As an integration and aggregation platform, the portal provides some form of SSO by itself. When you log into the portal you gain access to many systems through portlets using a single identity. Still, in many cases you need to integrate the portal infrastructure with other SSO-enabled systems. There are many different Identity Management solutions on the market. In most cases each SSO framework provides its own way to plug into a Java EE application.
This Single Sign On plugin enables seamless integration between GateIn Portal and the CAS Single Sign On Framework. Details about CAS can be found here
Check out the GateIn SSO component from SVN using the following command:
svn co http://anonsvn.jboss.org/repos/gatein/components/sso/tags/<appropriate sso component version>
Update packaging/profiles.xml to reflect the directories where your local JBoss AS 5.1.0.GA and Tomcat 6.0.2 are installed.
The CAS Server Plugin makes secure authentication callbacks to a RESTful service installed on the remote GateIn server in order to authenticate a user. In order for the plugin to function correctly, it needs to be properly configured to connect to this service. This configuration is done via the cas.war/WEB-INF/deployerConfigContext.xml file.
<!--
  Note: Modify the Plugin Configuration based on the actual information of a GateIn instance.
  The instance can be anywhere on the internet...Not on localhost where CAS is running
-->
<bean class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
  <property name="gateInHost"><value>localhost</value></property>
  <property name="gateInPort"><value>8080</value></property>
  <property name="gateInContext"><value>portal</value></property>
</bean>
In a Single Sign On use case, the GateIn server redirects all "private" resource requests to the CAS server for authentication first. The CAS server can be located anywhere on the Internet, and this information must be properly configured within the GateIn instance. This configuration needs to be done in 3 files:
<script>
  <%=uicomponent.event("Close");%>
  window.location = 'http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic';
</script>

<html>
  <head>
    <script type="text/javascript">
      window.location = 'http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic';
    </script>
  </head>
  <body>
  </body>
</html>

<servlet>
  <servlet-name>InitiateLoginServlet</servlet-name>
  <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
  <init-param>
    <param-name>casServerUrl</param-name>
    <param-value>http://localhost:8888/cas</param-value>
  </init-param>
</servlet>
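The CAS and GateIn addresses above are repeated in several places (the plugin bean, the login redirects and the agent servlet), so a mismatch after moving off localhost is easy to miss. The following check is an added example, not part of the GateIn SSO component: the function name `check_sso_config` is hypothetical, the inputs are the fragments shown on this page passed in as strings (constructed sample data), and the plain-http check is an extra assumption of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed inputs: the page's fragments with their default localhost values.
PLUGIN_BEAN = """<bean class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
  <property name="gateInHost"><value>localhost</value></property>
  <property name="gateInPort"><value>8080</value></property>
  <property name="gateInContext"><value>portal</value></property>
</bean>"""
AGENT_SERVLET = """<servlet>
  <servlet-name>InitiateLoginServlet</servlet-name>
  <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
  <init-param>
    <param-name>casServerUrl</param-name>
    <param-value>http://localhost:8888/cas</param-value>
  </init-param>
</servlet>"""
REDIRECT = ("http://localhost:8888/cas/login"
            "?service=http://localhost:8080/portal/private/classic")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def check_sso_config(bean_xml, servlet_xml, redirect_url):
    """Hypothetical helper: return findings; an empty list means the values agree."""
    findings = []
    props = {p.get("name"): p.findtext("value").strip()
             for p in ET.fromstring(bean_xml).iter("property")}
    params = {i.findtext("param-name"): i.findtext("param-value").strip()
              for i in ET.fromstring(servlet_xml).iter("init-param")}
    cas = urlsplit(params["casServerUrl"].rstrip("/"))
    redirect = urlsplit(redirect_url)
    service = urlsplit(parse_qs(redirect.query).get("service", [""])[0])
    # 1. The login redirect must target the CAS server the agent is configured for.
    if (redirect.scheme, redirect.netloc, redirect.path) != (
            cas.scheme, cas.netloc, cas.path + "/login"):
        findings.append("redirect does not match casServerUrl")
    # 2. service= must lead back to the GateIn instance the CAS plugin calls.
    if (service.hostname != props["gateInHost"]
            or str(service.port) != props["gateInPort"]
            or not service.path.startswith("/" + props["gateInContext"] + "/")):
        findings.append("service URL does not match gateInHost/Port/Context")
    # 3. Added check (not from the page): plain http is only tolerable on loopback.
    for name, url in (("casServerUrl", cas), ("service", service)):
        if url.scheme != "https" and url.hostname not in LOOPBACK:
            findings.append(name + " uses plain http on a non-loopback host")
    return findings

if __name__ == "__main__":
    print(check_sso_config(PLUGIN_BEAN, AGENT_SERVLET, REDIRECT) or "consistent")
```

A full deployerConfigContext.xml declares an XML namespace on its root element, so pass the extracted bean fragment as shown here or adapt the element lookups to the namespaced tags.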