1 2 3 Previous Next 37 Replies Latest reply: Nov 4, 2011 10:15 AM by Marek Posolda RSS

GateIn + OpenAM 9.5.2

macois Newbie

Hi,

 

I'm actually trying GateIn for my firm and I don't manage to integrate OpenAM and GateIn.

 

I follow all the steps in the GateInReference Guide but I've a problem.

 

The scenarii of the problem is :

 

1) Go to http://localhost:8080/portal

 

2) Click sur Administrator

 

3) I'm redirected to : http://openam.vauban.com:2080/openam_s952/UI/Login?realm=gatein&goto=http://localhost:8080/portal/private/classic

 

4) I filled in the form with root / gtn

 

5) I'm redirected to http://localhost:8080/portal/private/classic and the page is blank and the main fact is : The system seems to redirect me to this page infinitely..

 

 

 

Does Someone know an issue for this infinite loop ?

 

 

For information, I configured my OpenAM  :

  • to encode the cookies,
  • to use c66encode.

 

Thanks&Regards,

 

François

  • 1. GateIn + OpenAM 9.5.2
    macois Newbie

    Hi,

     

    The guide is wrong on one point :

    => The modification on the jaas.conf file :

     

    The guide says to uncomment this :

      // Uncomment the following part (and comment the other part for CAS integration

      org.gatein.sso.agent.login.SSOLoginModule required

      org.exoplatform.services.security.j2ee.TomcatLoginModule required

      portalContainerName=portal

      realmName=gatein-domain

     

    But the syntax is false, we just need that (be careful on the ';' :

     

      // Uncomment the following part (and comment the other part for CAS integration

    org.gatein.sso.agent.login.SSOLoginModule required;

      org.exoplatform.services.security.j2ee.TomcatLoginModule required;

  • 2. GateIn + OpenAM 9.5.2
    macois Newbie

    Hi, after few tests,

     

    I've no error in my logs (good point) but I stil have my infinite loop on the blank page. It's a matter with the cookies, isn't it ???

     

    Please help me, thanks

  • 3. GateIn + OpenAM 9.5.2
    Steve Pamer Newbie

    OpenAM doesnt like localhost.  You need to use FQDN.

     

    -steve

  • 4. GateIn + OpenAM 9.5.2
    macois Newbie

    Thanks for answering me Steve !

     

    Do you think I can use the same domain so (openam.vauban.com) for my GateIn and my OpenAM even if the two applications are on the same machine but on two tomcat different ?

     

    thanks,

     

    regards,

     

    françois.

  • 5. GateIn + OpenAM 9.5.2
    macois Newbie

    Hi,

     

    I've tried with the same FQDN for OpenAM and GateIn and with two different FQDN and the both are KO (on the same machine).

     

    Do you have another idea ?

     

    Thanks,

     

    F.

  • 6. GateIn + OpenAM 9.5.2
    Steve Pamer Newbie

    You should be able to use the same FQDN for both.  When you installed openAM you set the cookie domain. 

    Whe you access the system do not use localhost in the URL use the FQDN.

    If you look at the cookies in your browser, where do you find the OpenAM cookie?

    It should be under the cookie domain that you installed with.

     

    I had this problem when I first installed and there are articles around regarding this.

    You found the other issue with the cookie encoding.

     

    -steve

  • 7. GateIn + OpenAM 9.5.2
    macois Newbie

    Hi Steve,

     

    Oki for the fqdn, so it's the matter anymore (since I used two different fqdn : domain.agent.com (for gatein) and openam.vauban.com (for openam)). And I do my tests all the time with the domain domain.agent.com or openam.vauban.com.

     

    In my brother the cookie is called : iPlanetDirectoryPro under the domain .vauban.com


    In my OpenAm, I found this :

     

    For the cookie : Configuration > Server and Sites > Server default configuration > Security > The cookie is called too : iPlanetDirectoryPro

    (and the same for my server)

     

    For the domain : Access Control > Domain : GateIn > Domain/Alias DNS : .vauban.com, vauban


    Does it seem correct for you ?

