When you deploy Windows Desktop SSO (WDSSO) with OpenAM for your internal users, you may also want to offer SSO to the same applications, or at least some of them, to external users (possibly a restricted set of them).

You can do so by defining an authentication chain in OpenAM with the WDSSO authentication module first, flagged as sufficient, followed by, for example, an LDAP authentication module flagged as required.

A problem arises when an external user tries to authenticate: if you leave the default application server and OpenAM pages unchanged, the user gets an HTTP 401, since the browser cannot negotiate authentication with SPNEGO.

Thus the user is never switched to the LDAP authentication page: the browser just gets the usual HTTP 401 error page, and that's all!

One way to work around this, which is not clearly mentioned in the OpenAM documentation, is to change the application server's default behaviour so that it returns a customized page on HTTP 401 errors:

The customized page can be anything you want. For example, you can define the JSP below, which automatically redirects external users to the right authentication page, keeping the "goto" URL and other parameters, if any. The drawback is that the 401 error page is still served to end users, although most of the time (depending on their network connection) they won't notice it.

Here’s what to do:

1) Explode (unpack) your OpenAM war into a temporary directory.

2) If you use Tomcat with OpenAM, add the following 401 error-page definition to the OpenAM web.xml file (under WEB-INF/). The beginning of the web.xml file should then look like this:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         version="2.4"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>OpenAM admin console</display-name>
    <!-- Serve the custom JSP instead of the container's default 401 page -->
    <error-page>
        <error-code>401</error-code>
        <location>/401.jsp</location>
    </error-page>

3) Create the following 401.jsp in the root of your temporary directory:

<%@ taglib uri="/WEB-INF/jato.tld" prefix="jato" %>
<%@ taglib uri="/WEB-INF/auth.tld" prefix="auth" %>

<%
    // Keep the 401 status and the Negotiate challenge so that domain-joined
    // browsers still complete SPNEGO; other browsers fall through to the redirect.
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "Negotiate");

    // Fall back to the page the browser came from (the OpenAM login URL with its
    // goto and other parameters), forcing the LDAP module.
    // Note: Referer is client-supplied; restrict it to this deployment's own host
    // before trusting it as a redirect target.
    String FallbackServiceURI = request.getHeader("referer");

    if (FallbackServiceURI != null) {
        if (FallbackServiceURI.contains("?"))
            FallbackServiceURI += "&module=LDAP";
        else
            FallbackServiceURI += "?module=LDAP";
    } else {
        FallbackServiceURI = "#";
    }
%>
<HTML><HEAD><TITLE>HTTP-401: Unauthorized</TITLE>
<META HTTP-EQUIV="refresh" content="0;url=<%= FallbackServiceURI %>">
</HEAD>
<BODY><H1>HTTP-401: Unauthorized</H1>
Proper authorization is required for this area.
Either your browser does not perform authorization,
or your authorization has failed.<br>
Your browser will be redirected to
<a href="<%= FallbackServiceURI %>">default
authorization method</a>.
</BODY></HTML>

4) Rebuild and redeploy the new OpenAM war file.
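The JSP above redirects to whatever the Referer header says, which a third-party site can influence. The helper below is an added example, not code from the original post or from OpenAM: it builds the same "module=LDAP" fallback URL but only accepts a Referer that points at this deployment's own login page, and returns a relative path instead of the raw header. The host name and login path are placeholder assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Builds the LDAP fallback URL for the custom 401 page from a Referer that
 * points at this OpenAM deployment's login page; anything else falls back to
 * the default login URL. Returning a relative path keeps the 401 page from
 * becoming an open redirect. Host and login path below are assumed placeholders.
 */
public final class LdapFallback {
    static final String OPENAM_HOST = "openam.example.com";   // assumed deployment host
    static final String LOGIN_PATH  = "/openam/UI/Login";     // assumed OpenAM login URI
    static final String DEFAULT     = LOGIN_PATH + "?module=LDAP";

    /** Returns a same-site path+query with module=LDAP, or the default login URL. */
    public static String build(String referer) {
        if (referer == null || referer.isEmpty()) {
            return DEFAULT;
        }
        URI uri;
        try {
            uri = new URI(referer);
        } catch (URISyntaxException e) {
            return DEFAULT;                       // unparsable Referer: do not trust it
        }
        String host = uri.getHost();
        String path = uri.getRawPath();
        if (host == null || !host.equalsIgnoreCase(OPENAM_HOST)
                || path == null || !path.equals(LOGIN_PATH)) {
            return DEFAULT;                       // foreign host or unexpected page
        }
        String query = uri.getRawQuery();
        if (query == null || query.isEmpty()) {
            return DEFAULT;
        }
        // Keep goto and any other parameters; add module=LDAP unless already present.
        for (String param : query.split("&")) {
            if (param.startsWith("module=")) {
                return LOGIN_PATH + "?" + query;
            }
        }
        return LOGIN_PATH + "?" + query + "&module=LDAP";
    }

    public static void main(String[] args) {
        // Constructed sample Referer values: same-site login with goto, foreign host, missing header.
        System.out.println(build("https://openam.example.com/openam/UI/Login?goto=https%3A%2F%2Fapp.example.com%2F"));
        System.out.println(build("https://evil.example.net/openam/UI/Login"));
        System.out.println(build(null));
    }
}
```

In the JSP, `build(request.getHeader("referer"))` would replace the string concatenation and the `#` default.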
