-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
88 changed files
with
9,738 additions
and
0 deletions.
There are no files selected for viewing
109 changes: 109 additions & 0 deletions
109
openig-doc/src/main/docbkx/gateway-guide/OWAOnline.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| { | ||
| "heap": { | ||
| "objects": [ | ||
| { | ||
| "name": "LogSink", | ||
| "comment": "Default sink for logging information.", | ||
| "type": "ConsoleLogSink", | ||
| "config": { | ||
| "level": "DEBUG", | ||
| } | ||
| }, | ||
| { | ||
| "name": "HandlerServlet", | ||
| "type": "HandlerServlet", | ||
| "config": { | ||
| "handler": "DispatchHandler", | ||
| "baseURI":"https://65.55.171.158" | ||
| } | ||
| }, | ||
| { | ||
| "name": "DispatchHandler", | ||
| "type": "DispatchHandler", | ||
| "config": { | ||
| "bindings": [ | ||
| { | ||
| "condition": "${exchange.request.uri.path == '/owa/auth/logon.aspx'}", | ||
| "handler": "LoginChain", | ||
| }, | ||
| { | ||
| "handler": "OutgoingChain", | ||
| } | ||
| ] | ||
| } | ||
| }, | ||
| { | ||
| "name": "LoginChain", | ||
| "type": "Chain", | ||
| "config": { | ||
| "filters": ["CryptoHeaderFilter","LoginRequest"], | ||
| "handler": "OutgoingChain" | ||
| } | ||
| }, | ||
| { | ||
| "name": "CryptoHeaderFilter", | ||
| "type": "CryptoHeaderFilter", | ||
| "config": { | ||
| "messageType":"REQUEST", | ||
| "operation":"DECRYPT", | ||
| "algorithm":"DES/ECB/NoPadding", | ||
| "key":"DESKEY", | ||
| "keyType":"DES", | ||
| "charSet":"utf-8", | ||
| "headers": ["password"], | ||
| }, | ||
| }, | ||
| { | ||
| "name": "LoginRequest", | ||
| "type": "StaticRequestFilter", | ||
| "config": { | ||
| "method": "POST", | ||
| "uri": "https://65.55.171.158/owa/auth/owaauth.dll", | ||
| "headers" : { | ||
| "Host": ["red001.mail.microsoftonline.com"], | ||
| "Content-Type": ["Content-Type:application/x-www-form-urlencoded"], | ||
| } | ||
| "form": { | ||
| "destination": ["https://red001.mail.microsoftonline.com/owa/"], | ||
| "forcedownlevel": ["0"], | ||
| "trusted": ["0"], | ||
| "username": ["${exchange.request.headers['username'][0]}"], | ||
| "password": ["${exchange.request.headers['password'][0]}"], | ||
| "isUtf8": ["1"], | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "name": "OutgoingChain", | ||
| "type": "Chain", | ||
| "config": { | ||
| "filters": ["HeaderFilter","CaptureFilter"], | ||
| "handler": "ClientHandler" | ||
| } | ||
| }, | ||
| { | ||
| "name": "HeaderFilter", | ||
| "type": "HeaderFilter", | ||
| "config": { | ||
| "messageType":"REQUEST", | ||
| "remove": ["password","username"], | ||
| } | ||
| }, | ||
| { | ||
| "name": "CaptureFilter", | ||
| "type": "CaptureFilter", | ||
| "config": { | ||
| "captureEntity": false, | ||
| "file": "/tmp/gateway.log", | ||
| } | ||
| }, | ||
| { | ||
| "name": "ClientHandler", | ||
| "type": "ClientHandler", | ||
| "config": { | ||
| } | ||
| }, | ||
| ] | ||
| }, | ||
| "servletObject": "HandlerServlet", | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| { | ||
| "heap": { | ||
| "objects": [ | ||
| { | ||
| "name": "HandlerServlet", | ||
| "comment": "Transforms Servlet request to handler request.", | ||
| "type": "HandlerServlet", | ||
| "config": { | ||
| "handler": "DispatchHandler" | ||
| } | ||
| }, | ||
| { | ||
| "name": "DispatchHandler", | ||
| "type": "DispatchHandler", | ||
| "config": { | ||
| "bindings": [ | ||
| { | ||
| "condition": "${exchange.request.uri.scheme == 'http'}", | ||
| "handler": "OutgoingChain", | ||
| "baseURI": "http://TARGETIP" | ||
| }, | ||
| { | ||
| "condition": "${exchange.request.uri.path == '/login'}", | ||
| "handler": "LoginChain", | ||
| "baseURI": "https://TARGETIP" | ||
| }, | ||
| { | ||
| "handler": "OutgoingChain", | ||
| "baseURI": "https://TARGETIP" | ||
| } | ||
| ] | ||
| } | ||
| }, | ||
| { | ||
| "name": "LoginChain", | ||
| "type": "Chain", | ||
| "config": { | ||
| "filters": [], | ||
| "handler": "OutgoingChain" | ||
| } | ||
| }, | ||
| { | ||
| "name": "OutgoingChain", | ||
| "type": "Chain", | ||
| "config": { | ||
| "filters": [ | ||
| "CaptureFilter" | ||
| ], | ||
| "handler": "ClientHandler" | ||
| } | ||
| }, | ||
| { | ||
| "name": "CaptureFilter", | ||
| "type": "CaptureFilter", | ||
| "config": { | ||
| "captureEntity": false, | ||