     

    Thanks by advance,

     

    François

  • 8. GateIn + OpenAM 9.5.2
    Marek Posolda Apprentice

    Hello,

     

    I think that you can have problem with validation of OpenAM ticket. You can look at sources of class OpenSSOAgent http://anonsvn.jboss.org/repos/gatein/components/sso/tags/1.0.1-GA/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java which is doing validation . You can enable DEBUG log for this class in server/default/conf/jboss-log4j.xml and it's possible that then you will see in server.log what is wrong .

     

    You can also try to debug this class in your IDE, that may give you more informations.

     

    Hope this helps,

    Marek

  • 9. GateIn + OpenAM 9.5.2
    Steve Pamer Newbie

    Hi Francois,

    Hmmm.  That all *seems* to be ok.

     

    Don tknow if it matters but I have everything in one domain (in your case it would be openam.vauban.com, and domain.vauban.com).

     

    From my experience, the infinite redirect is either from the agent not finding the cookie because of a mismatch in domains

    or cannot interpret it (encoding issue) so it keeps going back to the openam server but the openam server can see it just fine

    so it sends it right back.

     

    You will probably have to turn up the logging on the agent side to message level and wade through that.  There is a

    forum on forgerock.com that might be able to help.

     

    Sorry, but I dont have any more ideas at the moment.

     

    Best Regards,

    Steve

  • 10. GateIn + OpenAM 9.5.2
    macois Newbie

    Thanks for the two answers, it's cool to have some helps when you've a tricky problem...like this one.

     

    For the logging part in DEBUG, I modified the file  GateInHOME\conf\logging.properties and I pass all the logs in DEBUG.

    I still have no log when I reproduce the problem.

     

    So, is-it the good file ?

    Or it confirms the cookie problem ?

     

    Thanks by advance,

     

    F.

  • 12. Re: GateIn + OpenAM 9.5.2
    macois Newbie

    Hi !

     

    Oki it's a very good news for me, it's possible

     

    I've just to manage it on my local PC.

    So I will follow your documentation and test it !

     

    Did you use two different PCs ? Two domains ? Which version of the sso gate in packaging did you use ?

    Did you configure OpenAM in order to encode the cookies ? or to use the c66encode ?

    Did you add some others configurations ?

     

    Did you have a problem with the modification of the jaas.conf file ?

    On my PC, I just kept the two first lines with a semi colon at the end of each line.

     

     

    Thanks for your help,

     

    François.

  • 13. GateIn + OpenAM 9.5.2
    Steve Pamer Newbie

    Hi,

     

    I am using two Linux machines, one for openAM running in Tomcat 6, and the other with GateIn installed in JBoss 5.

    One domain.

    My gateIn package was 1.0.1-GA found here:

         https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging/1.0.1-GA/

    I used the default c66encode.  OpenAM 9.5.2 by default is now c66Encode=true.

    No other special configuration that I am using that would effect this.

         I have a seperate OpenDS for my OpenAM, and use additional read only LDAP in GateIn against that directory (which doesnt work correctly, yet)

         but am able to authenticate against users created in GateIn (root, mary, etc)

     

    I am running GateIn in JBoss, not Tomcat, so I did not have to configure jaas.conf.

     

    the instructions seem to assume that you are running on the same host so step 5 didnt mention that you

    need to edit gatein.properties and put in the host and port for your GateIn host.

     

    Good Luck,

     

    Steve

  • 14. GateIn + OpenAM 9.5.2
    Prabhat Jha Master

    Hi Steve,

     

    We appreciate your active contributions to GateIn community on OpenAM integration. Thanks a lot.

     

    Is is possible for you to create a wiki/how-to doc on this topic assuming that a user has just downloaded GateIn? We have created few similar docs such as http://community.jboss.org/wiki/Createanewportalusingextension

     

    Thanks,

    Prabhat

1 2 3 Previous Next