
Book Description

This is your logical, clearly written guide to implementing Single Sign-On to secure your web applications using OpenAM. It makes light work of the complexities by explaining things with real-world examples.

  • The first and the only book that focuses on implementing Single Sign-On using OpenAM
  • Learn how to use OpenAM quickly and efficiently to protect your web applications with the help of this easy-to-grasp guide
  • Written by Indira Thangasamy, core team member of the OpenSSO project from which OpenAM is derived
  • Real-world examples for integrating OpenAM with various applications

In Detail

OpenAM is an open source continuation of the OpenSSO project that was taken over, and later scrapped, by Oracle. OpenAM is the only commercial-grade, feature-rich web application that provides SSO solutions. It has a variety of features and a powerful Single Sign-On capability, but the implementation can be tricky, and the unorganized and incoherent online documentation is not very helpful.

The OpenAM book will serve as a guide to everything you need to know to get started with implementing Single Sign-On using OpenAM to protect your web applications, along with real-world examples.

The author's extensive experience in testing and troubleshooting OpenAM enables him to share insights on how the product works, its strengths, its weaknesses, and some inside information.

If you are reading this, you probably want to protect your web application using OpenAM. The book starts off with an introduction to OpenAM, describing its core features and the kinds of problems that OpenAM can solve. It then provides detailed instructions on how to protect your web applications by using the OpenAM server and policy agents. You will also learn about the user interface elements you need in order to manage OpenAM successfully, and you will understand the concepts of the identity web services provided by OpenAM. There are examples in the book that describe how the REST-based identity services can be invoked and utilized. In the final chapters, you will find detailed discussions about backup, recovery, and audit logging.

The book concludes by discussing some of the common OpenAM problems and tips to troubleshoot them. Although the project name has changed from OpenSSO to OpenAM, the product screen and file names still reflect OpenSSO. Hence, you will encounter the term "OpenSSO" throughout the book.

This practical, hands-on guide will teach you how to protect your web applications by implementing Single Sign-On (SSO) using OpenAM.

