24, 2007

OpenSSO with OpenID (on the Mac featuring Glassfish)

I've been asked for this a couple of times. Building and getting the OpenID extension for OpenSSO running
is no rocket science but there is no clear 'how to' document available. Here is what I do; the components I'm using are:

  • Sun Java System Directory Server 6 (from Java Enterprise System 5.1, running on Solaris 10U4 (Parallels))
  • Glassfish v2
  • Java "1.5.0_07" (Apple Build)
  • NetBeans 6.0M10 (to build the OpenID endpoint for OpenSSO)
  • OpenID Client (from the Python libs at http://www.openidenabled.com/)

I assume that you have already downloaded and deployed OpenSSO in the Glassfish application server. Also, you must be able to successfully login to OpenSSO's console as 'amadmin'.

Overall Scenario

We will setup 4 (HTTP) services:

  • A site-simulator for an OpenID enabled website (OpenID client) listening at openid.init8.net:8001 (openid.init.net is an alias for 127.0.0.1 - loopback)
  • An Apache server which serves your OpenID (http://teufelchen.init8.net/steffo). The 'index.html' delivered by this service contains a reference to the OpenID endpoint (i.e. OpenID extension for OpenSSO)
  • OpenID endpoint at teufelchen.init8.net:18080/openid/service
  • OpenSSO server at teufelchen.init8.net:8080/fam

The 4 components correspond to the ones used by Sun's deployment (as described in Hubert's blog: the relying party (Python client), the OpenID Identifier Server (Apache), OpenID Extension (OpenID Endpoint at 18080), Login (OpenSSO server at 8080). There is no registration component in our example. Users are either created from the OpenSSO console or privioned to an LDAP data source.

Step 1. Download and build the OpenID extension

First, login to OpenSSO's console and create an account to be used by the OpenID extension (the OpenID extension is an OpenSSO client which tries to authenticate against the OpenSSO server).

  1. Goto http://teufelchen.init8.net:8080/fam/UI/Login?service=ldapService
  2. Next select your realm and click on the Subjects tab.
  3. You should see different sub-tabs: User, Agent, Filtered-Role etc. Click on 'Agent'
  4. Click on 'New' and create a new agent of type Webservice Security Provider. Choose e.g. 'openid' and 'password' as ID and credentials.

Second, checkout the OpenSSO source code via

cvs -d :pserver:yourlogin@cvs.dev.java.net:/cvs checkout opensso

an save the result in e.g. ~/Projects/OpenSSO/src. Next, dowload the OpenSSO ClientSDK and save the JAR famclientsdk.jar in e.g. ~/Projects/OpenSSO/clientSDK/. The client SDK is needed by the OpenID extension.

The OpenID extension is at: opensso/extensions/openid/provider/ in the OpenSSO source tree. You'll also find a build.xml with all the necessary targets there. Now copy the following JARs to opensso/extensions/openid/provider/extlib:

  • commons-codec-1.3.jar (from Apache common codecs)
  • j2ee.jar (from Glassfish libs)
  • famclientsdk.jar (you've just downloaded this one)
  • jsf-facelets.jar (jave.net site)

Setup a NetBeans project; I used 'Java Project with existing Ant script'. Make sure you add the above JARs to your NetBeans project. There are two properties files which are crucial

  • AMConfig.properties
  • Provider.properties

More information can be found the extension's README

AMConfig.properties

AMConfig.properties contains configuration information required by the OpenSSO client SDK (do not mix up this one up with the OpenSSO server configuration file which has the same name but resides somewhere at /etc/OpenSSO or /etc/SUNWam - you've been asked for the exact location during the OpenSSO installation). Make sure that everything in this file is correct. Also check that the debug directity exists and that the naming URL is correct. Here are the keys that work for my setup: 

