OpenSSO Authentication with Active Directory (Part 1)
By bounds on Mar 02, 2009
One of the common requests that I get is for a tutorial on how to use Active Directory in conjunction with OpenSSO. The documentation does what I think is a fantastic job. I'm going to try and build upon it to provide a step-by-step tutorial. Part 2 will cover using Active Directory as the user store and using authorization services with AD.
This tutorial assumes that you have already installed and configured a basic OpenSSO instance. This configuration uses OpenSSO Express B5, Glassfish v2u2, and Windows 2000. The fully qualified hostname for the OpenSSO install is www.idp.com.
- In the OpenSSO Administration Console, click the realm to which you want to add the new authentication chain.
- Click the Authentication tab.
- Create a new module instance with the following data:
- Primary Active Directory server: ADServer:ADServerPort
- DN to Start User Search: dc=example,dc=com
- DN for Root User Bind: cn=Administrator,cn=users,dc=RootUser,dc=com
- Password for Root User Bind: AdministratorPassword
- Attribute Used to Retrieve User Profile: sAMAccountName
- Attributes Used to Search for a User to be Authenticated: sAMAccountName
- Search Scope: SUBTREE
- (Optional) Create a new authentication chaining instance:
- Add a new instance for the authentication module instance created in the previous step.
- Set the criteria to Sufficient.
- (Optional) Change the Default Authentication Chain to the new authentication chain you just created.
Either log out or use a different browser. In this example I have a sample application already installed. If you opt not to use the authentication chain, you will need to specify the authentication module directly by configuring the agent to use a URL like http://www.idp.com/opensso/UI/Login?AuthenticationModule=ActiveDirectory
If you've done everything as this tutorial describes, you will get this message after you authenticate with your Active Directory credentials.
The error message above appears because there is no corresponding user in the OpenSSO user store. You can remove this error by changing the user profile configuration in OpenSSO, which is located on the Advanced Properties page under the Authentication tab. By default this is set to Required; you can change it to Ignore or Dynamic. Dynamic will automatically create a corresponding user in the OpenSSO data store based upon the Active Directory credentials.
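As an added example (not code from the original post or from OpenSSO), here is a small Python model of how the settings above combine: the search filter built from the login name with RFC 4515 escaping, the SUBTREE versus ONELEVEL scope check under the search base, and the outcome of the Required/Ignore/Dynamic user profile setting. The exact filter shape and the sample directory entries are assumptions.

```python
# Simulation of how the module's search settings combine (assumed filter shape).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_search_filter(search_attrs, login: str) -> str:
    """Filter built from 'Attributes Used to Search for a User to be Authenticated'."""
    safe = escape_filter_value(login)
    clauses = "".join(f"({a}={safe})" for a in search_attrs)
    return clauses if len(search_attrs) == 1 else f"(|{clauses})"

def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """SUBTREE matches anywhere below the base; ONELEVEL only direct children.
    Simplified: DNs are split on ',' so values containing commas are not handled."""
    suffix = "," + base_dn.lower()
    dn = entry_dn.lower()
    if not dn.endswith(suffix):
        return False
    rdns = dn[: -len(suffix)].split(",")
    return scope == "SUBTREE" or len(rdns) == 1

def find_user(directory, base_dn, scope, search_attrs, login):
    """DNs of entries under base_dn whose search attribute equals the login."""
    target = login.lower()
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope)
            and any(attrs.get(a, "").lower() == target for a in search_attrs)]

def resolve_profile(login, local_users, user_profile):
    """Outcome of the 'User Profile' setting after a successful AD bind."""
    if login in local_users:
        return "ok"
    if user_profile == "Required":
        return "error: no OpenSSO profile"   # the situation the tutorial shows
    if user_profile == "Dynamic":
        local_users.add(login)              # profile created from the AD account
    return "ok"

# Constructed sample directory; both users sit inside containers below the base,
# so a ONELEVEL search from dc=example,dc=com finds neither of them.
SAMPLE_AD = {
    "cn=Alice,cn=users,dc=example,dc=com": {"sAMAccountName": "alice"},
    "cn=Bob,ou=staff,ou=eu,dc=example,dc=com": {"sAMAccountName": "bob"},
}

if __name__ == "__main__":
    print(build_user_search_filter(["sAMAccountName"], "bob"))
    print(find_user(SAMPLE_AD, "dc=example,dc=com", "SUBTREE", ["sAMAccountName"], "bob"))
    print(find_user(SAMPLE_AD, "dc=example,dc=com", "ONELEVEL", ["sAMAccountName"], "bob"))
```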