How to SAML enable my JSP based application
From: elyas <elyas.moha...@gmail.com>
Date: Wed, 24 Sep 2008 06:42:52 -0700 (PDT)
Local: Wed, Sep 24 2008 11:42 pm
Subject: How to SAML enable my JSP based application
Dear All,

I have a JSP application which needs to be SAML enabled.

Whenever my application URL is accessed I could redirect to eso login
page and redirect back to the original application page. However I
couldn't do anything further because of lack of knowledge.

1) What do I need to include in my application code to enable SAML
behaviour?

2) How to make the idp/SAML understand about my application
session?

Thanks,
Elyas


From: Bradley Beddoes <bedd...@intient.com>
Date: Thu, 25 Sep 2008 07:56:53 +1000
Local: Thurs, Sep 25 2008 7:56 am
Subject: Re: [esoe-users] How to SAML enable my JSP based application

Hi,
The easiest method is to deploy the Java SPEP and SPEP filter which is
the client side code you can use to handle all communication with the
central ESOE deployment on your behalf.

This takes care of all redirections, authentication, attribute exchange
and policy enforcement. You then simply need to write what we call an
"integrator" which is usually just another filter in your webapp to
translate details to a format your application is expecting.

Install doco here:
http://esoeproject.org/confluence/display/eu/Java+SPEP+Installation+G...

Example integrators we supply:
http://svn.esoeproject.org/repos/esoe/trunk/spepintegrators/

regards,
Bradley
--
Bradley Beddoes
Lead Software Architect
Intient Pty Ltd

http://www.intient.com

From: elyas <elyas.moha...@gmail.com>
Date: Mon, 20 Oct 2008 07:23:36 -0700 (PDT)
Local: Tues, Oct 21 2008 12:23 am
Subject: Re: How to SAML enable my JSP based application
Hi,

Need one clarification -

I am doing the setup with 2 different app server instances (one with
tomcat for idp and the other with jboss for SPEP)

I could do the basic setup for tomcat instance.

1) What components do I need to install on the jboss SPEP side??
esoemanager, spep, anything else??

2) Do I need to do any configuration? If so, how to do that??

3) Basically I am looking for the components that need to be installed on
the spep side and need more clarity on how the redirection happens from
the spep machine to the idp machine??
(Really sorry - couldn't get some finer details from the java spep
installation guide)

Regards,
Elyas

On Sep 25, 2:56 am, Bradley Beddoes <bedd...@intient.com> wrote:


From: Bradley Beddoes <bedd...@intient.com>
Date: Tue, 21 Oct 2008 07:48:33 +1000
Local: Tues, Oct 21 2008 7:48 am
Subject: Re: [esoe-users] Re: How to SAML enable my JSP based application

Hello,

elyas wrote:
> Hi,

> Need one clarification -

> I am doing the setup with 2 different app server instances (one with
> tomcat for idp and the other with jboss for SPEP)

> I could do the basic setup for tomcat instance.

> 1) What components do I need to install on the jboss SPEP side??
> esoemanager, spep, anything else??

I assume you mean you want to only run the core ESOE service on the
tomcat instance? If so, yes, you'll need to put ESOE Manager and a SPEP
instance on JBoss.

Normally we'd see most deployments putting the ESOE core service and
ESOE Manager (plus its SPEP) on the one Tomcat. Other SPEP instances
can then be deployed for applications as needed.

> 2) Do I need to do any configuration? If so, how to do that??

ESOE Startup as per normal, take care to insert the correct URLs for the
different servers hosting ESOE core and ESOE Manager if you choose to go
this path.

> 3) Basically I am looking for the components that need to be installed on
> the spep side and need more clarity on how the redirection happens from
> the spep machine to the idp machine??

For a standalone application you just set up the Java SPEP code or the
Apache/IIS spep code along with the app. Then go to ESOE Manager and
register a new service instance which gives you the configuration
details, crypto etc. to apply to that specific SPEP install.

Redirection is browser based via GETs and POSTs: the browser hits the app
which is spep protected, spep sees no session, redirects you to ESOE
which creates a session, redirects back to SPEP which creates an
application level session and then directs the browser into the
application itself.

Under the covers there are also several web service calls between SPEP
and ESOE for data exchange.

HTH

Bradley

--
Bradley Beddoes
Lead Software Architect
Intient Pty Ltd

http://www.intient.com

From: elyas <elyas.moha...@gmail.com>
Date: Mon, 27 Oct 2008 23:59:30 -0700 (PDT)
Local: Tues, Oct 28 2008 5:59 pm
Subject: Re: How to SAML enable my JSP based application
Hi Brad/Shaun,

I tried to set up the explained stuff in a separate jboss
instance (SPEP instance) but unfortunately was not able to succeed.

I tried to install just the spep war on a separate jboss instance, but was not
able to do it because some spep startup error occurred.
Tried installing both esoemanager.war and spep.war on the jboss instance,
but esoemanager failed to start as it required the esoemanager.config file
to be present.

Ended up running esoestartup in jboss and then deploy esoemanager.war
and spep.war

Then went to esoemanager to configure the spep with remote
esoeidentifier

but ended up having an exception and was not able to succeed even with a lot
of effort.

Here is my jboss side spep config
------------------------------------------------

spep.config in SPEP instance jboss
---------------------------------

#
#
# Enterprise Sign On Engine (ESOE), Java Service Provider Enforcement Point (SPEP)
# global configuration file
#
# Changing values in this file WILL affect the way the ESOE Manager operates in
# production, please change with care and in consultation with configuration
# documentation.
#
# Author: Shaun Mangelsdorf
# Date: 04/12/2006
#

###########################################################################################################
#
# Deployment specific configuration
####

# KeyStore 1
keystorePath=${spep.data}/config/spepKeystore.ks
keystorePassword=54019a6fc983ebc01e55
spepKeyAlias=388408730a414003
spepKeyPassword=e5b42af6606c57366884
metadataKeyAlias=4cc9935073e1c606

# The unique identifier of the authenticating ESOE.
esoeIdentifier=http://blr20357.as.colt:8080

# The unique identifier of the service.
spepIdentifier=http://blr20357.as.colt:7060/aptGUI

# The URL to retrieve the metadata document from
metadataUrl=http://blr20357.as.colt:7060/esoemanager/metadata/retrieve.htm

# string description of the service
serverInfo=ESOE Manager Web Application

# Unique identifier of this service node
nodeIdentifier=46357

# Indices of this service node
attributeConsumingServiceIndex=46357
assertionConsumerServiceIndex=46357
authzCacheIndex=46357

# Address of the service host in use without any application path, e.g.
# https://myserver.company.com or https://myotherserver.company.com:8443,
# NOT https://myserver.company.com/myapp/
serviceHost=http://blr20357.as.colt:7060

# ip addresses of this host SPEP
ipAddresses=192.168.1.100

# the URL to redirect unauthenticated users to
loginRedirect=http://blr20357.as.colt:7060/spep/sso?redirectURL={0}

# Default URL of the service
defaultURL=http://blr20357.as.colt:7060/aptGUI

# specify cookies to clear when an authentication session is destroyed
# strings are of the format: cookie_name [space] cookie_domain (optional) [space] cookie_path (optional)
logoutClearCookie.1=spepSession

###########################################################################################################
#
# You should not need to edit anything below this line, advanced changes only
####

# Is the SPEP configured in lazy initialization mode
lazyInit=false

# deny | permit - Lazy Init default mode, if a lazyinit-resource is not matched
# what action should the filter take on access to the resource (inverted when
# there is a match as specified by resources below)
#lazyInitDefaultAction=deny

# Forced Initialization Queries. MUST start from lazyInit-resource-1 and MUST
# progress in numerical order up to a maximum value of 10000 (lazyInit-resource-10000)
# This is only populated when SPEP is acting in a lazy mode, regex patterns may
# be applied here
# Extreme caution to carefully validate your web application access requirements
# is recommended when the system is in lazyInit mode
# Name/Value parameters from the query string make up part of the matching,
# /secure.jsp.* should be used to match for example /secure.jsp?custID=1234
#
# Values here should only contain the path and query string of your application,
# eg for https://myspep.company.org/myapp you would enter /secure.jsp.* to match
# any request for resources located at https://myspep.company.org/myapp/secure.jsp

#lazyInit-resource-1=
#lazyInit-resource-2=

# SSO web application redirect (relative)
ssoRedirect=/spep/sso?redirectURL={0}

# authentication token names
spepTokenName=spepSession
# Identifier name for site wide identifier indicating ESOE knows about this
# user's session
commonDomainTokenName=_saml_idp

# interval in seconds between polling the metadata URL for the metadata document
metadataInterval=120

# allowed time in seconds that a document will remain valid from the time of creation
allowedTimeSkew=60

# time in seconds between polling the identifier cache for expired identifiers
identifierCacheInterval=3600

# time in seconds that an identifier will remain active
identifierCacheTimeout=36000

# Time that sessions which have yet to complete an authentication event are
# considered valid
sessionCacheTimeout=120

# Time in seconds that session cache cleanup will run looking for expired
# unauthenticated sessions and sessions which have expired as dictated by the ESOE
sessionCacheInterval=120

# Default authorization policy to apply when, due to problems with the PDP or
# other unusual situations, the access control result can't be computed
defaultPolicyDecision=deny

esoe at ESOE instance tomcat
------------------------------------

#
#
# Enterprise Sign On Engine (ESOE) global configuration file
#
# Changing values in this file WILL affect the way the ESOE operates in production,
# please change with care and in consultation with configuration documentation.
#
# VALUES IN THIS FILE WERE AUTOMATICALLY POPULATED BY ESOESTARTUP.
#
# Author: Bradley Beddoes
# Date: 22/11/2006
#

###########################################################################################################
#
# Deployment specific configuration
####

## Database Server 1 Connection
databaseDriver-1=com.mysql.jdbc.Driver
databaseURL-1=jdbc:mysql://blr20357.as.colt/esoedb6?useUnicode=true
databaseUsername-1=root
databasePassword-1=admin
databaseRemoveAbandoned-1=true
databaseRemoveAbandonedTimeout-1=300
databaseLogAbandoned-1=true
databaseMaxIdle-1=5
databaseMaxActive-1=25

## LDAP Server 1 Connection
ldapURL-1=ldap://blr20357:10389
ldapServer-1=blr20357:10389
ldapServerPort-1=10389
baseDN-1=o=sevenSeas
identifier-1=uid
recursive-1=true
disableSSL-1=true
adminUser-1=uid=admin,ou=system
adminPassword-1=secret

## Keystore 1
keystorePath-1=${esoe.data}/config/esoeKeystore.ks
keystorePassword-1=cb0f8bfecced87244a39
keyAlias-1=5b84d473581f0567
keyPassword-1=9f1e34af75720229f4ad
keyAlias-2=9c00070268bbb847

## Active Directory SSO
# Identifier name for browsers integrated into Active Directory
#activeDirectoryBrowserId=
# Identifier for server principal in Active Directory
#serverPrincipal=
# Keytab for communication with Active Directory
#keyTab=

## ESOE trusted identifier for this deployment
esoeIdentifier=http://blr20357.as.colt:8080

## Trusted URL to receive metadata files from
metadataURL=http://blr20357.as.colt:8080/esoemanager/metadata/retrieve.htm

# Domain in which esoe cookie should be available - should NEVER be set
# institution wide
sessionDomain=blr20357.as.colt

# Domain in which discovery cookie should be available - MUST be set
# institution wide
commonDomain=as.colt

## URL to redirect unauthenticated principal to
authenticationURL=http://blr20357.as.colt:8080/signin

## URL for SAML SSO endpoint supported by this instance
ssoURL=http://blr20357.as.colt:8080/sso

## Authentication Identifiers
# URL to redirect authenticated principal to logout
logoutURL=http://blr20357.as.colt:8080/web/logout.htm

# URL to redirect principal to for manual authentication processes
usernamePasswordURL=http://blr20357.as.colt:8080/web/login.htm

# Value to append to usernamePasswordURL when authentication fails
authenticationFailedNameValue=rc=authnfail

# URLs to redirect client to when authn has completed successfully and there is
# no dynamic URL
successURL=http://blr20357.as.colt:8080/web/loginsuccess.htm

# URLs to redirect client to when logout has completed successfully and there is
# no dynamic URL
logoutSuccessURL=http://blr20357.as.colt:8080/web/logoutsuccess.htm

# URL to redirect client to for a critical failure
criticalfailureURL=http://blr20357.as.colt:8080/web/failure.htm

##
# Identifier Attribute Mappings
identifier.unspecified.value=unmapped
identifier.emailAddress.value=mail
identifier.X509SubjectName.value=unmapped
identifier.windowsDomainQualName.value=umapped
identifier.kerberos.value=unmapped
identifier.persistent.value=unmapped

###########################################################################################################
#
# You should not need to edit anything below this line, advanced changes only
####

# Should ESOE try to process non signed AuthnRequests
acceptUnsignedAuthnRequests=false

# Identifier name for esoe session identifier
sessionTokenName=esoeSession

# Identifier name for site wide identifier indicating ESOE knows about this
# user's session
commonDomainTokenName=_saml_idp

## Authorization Identifiers

# Seconds between attempting to send cache updates to SPEPs
cacheupdatefailuremonitor.retryInterval=20

# Seconds that an authz cache update failure can remain in the repository before
# being removed
cacheupdatefailuremonitor.maxFailureAge=3600

# Time in seconds to attempt to refresh updated policies from data repository
authorizationPollInterval=120
authorizationPollInterval=120

# Time between retrying to send logout failures in seconds
sso.failedlogoutmonitor.retryInterval=60

# Seconds that a Logout failure can remain in repository in seconds
sso.failedlogoutmonitor.maxFailureAge=600

## SAML Identifiers
# Time in seconds to
...

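Bradley's description of the redirect sequence (the Oct 21 reply) and the spepTokenName, loginRedirect, lazyInit and defaultPolicyDecision keys in the spep.config above can be modelled in a few lines. This is an added example written for this page, not ESOE or SPEP project code: the decision rules follow the config comments, and URL-encoding of the redirectURL placeholder and reading lazy-init "deny" as "force authentication" are assumptions.

```python
import re
from urllib.parse import quote

# Constructed excerpt of the spep.config keys this model reads; values copy the
# poster's (the hostname is theirs), the behaviour modelled here is an assumption.
SPEP_CONFIG = """
spepTokenName=spepSession
loginRedirect=http://blr20357.as.colt:7060/spep/sso?redirectURL={0}
lazyInit=false
#lazyInitDefaultAction=deny
#lazyInit-resource-1=
defaultPolicyDecision=deny
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' lines, '#' comments and blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # first '=' only; '{0}' etc. stay in the value
        props[key.strip()] = value.strip()
    return props


def lazy_init_resources(props):
    """lazyInit-resource-N patterns, read in numerical order from 1 as the config
    comments require; reading stops at the first missing number."""
    patterns = []
    n = 1
    while f"lazyInit-resource-{n}" in props:
        patterns.append(re.compile(props[f"lazyInit-resource-{n}"]))
        n += 1
    return patterns


def spep_decision(props, path_and_query, cookies, request_url):
    """Per-request decision of the SPEP filter as described in the thread.
    Returns ("pass", None) or ("redirect", sso_url)."""
    if props.get("spepTokenName", "spepSession") in cookies:
        return ("pass", None)  # SPEP already holds an application-level session
    if props.get("lazyInit", "false").lower() == "true":
        # Default action applies when no lazyInit-resource matches and is
        # inverted when one does; "deny" is read here as "force authentication".
        default = props.get("lazyInitDefaultAction", "deny")
        matched = any(p.fullmatch(path_and_query) for p in lazy_init_resources(props))
        action = default if not matched else ("permit" if default == "deny" else "deny")
        if action == "permit":
            return ("pass", None)  # resource reachable without an ESOE session
    # No session: send the browser to the SSO endpoint with the original URL
    # substituted for {0} (encoding the placeholder value is an assumption).
    return ("redirect", props["loginRedirect"].replace("{0}", quote(request_url, safe="")))


def authz_decision(props, pdp_result):
    """Access-control result; when the PDP could not answer (None), fall back to
    defaultPolicyDecision so the filter fails closed."""
    if pdp_result in ("permit", "deny"):
        return pdp_result
    return props.get("defaultPolicyDecision", "deny")


if __name__ == "__main__":
    cfg = parse_properties(SPEP_CONFIG)
    url = "http://blr20357.as.colt:7060/aptGUI/index.jsp"
    print(spep_decision(cfg, "/aptGUI/index.jsp", {}, url))
    print(spep_decision(cfg, "/aptGUI/index.jsp", {"spepSession": "x"}, url))
    print(authz_decision(cfg, None))
```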
From: Bradley Beddoes <bedd...@intient.com>
Date: Mon, 03 Nov 2008 11:07:54 +1000
Local: Mon, Nov 3 2008 12:07 pm
Subject: Re: [esoe-users] Re: How to SAML enable my JSP based application
Hi,
Apologies for the delayed response here, we've all been very busy.

You've introduced a lot of variables of the standard deployment here and
I can't easily debug this kind of thing over email, it's more the sort
of task we'd work with you on as part of a professional services
package, whilst having actual access on the hosts themselves.

My theory is your Metadata document is invalid or doesn't contain your
SPEP identity provider details, perhaps you haven't activated it in ESOE
Manager? (Which I assume works? If not then you're probably best advised
to start over with esoe startup).

regards,
Bradley

...

From: "Mohamed Elyas" <elyas.moha...@gmail.com>
Date: Mon, 3 Nov 2008 13:40:00 +0530
Subject: Re: [esoe-users] Re: How to SAML enable my JSP based application

Hi Bradley et al.,

I have a few queries.

1) Is it mandatory to have the ESOE and SPEP URLs as https?

2) What are the essential components required at SPEP instance???

A) Only SPEP and SPEP filter jar???

B) SPEP, SPEP filter and esoemanager???

C) SPEP,SPEP filter,esoemanager and esoestartup??

3) If the answer for the above question can be A or B then how to just
install the SPEP alone or SPEP with esoemanager in a j2ee instance (with
a little bit of explanation please...). Because when I only have SPEP and
esoemanager then I end up in getting SPEP startup error?? Is that anything
fundamentally wrong in the product or am I missing something??

4) When you say esoemanager configuration do you mean it on SPEP side or
esoe side??

5) Does running esoe and SPEP on different ports or on different instance of
j2ee server on the same physical machine give error???

I am working on the option to get professional service support but have to
justify some fundamental queries to the concerned people to set it right. I
hope you understand it.

Regards,
Elyas

...

From: Bradley Beddoes <bedd...@intient.com>
Date: Mon, 03 Nov 2008 20:23:20 +1000
Local: Mon, Nov 3 2008 9:23 pm
Subject: Re: [esoe-users] Re: How to SAML enable my JSP based application
Hi,

Answers inline.

Mohamed Elyas wrote:
> Hi Bradley et al.,

> I have a few queries.

> 1) Is it mandatory to have the ESOE and SPEP URLs as https?

No but we recommend it given the added security it does provide. In a
test environment I use http endpoints as does the rest of the team which
reduces complexity.

> 2) What are the essential components required at SPEP instance???

This is covered at
http://esoeproject.org/confluence/display/eu/Java+SPEP+Installation+G...
which assumes a totally stand alone application instance. Essentially
this converts to A below along with the jars which require endorsement.

> A) Only SPEP and SPEP filter jar???

> B) SPEP, SPEP filter and esoemanager???

> C) SPEP,SPEP filter,esoemanager and esoestartup??

> 3) If the answer for the above question can be A or B then how to just
> install the SPEP alone or SPEP with esoemanager in a j2ee instance (with
> a little bit of explanation please...). Because when I only have SPEP and
> esoemanager then I end up in getting SPEP startup error?? Is that
> anything fundamentally wrong in the product or am I missing something??

I feel there is some confusion here which I will note down to address in
documentation in due course, probably for 1.0.

There are 3 core components in an ESOE deployment:
* ESOE Core - contained within ROOT.war
* ESOE Manager - contained within esoemanager.war
* SPEPs - These are available for Java, IIS and Apache 1.x, 2.x, 2.2.x.

ESOE Manager as a Java application utilizes a Java SPEP. This means that
the container running ESOE Manager must also contain a SPEP instance.
Usually we, as the dev team, will refer to 'ESOE Manager' as the actual
pairing of these components. I appreciate this complicates things for
newcomers.

This pairing along with ESOE Core is configured using ESOE Startup (or
in the new model from trunk ESOE deployer which is now console based not
web based to reduce confusion). If you wish to run ESOE Core and the
ESOE Manager pairing on different hosts this is fine, you simply need to
plug the correct values for host/port into ESOE Startup when asked.

Once this base configuration is running you can go into the ESOE Manager
application and register additional SPEP instances for your
applications, activate them and be on your way to extending your
authentication network.

You've mentioned JBoss previously. As I've mentioned we've not had any
local experience running ESOE Core / ESOE Manager in a J2EE container,
we've simply not had the call for it. Having said that it should work
fine, the only real hurdle I can see is getting the endorsed/shared jars
into the environment correctly.

With standalone Java SPEP instances we've had it operating in both JBoss
and OC4J. Both times I've had feedback saying that there were some
initial hurdles due to container layout but that things work quite
nicely once these are dealt with. Unfortunately I don't have written
documentation on what these issues were, again I would suggest that the
endorsed jars would be the biggest complication here.

> 4) When you say esoemanager configuration do you mean it on SPEP side or
> esoe side??

As above this will usually refer to the pairing. The two files in
question being esoemanager.config and spep.config

> 5) Does running esoe and SPEP on different ports or on different
> instance of j2ee server on the same physical machine give error???

No, this should be fine; in fact on my laptop I run ESOE Core, ESOE
Manager (and its spep pair) in one tomcat instance on 8080, a second
Java SPEP/Application in another Tomcat instance on 9080 and an Apache
2.x instance on port 80.

> I am working on the option to get professional service support but have
> to justify some fundamental queries to the concerned people to set it
> right. I hope you understand it.

Feel free to contact me off list if you need additional information
surrounding this.

regards,
Bradley

...
