OpenAM Single Sign On Authentication

OpenAM is an open source single sign-on solution that comes from the code base of Sun’s System Access Manager product. Liferay DXP integrates with OpenAM, allowing you to use OpenAM to integrate Liferay DXP into an infrastructure that contains a multitude of different authentication schemes against different repositories of identities.

Note that OpenAM relies on cookie sharing between applications. Thus, in order for OpenAM to work, all applications that require SSO must be in the same web domain. You should also add the following property if you have enabled HTTPOnly cookies due to the way some web containers (like Apache Tomcat™) parse cookies that contain special characters:

com.iplanet.am.cookie.encode=true

You can install OpenAM on the same or different server as Liferay DXP. Be sure to review the context path and server hostname for your OpenAM server.

If you want to install OpenAM on the same server as Liferay DXP, you must deploy the OpenAM .war, downloadable from here. Otherwise, follow the instructions at the OpenAM 13 site to install OpenAM.

Once you have it installed, create the Liferay DXP administrative user in it. Users are mapped back and forth by screen names. By default, the Liferay DXP administrative user has a screen name of test, so if you were to use that account, in OpenAM, register the user with the ID of test and the email address specified in the admin.email.from.address portal property. Once you have the user set up, log in to OpenAM using this user.

In the same browser window, log in to Liferay DXP as the administrative user (using the admin email address mentioned previously). Go to the Control Panel and navigate to Configuration → Instance Settings → Authentication → OpenSSO (at the top).

Figure 1: OpenSSO Configuration.

Modify the three URL fields (Login URL, Logout URL, and Service URL) so they point to your OpenAM server (in other words, only modify the host name portion of the URLs), check the Enabled box, and click Save. Liferay DXP then redirects users to OpenAM when they request the /c/portal/login URL (for example, when they click the Sign In link).

Liferay DXP’s OpenAM configuration can be applied at either the system scope or at the instance scope. To configure the OpenAM SSO module at the system scope, navigate to the Control Panel and click Configuration → System Settings → Security → SSO → OpenSSO. Click on it and you’ll find the settings listed below. The values configured here provide the default values for all portal instances. Enter the values in the same format as you would when initializing a Java primitive type with a literal value.

Property Label | Property Key | Description | Type
Version | version | OpenAM version to use (12 and below, or 13) | String
Enabled | enabled | Check this box to enable OpenAM authentication. Note that OpenAM will work only if LDAP authentication is also enabled and Liferay DXP’s authentication type is set to screen name. | boolean
Import from LDAP | importFromLDAP | If this is checked, users authenticated from OpenAM that do not exist in Liferay DXP are imported from LDAP. LDAP must be enabled. | boolean
Login URL | loginURL | The URL of the login page of the OpenAM server | String
Logout URL | logoutURL | The URL of the logout page of the OpenAM server | String
Service URL | serviceURL | The URL by which OpenAM can be accessed to use the authenticated web services. If you are using OpenAM Express 8 or higher, the server must be running Java 6. | String
Screen Name Attribute | screenNameAttr | The name of the attribute on the OpenAM server representing the user’s screen name | String
Email Address Attribute | emailAddressAttr | The name of the attribute on the OpenAM server representing the user’s email address | String
First Name Attribute | firstNameAttr | The name of the attribute on the OpenAM server representing the user’s first name | String
Last Name Attribute | lastNameAttr | The name of the attribute on the OpenAM server representing the user’s last name | String
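As an added check (not part of this article or of Liferay’s code), the following Python script validates a set of these property values against the prerequisites stated above: LDAP must be enabled, the authentication type must be screen name, and the three URLs must point at a single OpenAM host inside the same web domain as the portal so the SSO cookie is shared. The property keys follow the table; the portal host, the LDAP flag and the authentication type are assumed inputs, the https check is an added hardening check rather than a requirement from the article, and the two-label web-domain rule is a simplification.

```python
from urllib.parse import urlparse

URL_KEYS = ("loginURL", "logoutURL", "serviceURL")


def web_domain(host):
    """Web domain used for cookie sharing: the last two DNS labels.
    Simplification (assumption): multi-label suffixes such as co.uk are not handled."""
    return ".".join(host.lower().split(".")[-2:])


def check_opensso_config(cfg, portal_host, ldap_enabled, auth_type):
    """Return a list of problems; an empty list means the settings pass.
    cfg maps the OpenSSO property keys to values; the other three arguments are
    the portal's own settings (assumed inputs, not OpenSSO properties)."""
    problems = []
    if cfg.get("enabled"):
        if not ldap_enabled:
            problems.append("enabled=true but LDAP authentication is disabled")
        if auth_type != "screenName":
            problems.append("authentication type must be screen name, got %r" % auth_type)
    if cfg.get("importFromLDAP") and not ldap_enabled:
        problems.append("importFromLDAP=true requires LDAP to be enabled")

    hosts = set()
    for key in URL_KEYS:
        url = urlparse(cfg.get(key, ""))
        if not url.hostname:
            problems.append("%s has no host name" % key)
            continue
        hosts.add(url.hostname)
        if url.scheme != "https":  # added hardening check, not stated in the article
            problems.append("%s does not use https: %s" % (key, cfg[key]))
        if web_domain(url.hostname) != web_domain(portal_host):
            problems.append("%s host %s is outside the portal's web domain %s; "
                            "the SSO cookie will not be shared"
                            % (key, url.hostname, web_domain(portal_host)))
    if len(hosts) > 1:  # only the host portion should change, and it should be one host
        problems.append("URLs point at different OpenAM hosts: %s" % ", ".join(sorted(hosts)))
    return problems


if __name__ == "__main__":
    # Constructed sample: only the host portion of the three URLs was changed.
    sample = {"enabled": True, "importFromLDAP": True,
              "loginURL": "https://sso.example.com/openam/UI/Login",
              "logoutURL": "https://sso.example.com/openam/UI/Logout",
              "serviceURL": "https://sso.example.com/openam"}
    for p in check_opensso_config(sample, "portal.example.com", True, "screenName"):
        print("PROBLEM:", p)
```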

To override these default settings for a particular portal instance, navigate to Liferay DXP’s Control Panel, click Configuration → Instance Settings, then click Authentication at the right and OpenSSO at the top.
