Monday Mar 02, 2009

OpenSSO Authentication with Active Directory (Part 1)

One of the common requests I get is for a tutorial on how to use Active Directory in conjunction with OpenSSO. The documentation does what I think is a fantastic job. I'm going to try to build upon it to provide a step-by-step tutorial. Part 2 will cover using Active Directory as the user store and using authorization services with AD.

This assumes that you have already installed and configured a basic install of OpenSSO. This configuration uses OpenSSO Express B5, Glassfish v2u2, and Windows 2000. The FQ hostname for the OpenSSO install is

  1. In the OpenSSO Administration Console, click the realm to which you want to add the new authentication chain.
  2. Click the Authentication tab.
  3. Create a new module instance with the following data: 
    1. Primary Active Directory server: ADServer:ADServerPort
    2. DN to Start User Search: dc=example,dc=com
    3. DN for Root User Bind: cn=Administrator,cn=users,dc=RootUser,dc=com
    4. Password for Root User Bind: AdministratorPassword
    5. Attribute Used to Retrieve User Profile: sAMAccountName
    6. Attributes Used to Search for a User to be Authenticated: sAMAccountName
    7. Search Scope: SUBTREE

      (Screenshots: Module Name; Server and Port)


  4. (Optional) Create a new Authentication chaining instance:

    1. Add a new instance for the authentication instance created in the previous step.

    2. Set the criteria to Sufficient.

  5. (Optional) Change Default Authentication Chain to the new authentication chain you just created.

  6. Click Save.

  7. Either log out or use a different browser. In this example I have a sample application already installed. If you opt not to use the authentication chain, you will need to specify the authentication module directly. You would need to configure the agent to use a URL like

  8. If you've done everything as this tutorial describes, you will get this message after you authenticate with your Active Directory credentials.

  9. The error message above appears because there is no corresponding user in the OpenSSO user store. You can remove this error by changing the user profile setting in OpenSSO, which is on the Advanced Properties page under the Authentication tab. By default this is set to Required. You can change it to Ignore or Dynamic. Dynamic will automatically create a corresponding user in the OpenSSO datastore based on the Active Directory credentials.
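To check the module values before typing them into the console, here is an added example (not from the tutorial or from OpenSSO itself) that replays with plain JNDI what the Active Directory module does with them: bind as the root user, search SUBTREE under the search base for the sAMAccountName, then bind as the entry that was found. It uses the values from the list above; ADServer:ADServerPort and AdministratorPassword are the same placeholders the tutorial uses.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdModuleCheck {
    // The module instance values from the steps above. ADServer:ADServerPort and the
    // root password are placeholders exactly as in the tutorial; substitute your own.
    static final String URL = "ldap://ADServer:ADServerPort";
    static final String BASE_DN = "dc=example,dc=com";
    static final String ROOT_DN = "cn=Administrator,cn=users,dc=RootUser,dc=com";
    static final String ROOT_PW = "AdministratorPassword";

    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);  // a wrong DN or password fails right here
    }

    // Same sequence the AD module runs: bind as the root user, SUBTREE search on
    // sAMAccountName under the search base, then bind as the entry that was found.
    static String authenticate(String user, String userPassword) throws NamingException {
        DirContext root = bind(ROOT_DN, ROOT_PW);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // {0} is substituted and escaped by JNDI, so user input cannot alter the filter
            NamingEnumeration<SearchResult> hits =
                root.search(BASE_DN, "(sAMAccountName={0})", new Object[] {user}, sc);
            if (!hits.hasMore()) {
                throw new NamingException("no entry for " + user + " under " + BASE_DN);
            }
            String userDn = hits.next().getNameInNamespace();
            bind(userDn, userPassword).close();  // the password check the module performs
            return userDn;
        } finally {
            root.close();
        }
    }
}
```

If this program accepts the credentials but OpenSSO still shows the message from step 8, the problem is the user profile setting described in step 9, not the directory values.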

Monday Jun 09, 2008

Verisign Identity Protection and OpenSSO

I've owned a Paypal Security Key for some time now. I was recently asked by a customer if Sun Access Manager/OpenSSO can use Verisign Identity Protection, which is really what the Paypal key uses behind the scenes. The answer is YES! While OpenSSO doesn't have a ready out-of-the-box authentication module for VIP, it's very easy to create one. I'm not sure if OpenSSO will ever add one, since a large portion of VIP is token management. Which tokens are associated with which users is something I would consider out of the scope of OpenSSO. Even if we made it customizable with a configuration page, I can guarantee we won't cover every option. I'm planning on making a simple interface to try this; I'll post when I finish.

This is based upon the steps provided by Terry Gardner on the site. I've added my own entry

  1. Download all the software you will need: Glassfish, Netbeans, OpenSSO, and VIP Test Drive. I used Glassfish V2U2, Netbeans 6.1, OpenSSO v2 B4, and JDK 1.6u6.
  2. Install the software. I'll leave this exercise up to you, since I don't want to write all the install steps.
  3. You'll need to create a Web Service reference from the vip_testdrive.wsdl. In Netbeans 6.1, go to the Services Tab, New WebService, and point to the WSDL file.
  4. Create the We only need the Validate method for Authentication. VIP provides a very rich set of services for enabling, disabling, and synchronizing tokens
  5. Create
  6. Create VIPLoginModule.xml
  7. Create For my interface I only use Validate() and expect the end-user to provide username, tokenID, and the OTP. In a real deployment, you would most likely use the username to discover what Tokens are registered with the user. Then use that information so the user doesn't have to remember their tokenID. You may also notice that I'm not using a password. I really just wanted to prove that Access Manager/OpenSSO could integrate with VIP. So, THIS IS NOT 2-FACTOR AUTHENTICATION!   You only get "Something you have" with this module. I'll leave it up to you to build the "Something you know". And NO, I don't consider username to be something you know. 
  8. Move VIPLoginModule.xml to the config/auth/default directory
  9. Package the .class files into a jar file and place it in WEB-INF/lib
  10. You will need to add the client cert to the application server keystore. That was a pain in itself, since Java expects a JKS-type keystore and VIP provided a P12 file. I'll cover this in another post.
  11. Restart the application server.
  12. Visit

  13. Generate an OTP using the VIP utils provided. The TokenID for this example is VSST57152657 and the OTP is 000138. This is a time-based token; VIP also supports event-based tokens.

  14. Once you've filled in the correct values, you should be authenticated to OpenSSO.


Building an Authentication Module for OpenSSO was easier than I thought. I spent most of my time trying to import the client cert. The other issue I battled was Verisign's web service. It uses different URIs depending on what you are doing. These are NOT defined in the WSDL but set at run time; the sample code they provide inserts them. For example, /mgmt/soap is for activation or deactivation, and /val/soap is for validation. The VIP sample uses AXIS, but I wanted to use JAX-WS.
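As an added example (not the author's code or anything shipped with OpenSSO or VIP), here is the shape such a VIPLoginModule can take: it reads the three values from the callbacks defined in VIPLoginModule.xml, points the JAX-WS port at /val/soap at run time because the WSDL does not carry the URI, and only grants a principal after VIP accepts the OTP. The stub names VipTestdriveService, VipPort and validate() and the callback order are assumptions; the AMLoginModule SPI and ISAuthConstants are the real OpenSSO classes.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.xml.ws.BindingProvider;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.util.ISAuthConstants;

public class VIPLoginModule extends AMLoginModule {
    // Validation calls go to /val/soap; VIP-HOST is a placeholder for the VIP service host.
    private static final String VAL_ENDPOINT = "https://VIP-HOST/val/soap";
    private String userName;

    public void init(Subject subject, Map sharedState, Map options) { }

    // VIPLoginModule.xml is assumed to define one page with three callbacks in this
    // order: username (NameCallback), token ID (NameCallback), OTP (PasswordCallback).
    public int process(Callback[] callbacks, int state) throws LoginException {
        if (state != ISAuthConstants.LOGIN_START) {
            throw new AuthLoginException("unexpected state " + state);
        }
        userName = ((NameCallback) callbacks[0]).getName();
        String tokenId = ((NameCallback) callbacks[1]).getName();
        char[] otp = ((PasswordCallback) callbacks[2]).getPassword();
        // VipTestdriveService, VipPort and validate() are assumed names for the JAX-WS
        // stubs NetBeans generates from vip_testdrive.wsdl; use the generated names.
        VipPort port = new VipTestdriveService().getVipPort();
        // The WSDL does not fix the URI, so the validation endpoint is set at run time.
        ((BindingProvider) port).getRequestContext()
                .put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, VAL_ENDPOINT);
        boolean valid = port.validate(tokenId, new String(otp));
        Arrays.fill(otp, '\0');  // do not keep the OTP around longer than needed
        if (!valid) {
            throw new AuthLoginException("VIP rejected the OTP for token " + tokenId);
        }
        return ISAuthConstants.LOGIN_SUCCEED;
    }

    public Principal getPrincipal() {
        final String name = userName;
        return new Principal() { public String getName() { return name; } };
    }
}
```

As the post says, this checks only "something you have"; a password module chained in front of it (criteria Required) is where the "something you know" would go.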

If you get a chance, I recommend getting the "Football" token for Paypal. It's a great second factor for security.
