[gatein-issues] [JBoss JIRA] Created: (GTNPORTAL-995) OpenSSO integration issues

Marek Posolda (JIRA) jira-events at lists.jboss.org
Fri Mar 26 11:47:44 EDT 2010


OpenSSO integration issues
--------------------------

                 Key: GTNPORTAL-995
                 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-995
             Project: GateIn Portal
          Issue Type: Sub-task
      Security Level: Public (Everyone can see)
          Components: Documentation
    Affects Versions: 3.0.0-GA
         Environment: GateIn-3.0.0-GA + JBoss 5.1 bundle,
OpenSSO 8.0 on Tomcat 6.0.18, OpenSSO 8.0-Update1 on Tomcat 6.0.18 (I tried both),

            Reporter: Marek Posolda
            Assignee: Luc Texier


OpenSSO integration was the most problematic, and I was not able to integrate it without doing additional steps in my environment. 

So here it is. I did this in a clean environment: 

- I deployed OpenSSO 8.0-update1 to Tomcat 6.0.18, 
- I followed all the instructions in the reference guide, section 3.4, 
- I created the "Default configuration" when I first accessed http://localhost:8888/opensso 

Even after doing this I didn't have a gatein realm in my OpenSSO, and I was not able to use the authentication module called "AuthenticationPlugin", which is used for GateIn authentication. So I also did these steps: 

1) Log in to OpenSSO as amadmin, then go to tab "Configuration" -> tab "Authentication" -> link "Core" -> add a new value and fill in the class "org.gatein.sso.opensso.plugin.AuthenticationPlugin". This step is really important. Without it, AuthenticationPlugin is not available among the other OpenSSO authentication modules. 

2) Go to tab "Access control" and create a new realm called "gatein". 

3) Go to my gatein realm and click the tab "Authentication". Then click "ldapService" at the bottom of the page in the section Authentication chaining. There I changed "Datastore", which is the default module in the authentication chain, to "AuthenticationPlugin". This enables authentication of realm "gatein" with the GateIn REST service instead of the OpenSSO LDAP server. 

4) In the authentication settings of realm "gatein", I went to "Advanced properties" and changed UserProfile from "Required" to "Dynamic". This step is needed because gatein users are not in the OpenSSO Datastore (LDAP server), and so their profile can't be obtained if "Required" is active. With "Dynamic", all authenticated users are automatically created in the OpenSSO datastore after successful authentication. 

5) User privileges need to be increased in OpenSSO. Otherwise the method org.gatein.sso.agent.opensso.OpenSSOAgent.getSubject will fail in GateIn when obtaining data from the OpenSSO RESTful interface due to insufficient privileges. 
So in the OpenSSO console, I went to "Access control" -> Top level realm -> "Privileges" tab -> All authenticated users -> checked the last two checkboxes: 
- Read and write access only for policy properties 
- Read and write access to all realm and policy properties 

I did the same for both the top level realm and the gatein realm.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
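Added example, not part of the JIRA report or of the GateIn/OpenSSO code: the five console steps from the report, expressed as an ssoadm script so they can be repeated on a fresh OpenSSO instance. Everything below is an assumption to be checked against your installation: that ssoadm is set up for this OpenSSO instance, that the subcommand and option names match OpenSSO 8.0's ssoadm, that the console field "Pluggable Authentication Module Classes" is the global attribute iplanet-am-auth-authenticators, that UserProfile "Dynamic" is iplanet-am-auth-dynamic-profile-creation=true, and that the two console checkboxes in step 5 are the privileges PolicyAdmin and RealmAdmin. One caveat a practitioner should keep in mind about step 5: giving RealmAdmin to "All Authenticated Users" in the top level realm makes every user who can log in anywhere a realm administrator, so treat it as a workaround to narrow down to whatever the agent's REST calls actually require, once that has been determined by testing.

```shell
#!/bin/sh
# Added example (assumed ssoadm syntax; not the project's own script).
# Run with DRY_RUN=1 first to review the command lines, then without it
# to apply them. PASSWORD_FILE must contain the amadmin password and
# should be mode 400 and removed afterwards.
set -eu

ADMIN_ID="${ADMIN_ID:-amadmin}"
PASSWORD_FILE="${PASSWORD_FILE:-/tmp/amadmin.pwd}"
REALM="${REALM:-/gatein}"                 # realm created in step 2
SSOADM="${SSOADM:-ssoadm}"                # path to the ssoadm wrapper
PLUGIN_CLASS="org.gatein.sso.opensso.plugin.AuthenticationPlugin"

# Invoke ssoadm with the admin credentials appended, or just print the
# command line when DRY_RUN is set (the password file is never read then).
ssoadm_cmd() {
    set -- "$@" --adminid "$ADMIN_ID" --password-file "$PASSWORD_FILE"
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s' "$SSOADM"; printf ' %s' "$@"; printf '\n'
    else
        "$SSOADM" "$@"
    fi
}

# Step 1: register the GateIn module class globally (Configuration ->
# Authentication -> Core in the console). Assumed attribute name.
register_plugin_class() {
    ssoadm_cmd add-attr-defs --servicename iPlanetAMAuthService \
        --schematype global \
        --attributevalues "iplanet-am-auth-authenticators=$PLUGIN_CLASS"
}

# Step 2: create the realm.
create_realm() {
    ssoadm_cmd create-realm --realm "$REALM"
}

# Step 3: instantiate the module in the realm and make it the only entry
# of the ldapService chain (replacing the default Datastore module).
chain_plugin() {
    ssoadm_cmd create-auth-instance --realm "$REALM" \
        --name AuthenticationPlugin --authtype AuthenticationPlugin
    ssoadm_cmd update-auth-cfg-entries --realm "$REALM" --name ldapService \
        --entries "AuthenticationPlugin|REQUIRED|"
}

# Step 4: UserProfile = Dynamic, so users unknown to the datastore are
# created on first successful login instead of being rejected.
set_dynamic_profile() {
    ssoadm_cmd set-realm-svc-attrs --realm "$REALM" \
        --servicename iPlanetAMAuthService \
        --attributevalues iplanet-am-auth-dynamic-profile-creation=true
}

# Step 5: the two privileges the report enables for All Authenticated
# Users, in both the top level realm and the gatein realm. RealmAdmin is
# full realm administration; narrow this once the agent's real needs are known.
grant_privileges() {
    for r in / "$REALM"; do
        ssoadm_cmd add-privileges --realm "$r" --idtype role \
            --idname "All Authenticated Users" \
            --privileges PolicyAdmin RealmAdmin
    done
}

configure_gatein_realm() {
    register_plugin_class
    create_realm
    chain_plugin
    set_dynamic_profile
    grant_privileges
}

# Only apply when explicitly asked: `sh configure-gatein-realm.sh apply`
case "${1:-}" in
    apply) configure_gatein_realm ;;
esac
```

With DRY_RUN=1 the script prints seven ssoadm command lines and touches nothing; diff that output against what `ssoadm --help` accepts on your OpenSSO version before running it for real.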