com.iplanet.services.debug.level=warning
com.iplanet.services.debug.directory=/tmp
com.iplanet.am.notification.url=http://teufelchen.init8.net:8080/fam/notificationservice
# This is the ID of the Webservice Security Provider you created above
com.sun.identity.agents.app.username=openid
# And that's the password in clear text
com.iplanet.am.service.password=password
# And that's the encrypted password (obtained from running 'ampassword')
com.iplanet.am.service.secret=AQICJZXYu2vVsQ/WAwEdJh/x3+m2+daOUe3Y
# Check your sever's AMConfig.properties for the next value
am.encryption.pwd=AQICJZXYu2vVsQ/WAwEdJh/x3+m2+daOUe3Y
com.sun.identity.client.encryptionKey=AQICJZXYu2vVsQ/WAwEdJh/x3+m2+daOUe3Y
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.sun.identity.idm.remote.notification.enabled=true
com.iplanet.am.sdk.remote.pollingTime=1
com.sun.identity.sm.notification.enabled=true
com.sun.identity.sm.cacheTime=1
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=teufelchen.init8.net
com.iplanet.am.server.port=8080
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.session.client.polling.enable=true
com.iplanet.am.session.client.polling.period=180
com.iplanet.am.admin.cli.certdb.dir=@CONTAINER_CERTDB_DIR@
com.iplanet.am.admin.cli.certdb.prefix=@CONTAINER_CERTDB_PREFIX@
com.iplanet.am.admin.cli.certdb.passfile=@BASEDIR@/@PRODUCT_DIR@/config/.wtpass
com.sun.identity.agents.server.log.file.name=/tmp/amRemotePolicyLog
com.sun.identity.agents.logging.level=NONE
com.sun.identity.agents.notification.enabled=false
com.sun.identity.agents.notification.url=@NOTIFICATION_URL@
com.sun.identity.agents.polling.interval=3
com.sun.identity.policy.client.cacheMode=subtree
com.sun.identity.liberty.ws.soap.supportedActors=http://schemas.xmlsoap.org/soap/actor/next

Make sure, that in your setup, the values of the server's and client's AMConfig.properties match.

Provider.properties

There are only a few keys here. 

openid.provider.service_url=http://teufelchen.init8.net:18080/openid/service
openid.provider.identity_pattern=http://teufelchen.init8.net/(.+)
# The next one is the Universal ID pattern of your OpenSSO installation
openid.provider.principal_pattern=id=(.+),ou=user,dc=init8,dc=net
openid.provider.encryption_key=mXiwLS8bsVBjQJ+dw13lTw==
openid.provider.login_url=http://teufelchen.init8.net:8080/fam/UI/Login?goto=
openid.provider.simple_registration=true
openid.provider.external_target=_blank
openid.provider.strict_protocol=false

You can now build the OpenID extension by selecting the target 'war'.

I deployed the 'provider.jar' at http://teufelchen.nit8.net:18080/openid. Browse to http://teufelchen.nit8.net:18080/openid and you should see the service end point.

Step 2. Configuring your OpenID URL and create a user in OpenSSO

The OpenID URL I want to use is: "http://teufelchen.init8.net/steffo". Browsing to this URL should retrieve the document at $DOCROOT/steffo/index.html. I used Apache's standard 'index.html' (the one that gives you the 'Seeing this instead of the website you expected?') and pasted the following between th HEAD tag:

<link rel="openid.server" href="http://teufelchen.init8.net:18080/openid/service"/>

You also have to create a user in OpenSSO. The ID of that user depends on the OpenID you want to use. If you want to use "http://teufelchen.init8.net/steffo", create a user "steffo". Note that this user might reside in an external LDAP (in which case you have to configure an appropriate authentication module and data source - but that's not required for this sample).

Step 3. Download and install the OpenID client

Download the Python libs at http://www.openidenabled.com/ . Follow the installation instructions and edit the file 'consumer.py' in the examples directory. Modify the following keys: 

OPENID_PROVIDER_NAME = 'OpenSSOOpenID'
OPENID_PROVIDER_URL ='http://teufelchen.init8.net:18080/openid/service'

You can now start the consumer from the command shell: python consumer.py --port 8001

This sets up an HTTP service. The above command outputs something like:

Server running at:
http://openid.init8.net:8001/

I put a fake entry to /etc/hosts which assigns 127.0.0.1 the name "openid.init8.net". Direct your browser to this URL. You can now enter your OpenID (e.g. http://teufelchen.init8.net/steffo) into the box. Next, you'll be redirected to OPenSSO's login screen. After successfully entering your credential, you'll see a message like

The website http://openid.init8.net:8001/ is requesting confirmation that your OpenID identity is http://teufelchen.init8.net/steffo.

Done.

Posted at 06:44PM Sep 24, 2007 by steffo in Sun  |  Comments[1]

Comments:

Hi Steffo,

I followed your guide to set up an openid provider. I ran into an issue and need your help. When I enter my uri in openid client's box, it redirected me to opennsso login page as expected. After I enter my credentials I got "verification cancelled"
Can you shed some light on this issue. Thank you very much.

Best reqards,

Robert

Posted by Robert Nguyen on December 10, 2008 at 01:10 AM CET #

Post a Comment:
  • HTML Syntax: NOT allowed
Archives
« October 2009
SunMonTueWedThuFriSat
    
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
       
Today


Links



Referrers

Today's Page Hits: 39