| "file": "/tmp/gateway.log" | ||
| } | ||
| }, | ||
| { | ||
| "name": "ClientHandler", | ||
| "comment": "Sends all requests to remote servers.", | ||
| "type": "ClientHandler", | ||
| "config": {} | ||
| } | ||
| ] | ||
| }, | ||
| "servletObject": "HandlerServlet" | ||
| } |
209 changes: 209 additions & 0 deletions
209
openig-doc/src/main/docbkx/gateway-guide/chap-am-integration-tutorial.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,209 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!-- | ||
| ! CCPL HEADER START | ||
| ! | ||
| ! This work is licensed under the Creative Commons | ||
| ! Attribution-NonCommercial-NoDerivs 3.0 Unported License. | ||
| ! To view a copy of this license, visit | ||
| ! http://creativecommons.org/licenses/by-nc-nd/3.0/ | ||
| ! or send a letter to Creative Commons, 444 Castro Street, | ||
| ! Suite 900, Mountain View, California, 94041, USA. | ||
| ! | ||
| ! You can also obtain a copy of the license at | ||
| ! src/main/resources/legal-notices/CC-BY-NC-ND.txt. | ||
| ! See the License for the specific language governing permissions | ||
| ! and limitations under the License. | ||
| ! | ||
| ! If applicable, add the following below this CCPL HEADER, with the fields | ||
| ! enclosed by brackets "[]" replaced with your own identifying information: | ||
| ! Portions Copyright [yyyy] [name of copyright owner] | ||
| ! | ||
| ! CCPL HEADER END | ||
| ! | ||
| ! Copyright 2011-2012 ForgeRock AS | ||
| ! | ||
| --> | ||
| <chapter xml:id='chap-am-integration-tutorial' | ||
| xmlns='http://docbook.org/ns/docbook' | ||
| version='5.0' xml:lang='en' | ||
| xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' | ||
| xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd' | ||
| xmlns:xlink='http://www.w3.org/1999/xlink' | ||
| xmlns:xinclude='http://www.w3.org/2001/XInclude'> | ||
| <title>Tutorial With OpenAM</title> | ||
|
|
||
| <indexterm> | ||
| <primary>Tutorials</primary> | ||
| <secondary>OpenAM integration</secondary> | ||
| </indexterm> | ||
|
|
||
| <itemizedlist> | ||
| <para>This tutorial walks you through OpenIG integration with OpenAM. This | ||
| tutorial involves OpenAM, OpenIG on Tomcat protected by an OpenAM policy | ||
| agent, and MediaWiki as the target application, all hosted on our ForgeRock | ||
| demo site. When you have finished this tutorial you should understand:</para> | ||
|
|
||
| <listitem> | ||
| <para>How OpenIG integrates with OpenAM</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>How an OpenAM policy agent can work with OpenIG</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>How OpenIG integrates target applications in OpenAM deployments</para> | ||
| </listitem> | ||
| </itemizedlist> | ||
|
|
||
| <section> | ||
| <title>Detailed Flow</title> | ||
|
|
||
| <para>The figure below illustrates the flow of requests for a user logging | ||
| into OpenAM, and then being automatically logged into MediaWiki.</para> | ||
|
|
||
| <mediaobject xml:id="figure-am-integration-tutorial"> | ||
| <imageobject> | ||
| <imagedata fileref="images/am-integration-tutorial.png" format="PNG" /> | ||
| </imageobject> | ||
| <textobject> | ||
| <para>This diagram shows the flow of requests during user login.</para> | ||
| </textobject> | ||
| </mediaobject> | ||
|
|
||
| <orderedlist> | ||
| <listitem> | ||
| <para>User authenticates to OpenAM establishing a session.</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>User browses to a MediWiki page requiring authentication.</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>OpenAM Agent intercepts the request, validates the user session, | ||
| and fetches user's email address and password to populate in headers.</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>Agent passes the original request with populated headers to | ||
| OpenIG.</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>OpenIG inspects the request, finds no login page, sends the request | ||
| to MediaWiki.</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>MediaWiki finds no application session and returns its login | ||
| page.</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>OpenIG intercepts, sees the login page, creates the login form with | ||
