Wednesday, December 2, 2009

Federated SSO - Google Apps in OpenSSO


With OpenSSO, users can implement federation for widely adopted applications such as Google Apps, achieving single sign-on (SSO) in just a few steps.
The article leads readers through the federation process, in which OpenSSO acts as the identity provider (IdP) and Google Apps as the service provider (SP). Security Assertion Markup Language (SAML) version 2 serves as the SSO protocol, and a Circle of Trust is created on the IdP.
For the convenience of their readers, the authors point to videos that demonstrate the steps of the process, noting that viewing each one requires the Apple QuickTime plug-in.

Prerequisites
As a first step, one must have a premier account for Google Apps and download the following software:
  • Sun OpenSSO Enterprise 8.0, the latest commercial release of OpenSSO; or the latest Sun OpenSSO Express stable build (build 6 or later)
  • An OpenSSO-supported Web container (see "Supported Web Containers" on page 11 of the Sun OpenSSO Enterprise 8.0 Release Notes for the choices)
The authors note that the example in their article uses GlassFish v2 Update Release 2 as the container.

Procedure
The five-step procedure is preceded by the predeployment tasks for one's container, which are detailed in the OpenSSO Enterprise Release Notes. Then, perform the following steps:
  • Step 1: Deploy the OpenSSO WAR File. This involves becoming root and running the commands the authors provide. Next, one must start and stop GlassFish; once again, the commands are provided.
  • Step 2: Configure OpenSSO using the configuration wizard in a browser (by accessing the container and the OpenSSO context). The video walks through the configuration steps.
  • Step 3: Configure the IdP on OpenSSO, using the OpenSSO workflow wizard in the Administration Console. Steps in the procedure are demonstrated in the video.
  • Step 4: Configure the SP on Google Apps. Again, the video demonstrates the process.
  • Step 5: Map the Name Identifier. The video shows how to accomplish this.

Testing
It is possible to test the federation by going to http://mail.google.com/a/domain_name. If SSO works, the authors continue, you will be redirected to the OpenSSO login screen instead of the traditional Google login screen. Simply sign in with the appropriate user ID and password. The article shows how to view the behind-the-scenes exchanges of SAML v2-based SOAP messages.
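When viewing those exchanges, the fields worth checking in the Response are the ones that decide whether Google Apps accepts the login: the Issuer (the OpenSSO IdP), the NameID produced by the Step 5 mapping, the validity window and the Audience (the SP). The script below is an added example, not code from the article or from OpenSSO; the entity IDs and the sample Response are constructed, and verifying the XML signature is a separate, required step that it does not show.

```python
import datetime as dt
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "http://idp.example.com:8080/opensso"  # constructed IdP entity ID
SP_ENTITY_ID = "google.com"  # constructed SP entity ID (Google Apps)

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing "Z"
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, idp_entity_id, sp_entity_id, now_iso):
    """Return the problems found in a SAML v2 Response; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # Issuer must be the OpenSSO IdP this SP was federated with
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"unexpected Issuer {issuer!r}")
    # NameID carries the user identity mapped in Step 5
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("empty NameID: the Step 5 mapping produced no value")
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        return problems + ["missing Conditions"]
    # Validity window and Audience (the SP) must match
    if not (_ts(conds.get("NotBefore")) <= now < _ts(conds.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include SP {sp_entity_id!r}")
    return problems

# Constructed sample shaped like the Response seen during the test login (Signature omitted)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2009-12-02T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-12-02T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2009-12-02T09:59:00Z" NotOnOrAfter="2009-12-02T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_saml_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, "2009-12-02T10:00:00Z")` on a captured Response with the real entity IDs substituted points at the mismatch when the Google login is refused.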
