This article will demonstrate how to integrate OpenSSO/OpenAM with Liferay Portal to achieve single-signon.

Liferay Portal and OpenSSO both require a minimum 1.5 JVM, but I would recommend using Java 6 (as Java 1.5 reached its End of Service Life in October, 2009). Make sure that your JAVA_HOME environment variable is correctly set to point to your Java 6 installation.

For OpenSSO to work correctly with Liferay Portal, both servers need to be running in the same domain.  To solve this issue while running both servers on a single machine, edit the hosts file (/etc/hosts or %SystemRoot%system32driversetc) and add/update your localhost entry: 127.0.0.1 localhost localhost.example.com where example.com is your actual domain.

Install Liferay Portal Liferay Portal is an open source portal. Liferay comes in two editions, Enterprise Edition (EE) and Community Edition (CE). For a full discussion on the differences, see this. Downloads are available here. For this article, I used Liferay Portal 5.2.3 CE bundled with Tomcat 6.0 (6.0.18).

Installation consisted of:

1. Unzip liferay-portal-tomcat-6.0-5.2.3.zip to a directory. This will create a liferay-portal-5.2.3 folder.

   • On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh
2. In liferay-portal-5.2.3/tomcat-6.0.18/bin/, executing startup.sh (or startup.bat) will start Tomcat, and deploy Liferay Portal.
3. Open a browser to http://localhost.example.com:8080, and you will see the Liferay login page. You can login with test@liferay.com/test.

Install OpenSSO/OpenAM OpenSSO is an open source access management and federation server platform. Announced by Sun Microsystems in July 2005, OpenSSO was based on Sun Java System Access Manager, and was the core of Sun’s commercial access management and federation product, OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager). Oracle completed their acquisition of Sun Microsystems in February 2010 and announced that OpenSSO would no longer be their strategic product. OpenSSO will continue to be developed and supported by ForgeRock under the name of OpenAM (see this).

I downloaded the latest OpenAM build (OpenAM Snapshot 9.5.1 RC1) from here. For consistency, I will refer to OpenSSO as OpenAM for the remainder of this article.

As OpenAM also requires a servlet container, I downloaded the latest Tomcat (6.0.29) from here. Installation of the Tomcat server consisted of:

1. Unzip apache-tomcat-6.0.29 zip file. This will create an apache-tomcat-6.0.29 folder.

2. As both Liferay Portal and OpenAM will be running on the same machine, I needed to update the ports that the OpenAM Tomcat server was using.

   • Edit apache-tomcat-6.0.29/conf/server.xml. I changed all of the ports from 8xxx to 9xxx. For example, 8080 to 9080, 8443 to 9443, etc.
   • On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh
3. Edit catalina.sh (or catalina.bat) and add the following line to the start of the file, after the comment block listing the various Environment Variable Prequisites: Linux/MacOS: JAVA_OPTS="$JAVA_OPTS -Xmx1024m -XX:MaxPermSize=256m" Windows: set JAVA_OPTS="%JAVA_OPTS% -Xmx1024m -XX:MaxPermSize=256m"

Installation of OpenAM consisted of:

1. Unzip openam_snapshot_951RC1.zip to a directory. This will create an opensso folder.
2. Copy the opensso.war from opensso/deployable-war/ to apache-tomcat-6.0.29/webapps/.

3. In apache-tomcat-6.0.29/bin/, execute startup.sh (or startup.bat) to start Tomcat and deploy OpenAM.

   • After Tomcat has deployed OpenAM, you will see the exploded war file as apache-tomcat-6.0.29/webapps/opensso.
4. Open a browser to http://localhost.example.com:9080/opensso, which should redirect you to http://localhost.example.com:9080/opensso/config/options.htm, to complete the OpenAM configuration.

