From do-not-reply at jboss.org Fri Jan 4 10:23:43 2013 Content-Type: multipart/mixed; boundary="===============3677505435442046109==" MIME-Version: 1.0 From: do-not-reply at jboss.org To: gatein-commits at lists.jboss.org Subject: [gatein-commits] gatein SVN: r9033 - in epp/docs/branches/6.0/Reference_Guide/en-US: modules/AuthenticationAndIdentity and 1 other directory. Date: Fri, 04 Jan 2013 10:23:42 -0500 Message-ID: <201301041523.r04FNgLd002019@svn01.web.mwc.hst.phx2.redhat.com> --===============3677505435442046109== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: ppenicka Date: 2013-01-04 10:23:42 -0500 (Fri, 04 Jan 2013) New Revision: 9033 Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Preface.xml epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIde= ntity/SSO.xml Log: BZ#886289 and BZ#886298 - Final version of OpenAM and SPNEGO single sign-on= docs as submitted for SME review. Bonus: cleaned up File Name Conventions = in Preface - removed unused abbreviations and made the descriptions more ac= curate. Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Preface.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/Preface.xml 2013-01-03 04:5= 8:33 UTC (rev 9032) +++ epp/docs/branches/6.0/Reference_Guide/en-US/Preface.xml 2013-01-04 15:2= 3:42 UTC (rev 9033) @@ -7,9 +7,7 @@ Preface
File Name Conventions - The following naming conventions are used in file paths for read= ability. Each convention is styled so that it stands out from the rest of t= ext: = - = - + The following naming conventions are used in file paths to impro= ve their readability. Each convention is styled so that it stands out from = the rest of the text: @@ -17,24 +15,25 @@ CAS_DIR - The installation root of the Central Authentication Servic= e (CAS) Single Sign-on Framework. This directory is an arbitrary location c= hosen when CAS is downloaded and installed. + + The installation root of the Central Authentication Service (CAS) si= ngle sign-on framework. This directory is an arbitrary location chosen when= CAS is downloaded and installed. + + + This convention is mainly used in . + - HTTPD_DIST - - - The installation root of the Apache httpd server. Apache h= ttpd is a web server used to deploy non-java based applications such as CGI= or PHP. This directory contains the main folders that comprise the server = such as /conf, /webapps, and /bin. - - - - ID_HOME -The JPP_SERVER/gatein/gatein.ear/portal.war/WEB-INF/conf/organiz= ation/ directory, which contains identity-related configuration = resources. This abbreviation is used primarily in . + The JPP_SERVER/gatein/gatein.ear/portal.war/WEB-INF/conf/o= rganization/ directory, which contains identity-related configur= ation resources. = + + + This convention is mainly used in . + 
@@ -42,10 +41,12 @@ JPP_DIST - The installation root of the JBoss Enterprise Application = Platform instance. This folder contains the application server directory, a= s well as supplemental folders containing resources necessary for gatein-ma= nagement and gatein-sso. that comprise the server such as /bin, /standalone, and /gatein. - - For example, if the JBoss Portal Platform binary is extrac= ted to /opt/jboss/JPP/ directory, the JPP= _DIST directory is /opt/jboss/JPP. - + + The installation root of the JBoss Portal Platform instance. For exa= mple, if the JBoss Portal Platform distribution archive is extracted to the= /opt/jboss/JPP/ directory, the JPP_DIST<= /replaceable> directory is /opt/jboss/JPP. = + + + This directory contains the jboss-jpp-<VER= SION>, gatein-management a= nd gatein-sso directories. + 
@@ -53,28 +54,24 @@ JPP_SERVER - The directory containing the application server, and the c= onfiguration files necessary to run JBoss Portal Platform. - This directory contains directories such as /bin= , /standalone, and /gatein. - - Using the example in JPP_DIST, = the JPP_SERVER directory is /opt/jbos= s/JPP/jboss-jpp-&VY;/. + + The JPP_DIST/jboss-jpp-<VERSION> directory, which contains the application server and the= configuration files necessary to run JBoss Portal Platform. + - PORTAL_SSO + TOMCAT_HOME - The directories and files located in the JPP_DIST/gatein-sso directory of the JBoss Portal = Platform binary package. Used throughout . + + The installation root of the Apache Tomcat server. Apache Tomcat is = a simple Java-based web server that can host servlets or JSP applications. = It is not a part of JBoss Portal Platform, however, it is used in various e= xamples in this guide to host single sign-on authentication services. + + + This convention is mainly used in . + - - - TOMCAT_DIST - - - The installation root of the Apache Tomcat server. Apache = Tomcat is a simple Java-based web server that can host servlet or JSP appli= cations. This directory contains the main folders that comprise the server = such as /bin, /conf, /w= ebapps, and /lib. - -
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-0= 1-03 04:58:33 UTC (rev 9032) +++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-0= 1-04 15:23:42 UTC (rev 9033) @@ -8,6 +8,20 @@ + 6.0.0-27 + Fri Jan 4 2012 + + Petr + Penicka + + + + + BZ#886289 and BZ#886298 - Final version of OpenAM and = SPNEGO single sign-on docs as submitted for SME review. Bonus: cleaned up F= ile Name Conventions in Preface - removed unused abbreviations and made the= descriptions more accurate. + + + + 6.0.0-26 Mon Dec 21 2012 Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/Authenticatio= nAndIdentity/SSO.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndId= entity/SSO.xml 2013-01-03 04:58:33 UTC (rev 9032) +++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndId= entity/SSO.xml 2013-01-04 15:23:42 UTC (rev 9033) @@ -64,10 +64,6 @@ All the packages required for SSO setup can be found in the JPP_DIST/gatein-sso directory of th= e JBoss Portal Platform binary package. = - - In the following scenarios this directory will be referred to = as PORTAL_SSO. - - = Users are advised to not run any portal extensions that cou= ld override the data when manipulating the gatein.ear = file directly. 
@@ -83,7 +79,7 @@ <remark>BZ#856430</remark>Central Authentication Service (= CAS) = - The CAS single sign-on (SSO) plug-in enables seamless integrat= ion between the platform and the CAS SSO framework. General information abo= ut CAS can be found on the Jasig we= bsite . + The CAS single sign-on (SSO) plug-in enables seamless integrat= ion between the platform and the CAS SSO framework. General information abo= ut CAS can be found on the Jasig we= bsite. =
@@ -295,7 +291,7 @@ = - Open CAS_DIR/cas-server-webapp/src/main/weba= pp/WEB-INF/deployerConfigContext.xml . + Open CAS_DIR/cas-server-webapp/src/main/weba= pp/WEB-INF/deployerConfigContext.xml. = @@ -306,7 +302,7 @@ = - This configuration is available in the PORTAL_SSO/cas.war/WEB-INF/deployerConfigContext.x= ml. If you choose to take this configuration file, ensure the defaul= t host, port and context parameters are adjusted to match the values corres= ponding to the remote portal instance. + This configuration is available in the JPP_DISTgatein-sso/cas/plugin/WEB-INF/deployerConf= igContext.xml file. If you choose to take this configuration file, e= nsure the default host, port and context parameters are adjusted to match t= he values corresponding to the remote portal instance. @@ -324,7 +320,7 @@ = - Copy all jars from PORTAL_SSO/cas/plugin/WEB= -INF/lib/ to the CAS_DIR/cas-server-webapp/src/main/webapp/WEB= -INF/lib directory. + Copy all jars from JPP_DISTgatein-sso/cas/plugin/WEB-INF/lib/ to the CAS_DIR/ca= s-server-webapp/src/main/webapp/WEB-INF/lib directory. @@ -435,13 +431,13 @@ = - Extract and install the binary on the server that is = required to host CAS. This directory is now referred to as TOM= CAT_DIST. + Extract and install the binary on the server that is = required to host CAS. This directory is now referred to as TOM= CAT_HOME. = - Edit TOMCAT_DIST/conf/server.xml= and change port 8080 to 8888 to avoid a conflict with the default JBoss Po= rtal Platform listen port. + Edit TOMCAT_HOME/conf/server.xml= and change port 8080 to 8888 to avoid a conflict with the default JBoss Po= rtal Platform listen port. BZ#856430 - jmorgan - Added the new ports from = the Confluence SSO Server Setup section = @@ -663,7 +659,7 @@ = - Copy CAS_DIR/cas-server-webapp/target/cas.w= ar to TOMCAT_DIST/webapps. + Copy CAS_DIR/cas-server-webapp/target/cas.w= ar to TOMCAT_HOME/webapps. = @@ -1246,15 +1242,15 @@
OpenAM - OpenAM is an open source access management, entitlements and federatio= n server platform. It is a successor of OpenSSO, the access management and = federation server platform by Oracle. Integration with OpenSSO is supported= in JBoss Enterprise Portal Platform 5. As the development of OpenSSO has b= een discontinued, the OpenSSO integration has been replaced with OpenAM int= egration in JBoss Portal Platform 6. + OpenAM is an open source access management, entitlements and federatio= n server platform. It is a successor of OpenSSO, the access management and = federation server platform whose integration was available in JBoss Enterpr= ise Portal Platform 5. As the development of OpenSSO has been discontinued,= the OpenSSO integration has been replaced with OpenAM integration in JBoss= Portal Platform 6.
Login and Logout Workflow - When the OpenAM integration is configured and a user clicks the Sign in link on a JBoss Portal Platform page, they are redi= rected to the OpenAM login screen, where they provide their login credentia= ls. Authentication on the OpenAM server side is performed by the JBoss Port= al Platform SSO Authentication Plugin. The plugin sends a REST request to J= Boss Portal Platform, obtains a response and authenticates the user on the = OpenAM side based on the response. + When the OpenAM integration is configured and a user clicks the Sign in link on a JBoss Portal Platform page, they are redi= rected to the OpenAM login screen, where they provide their login credentia= ls. Authentication on the OpenAM server side is performed by the JBoss Port= al Platform SSO Authentication Plugin. The plugin sends a REST request to J= Boss Portal Platform, obtains a response, and authenticates the user on the= OpenAM side based on the response. - After successful authentication with OpenAM, an OpenAM authentication t= icket is stored in the iPlanetDirectoryPro cookie = in the client browser and the user is redirected back to the portal page. W= hen the portal page is requested, the InitiateLoginFilter iterceptor delegates validation of the OpenAM ticket to the OpenSSOAgent component. The component uses the OpenAM RES= T API to perform validation of the ticket with the OpenAM server via a back= channel. After successful validation, user identity is established and the= user is logged in to JBoss Portal Platform. + After successful authentication with OpenAM, an OpenAM authentication t= icket is stored in the iPlanetDirectoryPro cookie = in the client browser and the user is redirected back to the portal page. W= hen the portal page is requested, the InitiateLoginFilter iterceptor delegates validation of the OpenAM ticket to the OpenSSOAgent component. 
The OpenSSOAgent then uses the OpenAM REST API to perform back channel validation o= f the ticket with the OpenAM server. After successful validation, user iden= tity is established and the user is logged in to JBoss Portal Platform. When logout is requested by clicking the Sign out button on a portal page, the OpenSSOLogoutFilt= er interceptor performs logout on both JBoss Portal Platform and= the OpenAM server. @@ -1275,7 +1271,12 @@
= OpenAM Server Setup - This section contains procedures that need to be followed to set up = an OpenAM server for authentication against JBoss Portal Platform. The auth= entication set up by these procedures is ensured by the JBoss Portal Platfo= rm SSO Authentication Plugin. The plugin will be installed in OpenAM and co= nfigured to to perform authentication against the portal using a REST callb= ack. + This section contains procedures that need to be followed to set up = an OpenAM server for authentication against JBoss Portal Platform. The auth= entication set up by these procedures is ensured by the JBoss Portal Platfo= rm SSO Authentication Plugin. The plugin will be installed in OpenAM and co= nfigured to to perform authentication against the portal using a REST callb= ack. + + + Using the REST callback as presented in this section is not mandator= y. You can achieve authentication on the OpenAM side by any other means acc= ording to your preference. + + To achieve the setup, perform the procedures in the following order: @@ -1323,12 +1324,12 @@ Adding the Authentication Plug-in - Copy the contents of the GATEIN_SSO_HOME/opensso/plugin/ directory to TOMCAT_HOME/webapps/opensso/. This will add: + Copy the contents of the JPP_DIST/gatein-sso/opensso/plugin/ directory to TOMCAT_HOME/webapps/opensso/. This will add: - the AuthenticationPlugin.xml file TOM= CAT_HOME/webapps/opensso/config/auth/default/ directory. The fil= e contains the following configuration: + the AuthenticationPlugin.xml file to the TOMCAT_HOME/webapps/opensso/config/auth/default/ directory. = The file contains the following configuration: 
@@ -1354,12 +1355,12 @@ - the sso-open= sso-plugin-<VERSION>.jar and commons-httpclient-= <VERSION>.jar archives to the TOMCAT_HOME/webapp= s/opensso/WEB-INF/lib directory. + the sso-opensso-plugin-<VERSION>.jar an= d commons-httpclient-<VERSION>.jar archives to t= he TOMCAT_HOME/webapps/opensso/WEB-INF/lib directory. - the gatein.properties file to the TOM= CAT_HOME/webapps/opensso/WEB-INF/classes/ directory. You may nee= d to configure the host, port, protocol, and other properties in this file = according to your JBoss Portal Platform location. These values will be used= by the authentication plugin to establish the REST connection to the porta= l over the HTTP protocol. + the gatein.properties file to the TOM= CAT_HOME/webapps/opensso/WEB-INF/classes/ directory. You may nee= d to change the values specified in this file to match the configuration of= the JBoss Portal Platform instance. The values will be used by the authent= ication plugin to establish the REST connection to the portal. @@ -1435,7 +1436,7 @@
= JBoss Portal Platform Setup as OpenAM Client - On the JBoss Portal Platform server, you need to ensure proper configur= ation of single sign-on properties in the JPP_DIST/standalone/configu= ration/gatein/configuration.properties file. Locate the SSO section = in this file and change/add properties in the section as follows: + On the JBoss Portal Platform server, you need to ensure proper configur= ation of single sign-on properties in the JPP_SERVER/standalone/confi= guration/gatein/configuration.properties file. Locate the SSO sectio= n in this file and change/add properties in the section as follows: # SSO gatein.sso.enabled=3Dtrue @@ -1868,7 +1869,7 @@ Configuring SPNEGO Integration with JBoss Portal Pla= tform = - Modify the # SSO section of the JPP_DIST/standalone/configuration/gatein= /configuration.properties file, replacing the original content w= ith the following properties: + Modify the # SSO section of the JPP_SERVER/standalone/configuration/gate= in/configuration.properties file, replacing the original content= with the following properties: @@ -1912,7 +1913,7 @@ gatein.sso.filter.login.sso.url - This value ensures that clicking the S= ign in link will redirect users to the /portal/dologin= URL, which is a secured URL declared in the security-c= onstraint section of JPP_DIST/gatein/gatein.ear/portal.war/WEB-INF/web.xml<= /filename> file, allowing the GateInNegotiationAuthenticator valve to intercept the HTTP request. + This value ensures that clicking the S= ign in link will redirect users to the /portal/dologin= URL, which is a secured URL declared in the security-c= onstraint section of JPP_SERVER/gatein/gatein.ear/portal.war/WEB-INF/web.xm= l file, allowing the GateInNegotiationAuthenticator<= /systemitem> valve to intercept the HTTP request. 
@@ -1929,7 +1930,7 @@ gatein.sso.valve.enabled - SPNEGO integration requires a custom Tomcat valve= to intercept HTTP requests for secured URLs. The SSODelegateVa= lve is defined in the JPP_DIST/gatein/gatein.ear/por= tal.war/WEB-INF/jboss-web.xml file and is used only if this opti= on is set to true. The purpose of the valve is to delega= te the real work to another valve declared in the gatein.sso.valve= .class property. This eliminates the need to edit configuration i= n the jboss-web.xml file. + SPNEGO integration requires a custom Tomcat valve= to intercept HTTP requests for secured URLs. The SSODelegateVa= lve is defined in the JPP_SERVER/gatein/gatein.ear/p= ortal.war/WEB-INF/jboss-web.xml file and is used only if this op= tion is set to true. The purpose of the valve is to dele= gate the real work to another valve declared in the gatein.sso.val= ve.class property. This eliminates the need to edit configuration= in the jboss-web.xml file. @@ -1946,7 +1947,7 @@ = - Modify configuration of the security subsystem in the JPP_DIST/sta= ndalone/configuration/standalone.xml file: + Modify configuration of the security subsystem in the JPP_SERVER/s= tandalone/configuration/standalone.xml file: 
@@ -2053,7 +2054,7 @@ As demonstrated in , users trying to = sign in without a valid Kerberos ticket are automatically redirected to the= JBoss Portal Platform logon page. There, they can perform standard FORM au= thentication using their user name and password. = - If you want to disable FORM authentication to allow only users wi= th a valid Kerberos ticket to sign in, you need to comment out the usernamePasswordDomain option in the SPNEGOLoginMod= ule configuration in the JPP_DIST/standalone/configuration/standalone.xml file. + If you want to disable FORM authentication to allow only users wi= th a valid Kerberos ticket to sign in, you need to comment out the usernamePasswordDomain option in the SPNEGOLoginMod= ule configuration in the JPP_SERVER/standalone/configuration/standalone.xml file. @@ -2067,7 +2068,7 @@
Enabling Logging - To enable logging of events related to SPNEGO authentication, you= can add the following entries to the logging subs= ystem in the JPP_DIST/standalone/confi= guration/standalone.xml file: + To enable logging of events related to SPNEGO authentication, you= can add the following entries to the logging subs= ystem in the JPP_SERVER/standalone/con= figuration/standalone.xml file: @@ -2105,7 +2106,7 @@ Default Configuration = - The JBoss SSO valve is enabled by default. The enablement i= s ensured by the following JBoss Web subsystem configuration entry in the <= filename>JPP_DIST/standalone/configuration/standalon-ha.xml file: + The JBoss SSO valve is enabled by default. The enablement i= s ensured by the following JBoss Web subsystem configuration entry in the <= filename>JPP_SERVER/standalone/configuration/standalon-ha.xml fi= le: @@ -2147,7 +2148,7 @@ = - On both servers, open the JPP_= DIST/standalone/configuration/standalone-ha.xml fi= le. Add the domain parameter to the sso entry and specify the name of the shared DNS domain in its value. + On both servers, open the JPP_= SERVER/standalone/configuration/standalone-ha.xml = file. Add the domain parameter to the sso= entry and specify the name of the shared DNS domain in its val= ue. --===============3677505435442046109==--
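Review bot: the 6.0.0-27 entry added to Revision_History.xml is dated "Fri Jan 4 2012", but the commit itself is dated Fri, 04 Jan 2013 and the entry directly below it (6.0.0-26) is "Mon Dec 21 2012"; change the year to 2013 so the history stays chronological and matches the SVN timestamp.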
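Review bot: the two CAS paths rewritten in SSO.xml (hunks @@ -306 and @@ -324) read "JPP_DISTgatein-sso/cas/plugin/WEB-INF/deployerConfigContext.xml" and "JPP_DISTgatein-sso/cas/plugin/WEB-INF/lib/", with no separator between the JPP_DIST replaceable and gatein-sso; the OpenAM hunk later in the same file writes the same prefix as "JPP_DIST/gatein-sso/opensso/plugin/", so add the missing "/" in both CAS lines.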
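Review bot: in the Login and Logout Workflow hunk (@@ -1246) the typo "iterceptor" in "the InitiateLoginFilter iterceptor" is carried over from the removed line into the new one; since the paragraph is being split and reworded anyway, correct it to "interceptor" here (the logout sentence at the end of the same hunk already spells it correctly).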
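Review bot: in the OpenAM Server Setup hunk (@@ -1275) the duplicated "to" in "configured to to perform authentication against the portal using a REST callback" survives unchanged in the + line, so apart from the added note the paragraph is re-emitted with the same defect; drop one "to".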
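Review bot: the rewritten gatein.properties item (@@ -1354) drops the explicit list "host, port, protocol, and other properties" and the phrase "over the HTTP protocol" from the removed line, leaving only "change the values specified in this file" with no indication of what those values are. Keep the property names, and since the Login and Logout Workflow section describes this REST call as the channel through which the plugin authenticates the user's credentials against the portal, say explicitly that the protocol value is what decides whether that callback travels over plain HTTP, so readers set it deliberately rather than by default.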
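Review bot: the Default Configuration hunk (@@ -2105) still spells the file name "standalon-ha.xml" in the + line, while the following hunk (@@ -2147) uses the correct "standalone-ha.xml"; fix it while the line is being touched, since a reader copying the path as written will not find the file.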
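Review bot: the Adding the Authentication Plug-in hunk (@@ -1323) replaces GATEIN_SSO_HOME, a name the Preface never defined before or after this change, with JPP_DIST/gatein-sso. Because this commit also retires PORTAL_SSO and TOMCAT_DIST from the Preface and from the CAS section, but only the occurrences inside the shown hunks are updated, a final search of SSO.xml for any remaining GATEIN_SSO_HOME, PORTAL_SSO or TOMCAT_DIST references is warranted before the document goes to SME review.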