Single Sign-On (SSO) Deployment Guide for iMeet® Central™
Single Sign-On allows a network user to log in to an environment once, without having to log in to each service separately with a different set of credentials.
iMeet® Central™ Single Sign-On is compatible with SAML v2. We do, however, recommend Microsoft's ADFS 2.0 as the bridge between your existing Active Directory network and iMeet® Central™. SAML and OpenAM are complicated, so it is important that you follow these directions carefully. Read and understand the SAMLv2 Wikipedia entry and the OpenAM user manual before you begin. While OpenAM is free to use and is likely to work for you after following the instructions below, we recommend purchasing support for it to ensure the smoothest and most trouble-free experience. Complete OpenSSO documentation is available here.
Below is a guide on how to configure OpenAM and integrate Single Sign-On between iMeet® Central™ and Active Directory. More user guides are forthcoming. Please feel free to add to or augment this guide as appropriate.
These guides on how to integrate with Google Docs and SugarCRM may also help you understand the process further:
- http://developers.sun.com/identity/reference/techart/google-apps.html (includes video)
- http://developers.sun.com/identity/reference/techart/sugarCRM.html
General Requirements:
- One server (physical or virtual), reachable from the internet via a public IP address; this is the Identity Provider.
- A public DNS entry for that server, for example sso.examplecompany.com or login.examplecompany.com.
- This server MUST have access to your directory server (Active Directory or LDAP), but it need not reside on the same server or virtual machine.
- Your directory service MUST contain your users' email addresses; the email address is the link between your directory and our service.
- iMeet® Central™ servers must be able to reach this machine.
- All users attempting to log in must be able to reach this machine.
- This server must be able to communicate with your directory service (Microsoft Active Directory, generic LDAPv3, database, etc.).
- This server MAY be the same system your directory service runs on, but this IS NOT a recommended configuration, as the directory server should not be reachable from the internet.
If you will be using OpenAM as your bridge the system recommendations for OpenAM are:
- 1 GB RAM
- 60MB of Disk Storage
- Java 6 Runtime
It is VERY important that the time is always correct on the machine running the SAML interface. Be sure to use NTP or similar to keep its clock synchronized with nist.gov.
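The reason the clock matters is that every SAML 2.0 assertion the IdP issues carries a validity window, and the service provider only accepts assertions whose window contains its own clock time (with a small drift tolerance). The following added example, which is not part of this guide or of OpenAM, evaluates a constructed assertion the way a service provider would and models what an IdP clock error does to the login outcome; the 60-second tolerance and the ten-minute window are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a ten-minute window the IdP believes it issued at 12:00:00Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_constructed-id" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://sso.examplecompany.com/openam</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:10:00Z"/>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, sp_now, skew_seconds=60):
    """Evaluate <saml:Conditions> as a service provider whose clock reads sp_now
    and which tolerates skew_seconds of drift. Returns (accepted, reason)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "assertion carries no validity window"
    skew = timedelta(seconds=skew_seconds)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if sp_now + skew < not_before:
        return False, "not yet valid: IdP clock is ahead of the SP clock"
    if sp_now - skew >= not_on_or_after:
        return False, "expired: IdP clock is behind the SP clock"
    return True, "inside validity window"

def login_outcome(idp_clock_error_seconds, skew_seconds=60):
    """Model an IdP whose clock is off by idp_clock_error_seconds (positive =
    IdP clock runs fast). The SP's true time is 5 s after the IdP believes it
    issued the assertion, so only the clock error decides the result."""
    issued_by_idp = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    sp_now = issued_by_idp - timedelta(seconds=idp_clock_error_seconds) + timedelta(seconds=5)
    return check_conditions(SAMPLE_ASSERTION, sp_now, skew_seconds)[0]
```

A clock 30 seconds fast is absorbed by the tolerance, a clock five minutes fast rejects every login as "not yet valid", and a clock far behind rejects every login as "expired": the symptom looks like a configuration fault but is fixed by NTP.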
Download and install the latest Java JRE from http://java.sun.com/javase/downloads/index.jsp
Install Servlet Container
Download and install Apache Tomcat 6.0
http://tomcat.apache.org/download-60.cgi
Right-click on the Apache Tomcat tray application and open the "Java" tab. Set the maximum memory pool to 1024 MB or higher and add -XX:MaxPermSize=256m to "Java Options."
Note on Tomcat on 64bit Windows:
Tomcat service wrappers are currently built and distributed as 32-bit binaries. On a 64-bit Windows platform, do the following:
Install the Sun 64-bit Windows JRE.
Install Tomcat 6.0.18 normally (manually point the installer to your 64-bit JRE install path using Browse...).
Replace the existing tomcat6.exe and tomcat6w.exe with the Tomcat 6 64-bit binaries from here:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/tags/TOMCAT_6_0_18/res/procrun/amd64/
The service should then be capable of starting normally.
The latest versions of Tomcat 6.0.x have no issues with 64-bit support.
Download OpenAM
www.forgerock.com/downloads.html
Save the zip file, then unzip it. Copy "deployable-war/opensso.war" to $TOMCAT_HOME/webapps.
Many of the screenshots below show OpenSSO Build 7; Build 9 includes the latest bug fixes and enhancements and is therefore the recommended version, even though the screens may vary slightly.
Once you have installed Apache Tomcat and copied opensso.war to $TOMCAT_HOME/webapps, start the server either by double-clicking the 'Apache Tomcat' icon, or by right-clicking the icon, choosing Configure and then clicking the Start button. (If you don't see the Apache Tomcat icon, open the Start menu and click 'Monitor Tomcat'.)
The Apache Tomcat icon will turn green, indicating that the server is up. If you get any errors while starting the server, check the log files in the Tomcat directory ($TOMCAT_HOME/logs). If you can't connect, check your firewall settings to be sure you are able to connect on that port.
Install OpenAM
Go to http://the-externally-accessible-hostname-of-your-server.com:8080/openam/ (important: do not use localhost, a local-only name or any sort of IP address; use the public DNS name of this server).
Click on 'Custom configuration' link. The 'Custom Configuration option' window opens.
Step 1: Enter a password for the amAdmin super user (this is the account you will use to access OpenAM).
Step 2: Keep the default values and press Next (server settings). Be sure that the directory you are installing to (for example C:\openam) has permissions that allow it to be written to.
Step 3: Keep the default values and press Next (configuration store settings).
Step 4: In the User Data Store settings:
Change the following fields: Root suffix and Login ID.
To figure out your root suffix, look at your Active Directory domain name in the "Users and Computers" administrative tool.
Split the name on the periods, prefix each part with "dc=", and join the parts with commas. Append the result to "cn=Users". Example:
Root suffix: cn=Users,dc=imeetcentral,dc=local
Login ID: cn=Administrator placed in front of your Root Suffix. You may create a different user to use here, but make sure it has all the appropriate permissions to access and modify your directory.
cn=Administrator,cn=Users,dc=imeetcentral,dc=local
For user data store type: Select "Generic LDAP"
The directory name is the hostname of your Active Directory or LDAP server. This may or may not be installed on the same server as OpenAM.
Step 5: Check the 'No' radio button (site configuration).
Step 6: Enter a URL Agent password. Make something up; we won't be using this feature (agent information).
Click the 'Create Configuration' button.
The configurator summary details page will then be displayed.
Configure OpenAM
Log in to OpenAM using the amAdmin user you created in the setup wizard.
(http://hostname:8080/openam/UI/Login)
For Active Directory:
Click on the 'Access Control' tab. On the Access Control page, click the / (Top Level Realm) link.
Now navigate to Data Stores -> generic LDAPv3.
In the generic LDAPv3 page change the following attributes:
- LDAP Users Search Attribute: sAMAccountName
- LDAP Users Search Filter: (objectclass=person)
- Attribute Name of User Status: userAccountControl
- Click 'Save' button at the top right of the page.
Now navigate back to the Data Stores page by clicking the 'Back to Data Stores' button, then click on the 'Authentication' tab.
Click the 'LDAP' link in the Module Instances section of the Authentication page.
Change these:
- Attribute Used to Retrieve User Profile: sAMAccountName
- Attributes Used to Search for a User to be Authenticated: sAMAccountName
- Click "Save" in the top right of the page.
Navigate back to Authentication -> Access Control.
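The Step 4 rule for deriving the root suffix and Login ID, and the user lookup that the "LDAP Users Search Filter" and "LDAP Users Search Attribute" settings above describe, as an added example (not part of this guide or of OpenAM). It goes one step beyond the guide by escaping the submitted login name per RFC 4515, so a name containing filter metacharacters cannot change the structure of the query; the combined filter form is an assumption about what a generic LDAPv3 lookup with those two settings amounts to, since the guide does not show OpenAM's exact query text.

```python
# Added example; the combined-filter shape is assumed, not taken from OpenAM source.

def root_suffix(ad_domain, container="cn=Users"):
    """Step 4 rule: split the AD domain on '.', prefix each part with 'dc=',
    and append the parts to the users container:
    'imeetcentral.local' -> 'cn=Users,dc=imeetcentral,dc=local'."""
    parts = [p for p in ad_domain.strip().split(".") if p]
    if not parts:
        raise ValueError("AD domain name must not be empty")
    return ",".join([container] + ["dc=" + p for p in parts])

def login_id(ad_domain, account="Administrator"):
    """Login ID for the data store: the admin account in front of the root suffix."""
    return "cn=%s,%s" % (account, root_suffix(ad_domain))

# RFC 4515 escapes for assertion values inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(login_name, search_attr="sAMAccountName",
                       users_filter="(objectclass=person)"):
    """The lookup the two data store settings describe: restrict to person
    objects AND match the submitted login name on sAMAccountName (the AD
    logon name). The AND-wrapping is this example's assumption."""
    return "(&%s(%s=%s))" % (users_filter, search_attr, escape_filter_value(login_name))
```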
Create Circle of Trust
Now click on 'Federation' tab. Then click on the 'New' button in the 'Circle of trust' section. Name it whatever you like and keep the defaults for the rest of the fields and click finish.
Enable SSO in iMeet® Central™:
Log into iMeet® Central™ as a company administrator. Go to
Account -> Company Setup -> SSO Settings
Enable SSO.
Fill out the forms with the URLs for your new SSO installation as per the examples above the fields.
To get your certificate fingerprint, change to the directory where you installed OpenAM and run the "keytool" command to list the certificates you've registered. "keytool" is part of your Java distribution and may not be in your path.
example: c:\opensso\opensso> keytool -list -keystore keystore.jks -v
Note: If you receive a "'keytool' is not recognized as an internal or external command" message, navigate to your Java bin directory in the command window:
e.g. type "cd C:\Program Files\Java\jre7\bin" (the path may differ on your system)
example: keytool -list -keystore c:\opensso\opensso\keystore.jks -v
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: test
Creation date: Jul 17, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=test, OU=OpenSSO, O=Sun, L=Santa Clara, ST=California, C=US
Issuer: CN=test, OU=OpenSSO, O=Sun, L=Santa Clara, ST=California, C=US
Serial number: 478d074b
Valid from: Wed Jan 16 00:49:39 IST 2008 until: Sat Jan 13 00:49:39 IST 2018
Certificate fingerprints:
MD5: 8D:89:26:BA:5C:04:D8:CC:D0:1B:85:50:2E:38:14:EF
SHA1: DE:F1:8D:BE:D5:47:CD:F3:D5:2B:62:7F:41:63:7C:44:30:45:FE:33
Signature algorithm name: MD5withRSA
Version: 1
*******************************************
*******************************************
Make sure you use the certificate associated with the hosted identity provider (and its circle of trust) that you intend to use with iMeet® Central™ (by default this will be the certificate with the alias 'test'). You can change this at any time.
Save the form.
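A check worth running before and after saving the form: the fingerprint pasted into iMeet® Central™ must be the fingerprint of the key the hosted IdP actually signs with, otherwise every assertion is rejected. The added example below (not part of this guide or of OpenAM) parses keytool -list -v output for a chosen alias, compares it with the configured value regardless of case and separators, and computes a keytool-style fingerprint from DER certificate bytes so the same check can be run against the certificate published in the IdP metadata. The keytool output is a constructed sample that reuses the 'test' fingerprints shown above and adds a second, made-up alias.

```python
import hashlib
import re

# Constructed sample: the lines of `keytool -list -v` that matter, for a
# keystore holding two keys. The 'test' entry reuses the fingerprints from
# this guide; 'oldkey' is made up.
KEYTOOL_OUTPUT = """Your keystore contains 2 entries

Alias name: oldkey
Entry type: PrivateKeyEntry
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

Alias name: test
Entry type: PrivateKeyEntry
Certificate fingerprints:
\t MD5: 8D:89:26:BA:5C:04:D8:CC:D0:1B:85:50:2E:38:14:EF
\t SHA1: DE:F1:8D:BE:D5:47:CD:F3:D5:2B:62:7F:41:63:7C:44:30:45:FE:33
"""

def keytool_fingerprints(output):
    """Parse keytool -list -v output into {alias: {'MD5': ..., 'SHA1': ...}}."""
    result, alias = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            result[alias] = {}
            continue
        m = re.match(r"\s*(MD5|SHA1|SHA256):\s*([0-9A-Fa-f:]+)\s*$", line)
        if m and alias is not None:
            result[alias][m.group(1)] = m.group(2).upper()
    return result

def normalize_fingerprint(fp):
    """Accept 'DE:F1:..', 'de f1 ..' or bare hex; return upper-case hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def der_fingerprint(der_bytes, algorithm="sha1"):
    """keytool-style colon-separated digest of a DER-encoded certificate, e.g.
    the base64-decoded <ds:X509Certificate> from the IdP's SAML metadata."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def configured_fingerprint_matches(configured, output=KEYTOOL_OUTPUT,
                                   alias="test", algorithm="SHA1"):
    """True when the value entered in the SSO Settings form is the fingerprint
    of the signing key (alias) the hosted IdP really uses."""
    expected = keytool_fingerprints(output).get(alias, {}).get(algorithm)
    return expected is not None and \
        normalize_fingerprint(configured) == normalize_fingerprint(expected)
```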
Create HOSTED Identity Provider (this is the customer)
Now click on 'Common Tasks' tab and click on 'Create hosted Identity provider' tab.
Select 'test' from the "Signing Key" drop-down menu or follow the OpenAM manual to create a new key.
Select the circle of trust we created earlier.
Click "Configure" in the top right of the page.
Create REMOTE Service Provider (this is imeetcentral.com)
Click the 'Register Remote Service Provider' link. You will be taken to the registration page.
Your service provider metadata is located at http://YOURCOMPANY.imeetcentral.com/saml2-metadata.php (replace YOURCOMPANY with your own subdomain).
Click "Configure".
To check for configuration errors, enable debug logging in the OpenAM console:
- Go to Configuration > Servers & Sites > select your server > Default Server Settings > Debugging.
- Make sure debug logging is not set to Off.
- Set the debug level to Warning.
- The debug files are written to the openam/debug directory.
Now click on "Federation" tab. Click the Service Provider with imeetcentral.com/saml2-metadata.php in the name.
Click "Assertion Processing" tab.
Profile mapping:
See full list of fields available for mapping
Sample mapping for a run-of-the-mill LDAP install:
address1=street
phone=telephoneNumber
fullname=cn
state=1
memberof=memberof
address1=postaladdress
state=st
zipcode=postalCode
state=state
member=member
notes=description