Well, that surprises me, as the SSO doc refers to an sso.form.Action property. And this works fine in the sso webcontent portlet in 2.2.0. I successfully configured it to post my login form, using sso.form.Action, log me in, then navigate to the SRC url. Works great, except webcontent has problems rendering the page properly. That's why I want to use SSO IFrame. The makes no distinction between IFrame and Webcontent portlets as it relates to form based auth.

At any rate, I have gone through your previous responses, tried using login.htm in the src, but I still never get a post. It simply does a get on the login.htm and renders the page. I have been very careful to assure my SSO Admin properties are synced with my portlet properties, so it should map to a set of credentials, but they never get posted. The best I can do with the proxy portlets is get it to do basic auth, which of course will not work with my target url.

From: Woonsan Ko <[email protected]>
To: Jetspeed Users List <[email protected]>
Date: 08/18/2010 02:12 PM
Subject: Re: SSO IFrame form authentication

Unfortunately, the portlet or any other SSO-related portlet does not provide different form auth URL from the navigating URL. So, the SRC URL must be the form auth target URL. It's up to the form auth target URL to redirect to other contents.

The SSOReverseProxyIFramePortlet is responsible only for sending credentials information to the target form auth page with specified parameter names in POST method. This limitation is because it could be complicated if it should manage some states in a general way to check if the target site has authenticated or not. On the other hand, it would be easier to add or customize a form auth target page; it can do authentication, store some session attributes and redirect to other pages. SSOReverseProxyIFramePortlet remembers the last visited page; so when you visit the page back, it will remember the navigation states during the session. Also, you could choose basic authentication if you don't want to add or customize the form auth target page.

Here are some details on SSO configurations. There are two places to configure SSO configs.

Firstly, the system administrator should register SSO SITEs in j2-admin's SSO Admin portlet. [1]

Secondly, each user should register the SSO credentials information in my-account.psml which can be navigated by a link in the login portlet after authenticated.

Thirdly, SSOReverseProxyIFramePortlet retrieves the SSO SITE information and the user's SSO credentials information, determining those from the SRC url.

In your example, you need to register an SSO SITE with http://host.domainname.com:8090/ATGAdmin/ or http://host.domainname.com:8090/ with proper authentication mechanism. If the SSO SITE needs form authentication, you should provide proper form auth parameters for username and password.
When you visit a portal page including the sso reverse proxy iframe portlet, the portlet will find the best matched SSO SITE from the current navigation url. So, if the current proxied url is http://host.domainname.com:8090/ATGAdmin/login.jsp, then the portlet will retrieve the SSO SITE and credentials information for the user. If it is form-auth for the SSO SITE, the portlet will send the credentials information with the specified parameter names in POST method to the target form auth page.

[1] http://portals.apache.org/jetspeed-2/adminguide/sso.html#SSO_Management

HTH,

Woonsan

----- Original Message ----
> From: "[email protected]" <[email protected]>
> To: Jetspeed Users List <[email protected]>
> Sent: Wed, August 18, 2010 11:37:23 AM
> Subject: Re: SSO IFrame form authentication
>
> Thanks for the much needed documentation. However, I still can't seem to tie the SSO configuration to the portlet. I can use the SSO Reverse Proxy portlet to render the remote content, but I do not see how to get the portlet to preemptively log into the site. My src is http://host.domainname.com:8090/ATGAdmin/customers.htm, however, SSO should be logging into http://host.domainname.com:8090/ATGAdmin/login.htm
> I don't see how the SSO config knows that, and in my case, it certainly does not do it. To net it out, I can get the SSO portlet to render the site, but the login never happens.
>
> From: Woonsan Ko <[email protected]>
> To: Jetspeed Users List <[email protected]>
> Date: 08/18/2010 12:28 PM
> Subject: Re: SSO IFrame form authentication
>
> Hi,
>
> For the preferences of the portlet, you can refer to this documentation:
> http://portals.apache.org/applications/webcontent/index.html
>
> For URL related stuffs, there are three: SRC, PROXYREMOTEURL and PROXYLOCALPATH.
> The SRC preference is the same as the default IFrame portlet.
> The PROXYREMOTEURL preference is for configuring the remote proxy target url base path.
> The PROXYLOCALPATH preference is for configuring the local proxy pass base path.
> So, for example, if SRC is http://www.yourcompany.com/foo/bar/test.html and your reverse proxy service (servlet) is configured to map /j2-admin/rproxy/foo/ to http://www.yourcompany.com/foo/, then PROXYREMOTEURL should be set to http://www.yourcompany.com/foo/ and PROXYLOCALPATH should be set to /j2-admin/rproxy/foo/ or ${contextPath}/rproxy/foo/.
> Also, please see the following documentation on how to configure reverse proxy service:
> http://portals.apache.org/applications/webcontent/rproxy.html
>
> Regards,
>
> Woonsan
>
> ----- Original Message ----
> > From: "[email protected]" <[email protected]>
> > To: Jetspeed Users List <[email protected]>
> > Sent: Wed, August 18, 2010 7:22:38 AM
> > Subject: Re: SSO IFrame form authentication
> >
> > I was able to successfully get form-based auth to work with your example scenario, however, my own test case does not. I still simply go directly to the login screen. I'm sure it has to do with the proxyremoteurl and proxylocalpath args, but I have not seen any detailed doc on how they work.
> >
> > From: David Sean Taylor <[email protected]>
> > To: Jetspeed Users List <[email protected]>
> > Date: 08/17/2010 07:19 PM
> > Subject: Re: SSO IFrame form authentication
> >
> > On Tue, Aug 17, 2010 at 1:40 PM, <[email protected]> wrote:
> > > How did your testing go? I compared SSO Webcontent (which works, sort of) to SSO IFrame classes and I see a method for preemptive login in the webcontent class but no reference at all in the SSO IFrame class. Does this just mean it is being done differently, or is something amiss in the SSO IFrame class?
> >
> > There are two SSOIFrame classes:
> >
> > 1. SSOIFramePortlet
> > 2. SSOReverseProxyIFramePortlet
> >
> > Suggest using the second one, SSOReverseProxyIFramePortlet as it gives you features not available in the older SSOIFramePortlet such as auto-resizing and form-based authentication (what you are after)
> >
> > I tested with SSOReverseProxyIFramePortlet and it worked in the example that comes with Jetspeed, but it takes a little bit of configuration.
> >
> > First, ensure your Tomcat will need this attribute set in the <Connector> element of server.xml:
> >
> > emptySessionPath="true"
> >
> > more detail here:
> >
> > http://portals.apache.org/applications/webcontent/index.html
> >
> > If you had to change server.xml setting, then restart your server
> >
> > I took these steps to verify SSO with the example form-based login that comes with Jetspeed:
> >
> > 1. login as admin
> > 2. navigate to the Jetspeed Administration space, SSO Management page, or just go here:
> >
> > http://localhost:8080/jetspeed/ui/Administrative/sso-admin.psml
> >
> > Add a new Site with following parameters:
> >
> > Site Name: Form Example
> > Site URL: http://localhost:8080/j2-admin/examples/formauth.jsp
> > Field name for User ID: user
> > Field name For Password value: pass
> >
> > Press Save
> >
> > Add a new credential for this site in the portlet on the right side (SSO Details):
> >
> > Portal Principal: admin
> > Remote Principal: admin
> > Remote Credential: admin
> >
> > Press Add
> >
> > You can verify that the remote credential was added for the admin user by going here:
> >
> > http://localhost:8080/jetspeed/ui/my-account.psml
> >
> > see the portlet on the right "SSO Change Passwords", a remote site entry should be there named "Form Example"
> >
> > Next, you can use the Toolbox to find the Reverse Proxy Iframe Portlet by searching on "iframe" and then selecting it from there and adding to a page.
> > To make things simple, I just added a page and then added the Reverse Proxy Iframe Portlet there. At first this portlet seems to want to use Basic Authentication, so just hit cancel when challenged. I then switched to edit mode (pencil icon), and entered the following preferences:
> >
> > TITLE: My SSO Test
> > SRC: http://localhost:${serverPort}${contextPath}/examples/formauth.jsp
> >
> > Press Save
> >
> > You should see in your portlet content something like:
> >
> > "Hello, admin. You have been authorized by form-based authentication !!!"
> >
> > Give that a try and see if it works. Then, move on to your specific IFrame source and let us know how it goes...
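
An added illustration, not part of any message in this thread and not Jetspeed code: a small Python model of the PROXYREMOTEURL/PROXYLOCALPATH mapping and of the "best matched SSO SITE" lookup as the replies describe them. The longest-prefix rule, the exact origin comparison, the function names and the ATGAdmin field names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed SSO SITE entries; the field names for the ATGAdmin site are placeholders.
SITES = [
    {"name": "ATG root", "url": "http://host.domainname.com:8090/", "auth": "basic"},
    {"name": "ATG Admin", "url": "http://host.domainname.com:8090/ATGAdmin/",
     "auth": "form", "user_field": "user", "pass_field": "pass"},
]

def _split(url):
    """Return ((scheme, host, port), path) so origins are compared exactly."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port), p.path or "/"

def to_local_path(url, proxy_remote_url, proxy_local_path):
    """Map a URL under PROXYREMOTEURL onto PROXYLOCALPATH; None if outside it."""
    if not url.startswith(proxy_remote_url):
        return None
    return proxy_local_path + url[len(proxy_remote_url):]

def best_site(current_url, sites=SITES):
    """Assumed rule: identical origin, then the longest path prefix wins."""
    origin, path = _split(current_url)
    best, best_len = None, -1
    for site in sites:
        s_origin, s_path = _split(site["url"])
        prefix = s_path if s_path.endswith("/") else s_path + "/"
        if s_origin != origin:
            continue
        if path != s_path and not path.startswith(prefix):
            continue
        if len(s_path) > best_len:
            best, best_len = site, len(s_path)
    return best

def planned_request(current_url, remote_user, remote_credential, sites=SITES):
    """Request implied by the replies: credentials go to the SRC URL itself."""
    site = best_site(current_url, sites)
    if site is None:
        return {"method": "GET", "url": current_url, "site": None}
    if site["auth"] != "form":
        return {"method": "GET", "url": current_url, "site": site["name"]}
    body = {site["user_field"]: remote_user, site["pass_field"]: remote_credential}
    return {"method": "POST", "url": current_url, "site": site["name"], "body": body}
```

With SRC set to customers.htm the model posts to customers.htm, never to login.htm, which is the limitation described in the 02:12 PM reply. Comparing scheme, host and port exactly keeps stored credentials from being matched to a look-alike host that merely shares a string prefix with a registered site.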