Table of Contents

  1. OpenAM
    1. OpenAM
    2. Credits
    3. About the Author
    4. Acknowledgement
    5. About the Reviewers
    6. www.PacktPub.com
      1. Support files, eBooks, discount offers and more
        1. Why Subscribe?
        2. Free Access for Packt account holders
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Errata
        2. Piracy
        3. Questions
    8. 1. Getting Started
      1. History of OpenSSO
        1. OpenSSO vs. OpenAM
        2. OpenSSO—an overview
        3. OpenSSO services
          1. Federation services
          2. Web Services Security and Secure Token Service
          3. OpenSSO Entitlements Service
        4. What kind of problems does OpenSSO solve?
          1. Access management
          2. Federation
          3. Securing web services
          4. Entitlements
      2. Summary
    9. 2. OpenSSO Deployment and Configuration
      1. Deployment requirements for OpenSSO web application
        1. Containers and operating systems support
        2. Java SDK support
        3. Disk and memory requirements
        4. Browser requirements
      2. Configuration store versus Identity Store
        1. Configuration store
          1. Embedded configuration store
          2. External Sun Directory Server Enterprise Edition configuration store
        2. Identity store
      3. How to obtain OpenSSO
        1. Building OpenSSO from source
        2. Downloading OpenSSO binary
      4. Configuring OpenSSO
        1. Installing and configuring Apache Tomcat 6.0.20
        2. OpenSSO one click configuration
        3. Verifying OpenSSO configuration
        4. What just happened?
      5. OpenSSO configuration choices
        1. Single server configuration-using embedded configuration store
          1. Layout of the configuration directory
        2. Single server configuration-using external configuration store
        3. Multi-server configuration-embedded configuration store
          1. Prerequisites for multi-server configuration
          2. Adding OpenSSO to an existing deployment
          3. Verification of multi-server deployment
        4. Configuring using command line configurator
        5. Configuring OpenSSO with SSL/TLS
        6. Configuring command line tools
        7. Uninstalling OpenSSO
      6. OpenSSO release and support model
      7. Summary
    10. 3. Administrating OpenSSO
      1. Administration interfaces
      2. Accessing the administrative console
      3. Console views and privileges
        1. Console landing page-common tasks
        2. Access control tab
          1. General
          2. Authentication
          3. Service
          4. Data stores
          5. Privileges
          6. Policies
          7. Subjects
            1. Managing users from the command line tool
            2. Managing groups from a command line tool
          8. Agents
        3. Configuration
          1. Retrieving all the server properties
          2. Updating server configuration properties
          3. Removing properties from server configuration
        4. Sessions tab
          1. Managing sessions using ssoadm
      4. Customizing the console
        1. Extending LDAP schema
        2. Customizing OpenSSO User Service
          1. Adding attributes to amUser.xml
          2. Removing User Service schema
          3. Adding the updated User Service schema
          4. Adding the labels
          5. Adding the custom attributes to data store configurations
          6. Updating privileges
          7. Testing the changes
      5. Summary
    11. 4. Authentication and Session Service
      1. Authentication process
        1. Cookies in OpenSSO
        2. Authentication types and URL parameters
          1. Module
          2. Level
          3. Service
          4. User
          5. Role
          6. Realm
          7. Resource
        3. Other authentication URL parameters
          1. IDToken parameter
          2. goto and gotoOnFail parameters
          3. locale parameter
          4. arg parameter
          5. iPSPCookie parameter
          6. ForceAuth parameter
          7. PersistAMCookie parameter
      2. Authentication modules, instances, and chains
        1. LDAP authentication
          1. Creating an authentication instance
          2. Updating an authentication instance
          3. Reading an authentication instance
          4. Using an authentication instance
          5. Deleting an authentication instance
        2. Authentication chains
          1. Creating an authentication chain
          2. Updating an authentication chain
          3. Reading an authentication chain
          4. Using an authentication chain
          5. Performing a user-based authentication
          6. Deleting an authentication chain
      3. Authentication modules
        1. LDAP
        2. Active Directory
        3. Data store
        4. Anonymous
        5. Certificate (X.509)
      4. Configuring Tomcat in SSL using CA signed certificate
        1. HTTP basic authentication
        2. Membership
        3. JDBC
        4. HOTP
        5. SecurID
        6. SafeWord
        7. RADIUS
        8. Unix
        9. Windows NT
        10. Windows Desktop SSO
        11. Core
          1. User profile requirement
          2. Setting user profile attributes in an SSO token
      5. Adding custom authentication modules
      6. Session Service
        1. Session Service schema
          1. Updating Session Service
        2. Session life cycle
          1. Session structuring
          2. Session state transition
          3. Session properties
          4. Session change notification and polling
          5. Session persistence and constraints
      7. Summary
    12. 5. Password Reset and Account Management
      1. Account lockout
      2. Configuring account lockout
        1. Physical lockout
        2. In-memory lockout
      3. Applying a password reset
        1. Prerequisites
        2. Configuring the password reset service in OpenSSO
          1. Assigning service and update service attributes
          2. Creating and assigning OpenDS password policy
            1. Creating OpenDS policy
            2. Assigning the policy to a user
            3. Forcing password change after reset
            4. Behind the scenes
            5. Location of secret questions
      4. Summary
    13. 6. Protecting a Simple Web Application to Provide SSO
      1. OpenSSO Policy Framework
      2. Protecting a sample application on Tomcat
        1. Creating the agent profile
        2. Installing and configuring the agents
        3. Deploying and configuring the Java application
        4. Creating policies and associated identities
        5. Testing the SSO
        6. Fetching user profile attributes
      3. Summary
    14. 7. Integrating Salesforce and Google Apps
      1. Integrating OpenSSO with Salesforce applications
        1. Configuring hosted identity provider and circle of trust
        2. Configuring OpenSSO metadata for Salesforce.com
        3. Configuring users for Salesforce.com
        4. Verifying the SSO
      2. Integrating with Google Apps
        1. Configuring the hosted identity provider
        2. Configuring SSO parameters at Google Apps
        3. Configuring users for Google Apps
        4. Verifying SSO
      3. Summary
    15. 8. Identity Stores
      1. Identity store types
      2. Caching and notification
        1. Persistent search-based notification
        2. Time-to-live based notification
        3. TTL-specific properties for Identity Repository cache
      3. Supported identity stores
        1. User schema
        2. Access Manager Repository plugin
          1. Creating an Access Manager Repository plugin data store
          2. Displaying the data store properties
          3. Updating data store properties
          4. Deleting data stores
          5. Removing the Access Manager Repository plugin
        3. Oracle Directory Server Enterprise Edition
          1. Creating a data store for Oracle DSEE
          2. Updating the data store
          3. Deleting the data store
        4. Data store for OpenDS
        5. Data store for Tivoli DS
        6. Data store for Active Directory
        7. Data store for Active Directory Application Mode
        8. Datastore for OpenLDAP
        9. Configuring an OpenLDAP suffix
        10. Extending the schema
        11. Preparing the suffix with necessary entries
        12. Creating an OpenLDAP data store
        13. Testing the data store
        14. Multiple data stores
      4. Summary
    16. 9. RESTful Identity Services
      1. Prerequisites
      2. Invoking REST interfaces
        1. Authentication
        2. Authenticating with URL parameters
        3. Validating an SSO token
        4. Invalidating session (logout)
        5. Creating log events
        6. Authorization
      3. Identity CRUD operations
        1. Searching identities
          1. Searching for user identities
          2. Searching groups
          3. Searching for agents
        2. Retrieving identity attributes
        3. Creating agent identities
        4. Creating user identities
        5. Creating group identities
      4. Updating identities
        1. Deleting identities
          1. Deleting user identities
          2. Deleting group identities
          3. Deleting the agent identities
      5. Other REST interfaces
      6. Summary
    17. 10. Backup, Recovery, and Logging
      1. Backing up configuration data
        1. Backing up the OpenSSO configuration files
        2. Backing up the OpenSSO configuration data
        3. Crash recovery and restore
      2. Test to production
        1. Performing the configuration change
          1. Configuring the export test server
          2. Configuring OpenSSO on the production server
          3. Adapting the test configuration data
          4. Importing into the production system
        2. OpenSSO audit and logging
          1. Enabling debug (trace) level logging
          2. Audit logging
            1. Enabling and disabling audit logging
        3. File-based logging
        4. Database logging
          1. Remote logging
          2. Secure logging
            1. Creating the keystore
            2. How to verify
      3. Summary
    18. 11. Troubleshooting and Diagnostics
      1. OpenSSO diagnostic tools
        1. Installing and configuring the tool
        2. Invoking the tool
      2. Troubleshooting
        1. Installation and configuration
          1. Scenario 1
          2. Scenario 2
          3. Scenario 3
            1. How to Fix
          4. Scenario 4
        2. Authentication and session areas
          1. Scenario 1
          2. Scenario 2
          3. Scenario 3
          4. Scenario 4
        3. Identity repository and password reset
          1. Scenario 1
          2. Scenario 2
          3. Scenario 3
          4. Scenario 4
          5. Scenario 5
        4. Policy and agents
          1. Scenario 1
          2. Scenario 2
          3. Scenario 3
        5. Command line tools
          1. Scenario 1
          2. Scenario 2
      3. Summary