OpenSSO with OpenID (on the Mac featuring Glassfish)
By steffo on Sep 24, 2007
I've been asked for this a couple of times. Building and getting the OpenID extension for OpenSSO running
is no rocket science but there is no clear 'how to' document available. Here is what I do; the components I'm using are:
- Sun Java System Directory Server 6 (from Java Enterprise System 5.1, running on Solaris 10U4 (Parallels))
- Glassfish v2
- Java "1.5.0_07" (Apple Build)
- NetBeans 6.0M10 (to build the OpenID endpoint for OpenSSO)
- OpenID Client (from the Python libs at http://www.openidenabled.com/)
I assume that you have already downloaded and deployed OpenSSO in the Glassfish application server. Also, you must be able to successfully login to OpenSSO's console as 'amadmin'.
We will setup 4 (HTTP) services:
- A site-simulator for an OpenID enabled website (OpenID client) listening at openid.init8.net:8001 (openid.init8.net is an alias for 127.0.0.1 - loopback)
- An Apache server which serves your OpenID (http://teufelchen.init8.net/steffo). The 'index.html' delivered by this service contains a reference to the OpenID endpoint (i.e. OpenID extension for OpenSSO)
- OpenID endpoint at teufelchen.init8.net:18080/openid/service
- OpenSSO server at teufelchen.init8.net:8080/fam
The 4 components correspond to the ones used by Sun's deployment (as described in Hubert's blog): the relying party (Python client), the OpenID Identifier Server (Apache), the OpenID Extension (OpenID endpoint at 18080), and Login (OpenSSO server at 8080). There is no registration component in our example. Users are either created from the OpenSSO console or provisioned to an LDAP data source.
Step 1. Download and build the OpenID extension
First, login to OpenSSO's console and create an account to be used by the OpenID extension (the OpenID extension is an OpenSSO client which tries to authenticate against the OpenSSO server).
- Go to http://teufelchen.init8.net:8080/fam/UI/Login?service=ldapService
- Next select your realm and click on the Subjects tab.
- You should see different sub-tabs: User, Agent, Filtered-Role etc. Click on 'Agent'
- Click on 'New' and create a new agent of type Webservice Security Provider. Choose e.g. 'openid' and 'password' as ID and credentials.
Second, checkout the OpenSSO source code via
cvs -d :pserver:email@example.com:/cvs checkout opensso
and save the result in e.g. ~/Projects/OpenSSO/src. Next, download the OpenSSO ClientSDK and save the JAR famclientsdk.jar in e.g. ~/Projects/OpenSSO/clientSDK/. The client SDK is needed by the OpenID extension.
The OpenID extension is at: opensso/extensions/openid/provider/ in the OpenSSO source tree. You'll also find a build.xml with all the necessary targets there. Now copy the following JARs to opensso/extensions/openid/provider/extlib:
- commons-codec-1.3.jar (from Apache common codecs)
- j2ee.jar (from Glassfish libs)
- famclientsdk.jar (you've just downloaded this one)
- jsf-facelets.jar (java.net site)
Set up a NetBeans project; I used 'Java Project with existing Ant script'. Make sure you add the above JARs to your NetBeans project. There are two properties files which are crucial; more information can be found in the extension's README.
AMConfig.properties contains configuration information required by the OpenSSO client SDK (do not mix this one up with the OpenSSO server configuration file, which has the same name but resides somewhere under /etc/OpenSSO or /etc/SUNWam - you were asked for the exact location during the OpenSSO installation). Make sure that everything in this file is correct. Also check that the debug directory exists and that the naming URL is correct. Here are the keys that work for my setup:
# This is the ID of the Webservice Security Provider you created above
# And that's the password in clear text
# And that's the encrypted password (obtained from running 'ampassword')
# Check your server's AMConfig.properties for the next value
Make sure, that in your setup, the values of the server's and client's AMConfig.properties match.
There are only a few keys here.
# The next one is the Universal ID pattern of your OpenSSO installation
You can now build the OpenID extension by selecting the target 'war'.
I deployed the 'provider.jar' at http://teufelchen.init8.net:18080/openid. Browse to http://teufelchen.init8.net:18080/openid and you should see the service end point.
Step 2. Configuring your OpenID URL and create a user in OpenSSO
The OpenID URL I want to use is: "http://teufelchen.init8.net/steffo". Browsing to this URL should retrieve the document at $DOCROOT/steffo/index.html. I used Apache's standard 'index.html' (the one that gives you the 'Seeing this instead of the website you expected?') and pasted the following between the HEAD tags:
<link rel="openid.server" href="http://teufelchen.init8.net:18080/openid/service"/>
You also have to create a user in OpenSSO. The ID of that user depends on the OpenID you want to use. If you want to use "http://teufelchen.init8.net/steffo", create a user "steffo". Note that this user might reside in an external LDAP (in which case you have to configure an appropriate authentication module and data source - but that's not required for this sample).
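To show what the relying party does with the page above, here is an added example (my own code, not part of the original post or of the openidenabled.com library) that performs OpenID 1.1 HTML discovery on a constructed copy of the Apache index.html and derives the OpenSSO user ID from the OpenID URL, as described in this step. The names discover and local_user are my own.

```python
# Added example: OpenID 1.1 HTML discovery for the identifier page
# http://teufelchen.init8.net/steffo. The relying party fetches that page and
# looks for <link rel="openid.server"> inside <head>. The HTML here is a
# constructed stand-in for Apache's index.html, so nothing is fetched.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the relevant part of $DOCROOT/steffo/index.html
SAMPLE_HTML = """<html><head>
<title>Test Page for Apache Installation</title>
<link rel="openid.server" href="http://teufelchen.init8.net:18080/openid/service"/>
</head><body>Seeing this instead of the website you expected?</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collects rel/href pairs from <link> tags that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                for token in rel.lower().split():  # rel may list several tokens
                    self.links.setdefault(token, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return the endpoint (and optional delegate) or raise if none is usable."""
    p = _OpenIDLinkParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>")
    if urlsplit(server).scheme not in ("http", "https"):
        raise ValueError("openid.server must be an absolute http(s) URL")
    return {"server": server, "delegate": p.links.get("openid.delegate")}


def local_user(identifier):
    """OpenSSO user ID implied by the OpenID URL: its last path segment."""
    return urlsplit(identifier).path.rstrip("/").rsplit("/", 1)[-1]
```

Only links inside HEAD are honoured, which is why the tag has to be pasted there and not into the body.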
Step 3. Download and install the OpenID client
Download the Python libs at http://www.openidenabled.com/ . Follow the installation instructions and edit the file 'consumer.py' in the examples directory. Modify the following keys:
OPENID_PROVIDER_NAME = 'OpenSSOOpenID'
You can now start the consumer from the command shell: python consumer.py --port 8001
This sets up an HTTP service. The above command outputs something like:
Server running at:
I put a fake entry in /etc/hosts which assigns 127.0.0.1 the name "openid.init8.net". Direct your browser to this URL. You can now enter your OpenID (e.g. http://teufelchen.init8.net/steffo) into the box. Next, you'll be redirected to OpenSSO's login screen. After successfully entering your credentials, you'll see a message like
The website http://openid.init8.net:8001/ is requesting confirmation that your OpenID identity is http://teufelchen.init8.net/steffo.