Wednesday Oct 15, 2008

How to Federate with Google Apps using OpenSSO as the Identity Provider

My colleague Pat Patterson had written a howto on how to federate with Google Apps using a much older build of OpenSSO. At that time he had to use a custom account mapper (i.e. write code) to map the NameID in the SAML v2 response. With the latest OpenSSO builds the custom account mapper is no longer required: account mapping for SAML v2 is supported out of the box from the OpenSSO administrative console, thanks to Heng-Ming Hsu (another colleague), who recently added this functionality to OpenSSO's DefaultIDPAccountMapper.

Here is a simple writeup on how to federate with Google Apps using OpenSSO. I did this in less than 10 minutes, but I already had Glassfish installed and opensso.war deployed. Note that this writeup uses non-SSL connections; in production it is recommended to use SSL-enabled web servers.

Ingredients

OpenSSO latest nightly build
\* http://download.java.net/general/opensso/nightly/latest/opensso/opensso.zip (I used the Oct 6th build)


Any OpenSSO Supported Container
\* http://opensso.dev.java.net/public/use/docs/fampdf/rn.pdf
\* I used Glassfish V2R2 http://glassfish.dev.java.net


A Premier Account for Google Applications
\* http://google.com/a


Procedure

OpenSSO is the Identity Provider (IDP) and Google Apps is the Service Provider (SP). We will use SAML v2 as the Single Sign-On (SSO) protocol between the two and create a Circle Of Trust (COT) on the IDP.

Note: your browser will need the QuickTime(TM) plugin to view the videos.



1. Deploy opensso.war on your container

Download opensso.zip, extract opensso.war and deploy it on your container. For Glassfish this is very simple and done via the "asadmin deploy" command (for the faint-hearted, the Glassfish administrative console can also be used to deploy the war file).

Carefully read the release notes to see whether your container requires any pre-deployment tasks, such as modifying your container's server.policy file.

-bash-3.00# ./asadmin deploy --user admin --passwordfile /var/tmp/asadmin_passwd --port 4848 --enabled=true --contextroot /opensso /var/tmp/opensso/deployable-war/opensso.war
Command deploy executed successfully.
-bash-3.00# ./asadmin stop-domain
Domain idp stopped.
-bash-3.00# ./asadmin start-domain

Starting Domain idp, please wait.Log redirected to /var/opt/glassfish/domains/idp/logs/server.log.
Redirecting output to /var/opt/glassfish/domains/idp/logs/server.log
Domain domain1 is ready to receive client requests. Additional services are being started in background.
Domain [idp] is running [Sun Java System Application Server 9.1_02 (build b04-fcs)] with its configuration and logs at: [/var/opt/glassfish/domains].
Admin Console is available at [http://localhost:4848].
Use the same port [4848] for "asadmin" commands.
User web applications are available at these URLs:
[http://localhost:8080 https://localhost:8181 ].
Following web-contexts are available:
[/web1 /__wstx-services /opensso ].
Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
[service:jmx:rmi:///jndi/rmi://utopia:8686/jmxrmi] for domain management purposes.
Domain listens on at least following ports for connections:
[8080 8181 4848 3700 3820 3920 8686 ].
Domain does not support application server clusters and other standalone instances.



2. Configure OpenSSO after deploying to your container

Run through the OpenSSO configuration wizard by pointing your browser at the container's URL and the opensso context. In my case it is http://idp.unopass.net/opensso

\* To download this video click here



3. Configure IDP on OpenSSO via the Workflow Wizard

One of the defining features of OpenSSO is its workflow wizards, which help you create a hosted IDP/SP or a remote IDP/SP very quickly, without having to create metadata files and import them manually.

\* To download this video click here



4. Configure SP on Google Apps

\* To download this video click here



5. Define Name Identifier (NameID) mapping

Google Apps requires that the userid be sent back in the SAML response. OpenSSO does not do this by default, but now provides a very simple way of mapping the NameID to any attribute in the user's profile (in the LDAP directory).

\* To download this video click here



6. SSO into Google Apps using your new OpenSSO IDP

Finally, test the SSO by trying to access http://mail.google.com/a/<your domain>. You should NOT be prompted with the traditional Google login screen; instead you should be redirected to the IDP's (OpenSSO) login page. You should log into OpenSSO with the same userid, but the password can be different (Hint: you need to create this user if it does not already exist in OpenSSO).

\* To download this video click here

After watching this video, keep in mind that SSO demos are never impressive unless you show what is happening behind the scenes. One way to do so is to show the SAML 2 protocol (SOAP) messages.

The good news is that they can be grabbed from the debug logs of OpenSSO. You have to enable "message" level debugging first, from the OpenSSO Administrative Console under Configuration -> Sites. You will then be able to see the AuthN requests and SAML assertions in the debug log called "Federation". For example:

AuthN Request


<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb" Version="2.0"
  IssueInstant="2008-10-14T00:57:14Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  ProviderName="google.com" IsPassive="false"
  AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>

Response


IDPSSOUtil.sendResponse: SAML Response content :
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
  InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" Version="2.0"
  IssueInstant="2008-10-15T17:24:46Z"
  Destination="https://www.google.com/a/unopass.net/acs">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.unopass.net:80/opensso</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z"
  Version="2.0">
<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#s295c56ccd7872209ae336b934d1eed5be52a8e6ec">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4hocV3nNTGSZoZjeUZaM3xrphEM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
CPCZxaNG/fF6NjncZs6JEzDNpzUNsJsJPhgffw9y8T0oR8iI8+71iW3MIPrfzD2UfSBbHR0W6HYM
fKK2Es3cSOCmfEJ/PmqrrXu2gMHD0TpNWDraXM28DqGkiQvEHJ7/yoX0gxp+KJMQnVgPfrI6kPBz
Ly1TWM6QnwqSI9l8oOg=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="http://idp.unopass.net:80/opensso">admin</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.net/acs"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
<saml:AudienceRestriction>
<saml:Audience>google.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z" SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
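An added example, not code from the original post or from OpenSSO: the checks a SAML v2 Service Provider such as Google Apps applies to a Response like the one above before it trusts the NameID it carries. SAMPLE is a constructed, trimmed copy of the page's Response with a placeholder signature; the ACS URL and entity IDs are the ones in the messages above. Note that the AuthnRequest and Response shown were captured on different days (Oct 14 and Oct 15), so their IDs do not pair up; the check below is driven by the Response's own InResponseTo value.

```python
"""Added example (not from the original post or OpenSSO): SP-side checks on a SAML v2
Response such as the one OpenSSO writes to its "Federation" debug log. SAMPLE is a
constructed, trimmed copy of the page's Response; its signature is a placeholder."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://www.google.com/a/unopass.net/acs"  # SP's ACS URL, from the page
IDP_ENTITY_ID = "http://idp.unopass.net:80/opensso"   # IdP entity ID, from the page
SP_ENTITY_ID = "google.com"                           # expected Audience, from the page
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
 InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" Version="2.0" IssueInstant="2008-10-15T17:24:46Z"
 Destination="https://www.google.com/a/unopass.net/acs"><saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
  <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignatureValue>placeholder</SignatureValue></Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" NotOnOrAfter="2008-10-15T17:34:46Z"
    Recipient="https://www.google.com/a/unopass.net/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z"><saml:AudienceRestriction>
  <saml:Audience>google.com</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(s):  # a missing NotBefore reads as the epoch (no lower bound); a missing NotOnOrAfter as already expired
    return datetime.strptime(s or "1970-01-01T00:00:00Z", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, request_id, now_utc):
    """Return the list of problems found; an empty list means the SP may accept the assertion."""
    p, now = [], _ts(now_utc)
    r = ET.fromstring(xml_text)
    if r.get("Destination") != ACS_URL: p.append("Destination is not our ACS URL")
    if r.get("InResponseTo") != request_id: p.append("Response.InResponseTo != our AuthnRequest ID")
    sc = r.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or sc.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success": p.append("status is not Success")
    a = r.find("saml:Assertion", NS)
    if a is None: return p + ["no Assertion"]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID: p.append("Issuer is not our IdP")
    if a.find("ds:Signature", NS) is None: p.append("Assertion is unsigned")  # real code verifies the signature
    if not a.findtext("saml:Subject/saml:NameID", namespaces=NS): p.append("NameID empty (Google Apps needs the userid)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != request_id \
            or now >= _ts(scd.get("NotOnOrAfter")): p.append("bearer SubjectConfirmationData rejected")
    c = a.find("saml:Conditions", NS)
    if c is None or not _ts(c.get("NotBefore")) <= now < _ts(c.get("NotOnOrAfter")): p.append("outside Conditions window")
    if c is not None and SP_ENTITY_ID not in [e.text for e in c.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        p.append("we are not in the Audience")
    return p
```

Run with the Response's own InResponseTo and a clock inside the ten-minute window and the list comes back empty; replay it later, or against a different AuthnRequest ID, and the bearer confirmation and Conditions checks reject it.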

About

wahmed
