Message Boards

OpenSSO Liferay Integration

Updated 8 years ago by Anjali Mashalkar.

OpenSSO Liferay Integration

New Member Posts: 19 Join Date: 15/08/28
Hi Everyone,

I have implemented OpenSSO Single Sign On in Liferay.

Single sign on is working fine vice versa.

But I'm facing a problem in single sign out; please give me some idea.

Updated 8 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
It's difficult to help without a little more information. "It doesn't work" doesn't really give us a lot to go on. It doesn't work as in there is an error? It doesn't work as in the user is never logged out? A little detail would be helpful.

I'll take a guess and assume that the issue is that you are logging the user out of Liferay (/c/portal/logout) but that you are not logging them out of OpenSSO. If this happens then the token for OpenSSO remains part of your cookies and then the next time you access the site, the OpenSSO Auto Login kicks in and you are logged in again.

1. Can you share with us please your OpenSSO settings?

2. Can you try setting the Default Logout Page (in Control Panel > Portal Settings) to be the logout url of your OpenSSO?

We need more details if you want some help.

Updated 7 years ago by Anjali Mashalkar.

RE: OpenSSO Liferay Integration

New Member Posts: 19 Join Date: 15/08/28
Hello Sir, thanks for your reply.
I did the login & logout settings through portal-ext.properties; I am attaching this file here. But my requirement is that I want to redirect to a different domain's URL in Liferay using single sign on. If you have any idea, please suggest it to me.
Thanks

Updated 7 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
Hi Anjali,

The settings all look correct. Can you elaborate on what you mean by

> but i m facing problem in single sign out plz give me some idea.

.. what specific problems are you facing? The user is not logged out?

Updated 7 years ago by Anjali Mashalkar.

RE: OpenSSO Liferay Integration

New Member Posts: 19 Join Date: 15/08/28
Yes, the user is not logged out. And how to access multiple domains in Liferay using single sign out?

Updated 7 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
Hi Anjali,

Ok -- so there are several things that could be happening. The logout might not be calling SSO at all, or it might be but SSO is not working properly, so when you are returned to the site the cookie is still present and Liferay is auto logging you in. Both of these are common issues I have seen in the past.

Can you validate in the OpenSSO logs that when the user hits the logout button in Liferay that they are in fact "logged out" (i.e. their session is destroyed and the cleanup occurs) in OpenAM?

Updated 7 years ago by Anjali Mashalkar.

RE: OpenSSO Liferay Integration

New Member Posts: 19 Join Date: 15/08/28
Hi Andrew,
Thanks for the reply. Login is working with OpenSSO and Liferay, but clicking the logout button is not working. It shows a message like "The requested resource was not found."

Updated 7 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
Ok -- I figured that much out based on your previous messages. What I was trying to establish with you is whether NONE of the logout process was working, or if some of it was working. If "some of it" is working then I was trying to figure out how much of it was working. For example, if these are the steps --

1. User is logged in. (start)

2. User hits the "logout button" (which should take them to /c/portal/logout)

3. The OpenSSOFilter is run (by default this is set to true in the portal.properties so unless you've turned it off, it runs)

4. Redirects user to the open.sso.logout.url

5. OpenAM (or whatever your provider is) does its thing and then redirects based on the redirect parameter -- which based on your previous reply is http://localhost.anjali.com:8080/web/guest/

If your logout button is not pointing to /c/portal/logout, that could be the problem. If it is, and you can see the session being terminated in the OpenSSO log, then it seems like your redirect parameter is invalid. Try another url for your site -- a full length one perhaps. You could also validate that the redirect parameter specified is valid for non logged in users by opening a new browser (say incognito so that you know you are not logged in) and just going directly to http://localhost.anjali.com:8080/web/guest/ ... to make sure that it is a valid url and that a "guest" user has view permissions for the page.

Updated 7 years ago by Anjali Mashalkar.

RE: OpenSSO Liferay Integration

New Member Posts: 19 Join Date: 15/08/28
Thanks Andrew.
But I have one more question: I want to redirect to multiple domains (which are on different servers). How do I redirect to those multiple domains in the Liferay portal using single sign on?
Give me some ideas so that I can try.

Updated 7 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
Hmmm that is a little trickier to solve I think. What is the logic to determine which domain to take the user to? Is it based on something in Liferay? or outside of Liferay?

Updated 7 years ago by Anjali Mashalkar.

RE: OpenSSO Liferay Integration

New Member Posts: 19 Join Date: 15/08/28
> Hmmm that is a little trickier to solve I think. What is the logic to determine which domain to take the user to? Is it based on something in Liferay? or outside of Liferay?

Hi Andrew,
Yes, it's somewhat trickier to solve. When the user clicks the Sign In button in Liferay, the page redirects to OpenSSO, where I give my credentials (username Joebloggs, password "password"). When I submit, the page redirects to Liferay, and Liferay is successfully logged in as the user Joebloggs. Now I want to redirect to another domain, on a different server, like www.abc.com, in the Liferay portal using single sign on. This means the user signs in only once and www.abc.com should be logged in in the Liferay portal. This is my requirement.

Updated 7 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
Hi Anjali,

Ok -- so basically you want a user to enter credentials one time and be logged into multiple systems. I am guessing that abc.com hasn't been connected to the open sso, and Liferay makes it so easy to connect to OpenSSO that you are leveraging the toolkit that they provide. This is certainly one approach to solving this problem, but it's a bit of a hack (imho). Really what you should be doing here is something more along the lines of SSO using SAML where you can place multiple service providers (SPs), i.e. Liferay and abc.com, into the same grouping. OpenSSO becomes your Identity Provider (IdP) and can be configured such that when you log into one of the systems, you are granted access to all (that are in the same group). That would certainly be a much cleaner solution -- and still leverage the OpenSSO system and SSO model.

But! You don't have that! So in your case, if all users, post login, should be redirected to www.abc.com, then you could write a PostLogin Hook that can be used to redirect the user. If you need a different url per user based on some rule then you will have to do a little magic in that hook. One option would be to use a Custom Field for the User model object and then in the PostLogin Hook get the User, read the value from the custom field, and redirect accordingly.

Either way, based on what you described, I think the place you want to start is with a PostLogin hook.

Updated 7 years ago by Anjali Mashalkar.

RE: OpenSSO Liferay Integration

New Member Posts: 19 Join Date: 15/08/28
Thanks Andrew for the reply.
But as you said about the PostLogin hook, I think we can redirect only to URLs in Liferay, not to another server's URL. As I told you before, www.abc.com will be on a different server, not on the Liferay server, so how can we use a PostLogin hook for www.abc.com?

Updated 7 years ago by Christoph Rabel.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 1554 Join Date: 09/09/24
OpenSSO supports a goto parameter for the target url. So, you can do a redirect to login using the following url:
https://yourserver/opensso/UI/Login?goto=http://www.abc.com

It might be necessary for you to create your own login button per site. Of course, this only works if the person indeed clicks the login button and isn't automatically redirected to /c/portal/login which in turn redirects to the "static" url.

I had a similar problem a few years back and my solution was to always redirect to a custom "servlet".
https://yourserver/opensso/UI/Login?goto=http://myserver/redirector.jsp

And this servlet looked at the user and redirected it to the correct page. But my requirements were probably different than yours.

Updated 7 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
Hey Christoph,

The only problem with your suggestion is that you never come back to Liferay, so while the user is redirected to abc.com, they don't have an authenticated session in OpenSSO -- which I think is one of the requirements mentioned on the thread. You need to come back to Liferay to trigger the OpenSSOAutoLogin.

Updated 7 years ago by Christoph Rabel.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 1554 Join Date: 09/09/24
I am not sure what you mean. There is no need at all to trigger OpenSSOAutoLogin if the requirement is to have an OpenSSO session. OpenSSO redirects you to the url in the goto parameter after login. Or, to be more correct: It ensures that you are authenticated and then it redirects you. This has nothing to do with Liferay.

Maybe you are sent there from Liferay, maybe not. Doesn't matter. The only problem in a multi-host environment is to specify a fitting goto url. Liferay opensso config only allows you to enter a fixed url but in a deployment with virtual hosts you need to add the goto parameter dynamically. You don't want to always redirect to the same url after login.

If you return later to Liferay, OpenSSOAutoLogin is always triggered when you are not authenticated in Liferay and access a Liferay page. It basically calls https://OPENSSOSERVER/opensso/identity/attributes to determine who you are. The OpenSSO server then returns a list of configured user attributes, which are parsed.

This is handled quite badly in my opinion, but it should suffice for simple environments/requirements.

Updated 7 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
Hi Christoph,

I think you misunderstood what I wrote. I wasn't suggesting that it was a requirement for OpenSSO to auth through Liferay, I was reiterating only what Anjali had said the requirement was to auth the user through OpenSSO and Liferay before going to abc.com. I don't understand WHY exactly, but I have seen all manner of idiotic requirements in my career. There is certainly no argument on my side about the quality of the solution. Seems to me that if the goal is to have abc.com authenticated through OpenSSO, then the code to trigger this login should be done when you hit OpenSSO. Forcing the user through Liferay feels like nothing more than a dirty hack -- no doubt dreamt up by someone who doesn't understand how any of this stuff works.

Updated 7 years ago by Anjali Mashalkar.

RE: OpenSSO Liferay Integration

New Member Posts: 19 Join Date: 15/08/28
Hi Christoph,
Thanks for your reply, I will try it.

Updated 7 years ago by Andrew Jardine.

RE: OpenSSO Liferay Integration

Liferay Legend Posts: 2416 Join Date: 10/12/22
Hi Anjali,

There are a lot of examples in Liferay's source. In fact if you look at the OOTB portal.properties you'll find a property --

login.events.post

In the list of classes you will find one called com.liferay.portal.events.DefaultLandingPageAction. This is the action class that Liferay uses to redirect the user to a configured landing page. I don't think you have to use the same mechanism that class is using -- it's been a while to be honest so I can't totally recall, but I think you can simply do a response.sendRedirect to abc.com from there.
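
A host allowlist check for the redirect target, which both the PostLogin hook and the redirector servlet discussed in this thread would need before passing a value from a custom field or a goto parameter to response.sendRedirect. This is an added example, not code from the thread or from Liferay; the class name LandingRedirect, the allowlist contents and the /web/guest/ fallback are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class LandingRedirect {
    // Assumption: hosts a logged-in user may be sent to (www.abc.com is the thread's example).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("www.abc.com"));
    // Assumption: portal page used whenever the requested target is rejected.
    private static final String FALLBACK = "/web/guest/";

    /** Returns the requested URL only if it is http(s) on an allowed host, else FALLBACK. */
    public static String safeTarget(String requested) {
        if (requested == null) return FALLBACK;
        try {
            URI uri = new URI(requested.trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();
            // Relative, scheme-relative (//host) and opaque (javascript:) URIs stop here.
            if (scheme == null || host == null) return FALLBACK;
            boolean web = scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https");
            // user@host authorities are refused outright; they only serve to disguise the host.
            if (!web || uri.getRawUserInfo() != null) return FALLBACK;
            // Exact match, so www.abc.com.other.example does not pass as www.abc.com.
            if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return FALLBACK;
            return uri.toASCIIString();
        } catch (URISyntaxException e) {
            return FALLBACK; // backslashes, CR/LF, spaces and other malformed input
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, e.g. values read from a user custom field.
        String[] samples = {
            "http://www.abc.com/welcome", "http://www.abc.com@other.example/",
            "http://www.abc.com.other.example/", "//other.example/", "javascript:alert(1)"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeTarget(s));
        }
    }
}
```

Only the first sample is returned unchanged; the other four resolve to the fallback page.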