Intalio and Liferay Hand in Hand: Nicolas Modrzyk
CONFIDENTIAL
Agenda
1. Vision
2. Tempo
3. Liferay features
4. Single Sign-on with CAS
5. What we learned
6. Demo
Liferay Version 5
- jQuery integration
- Direct portlet publishing to the MySpace and Facebook networks
- Ability to leverage iGoogle gadgets directly within a portal deployment
What is Tempo
Intalio Tempo is a set of runtime components that support human workflow within a service-oriented architecture (SOA). Our main goal is to provide a complete and extensible workflow solution with a bias towards interoperable technologies (BPEL, BPEL4People, XForms, REST, and web services) as the default implementation.
SSO in Tempo
- RBAC (Role-based access control), see http://csrc.nist.gov/groups/SNS/rbac/
  - Simple plugin
  - LDAP plugin
- Token Service: no user credentials are sent around between components, only a Tempo token
- Plugged into CAS, so Tempo can now support basic CAS, OpenID and Google SAML
What is CAS?
CAS provides an enterprise single sign-on service:
- An open and well-documented protocol
- An open-source Java server component; there is also a Ruby one: http://code.google.com/p/rubycas-server/
- A library of clients for Java, .NET, PHP, Perl, Apache, uPortal, and others
- Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
- Community documentation and implementation support
- An extensive community of adopters
CAS Basics
(diagram: User, Login, Redirect to CAS)
Step Two (a): verify the ticket and be done
So, playing the role of the first application (not a proxying application at this stage; let's just see if we can get our application authenticated without proxying for now), you need to take the ticket and turn it into a username:

    https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling

which will produce a result like:

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>endjs</cas:user>
      </cas:authenticationSuccess>
    </cas:serviceResponse>

Two things to keep in mind: the service parameter must be exactly the value the user was sent to CAS with (a real client URL-encodes it), or CAS will refuse the ticket; and the serviceValidate call itself must go over HTTPS to the CAS server, because this response is the only thing you trust for the username.
This is the end of the road for normal applications that don't need to proxy other applications.
Step Two (b): verify the ticket and enable further proxying
If instead you do want to be able to proxy other applications, you need to also supply a pgtUrl to your validation request so that CAS can call back with the Proxy Granting Ticket. This is where life gets complicated, especially if you forget that service tickets are one-time-only: once you've used one with serviceValidate, you have to go back to CAS and get a new one (so if you've done Step One and Step Two (a), you'll need to do Step One again before you can do Step Two (b)). The choice of pgtUrl here is fairly arbitrary, except that it needs to be an https URL (CAS will only deliver the PGT to a callback it can verify) and it needs to be on a server on which you can access the log files.

    https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling&pgtUrl=https://foo.bar.com/pgtCallback

results in:

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>endjs</cas:user>
        <cas:proxyGrantingTicket>PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td</cas:proxyGrantingTicket>
      </cas:authenticationSuccess>
    </cas:serviceResponse>
Note that what you get in the response is only the PGTIOU, an opaque "I owe you". CAS delivers the actual PGT separately by calling your pgtUrl, which is why the callback server's access log matters; there you find the pgtIou from the response paired with the pgtId you will use for proxying:

    foo.bar.com - - [10/Dec/2003:09:28:15 +0000] "GET /pgtCallback?pgtIou=PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td&pgtId=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS HTTP/1.1" 200 13079
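The client side of the exchange in Step Two (a), Step Two (b) and the callback log above, as an added example (not Intalio Tempo, Liferay or CAS project code): it builds a correctly encoded serviceValidate URL, parses the cas:serviceResponse XML for the success, success-with-PGTIOU and failure cases, and resolves the PGTIOU from the response to the PGT that CAS delivered to pgtUrl, read from the callback server's access log. The responses, the INVALID_TICKET failure and the log line are constructed samples in the shape of the slides' examples; the function names are this example's own.

```python
# Added example of the CAS 2.0 serviceValidate exchange; not code from the
# Intalio/Tempo, Liferay or CAS projects. All inputs are constructed samples.
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# --- constructed sample data (same shape as the slides' examples) -----------
RESPONSE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>endjs</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

PGTIOU = "PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td"
PGT = "PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS"

RESPONSE_PGT = f"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>endjs</cas:user>
    <cas:proxyGrantingTicket>{PGTIOU}</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure, e.g. what a replayed one-time service ticket gets back.
RESPONSE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-956-Lyg0BdLkgdrBO9W17bXS' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed access-log line from the pgtUrl server (Apache combined format).
CALLBACK_LOG = (
    'foo.bar.com - - [10/Dec/2003:09:28:15 +0000] '
    f'"GET /pgtCallback?pgtIou={PGTIOU}&pgtId={PGT} HTTP/1.1" 200 13079'
)


def build_validate_url(cas_base, ticket, service, pgt_url=None):
    """serviceValidate URL with `service` URL-encoded. `service` must be
    byte-for-byte the value used in the login redirect or CAS rejects the
    ticket; pgtUrl must be https or CAS will not deliver a PGT to it."""
    params = {"ticket": ticket, "service": service}
    if pgt_url is not None:
        if urlsplit(pgt_url).scheme != "https":
            raise ValueError("pgtUrl must be an https URL")
        params["pgtUrl"] = pgt_url
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(params)


def parse_service_response(xml_text):
    """Describe a cas:serviceResponse. Anything that is not an explicit
    authenticationSuccess with a user is treated as a failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without a cas:user")
        pgtiou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
        return {"success": True, "user": user,
                "pgtiou": pgtiou.strip() if pgtiou else None}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"success": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    raise ValueError("not a CAS serviceResponse")


def pgt_map_from_log(log_lines):
    """Build {pgtIou: pgtId} from the pgtUrl server's access log. The PGT
    itself only ever travels through this callback, never in the response."""
    mapping = {}
    for line in log_lines:
        m = re.search(r'"GET (/pgtCallback\?[^ ]*) HTTP/', line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query)
        if "pgtIou" in qs and "pgtId" in qs:
            mapping[qs["pgtIou"][0]] = qs["pgtId"][0]
    return mapping


def resolve_pgt(response_xml, log_lines):
    """PGT for the PGTIOU in a validation response, or None when the response
    was not a success or carried no PGTIOU."""
    result = parse_service_response(response_xml)
    if not result["success"] or not result["pgtiou"]:
        return None
    return pgt_map_from_log(log_lines).get(result["pgtiou"])


if __name__ == "__main__":
    print(build_validate_url("https://foo.bar.com/is/cas",
                             "ST-956-Lyg0BdLkgdrBO9W17bXS", "http://localhost/bling",
                             pgt_url="https://foo.bar.com/pgtCallback"))
    print(parse_service_response(RESPONSE_PGT), "->", resolve_pgt(RESPONSE_PGT, [CALLBACK_LOG]))
```

The same parser applies unchanged to proxyValidate, which Tempo's token service uses for proxy tickets: the response format is identical, and proxy tickets are just as one-time as service tickets, so a second validation of the same ticket lands in the authenticationFailure branch.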
Tempo's token service turns a CAS proxy ticket into a Tempo token with the Yale/JA-SIG CAS Java client:

    import java.io.IOException;
    import javax.xml.parsers.ParserConfigurationException;
    import org.xml.sax.SAXException;
    import edu.yale.its.tp.cas.client.ProxyTicketValidator;

    public String getTokenFromTicket(String proxyTicket, String serviceURL)
            throws IOException, SAXException, ParserConfigurationException {
        ProxyTicketValidator pv = new ProxyTicketValidator();
        pv.setCasValidateUrl(_validateURL);   // the CAS validation endpoint (proxyValidate for proxy tickets)
        pv.setService(serviceURL);            // must match the service the proxy ticket was issued for
        pv.setServiceTicket(proxyTicket);     // proxy tickets are one-time-use, like service tickets
        pv.validate();                        // HTTPS call to CAS; parses the cas:serviceResponse
        if (pv.isAuthenticationSuccesful()) { // sic: the Yale client's own spelling
            String user = pv.getUser();
            return createToken(user);         // we now have a Tempo token!
        }
        return null;                          // validation failed: no token is issued
    }
- Being able to display Tasks from a portal
- Intalio UI-FW
- Also the Intalio console and Business Activity Monitoring (BAM)
- Integrate with SSO
- We started with Pluto as the open source portal
- We're happy to work with Liferay now
- JSR-168 leaves authentication out of the portlet spec
- Pluto has very limited SSO support
- There are many forum threads asking why it doesn't work
- Migrating to Liferay was a treat
- JSR-286 adds support for sharing state between portlets (public render parameters and events)
jQuery in short:
- http://www.slideshare.net/Sudar/a-short-introduction-to-jquery/
- http://www.slideshare.net/simon/jquery-in-15-minutes/