
I have a requirement for cross-domain SSO, so I chose OpenAM with SAML. I have two applications hosted on different servers and hosts for which I need to implement SSO. Now I read about OpenAM with SAML but could get the core idea about the setup. LDAP is used as the user data store. Now I have something in mind and want to verify if it meets my requirement.

  1. Since I have two applications (AppA and AppB) in need of SSO implementation, do I need two OpenAM instances configured as service providers, and should they be deployed in different Tomcat containers? Should each service provider be deployed in AppA and AppB?
  2. Do I need another separate Tomcat container for the identity provider OpenAM?
  3. Should the SP be registered with the IdP and the IdP registered with the SP within the same Circle of Trust?

Do I have to do anything else? Again, do I have to configure a separate LDAP for each IdP and SP? Anyway, what can be the ideal setup in my case?

nebula

2 Answers


You need one IdP; your apps have to implement the SP. If your apps are Java-based you could leverage OpenAM's Fedlet or use the Spring Security SAML extension (works like a charm).

There's also a PHP SAML SP and even an Apache HTTP server SAML module ...

Or you could use OpenIG as a reverse proxy (but it's a Java web app), which also implements a SAML SP.

-Bernhard

Bernhard Thalmayr
  • Actually, both applications are Java-based applications (Liferay). Liferay supports out-of-the-box SSO with OpenAM but not cross-domain (Liferay's inability to share cookies across domains). So, I was trying OpenAM with SAML. I have very little knowledge regarding OpenAM. Can you explain in a bit more detail? If I use OpenAM's Fedlet, do I not have to implement the SP? – nebula Aug 29 '13 at 10:26
  • OpenAM's Fedlet is a library that implements the SAML protocol for the SP (Service Provider) side. Each of your apps (AppA and AppB) has to use the Fedlet to perform SP-initiated SSO and SLO. The IdP (OpenAM) should be installed in a server-side environment with LDAP (OpenDJ). Details for installation and setup can be found on ForgeRock's wiki sites. – Rastko Sep 21 '13 at 13:29

One more possible solution, in which you can use OpenAM out of the box, is OpenAM identity federation:

  1. Use the standard OpenAM identity federation setup (with IDP and SP) as explained in this post: http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html
  2. You will need to have an IDP for AppA and an SP for AppB, or vice versa. The IDP will be connected to your user store.
  3. On the SP side, create a dummy user store using something like OpenDS.
  4. Import all the users from the IDP to the SP (using a scheduled daily batch job).
  5. Implement auto federation based on one or more of the user attributes.
  6. Use OpenAM authorization features on the SP side to give access to the SP-side app.
Apoorve
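Both answers put a SAML SP in front of each application (a Fedlet or Spring SAML inside the app in the first answer, an OpenAM SP instance in the second), and the second answer adds auto federation on a user attribute against a user store replicated to the SP side. The following Python script is an added example, not code from the original answers, from OpenAM or from the Fedlet: it shows the checks an SP has to make before it trusts an assertion from the IdP in its circle of trust (issuer, InResponseTo, destination and recipient, validity window, audience) and then the attribute-based auto-federation lookup that maps the asserted subject to an account in the SP's own store. The entity IDs, ACS URL, user store, clock and response XML are all constructed placeholders, and XML signature verification against the IdP's metadata certificate, which a real SP performs before any of these checks, is left out of the example.

```python
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical circle-of-trust configuration: the entity IDs each side registers for the other, plus the SP's ACS URL.
IDP_ENTITY_ID = "https://idp.example.com/openam"
SP_ENTITY_ID = "https://appb.example.org/sp"
SP_ACS_URL = "https://appb.example.org/sp/acs"

# Hypothetical SP-side user store (the copy synced from the IdP's directory), keyed by the auto-federation attribute.
LOCAL_USERS = {"alice@example.com": "alice", "bob@example.com": "bob"}

def fmt_time(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_time(s): return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def build_authn_request(issue_instant):
    """SP-initiated SSO, step 1: the SP mints an AuthnRequest and stores its ID for later matching."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{fmt_time(issue_instant)}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml

def validate_response(xml_text, expected_request_id, now, skew=dt.timedelta(minutes=2)):
    """SP-side checks on the IdP's Response; raises ValueError on any mismatch.
    Signature verification is omitted here and must happen before these checks in a real SP."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the AuthnRequest this SP issued")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    if {root.findtext("saml:Issuer", namespaces=NS), assertion.findtext("saml:Issuer", namespaces=NS)} != {IDP_ENTITY_ID}:
        raise ValueError("issuer is not the IdP in this circle of trust")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now + skew < parse_time(cond.get("NotBefore")) or now - skew >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("bearer confirmation does not bind the assertion to this SP and request")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def auto_federate(attributes, local_users=LOCAL_USERS, key="mail"):
    """Auto federation: map an asserted attribute to an account in the SP's own user store."""
    for value in attributes.get(key, []):
        if value in local_users:
            return local_users[value]
    return None

def sample_response(request_id, not_before, not_on_or_after, audience=SP_ENTITY_ID, mail="alice@example.com"):
    """Constructed, unsigned IdP response used only to exercise the checks above."""
    nb, noa = fmt_time(not_before), fmt_time(not_on_or_after)
    return f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="{nb}" Destination="{SP_ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{mail}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{noa}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>{mail}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>'''

def demo():
    """One accepted login plus three rejections; returns the outcomes keyed by label."""
    now = dt.datetime(2013, 8, 29, 10, 0, tzinfo=dt.timezone.utc)  # constructed clock
    five = dt.timedelta(minutes=5)
    request_id, _ = build_authn_request(now)
    good = validate_response(sample_response(request_id, now - five, now + five), request_id, now)
    outcomes = {"user": auto_federate(good["attributes"])}
    cases = {"wrong_audience": sample_response(request_id, now - five, now + five, audience="https://other.example/sp"),
             "expired": sample_response(request_id, now - 3 * five, now - five),
             "replayed": sample_response("_not_our_request_id", now - five, now + five)}
    for label, xml in cases.items():
        try:
            validate_response(xml, request_id, now)
            outcomes[label] = "accepted"
        except ValueError as e:
            outcomes[label] = "rejected: " + str(e)
    return outcomes
```

Calling `demo()` returns `{"user": "alice", ...}` for the well-formed response and a rejection reason for each of the three bad ones. The point for the setup discussed above is that every value the SP compares against (IdP entity ID, SP entity ID, ACS URL) is exactly what gets exchanged when the IdP and SP are registered in one circle of trust, and that the SP's local store only needs the attribute the auto-federation rule keys on, which is why a replicated copy of the IdP's directory is enough on the SP side.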