wso2is 5.4.1 + liferay 6.2ga6 - liferay-6

I followed the official documentation at https://docs.wso2.com/display/IS541/Integrating+WSO2+Identity+Server+with+Liferay to log in to my Liferay Portal with a wso2is user, but it does not work for me with wso2is-5.4.1 and liferay6.2ga6. When I try to log in, Liferay's log prints "Primary URL :https://wso2is.local:9443/services/Secondary URL :null" but no call to the wso2is server is made.
I added these lines to my portal-ext.properties:
auth.pipeline.pre=org.wso2.liferay.is.authenticator.WSO2ISAuthenticator
auth.pipeline.enable.liferay.check=false
wso2is.auth.service.endpoint.primary=https://wso2is.local:9443/services/
wso2is.auth.thrift.endpoint=localhost
wso2is.auth.thrift.port=10500
wso2is.auth.thrift.connection.timeout=10000
wso2is.auth.thrift.admin.user=admin
wso2is.auth.thrift.admin.user.password=admin
wso2is.auth.thrift.endpoint.login=https://wso2is.local:9443/
wso2is.auth.thrift.system.trusstore=/wso2is-5.4.1/repository/resources/security/wso2carbon.jks
wso2is.auth.thrift.system.trusstore.password=wso2carbon
Is there something wrong?

Unfortunately, a lot of the WSO2 documentation is very crufty, containing articles that have been pulled forward from previous versions of the documentation without regression testing on the use cases they present. In short, there's stuff in the documentation that plain doesn't work. If you look at the bottom of the article you'll see the following:
Please note that the above configuration is tested with Liferay 6.1.1
and WSO2 Identity 3.2.3/4.0.0.
I recall I tested this a long time ago and determined that it wouldn't work with the current version, but that was so long ago that I can't remember why. In any case, the approach presented for integrating Liferay was offered at a time when Liferay didn't have the ability to use standardized authentication protocols like SAML. Now that it does, you probably want to do it in a standards-compliant manner instead of using an authentication interface that Liferay only promotes for proprietary authentication systems.
My suggestion is that if you are using Liferay Portal Enterprise with LDAP, you use the built-in SAML connector. If you aren't using Enterprise, there are some compatible authenticator extensions in the extensions store that will also integrate with Liferay. If you configure Liferay to be a client against WSO2 and then integrate Liferay with LDAP on the backend, it also allows Liferay to be used as a user dashboard instead of the Jaggery-based one that comes with the product.

Related

Authentication and authorization using Google login in Drools' business-central

My organization has decided to use Drools as a decision management framework. We are using the new UI, business-central, which is deployed as a WAR file on a WildFly server, for managing the rules and the assets related to the rules.
We have licensed G Suite for our emails and other activities. We want to use Google login for the users of the business-central system instead of the username-and-password-based auth provided.
One way to do it is by using a Keycloak server, which will provide us a way to manage users and authentication. But we do not want to maintain an extra server just for authentication.
Can someone please help me in achieving this authentication? Also, it would be helpful if I could know in advance the pitfalls of such an authentication approach.
Here are the version details for the drools system:
Java: openjdk version "1.8.0_242"
Drools: 7.33.0.Final
After doing a lot of trial and error and quite a bit of googling around, I have reached the conclusion that providing social login in business-central should be done via Keycloak if you are using WildFly.
There are a lot of security-related features that you will get out of the box, and you won't have to tweak the Drools code and later find out that you have missed a use case.

Can we use Keycloak OTP combined with Oracle's OAM used for SSO?

We have a peculiar request from a customer who uses Oracle's Access Manager (OAM) as their SSO solution: They wish to add One-Time Password functionality, but they'd rather employ Keycloak's functionality for this.
So my question is, can one integrate Keycloak with OAM in order to leverage Keycloak's OTP functionality, while keeping the core SSO functionality served by OAM?
The One-Time Password (OTP) integration in Oracle OAM is done via the Adaptive Authentication Service; refer to the doc for version 12c, section 32.2. Integration with Keycloak is not an option. Using the Adaptive Authentication Service (which is out of the box in version 12c) will provide you the One-Time Password functionality. However, if your requirement is to use Keycloak OTP, then you will have to develop your own custom authentication plugin for integration with your third party, i.e. Keycloak. Refer to the doc on "Developing Custom Authentication Plugins".
Note: I have provided URLs for reference/docs from the latest version of Oracle Identity Management 12c since I do not know your current OAM version. There is significant development involved in writing your own custom authentication plugin. The out-of-the-box OTP functionality of OAM (in version 12c) would be a much more straightforward option.

AEM 6.2 SSO (SAML) Integration

I'm trying to integrate an SSO SAML provider into a local AEM instance for testing. First I tried this article: https://helpx.adobe.com/experience-manager/kb/simple-saml-demo.html . When starting AEM, the user is redirected to the SSOCircle login page, but after the login it gets stuck in an infinite reCAPTCHA redirect loop. So I assumed that the article and setup were for AEM 6. I went next to this article: http://www.aemstuff.com/blogs/july/saml.html , which looks promising for AEM 6.1 and probably 6.2. In that article the identity provider has 'blogsaml.com' as its host name. I couldn't find any provider under this domain.
My questions are:
1- How can I get rid of the reCAPTCHA loop and get back to AEM after the login at SSOCircle?
2- Is there the possibility to get an "IdP certificate" from SSOCircle? (And what exactly is this cert?)
3- Is there any other free-to-use/try SSO provider that could be used with AEM?
4- Any other tutorials/articles for integrating a free SSO in AEM are welcome.
We got AEM 6.2 running with an SSOCircle Pro account.
Key changes from the setup in https://helpx.adobe.com/experience-manager/kb/simple-saml-demo.html
and http://www.aemstuff.com/blogs/july/saml.html were:
using the old certificate from SSOCircle: https://www.ssocircle.com/en/public-idp-configuration-deprecated/
Apache Sling Service User Mapper Service Amendment: "com.adobe.granite.auth.saml=authentication-service"
making sure the authentication-service has all read/write permissions,
and setting the default group to 'contributor' in the SAML 2 configMgr instead of "administrators" from the config package from the first Adobe docs link.

How to implement SSO for Tuleap using Shibboleth

My company is using Shibboleth to perform single sign-on.
The applications we sign in to are WordPress and ownCloud. Now we are planning to have Tuleap Open ALM (Application Lifecycle Management) use Shibboleth for single sign-on as well.
So is there a plugin to do it, or a way it can be done? Is it possible or impossible? Could you provide your views and thoughts to help me?
There is no explicit plugin for Tuleap to use Shibboleth. However, I think Shibboleth can be used with OpenID and that Tuleap can also be configured to use OpenID. The other Tuleap authentication methods are native and LDAP.

External SSO and Web Application running on TOMCAT 6.0

New to Java. I developed a web application (JSP) successfully deployed on Tomcat 6.0. Now the client wants to use an external SSO to authenticate users. As of now, when the users are authenticated, the website is displayed with a login page where the user has to log in again.
I am using Login.jsp to bring the user roles from the SQL DB for the website.
What I want to accomplish now is that when the user is authenticated, login.jsp should retrieve the credentials from the SSO and display the website, thus accomplishing the purpose of the single sign-on process.
I read a lot on this forum and other websites but am kind of lost in the process.
Any help would be appreciated.
Thank you
We developed a Tomcat extension (valve) which does just that. Basically you use standard J2EE security (role-ref etc.) in your app, and our Tomcat valve then acts as a bridge between Tomcat and our SSO platform. You can find out more at www.cloudseal.com
Of course you may not want to use our SSO platform :-( but you can still use our Tomcat valve and modify it to fit your needs. It's released under an Apache 2 license and you can grab the source from GitHub
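As an added illustration of the bridge pattern the answer above describes (this is example code, not Cloudseal's valve or any Tomcat-shipped class): a minimal Tomcat 6 Valve that turns an SSO-asserted identity into a container Principal so that the app's existing web.xml roles and security-role-ref mappings keep working. The token header name, its field layout and the HMAC-SHA256 signing scheme are assumptions made for the example; the key is assumed to be shared with the SSO gateway and configured as a valve attribute. The defensive point is that the valve only sets a principal when the signature verifies and the token is unexpired, so a client cannot authenticate itself by merely sending a header. Tomcat 6's GenericPrincipal constructor taking a Realm as its first argument is also an assumption about that API version.

```java
// Added example (not from the original post): a Tomcat 6 context valve that bridges an
// externally signed SSO token to container security.
// Assumed (hypothetical) header format:
//   X-SSO-Token: <user>|<role1,role2,...>|<expiry-epoch-seconds>|<hex HMAC-SHA256 over "user|roles|expiry">
// Configure in META-INF/context.xml before any authenticator runs:
//   <Valve className="example.SsoBridgeValve" sharedSecret="REPLACE-WITH-SHARED-SECRET"/>
package example;

import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

public class SsoBridgeValve extends ValveBase {
    private static final String TOKEN_HEADER = "X-SSO-Token";
    private static final String AUTH_TYPE = "SSO";
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private String sharedSecret; // injected from the sharedSecret="..." attribute in context.xml

    public void setSharedSecret(String sharedSecret) { this.sharedSecret = sharedSecret; }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Only bridge when no principal exists yet and a key is configured; never trust an unsigned header.
        if (request.getUserPrincipal() == null && sharedSecret != null) {
            String token = request.getHeader(TOKEN_HEADER);
            if (token != null) {
                String[] f = token.split("\\|", -1);
                if (f.length == 4 && notExpired(f[2]) && signatureMatches(f[0] + "|" + f[1] + "|" + f[2], f[3])) {
                    List<String> roles = Arrays.asList(f[1].split(","));
                    // No password is stored; the container only needs the name and roles for isUserInRole().
                    request.setUserPrincipal(new GenericPrincipal(getContainer().getRealm(), f[0], null, roles));
                    request.setAuthType(AUTH_TYPE);
                }
            }
        }
        // Continue down the pipeline; a later FORM/BASIC authenticator skips login when a principal is set.
        getNext().invoke(request, response);
    }

    // Reject tokens whose expiry is missing, malformed or in the past (replay of old tokens).
    private boolean notExpired(String expiryEpochSeconds) {
        try {
            return Long.parseLong(expiryEpochSeconds) > System.currentTimeMillis() / 1000L;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    // Constant-time comparison of the presented HMAC against the one computed with the shared key.
    private boolean signatureMatches(String signedPart, String presentedHex) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(sharedSecret.getBytes(UTF8), "HmacSHA256"));
            byte[] expected = mac.doFinal(signedPart.getBytes(UTF8));
            byte[] presented = hexToBytes(presentedHex);
            return presented != null && MessageDigest.isEqual(expected, presented);
        } catch (java.security.GeneralSecurityException e) {
            return false;
        }
    }

    private static byte[] hexToBytes(String hex) {
        if (hex == null || hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

With this in place the application keeps its web.xml security-constraint and security-role-ref declarations unchanged, and request.isUserInRole() works against the roles carried in the verified token. The login page is only reached when the valve could not establish a principal, which is the fallback behaviour you want when the SSO gateway did not vouch for the request.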