IBM Bluemix Single Sign On Service

Lab Exercise Guide

October 21, 2015

IBM Bluemix Single Sign On Service Lab Exercise Guide, October 2015

TABLE OF CONTENTS

LAB EXERCISE GUIDE

1. INTRODUCTION
   1.1 BLUEMIX SINGLE SIGN ON SERVICE
   1.2 LAB OBJECTIVES
   1.3 PREREQUISITES

2. CASE STUDY OVERVIEW

3. SET UP BLUEMIX SSO SERVICE
   3.1 CREATING A SINGLE SIGN ON SERVICE INSTANCE

4. SET UP A CLOUD DIRECTORY IDENTITY SOURCE
   4.1 CREATE A CLOUD DIRECTORY
   4.2 MANUALLY ADD A USER
   4.3 BULK LOAD USERS
   4.4 USER SELF CARE
   4.5 (OPTIONAL) OTHER CLOUD DIRECTORY FEATURES

5. SET UP SOCIAL ID IDENTITY SOURCE
   5.1 ADD GOOGLE+ SOCIAL ID
   5.2 REGISTER A GOOGLE APPLICATION
   5.3 COMPLETE GOOGLE SOCIAL ID IDENTITY SERVICE SET UP
   5.4 VERIFY GOOGLE+ IDENTITY SERVICE SET UP (OPTIONAL)

6. NODE.JS APPLICATION EXAMPLE
   6.1 CREATE A NODE.JS APPLICATION
   6.2 DOWNLOAD THE STARTER CODE
   6.3 BIND STARTER APP TO SSO SERVICE
   6.4 INTEGRATE STARTER SAMPLE APP WITH SSO SERVICE INSTANCE
   6.5 MODIFY STARTER APP TO MAKE USE OF BLUEMIX SSO SERVICE
   6.6 DEPLOY AND TEST MODIFIED APPLICATION

7. LIBERTY FOR JAVA APPLICATION EXAMPLE
   7.1 CREATE LIBERTY FOR JAVA APPLICATION
   7.2 INTEGRATE APPLICATION WITH SSO SERVICE INSTANCE
   7.3 DEPLOY DEMO APP
   7.4 IMPORT THE DEMO APP INTO ECLIPSE (OPTIONAL)
   7.5 MODIFICATIONS IN DEMO APP TO ENABLE SSO INTEGRATION

APPENDIX A ADD FACEBOOK AS A SOCIAL IDENTITY SOURCE

REFERENCES

1. Introduction

1.1 Bluemix Single Sign On Service

This document gives a technical overview and step-by-step instructions on how to configure a Bluemix Single Sign On (SSO) service and use it with Bluemix hosted web applications.

The above diagram shows that the Bluemix SSO Service bridges identity sources to cloud applications. Currently Bluemix SSO supports social ids, an in-cloud directory, and an on-premise directory.

1.2 Lab Objectives

In this lab we will integrate the in-cloud directory and social ids with a sample cloud application running on the Node.js or Liberty Java runtime.

The Bluemix SSO service is created and managed by an administrator (in the space manager role); application developers (in the space developer role) can integrate the service with their applications. These two roles can be assigned to different people or to the same person.

Due to a capacity issue, we will create 30 SSO service instances beforehand (enablement01 to enablement30). Users will be grouped and assigned to different SSO service instances.

Users can choose either Node.js or Liberty Java as the application runtime. Users who do not have a JDK and Eclipse installed on the local system can choose to develop a Node.js application or deploy an existing Liberty Java demo application. Users who want to make changes to the Liberty Java demo application need to have a JDK and Eclipse installed locally.

NOTE: PLEASE DO NOT CREATE A NEW SSO SERVICE INSTANCE.

1.3 Prerequisites

1. ____ Your assigned SSO service instance name: _________________________

2. ____ Name your application: _________________________________________

3. ____ Choose a social id provider: ____ Google+, ____ Facebook, ____ LinkedIn

4. ____ Install the Cloud Foundry Command Line Interface (CLI) tool from https://github.com/cloudfoundry/cli/releases

5. ____ (Optional) Install and configure Eclipse IDE for Java EE Developers and the Eclipse Plugin for IBM Bluemix from http://www.eclipse.org/downloads/.
This step is for advanced users who want to modify the demo application code or write their own code. Detailed steps are not provided in this lab guide; please follow the URL below:
https://www.ibm.com/cloud-computing/bluemix/eclipse/

2. Case Study Overview

We will set up one cloud directory and one or more cloud social ids as identity sources for the Bluemix SSO instance.

Inside the cloud directory each SSO service instance has its own directory space. Users and groups can be managed manually via the UI or programmatically via the SCIM API. There are also tools to support bulk load and synchronization with existing directory servers. We will practice manual editing and bulk loading.

Users can also explore the User Self Care (USC) feature that the cloud directory provides. We will practice user registration.

The social ids supported by Bluemix SSO are Google+, Facebook, and LinkedIn. Each user can use his/her favorite social id provider to configure the assigned SSO service instance.

Once the identity sources are defined, users can pick either a Node.js or a Liberty Java demo application to start the integration.

After application integration, users can test the single sign on service with either cloud directory credentials or social id credentials.

The on-premise identity source is not in the scope of this lab exercise, but it is an important feature for customers that do not want to move their user data to the cloud. We support SAML integration, and if a customer does not have a SAML identity provider, we provide an identity bridge virtual appliance as a SAML identity provider that customers can download and deploy within their data center.

3. Set up Bluemix SSO Service

3.1 Creating a Single Sign On service instance

This section is for information purposes only. All single sign on service instances are provisioned beforehand in order to control the number of instances. There are 30 SSO instances created in the UK data center for this lab exercise.

A space manager role is required to create a single sign on service instance.

An administrator logs in to the Bluemix console at https://console.eu-gb.bluemix.net/.

After login, make sure the region and organization information from the upper right drop down menu matches the following screenshot:

Region: United Kingdom
Organization: vijayka@us.ibm.com

On the left hand side, make sure the space Enablement is listed under the chosen organization:

In the above organization and space, select SERVICES, then click on USE SERVICES OR APIS on the right side of the screen to create a new service:

Navigate through the list of services offered by Bluemix and select Single Sign On under Security:

Click the Single Sign On service icon and look for the Add Service panel on the right:

Enter the service name. Make sure the service is left unbound (select Leave unbound) and is not attached to any application at this time, since there are additional configuration steps to be completed.

Click the CREATE button to create the service.

Once the service is created, a welcome page shows up for configure and deploy:

Enter the name of the service and click on Continue.

A new SSO service instance has been created with no identity source defined:

In the next step we will set up the SSO service.

4. Set up a Cloud Directory Identity Source

4.1 Create a cloud directory

6. ____ Log in to https://console.eu-gb.bluemix.net/. From the Dashboard you should see a list of predefined SSO services:

7. ____ Click on the assigned SSO service instance. A service with no identity source is shown:

8. ____ Click on Cloud Directory on the left bar.

9. ____ Provide a name for the cloud directory, then click on Save.

4.2 Manually add a user

10. ____ Click on the + icon in the upper right corner to manually add a new user.

11. ____ Fill in the form, then click on Save to create a user. If the newly created user does not show up, click on the search icon to refresh the content.

4.3 Bulk load users

12. ____ Click on the upload icon to perform a bulk upload of users.

13. ____ Click on "Click here" to download the sample file for the bulk load.

The sample template has the following contents:

    userName,password,name.givenName,name.familyName,email.work
    jamesb,password,Bill,James,jamesb@mail.com
    davidh,password,David,Hill,davidh@mail.com

You may use it as is or add/modify the content for additional users. Once it is done, save the file and get ready to upload it.

14. ____ Browse to the csv file, then click on Upload File to bulk load the users.

15. ____ After the upload is complete, click on the search icon to refresh. You should see something like this:
4.4 User Self Care

16. ____ Open the cloud directory and click on the Settings icon in the upper right corner.

17. ____ In the settings page, click on API Access on the left side and copy the User Self Care Base URL from the right side. You should get something like this:

https://enablement01-d3qd77go3o-cabc.eu-gb.iam.ibmcloud.com/v1/mgmt/idaas/user

Copy the host name and use it to replace <hostname> in the user self registration URL below:

https://<hostname>/idaas/mtfim/sps/idaas/usc/public/register.html

For example, the enablement01 SSO service has the following self registration URL:

https://enablement01-d3qd77go3o-cabc.eu-gb.iam.ibmcloud.com/idaas/mtfim/sps/idaas/usc/public/register.html

Prepare your own self registration URL and copy/paste it into a browser window.

18. ____ Fill in the self registration form.

Click on Submit.

19. ____ Check your email. You should receive a mail like this:

20. Click on the link in your email or enter the security code in the registration page:

Click on Check Code to continue.

21. ____ Complete the self registration page:

Click on Save to complete the self registration process.
4.5 (Optional) Other cloud directory features

22. ____ (Optional) Go back to the cloud directory dashboard and find the download link in the upper right corner:

The Download link points to the cloud directory sync tool that is available at IBM Fix Central. The cloud directory sync tool can help customers sync their on-premise directory server with the Bluemix cloud directory server.

We do not have time to practice this feature; there is no need to download it during the lab session.

23. ____ (Optional) Go back to the Single Sign On service dashboard and click on DESIGN in the upper right corner:

Click on the Download File button.

24. (Optional) Unzip the downloaded zip file and check out the template files that the user can modify.

The following table shows the templates that can be modified and their purpose:

Template page: /authsvc/authenticator/basicldapuser/login.html
Purpose: Used for authenticating the user in Bluemix.
When the page is displayed: Shown during authentication of the user.

Template page: /authsvc/authenticator/basicldapuser/change_password.html
Purpose: Used for changing the password of the in-cloud registry user.
When the page is displayed: Displays the change password page during authentication when the in-cloud registry user receives a password expiry error or a password about to expire warning.

Template page: /idaas/login.html
Purpose: Displays the login methods that are configured for the application where the user can initiate a login flow.
When the page is displayed: Displayed when the single sign-on flow is initiated and the user does not have an authenticated session.

Template page: /oidc/consent.html
Purpose: Prompts whether to allow the OpenID Connect client to retrieve the user's identity information.
When the page is displayed: Displayed after the user is authenticated but before the authorization code is returned to the OpenID Connect client.

5. Set up Social ID Identity Source

5.1 Add Google+ social id

Bluemix SSO supports Google+, Facebook, and LinkedIn social ids as identity sources. In this part of the lab guide we will use Google+ as an example; for the Facebook set up process, please see Appendix A. LinkedIn requires more information from the application developer, such as a web site icon, which is not suitable for this lab exercise.

25. ____ Add Google+ as an identity service in your Single Sign On service instance. Navigate to the SSO service dashboard and click on Google+ from the left bar, Add New Identity Source:

26. ____ Follow the step 1 instruction to register your application with Google+.

Copy the OAuth Redirect URI at the bottom. Click on the Click Here link, which opens a browser with the Google Developers Console URL:

https://console.developers.google.com/

5.2 Register a Google application

27. ____ Log in with your Google id.

Click on Create an empty project.

28. ____ Enter a project name. This can be anything meaningful to you.

Click on Create.

29. ____ In the newly created application's dashboard, expand APIs & auth on the left side and click on APIs.

On the right side select Google+ API under the Social APIs.

30. ____ By default the Google+ API is not enabled. Click on Enable API.

31. ____ Review the details of the API settings.

Click on [icon] to go back to the Google+ API dashboard.

32. ____ Click on Credentials under APIs & auth on the left panel.

Click on Add credentials.

33. ____ Select OAuth 2.0 client ID.

34. ____ Click Configure consent screen.

35. ____ Enter a product name. It will show up when the user authenticates, to let the user know which application/product is asking for his/her credentials.

Click on Save.

36. ____ Choose Web application, then enter a name and the redirect URL that we copied at step 26.

Click on Create.

37. ____ Record the OAuth client ID and secret. We need them to set up the Google social id in the Bluemix SSO service.

5.3 Complete Google social id identity service set up

38. ____ Go back to the Bluemix SSO dashboard and continue to set up the Google social id.

Enter the client ID and secret we recorded in step 37, then click on Save.

39. ____ A new Google social id identity service is set up and enabled for the Bluemix Single Sign On service instance.

5.4 Verify Google+ identity service set up (Optional)

40. ____ (Optional) In the Google identity service dashboard, click on Verify.

41. ____ (Optional) In the Verify Access to Google+ page, click on Click here.

It will open a browser and redirect to the Google login page. (If you are already logged in to the Google web site, you may not see the login page again.)

42. ____ (Optional) Consent to the access to your basic information.

43. ____ (Optional) Upon success you should see the login success page.

6. Node.js application example

6.1 Create a Node.js application

44. ____ Log in and go to the Dashboard.

45. ____ Click on CREATE APP under Cloud Foundry Apps.

46. ____ Select WEB as the application to create.

47. ____ Select SDK for Node.js to create a Node.js application.

48. ____ Review the choice and click on CONTINUE.

49. ____ Enter the name of your new application. It should be the one you decided on at step 2. Use an application name that distinguishes your application from other users' applications.

50. ____ A new application is created and running.

6.2 Download the Starter Code

51. ____ Review the steps, then click on Download Starter Code.

Note: The CF Command Line Interface (CLI) tool must be installed. If you want to run the application locally, you also need to download and install Node.js from https://nodejs.org

52. ____ Unzip the Starter App zip file to a local directory. You should find the following files:

6.3 Bind starter app to SSO service

53. ____ From the dashboard you should see the newly created app and the previously configured SSO service instance.

Click on the app you just created to open it.

54. ____ Click on Bind a service or API.

55. ____ Select the Single Sign On service just configured, then click Add.

56. ____ Click on RESTAGE. The application will restart.

57. ____ Review the service credentials by clicking on Show Credentials under the SSO service.

A sample credential section looks like this. It contains the endpoints, client id and secret of the SSO service instance. The client id and secret are assigned to your sample app to communicate with the Bluemix SSO service instance.

    {
      "SingleSignOn": [
        {
          "credentials": {
            "authorizationEndpointUrl": "https://mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com/idaas/oidc/endpoint/default/authorize",
            "clientId": "xxxxxxxx",
            "issuerIdentifier": "mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com",
            "secret": "XXXXXXXX",
            "serverSupportedScope": [
              "openid"
            ],
            "tokenEndpointUrl": "https://mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com/idaas/oidc/endpoint/default/token"
          },
          "label": "SingleSignOn",
          "name": "Single Sign On-Enablement",
          "plan": "standard"
        }
      ]
    }
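
The credential section above reaches the application through the VCAP_SERVICES environment variable. The following is an added example, not part of the lab's starter code, that loads those credentials and checks them before they are used: a missing binding, a non-https endpoint, or an endpoint host that differs from issuerIdentifier is reported, and the secret is redacted before anything is logged. The function names are hypothetical, the sample input is constructed from the values shown above, and the rule that the endpoint host equals issuerIdentifier is an assumption drawn from that sample.

```javascript
// Added example (not the lab's starter code): load the SSO credentials from
// VCAP_SERVICES and sanity-check them before handing them to the strategy.

// Constructed sample in the shape of the credential section shown in the lab;
// clientId and secret are the guide's placeholders, not real values.
const SAMPLE_VCAP = JSON.stringify({
  SingleSignOn: [{
    credentials: {
      authorizationEndpointUrl:
        'https://mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com/idaas/oidc/endpoint/default/authorize',
      clientId: 'xxxxxxxx',
      issuerIdentifier: 'mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com',
      secret: 'XXXXXXXX',
      serverSupportedScope: ['openid'],
      tokenEndpointUrl:
        'https://mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com/idaas/oidc/endpoint/default/token'
    },
    label: 'SingleSignOn',
    name: 'Single Sign On-Enablement',
    plan: 'standard'
  }]
});

const REQUIRED = ['authorizationEndpointUrl', 'tokenEndpointUrl',
  'clientId', 'secret', 'issuerIdentifier'];

// Returns the credentials object or throws an Error naming the first problem.
function loadSsoCredentials(vcapJson) {
  let services;
  try {
    services = JSON.parse(vcapJson || '{}');
  } catch (e) {
    throw new Error('VCAP_SERVICES is not valid JSON');
  }
  const bound = services && services.SingleSignOn;
  if (!Array.isArray(bound) || bound.length === 0) {
    throw new Error('no SingleSignOn service is bound');
  }
  const creds = (bound[0] && bound[0].credentials) || {};
  REQUIRED.forEach(function (key) {
    if (typeof creds[key] !== 'string' || creds[key] === '') {
      throw new Error('missing credential: ' + key);
    }
  });
  ['authorizationEndpointUrl', 'tokenEndpointUrl'].forEach(function (key) {
    let url;
    try {
      url = new URL(creds[key]);
    } catch (e) {
      throw new Error(key + ' is not a valid URL');
    }
    // Authorization codes, the client secret and tokens travel to these URLs.
    if (url.protocol !== 'https:') throw new Error(key + ' must use https');
    // Assumption drawn from the sample: issuerIdentifier is the endpoint host.
    if (url.hostname !== creds.issuerIdentifier) {
      throw new Error(key + ' host does not match issuerIdentifier');
    }
  });
  const scopes = creds.serverSupportedScope;
  if (!Array.isArray(scopes) || scopes.indexOf('openid') === -1) {
    throw new Error('openid scope is not offered');
  }
  return creds;
}

// Copy of the credentials that is safe to write to application logs.
function redactForLog(creds) {
  return Object.assign({}, creds, { secret: '[redacted]' });
}

// Convenience wrapper: 'ok' or the reason the configuration was rejected.
function checkVcap(vcapJson) {
  try {
    loadSsoCredentials(vcapJson);
    return 'ok';
  } catch (e) {
    return e.message;
  }
}

console.log(checkVcap(SAMPLE_VCAP));
console.log(JSON.stringify(redactForLog(loadSsoCredentials(SAMPLE_VCAP))));
```

In the lab application the input would be process.env.VCAP_SERVICES instead of the constructed sample.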

6.4 Integrate starter sample app with SSO service instance

58. ____ Navigate to the SSO service dashboard and click on INTEGRATE to start the integration.

Enter the Return-to URL. It is in the format https://<application host name>:443/auth/sso/callback; replace <application host name> with the actual host name, which can be found in the application's dashboard.

Also download the Node.js module passport-idaas-openidconnect.zip that is required for Bluemix SSO integration.

Click Save to complete the integration.

59. ____ Review the Environment Variables of the application. The integration process should populate all the required attributes into the environment variables, including endpoints, client id and secret, etc.

6.5 Modify Starter App to make use of Bluemix SSO service

60. ____ Extract the module file passport-idaas-openidconnect.zip into the node_modules sub-directory within the application. If the sub-directory node_modules does not exist, create it.

61. ____ Remove node_modules from the .cfignore file under the application's directory. This will allow the passport-idaas-openidconnect module to be uploaded to Bluemix.

62. ____ Go to the local directory where the starter app was unpacked and modify the package.json file to add the following dependencies:

    {
      "name": "NodejsStarterApp",
      "version": "0.0.1",
      "description": "A sample nodejs app for Bluemix",
      "scripts": {
        "start": "node app.js"
      },
      "dependencies": {
        "express": "4.12.x",
        "cfenv": "1.0.x",
        "passport": "0.2.x",
        "express-session": "1.11.3",
        "cookie-parser": "1.4.0"
      },
      "repository": {},
      "engines": {
        "node": "0.12.x"
      }
    }

Note: we need to use the 0.2.x level of the passport module; newer levels do not work well with the passport-idaas-openidconnect module.

63. ____ Modify the app.js file to leverage the Bluemix SSO service.
Please copy/paste the lines between // START OF CHANGE and // END OF CHANGE (two places) to your app.js.

Do not forget to replace the host name in the callback_url with your own application's host name.

A sample package of this sample file can be downloaded from https://w3-connections.ibm.com/files/app#/file/15aa61c9-c702-48ec-a51a-f38f5beb6113

    /*eslint-env node*/
    //------------------------------------------------------------------------------
    // node.js starter application for Bluemix
    //------------------------------------------------------------------------------

    // This application uses express as its web server
    // for more info, see: http://expressjs.com
    var express = require('express');

    // START OF CHANGE
    var session = require('express-session');
    var passport = require('passport');
    var cookieParser = require('cookie-parser');
    // END OF CHANGE

    // cfenv provides access to your Cloud Foundry environment
    // for more info, see: https://www.npmjs.com/package/cfenv
    var cfenv = require('cfenv');

    // create a new express server
    var app = express();

    // START OF CHANGE
    app.use(cookieParser());
    // 'keyboard cat' is a lab placeholder; outside the lab use a long random
    // session secret that is not stored in the source code
    app.use(session({resave: true, saveUninitialized: true, secret: 'keyboard cat'}));
    app.use(passport.initialize());
    app.use(passport.session());

    // the whole user object is stored in the session
    passport.serializeUser(function(user, done) {
        done(null, user);
    });
    passport.deserializeUser(function(obj, done) {
        done(null, obj);
    });

    // VCAP_SERVICES contains all the credentials of services bound to
    // this application. For details of its content, please refer to
    // the document or sample of each service.
    var services = JSON.parse(process.env.VCAP_SERVICES || "{}");
    var ssoConfig = services.SingleSignOn[0];
    var client_id = ssoConfig.credentials.clientId;
    var client_secret = ssoConfig.credentials.secret;
    var authorization_url = ssoConfig.credentials.authorizationEndpointUrl;
    var token_url = ssoConfig.credentials.tokenEndpointUrl;
    var issuer_id = ssoConfig.credentials.issuerIdentifier;
    // replace the host name with your own application's host name
    var callback_url = "https://enablement-node-example.eu-gb.mybluemix.net:443/auth/sso/callback";

    var OpenIDConnectStrategy = require('passport-idaas-openidconnect').IDaaSOIDCStrategy;
    var Strategy = new OpenIDConnectStrategy({
            authorizationURL : authorization_url,
            tokenURL : token_url,
            clientID : client_id,
            scope: 'openid',
            response_type: 'code',
            clientSecret : client_secret,
            callbackURL : callback_url,
            skipUserProfile: true,
            issuer: issuer_id},
        function(iss, sub, profile, accessToken, refreshToken, params, done) {
            process.nextTick(function() {
                profile.accessToken = accessToken;
                profile.refreshToken = refreshToken;
                done(null, profile);
            });
        });
    passport.use(Strategy);

    app.get('/', function(req, res) {
        res.send('Login using ' + req.session.originalUrl + 'login');
    });

    app.get('/login', passport.authenticate('openidconnect', {}));

    // remember the requested url and send unauthenticated users to /login
    function ensureAuthenticated(req, res, next) {
        if (!req.isAuthenticated()) {
            req.session.originalUrl = req.originalUrl;
            res.redirect('/login');
        } else {
            return next();
        }
    }

    // handle callback, if authentication succeeds redirect to
    // original requested url, otherwise go to /failure
    app.get('/auth/sso/callback', function(req, res, next) {
        var redirect_url = req.session.originalUrl;
        passport.authenticate('openidconnect', {
            successRedirect: redirect_url,
            failureRedirect: '/failure',
        })(req, res, next);
    });

    // failure page
    app.get('/failure', function(req, res) {
        res.send('login failed');
    });

    app.get('/hello', ensureAuthenticated, function(req, res) {
        var claims = req.user['_json'];
        // writes the id token claims to the application log
        console.log(claims);
        // displayName comes from the identity source; HTML-escape it in a real application
        res.send('<h2> Hello ' + claims.displayName + '<br /> Welcome to Enablement Example App</h2>');
    });
    // END OF CHANGE

    // serve the files out of ./public as our main files
    app.use(express.static(__dirname + '/public'));

    // get the app environment from Cloud Foundry
    var appEnv = cfenv.getAppEnv();

    // start server on the specified port and binding host
    app.listen(appEnv.port, function() {
        // print a message when the server starts listening
        console.log("server starting on " + appEnv.url);
    });

6.6 Deploy and test modified application

64. ____ Log in to Bluemix with Cloud Foundry CLI commands.

    $ cf api https://api.eu-gb.bluemix.net
    $ cf login -u mlu@us.ibm.com -o vijayka@us.ibm.com -s Enablement
    Password> XXXXXXX

65. ____ Push the application from the application's directory.

    $ cf push "<Application Name>"

66. ____ Test the application. The base URL of the application can be found under the application's name in the dashboard; append /hello to test it.

For example, the above app's test URL is https://enablement-node-example.eu-gb.mybluemix.net/hello

67. ____ Choose the identity service to use for authentication.

68. ____ Log in with your test account.

69. ____ For a cloud directory user, the password must be changed upon first login and after the password has been reset.

70. ____ After a successful login, the starter sample app can display your email address.

71. ____ If you choose to log in with the Google+ service, you should see the Google login page:

72. ____ A consent page is displayed. You need to allow the demo app to collect your basic information:

73. ____ After consent, you should see the same login success page with your email address displayed.

74. ____ (Optional) If you are curious about what happened behind the scenes, you can check the application logs with the following CF CLI command (replace <application name> with your actual application name). You should be able to find the interactions, access token, and id token.

    cf logs "<application name>" recent


    OUT TOKEN
    OUT AT: jRtOBeIvLt2KO3qyDRPO74yBWlGPWuFs5gB8iMUT
    OUT RT: undefined
    OUT { access_token: 'jRtOBeIvLt2KO3qyDRPO74yBWlGPWuFs5gB8iMUT',
    OUT   token_type: 'Bearer',
    OUT   expires_in: 299,
    OUT   scope: 'openid',
    OUT ---
    OUT { iss: 'mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com',
    OUT   ext: '{}',
    OUT   at_hash: 'okrlXMCW70EEuhzGx-6Itw',
    OUT   sub: 'mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com/www.google.com/100149681185499934024',
    OUT   realmName: 'www.google.com',
    OUT   displayName: 'Ming Lu',
    OUT   uniqueSecurityName: 'mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com/www.google.com/100149681185499934024',
    OUT   aud: 'EtsKGC6ljQ',
    OUT   firstName: 'Ming',
    OUT   emailAddress: 'bmsso.demo@gmail.com',
    OUT   exp: 1444969167,
    OUT   iat: 1444968867 }
    OUT JWT Alg is HS256/384/512 and Aud is the proper client id.
    OUT Signature is confirmed. Move on.

    OUT { iss: 'mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com',
    OUT   ext: '{}',
    OUT   at_hash: 'okrlXMCW70EEuhzGx-6Itw',
    OUT   lastName: 'Lu',
    OUT   sub: 'mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com/www.google.com/100149681185499934024',
    OUT   realmName: 'www.google.com',
    OUT   displayName: 'Ming Lu',
    OUT   uniqueSecurityName: 'mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com/www.google.com/100149681185499934024',
    OUT   aud: 'EtsKGC6ljQ',
    OUT   firstName: 'Ming',
    OUT   emailAddress: 'bmsso.demo@gmail.com',
    OUT   exp: 1444969167,
    OUT   iat: 1444968867 }
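
The log lines "JWT Alg is HS256/384/512 and Aud is the proper client id" and "Signature is confirmed" name the checks a relying party makes on the id token. The following is an added example of those checks, not the source of the passport-idaas-openidconnect module: it accepts only the three HMAC algorithms, recomputes the signature with the client secret, and then checks iss, aud, exp and iat. The function names, the client secret and the fixed clock value are assumptions made for the example; the iss, aud, exp and iat values are the ones in the log above.

```javascript
// Added example: the id token checks named in the log above.
// Not the source of the passport-idaas-openidconnect module.
const crypto = require('crypto');

// Allow-list of accepted JWS algorithms, mapped to Node hash names.
const HMAC_ALGS = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };

function b64url(input) {
  return Buffer.from(input).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(text) {
  return Buffer.from(text.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Demo helper only: builds a token so the example runs offline.
function signIdToken(claims, secret, alg) {
  alg = alg || 'HS256';
  const signingInput = b64url(JSON.stringify({ alg: alg, typ: 'JWT' })) +
    '.' + b64url(JSON.stringify(claims));
  if (alg === 'none') return signingInput + '.'; // unsigned; must be rejected
  const mac = crypto.createHmac(HMAC_ALGS[alg], secret).update(signingInput).digest();
  return signingInput + '.' + b64url(mac);
}

// Returns the claims, or throws an Error naming the first failed check.
function verifyIdToken(token, expected) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  let header, claims;
  try {
    header = JSON.parse(b64urlDecode(parts[0]).toString('utf8'));
    claims = JSON.parse(b64urlDecode(parts[1]).toString('utf8'));
  } catch (e) {
    throw new Error('malformed token');
  }
  if (!header || typeof header !== 'object' || !claims || typeof claims !== 'object') {
    throw new Error('malformed token');
  }
  // 1. The algorithm comes from an allow-list, never from the token alone.
  if (typeof header.alg !== 'string' ||
      !Object.prototype.hasOwnProperty.call(HMAC_ALGS, header.alg)) {
    throw new Error('unsupported alg');
  }
  // 2. Recompute the HMAC with the client secret; compare in constant time.
  const want = crypto.createHmac(HMAC_ALGS[header.alg], expected.clientSecret)
    .update(parts[0] + '.' + parts[1]).digest();
  const got = b64urlDecode(parts[2]);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('bad signature');
  }
  // 3. The token was issued by our SSO instance, for this client.
  if (claims.iss !== expected.issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (aud.indexOf(expected.clientId) === -1) throw new Error('wrong audience');
  // 4. The token is inside its validity window.
  const skew = expected.clockSkew || 0;
  if (typeof claims.exp !== 'number' || claims.exp + skew <= expected.now) {
    throw new Error('token expired');
  }
  if (typeof claims.iat !== 'number' || claims.iat - skew > expected.now) {
    throw new Error('issued in the future');
  }
  return claims;
}

// Convenience wrapper: 'ok' or the reason the token was rejected.
function checkIdToken(token, expected) {
  try {
    verifyIdToken(token, expected);
    return 'ok';
  } catch (e) {
    return e.message;
  }
}

// iss, aud, exp and iat are taken from the log above; the secret is
// constructed and 'now' is fixed inside the token's lifetime.
const SAMPLE = {
  issuer: 'mlsso-ozlngzp5nk-cabc.eu-gb.iam.ibmcloud.com',
  clientId: 'EtsKGC6ljQ',
  clientSecret: 'constructed-secret-for-this-example',
  now: 1444968900
};
const SAMPLE_CLAIMS = {
  iss: SAMPLE.issuer,
  aud: SAMPLE.clientId,
  sub: SAMPLE.issuer + '/www.google.com/100149681185499934024',
  exp: 1444969167,
  iat: 1444968867
};

console.log(checkIdToken(signIdToken(SAMPLE_CLAIMS, SAMPLE.clientSecret), SAMPLE));
console.log(checkIdToken(signIdToken(SAMPLE_CLAIMS, SAMPLE.clientSecret, 'none'), SAMPLE));
```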


7. Liberty for Java Application Example

7.1 Create Liberty for Java Application

75. ____ From the Bluemix dashboard, select Cloud Foundry Apps and click on Create App.

76. ____ Select the WEB application type, then choose Liberty for Java.

77. ____ Review the settings and click on CONTINUE.

78. ____ Enter the application name. This name will be used by the Cloud Foundry CLI commands.

79. ____ Review the deployment instructions, then download the starter code by clicking on the Download Starter Code button. Unzip the downloaded package to a directory.

80. ____ The new application should be created and running afterwards. You may test it in your browser. Also make a note of the application URL.

7.2 Integrate Application with SSO Service Instance

81. ____ From the Bluemix dashboard, click on the newly created Liberty for Java application.

82. ____ Click on BIND A SERVICE OR API.

83. ____ Add the pre-configured Single Sign On service instance.

84. ____ Restage the application.

85. ____ Click on the SSO service instance from the application dashboard. You should see INTEGRATE in the upper right corner. (If you click on the SSO service directly from the Bluemix dashboard, you will not see it.)

86. ____ Click on INTEGRATE to start the integration.

Enter the Display name and click on Save.

87. ____ Click OK to complete the integration process.

88. ____ (Optional) Verify the SSO integration settings. Navigate to the Bluemix dashboard and click on the application we have integrated.

From the left panel click on Files and Logs, navigate to app/wlp/user/servers/default on the right side of the window, then click on the server.xml file.

    <server>
        <featureManager>
            <feature>beanValidation-1.1</feature>
            <feature>cdi-1.2</feature>
            <feature>ejbLite-3.2</feature>
            <feature>el-3.0</feature>
            <feature>jaxrs-2.0</feature>
            <feature>jdbc-4.1</feature>
            <feature>jndi-1.0</feature>
            <feature>jpa-2.1</feature>
            <feature>jsf-2.2</feature>
            <feature>jsonp-1.0</feature>
            <feature>jsp-2.3</feature>
            <feature>managedBeans-1.0</feature>
            <feature>servlet-3.1</feature>
            <feature>websocket-1.1</feature>
            <feature>icap:managementConnector-1.0</feature>
            <feature>appstate-1.0</feature>
            <feature>openidConnectClient-1.0</feature>
            <feature>ssl-1.0</feature>
            <feature>appSecurity-2.0</feature>
        </featureManager>
        <application name='myapp' location='myapp.war' type='war' context-root='/'/>
        <cdi12 enableImplicitBeanArchives='false'/>
        <httpEndpoint id='defaultHttpEndpoint' host='*' httpPort='${port}'/>
        <webContainer trustHostHeaderPort='true' extractHostHeaderPort='true'/>
        <include location='runtime-vars.xml'/>
        <logging logDirectory='${application.log.dir}' consoleLogLevel='INFO'/>
        <httpDispatcher enableWelcomePage='false'/>
        <applicationMonitor dropinsEnabled='false' updateTrigger='mbean'/>
        <config updateTrigger='mbean'/>
        <appstate appName='myapp' markerPath='${home}/../.liberty.state'/>
        <openidConnectClient
            id='${cloud.services.Single Sign On-Enablement.connection.clientId}'
            clientId='${cloud.services.Single Sign On-Enablement.connection.clientId}'
            clientSecret='${cloud.services.Single Sign On-Enablement.connection.secret}'
            authorizationEndpointUrl='${cloud.services.Single Sign On-Enablement.connection.authorizationEndpointUrl}'
            tokenEndpointUrl='${cloud.services.Single Sign On-Enablement.connection.tokenEndpointUrl}'
            redirectToRPHostAndPort='https://enablement-liberty-example.eu-gb.mybluemix.net:443'
            issuerIdentifier='${cloud.services.Single Sign On-Enablement.connection.issuerIdentifier}'
            scope='${cloud.services.Single Sign On-Enablement.connection.serverSupportedScope}'
            httpsRequired='true'/>
        <keyStore id='defaultKeyStore' password='changeit' type='jks'
            location='${java.home}/lib/security/cacerts'/>
    </server>

$
The$lines$in$red$are$added$by$the$SSO$integration$process.$$
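The manual review in step 88 can also be scripted. The following Python check is an added example, not part of the lab guide or of any IBM tooling; it runs over a constructed excerpt of the server.xml listing above, and the function name, the selection of checks and the finding messages are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the SSO-related parts of the server.xml listing above.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>openidConnectClient-1.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <openidConnectClient
    clientId='${cloud.services.Single Sign On-Enablement.connection.clientId}'
    clientSecret='${cloud.services.Single Sign On-Enablement.connection.secret}'
    authorizationEndpointUrl='${cloud.services.Single Sign On-Enablement.connection.authorizationEndpointUrl}'
    tokenEndpointUrl='${cloud.services.Single Sign On-Enablement.connection.tokenEndpointUrl}'
    redirectToRPHostAndPort='https://enablement-liberty-example.eu-gb.mybluemix.net:443'
    httpsRequired='true'/>
</server>"""

REQUIRED_FEATURES = {"openidConnectClient-1.0", "ssl-1.0", "appSecurity-2.0"}
VARIABLE_REF = re.compile(r"^\$\{[^}]+\}$")  # whole value is one ${...} reference


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for missing in sorted(REQUIRED_FEATURES - features):
        findings.append(f"feature {missing} is not enabled")
    clients = root.findall("openidConnectClient")
    if not clients:
        return findings + ["no openidConnectClient element"]
    for client in clients:
        if client.get("httpsRequired", "").lower() != "true":
            findings.append("httpsRequired is not explicitly 'true'")
        if not client.get("redirectToRPHostAndPort", "").startswith("https://"):
            findings.append("redirectToRPHostAndPort is not an https URL")
        if not VARIABLE_REF.match(client.get("clientSecret", "")):
            findings.append("clientSecret is a literal, not a ${...} reference")
        for attr in ("authorizationEndpointUrl", "tokenEndpointUrl"):
            value = client.get(attr, "")
            if not (VARIABLE_REF.match(value) or value.startswith("https://")):
                findings.append(f"{attr} is neither a ${{...}} reference nor https")
    return findings
```

Calling audit_server_xml() on the text of the file shown under Files and Logs returns an empty list when the three SSO features and the openidConnectClient settings match the listing.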

7.3 Deploy demo app

We will use an existing demo application to test the application integration first,
then import the application into the Eclipse tool and examine the additional steps to
enable the application to leverage the Bluemix SSO service.

89. ____ Download the demo app from
http://www.weeden.org/work/blog/bmsso/bmssodemo.ear
(also check out the blog: https://www-304.ibm.com/connections/blogs/sweeden/entry/getting_started_with_ibm_single_sign_on_for_bluemix?lang=en_us)

90. ____ Modify the manifest.yml file which is contained within the starter code
file we downloaded and unzipped at step 79.

Put bmssodemo.ear after path: and keep everything else unchanged in
the manifest.yml file.

applications:
- path: bmssodemo.ear
  memory: 512M
  instances: 1
  domain: eu-gb.mybluemix.net
  name: Enablement Liberty Example
  host: enablement-liberty-example
  disk_quota: 1024M
  services:
  - Single Sign On-Enablement

Make sure the name, host and services all match the applications we just
created and configured.

91. ____ Place the bmssodemo.ear file into the same directory as the manifest.yml file,
then push it to the server with the following commands:

$ cf api https://api.eu-gb.bluemix.net
$ cf login -u mlu@us.ibm.com -o vijayka@us.ibm.com -s Enablement
Password> XXXXXXX
$ cf push

or you can push it with the application name and package explicitly:
$ cf push <application name> -p bmssodemo.ear

92. ____ Visit https://<application url> from a different browser or a separate
browser window; you should go through a login process with either the cloud
directory or a social id provider. Upon success, the bmssodemo app will
recognize your id.

93. ____ Click on here; you should see more detailed information about the
JAAS Subject.

7.4 Import the demo app into Eclipse (Optional)

94. ____ Open Eclipse, click File->Import, select EAR file as import source.

Click Next

95. ____ Specify the location of the bmssodemo.ear file, also select IBM Bluemix
Runtime as the target runtime.

Click Next.

96. ____ Click Next to import utility JARs

Click Next

97. ____ Select the WAR module to be imported as a new project.

Click Finish.

Two projects will be created in Eclipse: one is the EAR project and the other
is a WAR project.
You may also see errors associated with the projects; we need to modify the
build path of the WAR project in order to be able to build the project
successfully.

98. ____ Select the BMSSODemoWAR project, click the right mouse button, select
Build Path, then Configure Build Path.

99. ____ Click on the Libraries tab, add two external jars from the WebSphere
Liberty Profile (you need to install the WebSphere Liberty Profile first).

The two jar files are:
com.ibm.websphere.security_1.0.5.jar
com.ibm.ws.security.token_1.0.4.jar
They are located in the lib sub-directory of WebSphere Liberty Profile, i.e.:
/opt/IBM/WebSphere/Liberty/lib
This should fix all the compilation and build errors.

7.5 Modifications in demo app to enable SSO integration

100. ____ The demo app defines a security role any-authenticated in the EAR
metadata file ibm-application-bnd.xml:

bmssodemo/META-INF/ibm-application-bnd.xml:

<security-role name="any-authenticated">
    <special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>

Note: Security roles can also be defined in the server.xml file, especially if
you only have a WAR file. Please refer to
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/cwlp_authorization.html?cp=SSAW57_8.5.5

101. ____ The demo application defines a web application security constraint in
the web.xml of its WAR file:

BMSSODemoWAR/WebContent/WEB-INF/web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>bmssodemo</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>any-authenticated</role-name>
    </auth-constraint>
</security-constraint>

This constraint allows any authenticated user to access the application. If a
user is not authenticated, the Liberty profile runtime will trigger the OpenID
Connect flow to authenticate the user and get the user identity information from
the pre-configured identity source.

102. ____ (Optional) Review index.jsp and dumpCreds.jsp to understand how to
use JAAS subject APIs to retrieve user information. The WebSphere Liberty for Java
runtime's OpenID Connect client consumes the user token and makes the user identity
available as the JAAS (Java Authentication and Authorization Service) subject.

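The constraint in step 101 only triggers the OpenID Connect login if the role it names is the one bound in step 100. The following Python cross-check is an added example, not code from the demo app; the two fragments are reproduced as constructed samples with assumed wrapper root elements, and the function names and finding messages are assumptions made here.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the fragments from steps 100 and 101 inside assumed root elements.
BND_XML = """<application-bnd>
  <security-role name="any-authenticated">
    <special-subject type="ALL_AUTHENTICATED_USERS" />
  </security-role>
</application-bnd>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>bmssodemo</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>any-authenticated</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def find_all(root, name):
    """Match on the local tag name so namespaced descriptors also work."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def check_role_binding(web_xml, bnd_xml):
    """Return findings on how the web.xml constraints line up with the binding file."""
    bound = {}
    for role in find_all(ET.fromstring(bnd_xml), "security-role"):
        bound[role.get("name")] = {s.get("type") for s in find_all(role, "special-subject")}
    findings, protects_everything = [], False
    for constraint in find_all(ET.fromstring(web_xml), "security-constraint"):
        if not find_all(constraint, "auth-constraint"):
            continue  # no auth-constraint: this constraint does not require a role
        patterns = [(p.text or "").strip() for p in find_all(constraint, "url-pattern")]
        protects_everything = protects_everything or "/*" in patterns
        for role in [(r.text or "").strip() for r in find_all(constraint, "role-name")]:
            if role not in bound:
                findings.append(f"role {role} is not bound in ibm-application-bnd.xml")
            elif "EVERYONE" in bound[role]:
                findings.append(f"role {role} is bound to EVERYONE, which grants access without login")
    if not protects_everything:
        findings.append("no auth-constraint covers /*")
    return findings
```
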

This concludes the lab session.

Appendix A Add Facebook as a social identity source

1. From the Bluemix SSO service dashboard, on the Add New Identity Source
panel, click on the Facebook icon.

2. Under Step 1, copy the OAuth Redirect URI, then click on Click here to go
to the Facebook Developer site (https://developers.facebook.com).

3. Log in to the Facebook developer site; register as a developer if you
are not one already.

4. Add a New App, select Website type.

5. Enter the SSO service URL as Site URL, then click Next.

6. Skip to developer dashboard

7. On my apps dashboard, click on Settings, add email address, then save.

8. Click on the Advanced tab, make sure Client OAuth Login is enabled, and paste
the redirect URI we saved at step 2.

Save changes.

9. Return to the Basic tab, copy the app id and secret.

10. Enter the App ID and Secret at the Step 2 window of the Bluemix Single Sign
On Facebook Identity Source settings.

11. A new identity source Facebook has been created.

References

Bluemix Single Sign On Service documentation
https://www.ng.bluemix.net/docs/services/SingleSignOn/index.html

Getting Started with IBM Single Sign On for Bluemix
https://www-304.ibm.com/connections/blogs/sweeden/entry/getting_started_with_ibm_single_sign_on_for_bluemix?lang=en_us

Integrating NodeJS application with the Bluemix Single Sign On Service
https://www-304.ibm.com/connections/blogs/idaas-sso/entry/intergating_nodejs_application_with_the_bluemix_single_sign_on_sso_service?lang=en_us
