Tuesday, October 1, 2013

Configure OpenSSO for WSO2 Business Activity Monitor

This post walks through configuring OpenSSO (now OpenAM) as the SAML2 identity provider for the WSO2 Business Activity Monitor (BAM) management console.

First download WSO2 Business Activity Monitor and OpenAM. You can download WSO2 Business Activity Monitor from here and OpenAM from here. Make sure you download the OpenAM .war file. Also use a standalone Tomcat download rather than the package installed by sudo apt-get install tomcat7.

The first step is to deploy the OpenAM web application in Tomcat. It is easiest to rename the OpenAM .war file to openam.war before dropping it into Tomcat's webapps directory.

Then restart Tomcat and configure OpenAM by browsing to http://localhost:8080/openam

I tried it with the default configuration.

After OpenAM is configured, create the hosted identity provider by clicking the Hosted Identity Provider button in the Common Tasks tab.


You can use whatever name you want. Here I used openamIDP as the name, test as the signing key and sample as the circle of trust.


Next, register a remote service provider by uploading an SP.xml metadata file. A sample SP.xml follows.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/acs/fedletSloRedirect" ResponseLocation="https://localhost:9443/acs/fedletSloRedirect"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/acs/fedletSloPOST" ResponseLocation="https://localhost:9443/acs/fedletSloPOST"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:9443/acs/fedletSloSoap"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/acs"/>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:9443/acs"/>
    </SPSSODescriptor>
    <RoleDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="query:AttributeQueryDescriptorType">
    </RoleDescriptor>
    <XACMLAuthzDecisionQueryDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="false" />
</EntityDescriptor>

Put the remote service provider in the same circle of trust (sample) as the hosted IdP; the entityID in the metadata (carbonServer) is what the Carbon side must later use as its ServiceProviderID.

Some more configuration is needed on the hosted IdP and the remote service provider. Open the Federation tab and select the IdP you created. Under NameID Value Map, remove all existing entries, add the following entry and save:

"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=cn"


Next configure the remote service provider: click the entry you created, tick Authentication Requests Signed, Assertions Signed and Post Response Signed, and save. These boxes change the metadata OpenAM stored from the upload, which declared AuthnRequestsSigned and WantAssertionsSigned as false; leave them ticked, since Carbon verifies the signature on what OpenAM sends using the IdP certificate imported in the final step.


That completes the OpenAM side. Now configure WSO2 Business Activity Monitor: open <BAM_HOME>/repository/conf/security/authenticators.xml and change the SAML2SSOAuthenticator section as follows. ServiceProviderID must match the entityID in SP.xml, and IdPCertAlias must match the alias under which the OpenAM certificate is imported below.

<!-- Authenticator Configurations for SAML2SSOAuthenticator -->
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
  <Priority>10</Priority>
  <Config>
    <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
    <Parameter name="ServiceProviderID">carbonServer</Parameter>
    <Parameter name="IdentityProviderSSOServiceURL">http://localhost:8080/openam/SSOPOST/metaAlias/idp</Parameter>
    <Parameter name="IdPCertAlias">opensso</Parameter>
  </Config>
</Authenticator>
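The SP metadata uploaded to OpenAM, the authenticators.xml block above and the NameID value map all have to agree with each other, and the failures when they do not (wrong issuer, unverifiable signature, unknown NameID format) only show up at login time. The following script is an added example written for this post, not code from OpenAM or WSO2; it cross-checks the three pieces of configuration and flags the weak or inconsistent settings, and it can rewrite SP.xml so that its signing flags match the boxes ticked in the OpenAM console. The two embedded XML documents are constructed, trimmed copies of the snippets in this post (SP.xml reduced to its SPSSODescriptor, the authenticator block wrapped in a root element); the finding codes and the helper names are the script's own.

```python
"""Consistency lint for the OpenAM <-> WSO2 Carbon SAML2 SSO settings.

Cross-checks SP.xml (as uploaded to OpenAM) against the SAML2SSOAuthenticator
parameters in authenticators.xml and the NameID value map on the hosted IdP.
Example code for this walkthrough; not part of OpenAM or WSO2 BAM.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed input: the SP.xml from the post, reduced to the SPSSODescriptor.
SP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Constructed input: the authenticator block from the post, wrapped in a root element.
AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
      <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
      <Parameter name="ServiceProviderID">carbonServer</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">http://localhost:8080/openam/SSOPOST/metaAlias/idp</Parameter>
      <Parameter name="IdPCertAlias">opensso</Parameter>
    </Config>
  </Authenticator>
</Authenticators>
"""

# The NameID value map entered on the hosted IdP in the post.
NAMEID_MAP = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=cn"


def _local(tag):
    """Strip the {namespace} part from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def parse_sp_metadata(xml_text):
    """Pull out of SP.xml the fields the Carbon side has to agree with."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    default_acs = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs_binding": default_acs.get("Binding"),
        "acs_location": default_acs.get("Location"),
        "nameid_formats": [n.text.strip() for n in sp.findall(f"{{{MD}}}NameIDFormat")],
    }


def parse_authenticator(xml_text):
    """Read the SAML2SSOAuthenticator parameters, whatever namespace the file uses."""
    root = ET.fromstring(xml_text)
    auth = next(e for e in root.iter()
                if _local(e.tag) == "Authenticator" and e.get("name") == "SAML2SSOAuthenticator")
    cfg = {p.get("name"): (p.text or "").strip() for p in auth.iter() if _local(p.tag) == "Parameter"}
    cfg["disabled"] = auth.get("disabled") == "true"
    return cfg


def lint(sp, auth, nameid_map):
    """Return (severity, code, message) tuples; an empty list means the three agree."""
    out = []
    if auth["disabled"]:
        out.append(("error", "authenticator-disabled", "SAML2SSOAuthenticator is disabled"))
    if auth.get("ServiceProviderID") != sp["entity_id"]:
        out.append(("error", "entity-id-mismatch", f"ServiceProviderID {auth.get('ServiceProviderID')!r} "
                    f"must equal the metadata entityID {sp['entity_id']!r}"))
    if not auth.get("IdPCertAlias"):
        out.append(("error", "no-idp-cert-alias", "IdPCertAlias is empty; Carbon cannot verify the IdP signature"))
    if sp["acs_binding"] != HTTP_POST:
        out.append(("error", "acs-not-http-post", "default AssertionConsumerService must use the HTTP-POST binding"))
    for label, url in (("IdentityProviderSSOServiceURL", auth.get("IdentityProviderSSOServiceURL", "")),
                       ("AssertionConsumerService", sp["acs_location"])):
        if urlparse(url).scheme != "https":  # the user logs in at the IdP URL, so plain http is localhost-only
            out.append(("warn", "not-https", f"{label} {url!r} is not https"))
    if not sp["want_assertions_signed"]:
        out.append(("warn", "assertions-unsigned-in-metadata",
                    "WantAssertionsSigned=false in SP.xml; tick Assertions Signed on the remote SP in OpenAM"))
    if not sp["authn_requests_signed"]:
        out.append(("warn", "authnrequests-unsigned-in-metadata",
                    "AuthnRequestsSigned=false in SP.xml; match it to the Authentication Requests Signed box"))
    fmt, _, attr = nameid_map.partition("=")
    if fmt not in sp["nameid_formats"]:
        out.append(("error", "nameid-format-mismatch", f"NameID map format {fmt!r} is not in the SP's NameIDFormat list"))
    if not attr:
        out.append(("error", "nameid-map-no-attribute", "NameID map names no user attribute after '='"))
    return out


def harden_sp_metadata(xml_text):
    """Return SP.xml with both signing flags true, matching the boxes ticked in the OpenAM console."""
    ET.register_namespace("", MD)  # keep the default namespace instead of an ns0: prefix on output
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    sp.set("AuthnRequestsSigned", "true")
    sp.set("WantAssertionsSigned", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for severity, code, message in lint(parse_sp_metadata(SP_XML), parse_authenticator(AUTHENTICATORS_XML), NAMEID_MAP):
        print(f"{severity:5} {code}: {message}")
    print(harden_sp_metadata(SP_XML))
```

Run against the post's own snippets it reports no errors, one not-https warning for the IdP URL and the two signing-flag warnings; point it at the real files (read SP.xml and authenticators.xml instead of the embedded strings) before uploading the metadata, and upload the hardened output if you intend to tick the signing boxes anyway.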

OpenAM and WSO2 BAM are now configured. The final step is to import the OpenAM signing certificate into the BAM keystore, which is done with the Java keytool. Note that the IdentityProviderSSOServiceURL above is plain HTTP because this is a localhost test; anywhere else, use the HTTPS address of the OpenAM Tomcat, since that is the page the user types their password into.
  • The OpenAM keystore is at /home/openam/openam/keystore.jks (the OpenAM configuration directory; adjust the path for your installation).
  • Here we use the default keystore certificate shipped with OpenSSO, alias 'test', keystore password 'changeit'. Export its certificate with "keytool -export -keystore keystore.jks -alias test -file test.cer". Because the 'test' key pair is included in every OpenAM download, its private key is effectively public; it is fine for this local test, but for anything else generate your own signing key pair and choose that alias instead of test when creating the hosted IdP.
  • The certificate is written to 'test.cer'. You can view its contents with "keytool -printcert -file test.cer".
  • Now import 'test.cer' into the Carbon keystore <BAM_HOME>/repository/resources/security/wso2carbon.jks with "keytool -import -alias opensso -file test.cer -keystore wso2carbon.jks". The keystore password is wso2carbon. The alias (opensso) must be the same as the IdPCertAlias parameter in authenticators.xml, because that is the certificate Carbon uses to verify the SAML response signature.
  • You can view the imported certificate with "keytool -list -alias opensso -keystore wso2carbon.jks -storepass wso2carbon".
Now you are ready to test. Browse to the Carbon management console (https://localhost:9443). You are redirected to the IdP (the OpenSSO login page). Enter your username and password there; once you have authenticated, you are redirected back to the WSO2 Carbon console as a logged-in user.

Please note: the authenticated user also has to exist in the Carbon server's user store, because Carbon looks up the user's permissions (authorization) there. Since the test environment described above does not share a user store between the IdP (OpenSSO server) and the SP (Carbon server), I created a user called 'amAdmin' in the Carbon server user store. Otherwise there will be an authorization failure during login.