| the user name and password from the headers inserted by the agent.</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>MediaWiki validates the login form, returns an application session | ||
| and the user's home page.</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>MediaWiki home page returned to the user.</para> | ||
| </listitem> | ||
| </orderedlist> | ||
| </section> | ||
|
|
||
| <section> | ||
| <title>Setup Summary</title> | ||
|
|
||
| <itemizedlist> | ||
| <para>All of the following components of this tutorial are hosted at | ||
| demo.forgerock.com.</para> | ||
|
|
||
| <listitem> | ||
| <para>OpenIG on Tomcat at <link xlink:href="http://demo.forgerock.com:8585/" | ||
| xlink:show="new">http://demo.forgerock.com:8585/</link></para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>OpenAM Policy Agent on Tomcat protecting OpenIG in SSO only mode | ||
| configured to pass the user name and password recorded from the OpenAM | ||
| login as headers</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>OpenAM at <link xlink:href="http://demo.forgerock.com:8888/openam/" | ||
| xlink:show="new">http://demo.forgerock.com:8888/openam/</link></para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>MediaWiki at <link | ||
| xlink:href="http://demo.forgerock.com:8181/mediawiki/" | ||
| xlink:show="new">http://demo.forgerock.com:8181/mediawiki/</link></para> | ||
| </listitem> | ||
| </itemizedlist> | ||
|
|
||
| <itemizedlist> | ||
| <para>OpenAM Policy Agent Configuration</para> | ||
|
|
||
| <listitem> | ||
| <para>Installed on OpenIG host at <link | ||
| xlink:href="http://demo.forgerock.com:8585/" | ||
| xlink:show="new">http://demo.forgerock.com:8585/</link></para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>Agent filter mode set to <literal>SSO_ONLY</literal></para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>Session Attributes Processing set to | ||
| <literal>HTTP_HEADER</literal></para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>Session Attribute Mapping contains | ||
| <literal>UserToken=username</literal> and | ||
| <literal>PassWordToken=password</literal></para> | ||
| </listitem> | ||
| </itemizedlist> | ||
|
|
||
| <itemizedlist> | ||
| <para>OpenAM Configuration</para> | ||
|
|
||
| <listitem> | ||
| <para>Standard installation using internal OpenDJ for the user store</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>Sample username and passwords: <literal>george/bosco</literal> and | ||
| <literal>kramer/newman</literal></para> | ||
| </listitem> | ||
| </itemizedlist> | ||
|
|
||
| <itemizedlist> | ||
| <para>OpenAM Configuration</para> | ||
|
|
||
| <listitem> | ||
| <para>Proxying to <link | ||
| xlink:href="http://demo.forgerock.com:8181/mediawiki/" | ||
| xlink:show="new">http://demo.forgerock.com:8181/mediawiki/</link></para> | ||
| </listitem> | ||
| <listitem> | ||
| <para><link xlink:show="new" | ||
| xlink:href="http://openig.forgerock.org/AMMediaWikiLogin.json" | ||
| >AMMediaWikiLogin.json</link> configuration file</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>Configured to intercept the MediaWiki login page</para> | ||
| </listitem> | ||
| <listitem> | ||
| <para>User name and password for MediaWiki login taken from incoming | ||
| user name and password HTTP headers</para> | ||
| </listitem> | ||
| </itemizedlist> | ||
| </section> | ||
|
|
||
| <section> | ||
| <title>Logging In</title> | ||
|
|
||
| <para>Browse directly to <link | ||
| xlink:href="http://demo.forgerock.com:8181/mediawiki/" | ||
| xlink:show="new">MediaWiki</link> and click the login link. You should be | ||
| presented with the MediaWiki login page. This is because you are directly | ||
| accessing the application. Now browse to <link | ||
| xlink:href="http://demo.forgerock.com:8585/mediawiki/" | ||
| xlink:show="new">OpenIG</link> and click the login link. This time you should | ||
| be redirected to the OpenAM login page. You can login with the user name | ||
| <literal>george</literal> and password <literal>bosco</literal>. Once logged | ||
| in, the policy agent protecting OpenIG allows the request through and passes | ||
| the user name and password as headers to OpenIG. OpenIG creates and POSTs the | ||
| MediaWiki login form using the credentials from the headers.</para> | ||
| </section> | ||
| </chapter> |
Oops, something went wrong.