Integrating OpenSSO/OpenAM with Liferay Portal on Tomcat

This article demonstrates how to integrate OpenSSO/OpenAM with Liferay Portal to achieve single sign-on (SSO).

Liferay Portal and OpenSSO both require a minimum 1.5 JVM, but I would recommend using Java 6 (as Java 1.5 reached its End of Service Life in October, 2009). Make sure that your JAVA_HOME environment variable is correctly set to point to your Java 6 installation.

For OpenSSO to work correctly with Liferay Portal, both servers need to be reachable under host names in the same DNS domain. OpenSSO issues its session cookie for a cookie domain (for example .example.com), and the browser only presents that cookie to Liferay if Liferay's host name falls inside that domain; plain localhost does not, so the two servers would never share the login. To solve this while running both servers on a single machine, edit the hosts file (/etc/hosts on Linux/MacOS, %SystemRoot%\system32\drivers\etc\hosts on Windows) and add/update your localhost entry:
127.0.0.1 localhost localhost.example.com
where example.com is your actual domain. Use the localhost.example.com name consistently in every URL that follows; mixing it with plain localhost is a frequent cause of a login that never completes.
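The same-domain requirement can be shown offline with Python's standard-library cookie jar, which applies the same domain-matching rules a browser does. This is an added example, not code from the article, OpenAM or Liferay. It assumes OpenAM's cookie domain is .example.com (the configurator derives it from the server host name; check it under Configuration > System > Platform in the console), uses OpenAM's default cookie name iPlanetDirectoryPro, and the Set-Cookie header and token value are constructed placeholders.

```python
import email
import http.cookiejar
import urllib.request

# Assumed cookie domain: the OpenAM configurator derives it from the server
# host name (localhost.example.com -> .example.com); confirm it in the console.
OPENAM_LOGIN_URL = "http://localhost.example.com:9080/opensso/UI/Login"
SSO_COOKIE_NAME = "iPlanetDirectoryPro"      # OpenAM's default session cookie
# Constructed header in the shape OpenAM sends after a successful login;
# the token value is a placeholder, not a real session id.
SET_COOKIE_HEADER = ("Set-Cookie: %s=AQIC5wM2LY4SfcxEXAMPLETOKEN; "
                     "Domain=.example.com; Path=/" % SSO_COOKIE_NAME)


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""
    def __init__(self, *header_lines):
        self._headers = email.message_from_string("\n".join(header_lines))

    def info(self):
        return self._headers


def browser_after_openam_login(set_cookie=SET_COOKIE_HEADER):
    """A cookie jar holding what the browser stored from OpenAM's login response."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie), urllib.request.Request(OPENAM_LOGIN_URL))
    return jar


def cookie_header_for(jar, url):
    """The Cookie header the browser would attach to a request for url,
    or None when no stored cookie's domain and path match it."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def liferay_receives_sso_cookie(liferay_url):
    """True if Liferay, reached at liferay_url, gets the OpenAM session cookie
    and can therefore validate it instead of redirecting to OpenAM again."""
    header = cookie_header_for(browser_after_openam_login(), liferay_url)
    return header is not None and header.startswith(SSO_COOKIE_NAME + "=")


if __name__ == "__main__":
    for url in ("http://localhost.example.com:8080/c/portal/login",   # same domain
                "http://localhost:8080/c/portal/login"):              # not in .example.com
        print("%-50s sso cookie sent: %s" % (url, liferay_receives_sso_cookie(url)))
```

The first URL is in the cookie domain and receives the cookie; the second (and 127.0.0.1) does not, which is exactly the situation the hosts entry above avoids. The port difference between 9080 and 8080 is irrelevant to the browser, since cookie scope ignores the port.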

Install Liferay Portal
Liferay Portal is an open source portal. Liferay comes in two editions, Enterprise Edition (EE) and Community Edition (CE).
For a full discussion on the differences, see this. Downloads are available here. For this article, I used Liferay Portal 5.2.3 CE bundled with Tomcat 6.0 (6.0.18).

Installation consisted of:

  1. Unzip liferay-portal-tomcat-6.0-5.2.3.zip to a directory. This will create a liferay-portal-5.2.3 folder.
    • On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh
  2. In liferay-portal-5.2.3/tomcat-6.0.18/bin/, executing startup.sh (or startup.bat) will start Tomcat, and deploy Liferay Portal.
  3. Open a browser to http://localhost.example.com:8080, and you will see the Liferay login page. You can log in with test@liferay.com / test, the default administrator account shipped with the bundle (change or remove it before the portal is reachable by anyone else).

Install OpenSSO/OpenAM
OpenSSO is an open source access management and federation server platform. Announced by Sun Microsystems in July 2005, OpenSSO was based on Sun Java System Access Manager, and was the core of Sun’s commercial access management and federation product, OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager). Oracle completed their acquisition of Sun Microsystems in February 2010 and announced that OpenSSO would no longer be their strategic product. OpenSSO will continue to be developed and supported by ForgeRock under the name of OpenAM (see this).

I downloaded the latest OpenAM build (OpenAM Snapshot 9.5.1 RC1) from here. For consistency, I will refer to OpenSSO as OpenAM for the remainder of this article.

As OpenAM also requires a servlet container, I downloaded the latest Tomcat (6.0.29) from here.
Installation of the Tomcat server consisted of:

  1. Unzip the apache-tomcat-6.0.29 zip file. This will create an apache-tomcat-6.0.29 folder.
  2. As both Liferay Portal and OpenAM will be running on the same machine, I needed to change the ports that the OpenAM Tomcat server uses.
    • Edit apache-tomcat-6.0.29/conf/server.xml. I changed all of the ports from 8xxx to 9xxx: 8080 to 9080, 8443 to 9443, and likewise the shutdown port (8005 to 9005) and the AJP connector (8009 to 9009), which would otherwise collide with the Liferay bundle.
    • On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh
  3. Edit catalina.sh (or catalina.bat) and add the following line near the start of the file, after the comment block listing the various Environment Variable Prerequisites:
    Linux/MacOS: JAVA_OPTS="$JAVA_OPTS -Xmx1024m -XX:MaxPermSize=256m"
    Windows: set JAVA_OPTS=%JAVA_OPTS% -Xmx1024m -XX:MaxPermSize=256m
    On Windows do not quote the value: set keeps the quotes as part of the variable and the options are then not applied correctly. Tomcat 6 also reads these settings from bin/setenv.sh (setenv.bat) if that file exists, which avoids editing catalina.sh itself.

Installation of OpenAM consisted of:

  1. Unzip openam_snapshot_951RC1.zip to a directory. This will create an opensso folder.
  2. Copy the opensso.war from opensso/deployable-war/ to apache-tomcat-6.0.29/webapps/.
  3. In apache-tomcat-6.0.29/bin/, execute startup.sh (or startup.bat) to start Tomcat and deploy OpenAM.
    • After Tomcat has deployed OpenAM, you will see the exploded war file as apache-tomcat-6.0.29/webapps/opensso.
  4. Open a browser to http://localhost.example.com:9080/opensso, which should redirect you to http://localhost.example.com:9080/opensso/config/options.htm to complete the OpenAM configuration.
  5. You should see the OpenAM configuration options page. Under Custom Configuration click Create New Configuration. Enter the following:
    • Default User Password — password. This becomes the password of the amAdmin super-user (the configurator insists on at least 8 characters). A value like this is acceptable only for a throw-away lab on one machine; anything reachable from other hosts needs a strong, unique one.
    • Server Settings — default entries are ok
    • Configuration Data Store Settings — select First Instance, select OpenAM as Configuration Data Store, leave other entries
    • User Data Store Settings — select OpenAM User Data Store
    • Site Configuration — select No
    • Default Policy Agent User — policy01 (the password for the built-in agent account; the configurator requires it to differ from the amAdmin password)
    • Configurator Summary Details — click Create Configuration. This will create the configuration for your OpenAM server under ~/opensso (or C:\Documents and Settings\{username}\opensso on Windows).
  6. When this completes, in the Configuration Complete dialog, click Proceed to Login, which should now redirect you to http://localhost.example.com:9080/opensso/UI/Login.
    Type amAdmin as the username and password as the password, and click Log In. You should now see the OpenAM Console.

    • For detailed information about the OpenAM Console, see this and this. A detailed discussion of all of the functionality of OpenAM is beyond the scope of this article.
  7. You can now delete the opensso.war file from apache-tomcat-6.0.29/webapps/ directory.

Additional OpenAM Configuration
To get OpenAM to work correctly with Liferay, you need to set Encode Cookie Value to Yes. OpenAM's session token can contain characters that are not safe in a cookie value or a URL; if the token reaches OpenAM altered, validation fails, Liferay sends the browser back to the OpenAM login page, and the two redirect each other indefinitely. Encoding the cookie value prevents this loop.

  1. In the OpenAM Console, select the Configuration tab.
  2. Select the Servers and Sites tab.
  3. Click Default Server Settings.
  4. Select the Security tab.
  5. In the Cookie section, select the Yes checkbox beside Encode Cookie Value.
  6. Click Save.

Other people have reported having to set the com.iplanet.am.cookie.c66Encode property to true as well, to resolve the infinite redirection problem:

  1. In the OpenAM Console, select the Configuration tab.
  2. Select the Servers and Sites tab.
  3. Click Default Server Settings.
  4. Select the Advanced tab.
  5. Find the com.iplanet.am.cookie.c66Encode property, and set the value to true.
  6. Click Save.

Before updating Liferay to use OpenAM, I recommend adding the default Liferay user, test@liferay.com, to OpenAM. Liferay's OpenSSO auto-login looks up its own account by e-mail address (the mail attribute named in open.sso.email.address.attr below), so an OpenAM user carrying test@liferay.com lands on the existing administrator account; any other address results in a fresh, unprivileged Liferay user being created at first login.

  1. In the OpenAM Console, select the Access Control tab.
  2. Click the / (Top Level Realm) realm.
  3. Select the Subjects tab.
  4. Click New…
  5. Setup the default Liferay user:
    • ID — joebloggs
    • First Name — Joe
    • Last Name — Bloggs
    • Full Name — Joe Bloggs
    • Password — password
    • Click OK to create the user.
  6. Click Joe Bloggs to add the email address. Enter test@liferay.com for the Email Address, and click Save.

Integrate Liferay Portal with OpenAM
Now you are ready to update Liferay Portal to integrate with OpenAM for authentication.

  1. If Liferay is running, shut it down (bin/shutdown.sh or shutdown.bat).
  2. Create a new file, called portal-ext.properties, in your Liferay directory, under liferay-portal-5.2.3/tomcat-6.0.18/webapps/ROOT/WEB-INF/classes/.
  3. Edit this file, and add the following properties, each on a single line:
    open.sso.auth.enabled=true
    open.sso.login.url=http://localhost.example.com:9080/opensso/UI/Login?goto=http://localhost.example.com:8080/c/portal/login
    open.sso.logout.url=http://localhost.example.com:9080/opensso/UI/Logout?goto=http://localhost.example.com:8080/web/guest/home
    open.sso.service.url=http://localhost.example.com:9080/opensso
    open.sso.screen.name.attr=uid
    open.sso.email.address.attr=mail
    open.sso.first.name.attr=givenname
    open.sso.last.name.attr=sn
    The four *.attr properties name the attributes of the OpenAM user data store (standard LDAP inetOrgPerson names) that Liferay copies into the user's screen name, e-mail address, first name and last name. The goto parameter is where OpenAM sends the browser after login or logout, so it must use the same localhost.example.com host name as everything else.
  4. Start Liferay (bin/startup.sh or startup.bat).
  5. Once Liferay has started, open a browser to http://localhost.example.com:8080, and you should be redirected to the OpenAM login page (http://localhost.example.com:9080/opensso/UI/Login). Enter joebloggs for the User Name and password for the Password. Click Log In.

You will be authenticated against OpenAM, and redirected to Liferay.

Now that Liferay is using OpenAM for authentication, if you create a new user in OpenAM, that user will also be created in Liferay on the first login. That newly created user in Liferay will only have the basic information filled in (First Name, Last Name, Screen Name, Email Address) and will have the default Roles, Groups, and Organizations assigned.
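What Liferay does with the open.sso.* properties above, and how the first-login provisioning just described gets its four fields, can be modelled in a few functions. Liferay forwards the browser's cookies to OpenAM's REST interface at open.sso.service.url + /identity/isTokenValid, which answers boolean=true or boolean=false, and for a valid token reads the profile from /identity/attributes, a list of name/value lines, before mapping the attributes named by the *.attr properties onto the Liferay user. The code below is an added example and is not Liferay's or OpenAM's own code: the HTTP calls are left out so it runs offline, the two responses are constructed samples in those formats with a placeholder token, and the cookie-name check and the fail-closed rule on missing attributes are this model's simplifications.

```python
from typing import Dict, List, Optional, Union

# The open.sso.* properties exactly as set in portal-ext.properties above.
PORTAL_EXT = {
    "open.sso.auth.enabled": "true",
    "open.sso.service.url": "http://localhost.example.com:9080/opensso",
    "open.sso.screen.name.attr": "uid",
    "open.sso.email.address.attr": "mail",
    "open.sso.first.name.attr": "givenname",
    "open.sso.last.name.attr": "sn",
}
SSO_COOKIE_NAME = "iPlanetDirectoryPro"  # OpenAM's default session cookie name

# Constructed sample responses in the formats the two REST calls return
# (placeholder token, not a real session id).
IS_TOKEN_VALID_OK = "boolean=true\n"
IS_TOKEN_VALID_BAD = "boolean=false\n"
ATTRIBUTES_RESPONSE = """userdetails.token.id=AQIC5wM2LY4SfcxEXAMPLETOKEN
userdetails.role=id=Top-level Admin Role,ou=role,dc=opensso,dc=java,dc=net
userdetails.attribute.name=uid
userdetails.attribute.value=joebloggs
userdetails.attribute.name=mail
userdetails.attribute.value=test@liferay.com
userdetails.attribute.name=sn
userdetails.attribute.value=Bloggs
userdetails.attribute.name=givenname
userdetails.attribute.value=Joe
"""

Attrs = Dict[str, Union[str, List[str]]]


def token_is_valid(is_token_valid_body: str) -> bool:
    """Parse the identity/isTokenValid reply; anything but boolean=true fails."""
    for line in is_token_valid_body.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "boolean":
            return value.strip().lower() == "true"
    return False  # fail closed on an empty or unexpected body


def parse_attributes(body: str) -> Attrs:
    """Turn identity/attributes name/value lines into a dict; an attribute
    listed more than once (e.g. several mail values) becomes a list."""
    collected: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "userdetails.attribute.name":
            current = value
        elif key == "userdetails.attribute.value" and current is not None:
            collected.setdefault(current, []).append(value)
    return {k: (v[0] if len(v) == 1 else v) for k, v in collected.items()}


def map_liferay_user(attrs: Attrs, props: Dict[str, str] = PORTAL_EXT) -> Dict[str, str]:
    """Apply the open.sso.*.attr mapping: these four fields are all that is
    filled on first login; roles, groups and organisations stay at defaults."""
    def first(prop: str) -> str:
        value = attrs.get(props[prop], "")
        return value[0] if isinstance(value, list) else value

    user = {
        "screenName": first("open.sso.screen.name.attr"),
        "emailAddress": first("open.sso.email.address.attr"),
        "firstName": first("open.sso.first.name.attr"),
        "lastName": first("open.sso.last.name.attr"),
    }
    missing = [field for field, value in user.items() if not value]
    if missing:  # this model fails closed; an OpenAM user with no mail ends here
        raise ValueError("OpenAM profile lacks attributes for: " + ", ".join(missing))
    return user


def auto_login(cookies: Dict[str, str], is_token_valid_body: str,
               attributes_body: str) -> Optional[Dict[str, str]]:
    """No SSO cookie or an invalid token means 'not logged in' (Liferay then
    redirects to open.sso.login.url); otherwise the user Liferay looks up or creates."""
    if PORTAL_EXT.get("open.sso.auth.enabled") != "true":
        return None
    if SSO_COOKIE_NAME not in cookies:  # simplification: Liferay forwards all cookies
        return None
    if not token_is_valid(is_token_valid_body):
        return None
    return map_liferay_user(parse_attributes(attributes_body))


if __name__ == "__main__":
    browser = {SSO_COOKIE_NAME: "AQIC5wM2LY4SfcxEXAMPLETOKEN"}
    print(auto_login(browser, IS_TOKEN_VALID_OK, ATTRIBUTES_RESPONSE))
    print(auto_login(browser, IS_TOKEN_VALID_BAD, ATTRIBUTES_RESPONSE))
```

Two points the model makes visible: the token check is the only thing standing between an arbitrary cookie value and a portal session, so it must treat anything other than an explicit boolean=true as a failure; and an OpenAM user without the mail attribute (the reason step 6 above adds it) cannot be matched to, or created as, a Liferay account at all.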

This article demonstrated a basic integration of OpenAM and Liferay Portal. Now you are ready to explore more advanced topics, including configuring OpenAM to use an existing LDAP or other user data store, creating a custom data store plugin (e.g. JDBC) for OpenAM, setting up a separate realm for Liferay users, and taking advantage of OpenAM for inbound and outbound SSO in conjunction with Liferay Portal. Enjoy!

Comments on “Integrating OpenSSO/OpenAM with Liferay Portal on Tomcat”

  1. anoop says:

    I have also referred to other articles which discuss the integration with OpenAM; I see that all the details mentioned above are intact apart from the fact that you have not mentioned any Liferay authentication filter to be used to bypass Liferay authentication. Can you please let me know what the role of this filter is, when it is needed and when not.

  2. Steve Banks says:

    The SSO Open SSO Filter is used to protect Liferay resources, based on the URL pattern, and redirect to OpenSSO if the user is not logged in. So, for example, if you don’t want to force a login for guest pages, you would comment out the filter-mapping element for filter-name SSO Open SSO Filter and url-pattern /web/*.

  3. anoop says:

    Thanks Steve. Overall, nice documentation to start off the integration.

  4. Anthony says:

    Great article Steve. Can you put up an article on integrating it with OC4J, using a DB for authentication? I am new to OpenSSO, and your example implementations are pretty much the best I have come across.

  5. Steve Banks says:

    I’m not familiar with OC4J at all. But I do have plans to post another article detailing how to create your own custom JDBC plugin, to read users from an existing database schema.

  6. Shiny says:

    I followed the same steps mentioned above. The only difference is that I had already configured the datasource to our user table and then followed your steps. When I hit the Liferay URL, I am redirected to the OpenSSO login page, but when I give the username/password it is not taking me to the Liferay page. I can see nothing in the console. But I can see debug.out growing infinitely.
    In the configuration log, I can see this: isAllowed() returns false for user:token.getPrincipal().getName()

    Please let me know how to resolve this issue.

  7. Shiny says:

    I deleted the customized datasource and then followed your steps. But I had to give bruno@7cogs.com because my Liferay won’t detect test@liferay.com.
    The changes I made to your steps are:
    • ID — bruno
    • First Name — Bruno
    • Last Name — Admin
    • Full Name — Bruno Admin
    • Password — password

    Updated email as bruno@7cogs.com

    When I hit the Liferay URL, it redirects to the OpenSSO login page, but after entering
    username – bruno
    password – password
    the progress bar keeps running, and debug.out grows infinitely where it throws an exception as below:
    amAuthUtils:08/25/2010 06:04:57:867 PM GMT+05:30: Thread[http-9090-4,5,main]
    query org is .. : wm10sflmfr-011.corp.mphasis.com
    amLoginViewBean:08/25/2010 06:04:57:867 PM GMT+05:30: Thread[http-9090-4,5,main]
    Session is Valid / already authenticated
    amAuthUtils:08/25/2010 06:04:57:867 PM GMT+05:30: Thread[http-9090-4,5,main]
    forwardSuccessExists : false
    amSession:08/25/2010 06:04:57:867 PM GMT+05:30: Thread[http-9090-1,5,main]
    SessionID(HttpServletRequest) : is forward = null
    amSSOProvider:08/25/2010 06:04:57:867 PM GMT+05:30: Thread[http-9090-1,5,main]
    could not create SSOToken from HttpRequest
    com.iplanet.dpro.session.SessionException: Service URL not found:session
    at com.iplanet.dpro.session.Session.getSessionServiceURL(Unknown Source)

    But will not redirect to liferay.. 🙁

  8. Karthick says:

    Hi Steve,

    Nice documentation. I am facing an issue when I create the user. I am unable to create the user in the OpenAM console.

    Getting an error like “Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered an ldap exception. LDAP Error 53: The LDAP server is unable to perform the specified operation”.

    Note: I am using Active Directory as the user profile store.

    Please suggest how to resolve this issue.

    Thanks & Regards,
    Karthick

  9. Vinita says:

    On the intranet I want to integrate Liferay/OpenSSO with OpenDS.

    Since I want to expose the portal on the internet, I will keep the web server SSL-enabled on the internet-facing server.
    Can you please suggest the steps for this, and also whether this is the desired approach?

  10. Divyang Patel says:

    Nice Documentation. It really helps me.
