Home › Monthly Archives › October 2008

How to Federate with Google Apps using OpenSSO as the Identity Provider

My colleague Pat Patterson had written a howto on how to Federate with Google Apps using an much older build of OpenSSO.  At that time he had to use a custom account mapper (i.e. write code) to map the NameID in the SAML v2 response.  Now with the latest OpenSSO builds the custom account mapper is no longer required as account mapping for SAML v2 is supported OOTB using the administrative console of OpenSSO thanks to Heng-Ming Hsu (another colleague) who recently added this functionality to OpenSSO's DefaultIDPAccountMapper.


Here is a simple writeup on how to federate with Google Apps using OpenSSO.  I did this in less than 10 minutes but i already had Glassfish installed and opensso.war deployed. Note that this writeup is using non-SSL connections.  In production it is recommended to use SSL enabled web servers.




OpenSSO latest nightly build
* http://download.java.net/general/opensso/nightly/latest/opensso/opensso.zip  (i used Oct 6th build)

Any OpenSSO Supported Container
* http://opensso.dev.java.net/public/use/docs/fampdf/rn.pdf
* I used Glassfish V2R2 http://glassfish.dev.java.net

A Premier Account for Google Applications 
* http://google.com/a




The OpenSSO is the Identity Provider (IDP) and Google Apps is the Service Provider (SP).  We will use SAML v2 as the Single Sign-On (SSO) protocol between the two and create a Circle Of Trust (COT) on the IDP.


Note your browser will need the Quicktime(TM) plugin to view the videos


1.  Deploy opensso.war on your container


Download opensso.zip, extract opensso.war and deploy it on your container.  For Glassfish it is very simple and done via the “asadmin deploy” command (for the feint hearted the Glassfish administrative console can also be used to deploy the war file).


Carefully read the release notes to see if your container requires any pre-deployment tasks such as modifying your container's server.policy file


-bash-3.00# ./asadmin deploy –user admin –passwordfile /var/tmp/asadmin_passwd  –port 4848  –enabled=true –contextroot /opensso /var/tmp/opensso/deployable-war/opensso.war
Command deploy executed successfully.
-bash-3.00# ./asadmin stop-domain 
Domain idp stopped.
-bash-3.00# ./asadmin start-domain


Starting Domain idp, please wait.Log redirected to /var/opt/glassfish/domains/idp/logs/server.log.
Redirecting output to /var/opt/glassfish/domains/idp/logs/server.log
Domain domain1 is ready to receive client requests. Additional services are being started in background.
Domain [idp] is running [Sun Java System Application Server 9.1_02 (build b04-fcs)] with its configuration and logs at: [/var/opt/glassfish/domains].
Admin Console is available at [http://localhost:4848].
Use the same port [4848] for "asadmin" commands.
User web applications are available at these URLs:
[http://localhost:8080 https://localhost:8181 ].
Following web-contexts are available:
[/web1  /__wstx-services /opensso ].
Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
[service:jmx:rmi:///jndi/rmi://utopia:8686/jmxrmi] for domain management purposes.
Domain listens on at least following ports for connections:
[8080 8181 4848 3700 3820 3920 8686 ].
Domain does not support application server clusters and other standalone instances.


2.  Configure OpenSSO after deploying to your container


Run though the OpenSSO configuration wizard by pointing your browser to the containers URL and opensso context.  In my case it is http://idp.unopass.net/opensso


* To download this video click here



3.  Configure IDP on OpenSSO via the Workflow Wizard


One of the defining features of OpenSSO is its workflow wizards which help you to create a hosted IDP/SP or remote IDP/SP very quickly without the need to create metadata files and importing manually.


* To download this video click here



4.  Configure SP on Google Apps


* To download this video click here



5.  Define Name Identifier (NameID) mapping


Google Apps requires that the userid be sent back in the SAML response.  OpenSSO does not do this by default but now provides a very simple way of mapping the nameid to any attribute in the users profile (in the ldap directory).


* To download this video click here



6.  SSO into Google Apps using your new OpenSSO IDP


Finally test the SSO by trying to access http://mail.google.com/a/<your domain>.  You should NOT be prompted by the traditional Google Login screen, rather you should be redirected to IDP's (OpenSSO) Login page.  You should log into OpenSSO with the same userid but password can be different (Hint: you need to create this user if it does not already exist in OpenSSO).


* To download this video click here



After watching this video keep in mind that SSO demos are never impressive unless you show what is happening behind the scenes.    One way to do so is to show the SAML 2 protocol (SOAP) messages. 


The good news is that they can be grabbed from the debug logs of OpenSSO.  You have to enable “message” level debugging first form the OpenSSO Administrative Console under Configuration->Sites.  You will then be able to see the AuthN requests and SAML assertion in the debug log called “Federation”.  For example.


AuthN Request


<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="glcmf
hikbbhohichialilnnpjakbeljekmkhppkb" Version="2.0" IssueInstant="2008-10-14T00:5
7:14Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Provider
Name="google.com" IsPassive="false" AssertionConsumerServiceURL="https://www.goo
gle.com/a/unopass.net/acs"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:
assertion">google.com</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format
="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" /></samlp:AuthnRequest>




IDPSSOUtil.sendResponse: SAML Response content :
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s247893b2ec9
0665dfd5d9bd4a092f5e3a7194fef4" InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdb
nni" Version="2.0" IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.goo
gle.com/a/unopass.net/acs"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:ass
ertion">http://idp.unopass.net:80/opensso</saml:Issuer><samlp:Status xmlns:samlp="u
<samlp:StatusCode  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
</samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" I
D="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z"
<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer><Signature xmlns="http:
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#s295c56ccd7872209ae336b934d1eed5be52a8e6ec">
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQua
tion Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnn
i" NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.
</saml:Subject><saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008
<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z" SessionIndex="s2bb816b5a88