OpenAM J2EE agent installation brings down Tomcat

Time: 2015-03-08 22:36:30

Tags: alfresco alfresco-share openam opensso

OpenAM version 12, agent versions 3.5 and 3.3, Tomcat version 7

I tried to set up my J2EE agent following the steps at https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012. Let me paste the steps after my question (see the end).

But I get the error shown below:

Not able to configure J2ee agent on adding my customized data store for users

I have tried installing and uninstalling version 3.5 several times, and have also tried earlier versions.

http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error has a good discussion of this topic, but it did not help me much.

I am using LDAP, so I used an LDAP realm, and the subjects show up fine. I also noticed that the Policies tab has changed a lot compared to how it is described in the blog.

Now I have hit a roadblock and do not know how to proceed, because the error gives me no clue about what to do. I even added a file named AMConfig.properties to the classpath containing the agent's username and password, and also tried the OpenAM admin username and password as suggested in the discussion above. But that did not help either.

The problem is that Tomcat now does not start and gives an error saying that the AMConfig.properties properties are required.

I know the OpenAM realm setup is fine, because I am able to log into another application (Liferay) through this realm; I only had to provide the URL for the OpenAM integration. After uninstalling the agent, Tomcat starts without any error and I can log into the application.

-------------------Step copied from 1st link(modified)--------------------------

1. Configure your OpenAM agent (tried both 3.5 and 3.3 version on tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm) - where in my case LDAP Realm (other application using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add a subjects - already part of LDAP Realm 
g. Now select Agents -> J2EE - > (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)

```properties
# Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true

# SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader
```

NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.

That concludes the setup for Alfresco and OpenAM

For Share you need to have the following section uncommented in your share-config-custom.xml

```xml
<config evaluator="string-compare" condition="Remote">
  <remote>
    <keystore>
      <path>alfresco/web-extension/alfresco-system.p12</path>
      <type>pkcs12</type>
      <password>alfresco-system</password>
    </keystore>

    <connector>
      <id>alfrescoCookie</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
    </connector>

    <connector>
      <id>alfrescoHeader</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      <userHeader>SsoUserHeader</userHeader>
    </connector>

    <endpoint>
      <id>alfresco</id>
      <name>Alfresco - user access</name>
      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
      <connector-id>alfrescoHeader</connector-id>
      <endpoint-url>http://alfreso.domain.com:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
    </endpoint>
  </remote>
</config>
```

Notice I am not using the SSL cert and in my alfrescoHeader connector I have used SsoUserHeader (as setup in OpenAM) and the endpoint uses the alfrescoHeader connector

Now you need to add the OpenAM filter to the Share web.xml file

Add the following filter just before the Share SSO authentication support filter

```xml
<filter>
  <filter-name>Agent</filter-name>
  <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>
```

Add the following filter mapping to the filter-mapping section

```xml
<filter-mapping>
  <filter-name>Agent</filter-name>

  <dispatcher>REQUEST</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>
```
----- End ----------

1 answer:

Answer 0 (score: 3)

The error message is a bit misleading: "Cannot obtain Application SSO token" usually means that the agent could not authenticate itself. When you install the agent, the installer asks for a profile name and a password file; these values need to correspond to the agent profile configured in OpenAM. To test whether you can authenticate as that user, you can simply try to authenticate by issuing the following request:

```shell
curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate
```

In the above command, the realm value must be the same as the value of the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's installation directory).

A wrong username/password combination is only one of the possible root causes of this exception. During startup the agent may also fail to connect to OpenAM in order to authenticate. In those cases the problem could be:

  • Network errors, or a firewall problem preventing the agent from contacting OpenAM
  • SSL trust issues: the agent's JVM does not trust the certificate of the OpenAM container (only a problem if you installed the agent by supplying OpenAM's HTTPS URL and the certificate is self-signed or simply not trusted by the JVM)
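As an added example (not code from the question, the answer or the OpenAM project): a small Python script that reads the realm from the agent's OpenSSOAgentBootstrap.properties and sends the same authentication request as the curl command in the answer, so the realm in the request cannot drift from the one the agent actually uses. The property key com.sun.identity.agents.app.username for the profile name, the `token.id=` success body and the HTTP 401 on a bad password are assumptions about OpenAM's legacy identity service.

```python
import urllib.error
import urllib.parse
import urllib.request

REALM_KEY = "com.sun.identity.agents.config.organization.name"
PROFILE_KEY = "com.sun.identity.agents.app.username"  # assumed bootstrap key

def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def build_authenticate_request(openam_base, bootstrap_text, password):
    """Return (url, form_body) matching the curl in the answer.  The 'uri'
    field carries its own 'realm=...&module=Application' query string, so the
    inner '&' is sent as %26; otherwise the outer form parser splits it and
    the Application auth module is never selected."""
    props = parse_properties(bootstrap_text)
    realm = props.get(REALM_KEY, "/")
    profile = urllib.parse.quote(props[PROFILE_KEY], safe="")
    body = (f"username={profile}&password={urllib.parse.quote(password, safe='')}"
            f"&uri=realm={realm}%26module=Application")
    return openam_base.rstrip("/") + "/identity/authenticate", body

def check_agent_credentials(openam_base, bootstrap_text, password,
                            opener=urllib.request.urlopen):
    """Run the check; returns (ok, detail). 'opener' is injectable for tests."""
    url, body = build_authenticate_request(openam_base, bootstrap_text, password)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    try:
        with opener(req) as resp:
            text = resp.read().decode()
    except urllib.error.HTTPError as e:
        return False, f"HTTP {e.code}: profile name, password or realm rejected"
    except urllib.error.URLError as e:
        return False, f"cannot reach OpenAM: {e.reason}"
    if text.startswith("token.id="):  # assumed success format of the legacy API
        return True, "agent profile authenticated; token received"
    return False, "unexpected response: " + text[:80]
```

Run it with the real bootstrap file's text and the agent password; a `cannot reach OpenAM` result points at the network or SSL trust causes listed above rather than at the credentials.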