5. You should see the OpenAM configuration options page. Under Custom Configuration click Create New Configuration. Enter the following:

   • Default User Password — password
   • Server Settings — default entries are ok
   • Configuration Data Store Settings — select First Instance, select OpenAM as Configuration Data Store, leave other entries
   • User Data Store Settings — select OpenAM User Data Store
   • Site Configuration — select No
   • Default Policy Agent User — policy01
   • Configurator Summary Details - click Create Configuration. This will create the configuration for your OpenAM server under ~/opensso (or c:Documents and Settings{username}opensso).

6. When this completes, in the Configuration Complete dialog, click Proceed to Login, which should now redirect you to http://localhost.example.com:9080/opensso/UI/Login. Type amAdmin as the username, password as the password, and click Log In. You should now see the OpenAM Console.

   • For detailed information about the OpenAM Console, see this and this. A detailed discussion of all of the functionality of OpenAM is beyond the scope of this article.
7. You can now delete the opensso.war file from apache-tomcat-6.0.29/webapps/ directory.

Additional OpenAM Configuration To get OpenAM to work correctly with Liferay, you need to set Encode Cookie Value to Yes. This will prevent infinite redirection between Liferay and OpenAM on login.

1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Security tab.
5. In the Cookie section, select the Yes checkbox beside Encode Cookie Value.
6. Click Save.

Other people have reported having to set the com.iplanet.am.cookie.c66Encode property to true as well, to resolve the infinite redirection problem:

1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Advanced tab.
5. Find the com.iplanet.am.cookie.c66Encode property, and set the value to true.
6. Click Save.

Before updating Liferay to use OpenAM, I recommend adding the default Liferay user, test@liferay.com, to OpenAM.

1. In the OpenAM Console, select the Access Control tab.
2. Click the / (Top Level Realm) realm.
3. Select the Subjects tab.
4. Click New…

5. Setup the default Liferay user:

   • ID — joebloggs
   • First Name — Joe
   • Last Name — Bloggs
   • Full Name — Joe Bloggs
   • Password — password
   • Click OK to create the user.
6. Click Joe Bloggs to add the email address. Enter test@liferay.com for the Email Address, and click Save.

Integrate Liferay Portal with OpenAM Now you are ready to update Liferay Portal to integrate with OpenAM for authentication.

1. If Liferay is running, shut it down (bin/shutdown).
2. Create a new file, called portal-ext.properties, in your Liferay directory, under liferay-portal-5.2.3/tomcat-6.0.18/webapps/ROOT/WEB-INF/classes/.
3. Edit this file, and add the following properties: open.sso.auth.enabled=true open.sso.login.url= http://localhost.example.com:9080/opensso/UI/Login?goto= http://localhost.example.com:8080/c/portal/login open.sso.logout.url= http://localhost.example.com:9080/opensso/UI/Logout?goto= http://localhost.example.com:8080/web/guest/home open.sso.service.url=http://localhost.example.com:9080/opensso open.sso.screen.name.attr=uid open.sso.email.address.attr=mail open.sso.first.name.attr=givenname open.sso.last.name.attr=sn
4. Start Liferay (bin/startup).
5. Once Liferay has started, open a browser to http://localhost.example.com/8080, and you should be redirected to the OpenAM login page (http://localhost.example.com:9080/opensso/UI/Login). Enter joebloggs for the User Name, and password for the Password. Click Log In.

You will be authenticated against OpenAM, and redirected to Liferay.

Now that Liferay is using OpenAM for authentication, if you create a new user in OpenAM, that user will also be created in Liferay on the first log in. That newly created user in Liferay will only have the basic information filled in - First Name, Last Name, Screenname, Email Address - and will have the default Roles, Groups, and Organizations assigned.

This article demonstrated a basic integration with OpenAM and Liferay Portal. Now you are ready to explore more advanced topics include configuring OpenAM to use an existing LDAP or other user datastore, creating a custom datastore plugin (e.g. JDBC) for OpenAM, setting up a separate realm for Liferay users, as well as taking advantage of OpenAM for incoming and outbound SSO in conjuction with Liferay Portal. Enjoy!