Message Boards

Integration Liferay 6.2 with OpenAM 13.0.0

paria tavana, modified 8 years ago.

Integration Liferay 6.2 with OpenAM 13.0.0

New Member Posts: 2 Join Date: 16-4-7 Recent Posts
Hello
I configured Liferay 6.2 and OpenAM 13 with the installation guide for OpenAM 12, but it does not work correctly.
When I log in to OpenAM 13, instead of redirecting me to the Liferay page after login, it redirects to the OpenAM details page.
Please help me with the configuration between Liferay 6.2 and OpenAM 13.0.
Thanks
Christoph Rabel, modified 8 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

Liferay Legend Posts: 1554 Join Date: 09-9-24 Recent Posts
Didn't work with OpenAM for some time, but OpenAM uses the goto parameter to redirect a user to some page after successful login.

Please try with your user if this still works. Simply go to the login page of opensso and append ?goto=https://www.liferay.com
After a successful login to OpenAM you should be redirected to the Liferay Homepage. If this doesn't work -> You need to look on OpenAM side.

https://YOURSERVER/opensso/UI/Login?goto=https://www.liferay.com

If this works as intended, please check your configuration for the goto parameter.
paria tavana, modified 8 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

New Member Posts: 2 Join Date: 16-4-7 Recent Posts
Thanks So Much for your reply
Jaume Nebot, modified 7 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

New Member Posts: 3 Join Date: 16-5-21 Recent Posts
Hello Paria,

I configured Liferay 6.2 with OpenAM 10 successfully. But now, I'm trying to do the same with OpenAM 13 and I can't, even with the same configuration...

I do the following steps:

1. Enter to Liferay http://localhost:8080
2. Link to login
3. Login screen from OpenAM appears
4. Login in with user test/password
5. Liferay class OpenSSOUtil.java in method _isAuthenticated() recovers the cookie iPlanetDirectoryPro and executes:

http://localhost:9080/openam/identity/isTokenValid

6. An error 501 appears: java.io.IOException: Server returned HTTP response code: 501 for URL: http://localhost:9080/openam/identity/isTokenValid
Not Implemented

And then, the browser enters into a redirect loop.

Did you find the same error?

I really appreciate your help.

Best regards.
Christoph Rabel, modified 7 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

Liferay Legend Posts: 1554 Join Date: 09-9-24 Recent Posts
No, I never used OpenAM 13.

Well, it seems the functionality was removed. I guess you need to ask on the OpenAM mailing list if there is a replacement. You could:

- Change the code on Liferay side to use a new interface
- Extend OpenAM with a servlet mapped to the old path that prints data in the needed format
- Use an agent to protect your Liferay and use RequestHeaderAutoLogin.
paria tavana, modified 7 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

New Member Posts: 1 Join Date: 13-12-22 Recent Posts
Hello Jaume
This is my portal-ext.properties setting:

com.sun.identity.agents.config.response.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.response.attribute.mapping[mail] = HTTP_MAIL

siteminder.auth.enabled=true
siteminder.import.from.ldap=true
siteminder.user.header=HTTP_MAIL

open.sso.auth.enabled=true

open.sso.login.url = http://localhost:8080/OpenAM-13.0.0_3/UI/login?goto=http://localhost:8080/c/portal/login
open.sso.logout.url=http://localhost:8080/OpenAM-13.0.0_3/UI/loggedOut?goto=http://localhost:8080/web/guest/home
open.sso.service.url=http://localhost:8080/OpenAM-13.0.0_3
open.sso.screen.name.attr=uid
open.sso.email.address.attr=mail
open.sso.first.name.attr=givenname
open.sso.last.name.attr=sn
open.sso.logout.on.session.expiration=false
auto.login.hooks=com.liferay.portal.security.auth.SiteMinderAutoLogin,com.liferay.portal.security.auth.OpenSSOAutoLogin

users.reminder.queries.enabled=false
users.reminder.queries.custom.question.enabled=false

#email Address
users.email.address.required=false
users.email.address.auto.suffix=@no-emailaddress.com
users.email.address.generator=com.liferay.portal.security.auth.DefaultEmailAddressGenerator

#screename
users.screen.name.allow.numeric=true
users.screen.name.validator=com.liferay.portal.security.auth.LiberalScreenNameValidator

And when OpenAM logs in to Liferay, the loop happens.
Vishnudas Lokhande, modified 7 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

Regular Member Posts: 152 Join Date: 13-5-27 Recent Posts
Have you tried using domain URLs instead of localhost? OpenAM works with domain name cookies.

ex openam.example.com
liferay.example.com
Nick James, modified 7 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

New Member Posts: 1 Join Date: 08-6-13 Recent Posts
Hi,
It turns out that OpenAM have deprecated the REST api used by the opensso plugin.
The OpenAM version 12.0 documents detail a new API to validate the token https://backstage.forgerock.com/#!/docs/openam/12.0.0/dev-guide#rest-api-token-validation
It seems like the "legacy" API was then disabled in OpenAM 13.0
The new API is:

curl \
--request POST \
--header "Content-Type: application/json" \
http://openam.example.com:8080/openam/json/sessions/AQIC5...?_action=validate
which yields either
{"valid":true,"uid":"demo","realm":"/myRealm"}
or
{"valid":false}

Without code changes to the opensso plugin, the latest compatible version of OpenAM will be 12.0 (probably 12.x if you have a subscription from ForgeRock)

Nick
Jaume Nebot, modified 7 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

New Member Posts: 3 Join Date: 16-5-21 Recent Posts
Hi Nick James,

Effectively, there is a new API.

We solved this integration creating a hook with a custom SSO Filter and SSO Autologin, using the new call.

Thank you!
Jason Lehmer, modified 7 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

New Member Posts: 3 Join Date: 11-8-2 Recent Posts
Hi Jaume,

We're actually trying to solve this same problem (on 6.1) but have run into issues trying to add it as a hook. Do you have to disable the Liferay OpenSSO filter explicitly? Also, did you specify a "before-filter" or "after-filter" as part of your liferay-hook.xml?

Thanks!
Jaume Nebot, modified 7 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

New Member Posts: 3 Join Date: 16-5-21 Recent Posts
Hi Jason,

Do you have to disable the Liferay OpenSSO filter explicitly?
-> Yes. And you need to create your CustomSSOFilter.
com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=false

And then, add to your hook an OpenSSOToolsImpl.java, modifying it to use the new call to OpenAM instead of the deprecated call:

private static final String _VALIDATE_TOKEN = "/json/sessions/";
...
String url = serviceUrl.concat(_VALIDATE_TOKEN).concat(URLEncoder.encode(CookieKeys.getCookie(request, _COOKE_NAME), "UTF-8")).concat("?_action=validate");

...

if (responseCode == HttpURLConnection.HTTP_OK) {
	String data = StringUtil.read(httpURLConnection.getInputStream());

	if (StringUtil.toLowerCase(data).contains("\"valid\":true")) {
		authenticated = true;
	}
}

did you specify a "before-filter" or "after-filter" as part of your liferay-hook.xml? -> No.

liferay-hook.xml:

<servlet-filter>
	<servlet-filter-name>CustomSSOFilter</servlet-filter-name>
	<servlet-filter-impl>xxx.yyyy.filters.sso.opensso.CustomSSOFilter</servlet-filter-impl>
</servlet-filter>
<servlet-filter-mapping>
	<servlet-filter-name>CustomSSOFilter</servlet-filter-name>
	<url-pattern>/c/portal/login</url-pattern>
	<dispatcher>FORWARD</dispatcher>
	<dispatcher>REQUEST</dispatcher>
</servlet-filter-mapping>
<servlet-filter-mapping>
	<servlet-filter-name>CustomSSOFilter</servlet-filter-name>
	<url-pattern>/c/portal/logout</url-pattern>
	<dispatcher>FORWARD</dispatcher>
	<dispatcher>REQUEST</dispatcher>
</servlet-filter-mapping>
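
An added example (not Jaume's hook code, and not part of Liferay or OpenAM) of the validate call described in this thread, sent as a POST as in Nick's curl command and with the response parsed as JSON rather than matched as a substring. It assumes it runs inside a Liferay 6.2 hook where the portal kernel classes are available; the class and method names are hypothetical.

```java
import com.liferay.portal.kernel.json.JSONException;
import com.liferay.portal.kernel.json.JSONFactoryUtil;
import com.liferay.portal.kernel.util.StringUtil;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

// Hypothetical helper class for a hook; not part of Liferay or OpenAM.
public class OpenAMTokenValidator {

	// serviceUrl: the open.sso.service.url value; tokenId: the SSO cookie value.
	public static boolean isTokenValid(String serviceUrl, String tokenId)
		throws IOException {

		if ((tokenId == null) || tokenId.isEmpty()) {
			return false;
		}
		URL url = new URL(
			serviceUrl + "/json/sessions/" +
				URLEncoder.encode(tokenId, "UTF-8") + "?_action=validate");
		HttpURLConnection connection = (HttpURLConnection)url.openConnection();

		try {
			// Same request as the curl command: POST, JSON content type, no body.
			connection.setRequestMethod("POST");
			connection.setRequestProperty("Content-Type", "application/json");
			connection.setConnectTimeout(5000);
			connection.setReadTimeout(5000);
			connection.setDoOutput(true);
			connection.getOutputStream().close();
			// Anything other than 200 (400, 501, ...) is treated as not logged in.
			if (connection.getResponseCode() != HttpURLConnection.HTTP_OK) {
				return false;
			}
			return parseValid(StringUtil.read(connection.getInputStream()));
		}
		finally {
			connection.disconnect();
		}
	}

	// Parses the body as JSON; absent "valid" or malformed JSON yields false.
	static boolean parseValid(String body) {
		try {
			return JSONFactoryUtil.createJSONObject(body).getBoolean("valid");
		}
		catch (JSONException je) {
			return false;
		}
	}
}
```

Because the session token is part of the request URL, it will appear in the OpenAM server's access logs; the service URL should use HTTPS outside a local test setup.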
Tina Agrawal, modified 6 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

Expert Posts: 297 Join Date: 08-1-3 Recent Posts
Hey,

I am facing the exact same issue. I tried your solution but even still OpenAM is returning 400 error.
The URL is -

https://xxx.yyy.zzz.com/openam/json/sessions/AQIC5wM2LY4SfcyYDgkMf5t0GbYLKz_gGznB45VJxIqtkzQ.*AAJTSQACMDEAAlNLABMzOTgwMTMyMDA3MjkyNzYxOTk3AAJTMQAA*?_action=validate

and the response is -

{"code":400,"reason":"Bad Request","message":"Unrecognized request parameter '_action'"}

As a result the user is not logged into Liferay.

Tina
Christoph Rabel, modified 6 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

Liferay Legend Posts: 1554 Join Date: 09-9-24 Recent Posts
You probably have to ask this question on the forgerock forums.
What happens if you remove the parameter and just call "https://xxx.yyy.zzz.com/openam/json/sessions/AQIC5..."?
Or when you try other calls?
https://backstage.forgerock.com/docs/openam/13/dev-guide/#rest-api-tokens
Denis Signoretto, modified 6 years ago.

RE: Integration Liferay 6.2 with OpenAM 13.0.0

Expert Posts: 375 Join Date: 09-4-21 Recent Posts
Actually Liferay is working on OpenAM 13 support. If you're interested you can follow and vote for the issue: https://issues.liferay.com/browse/LPS-68220