* Setup and test procedure

[Configuration]
IDP: RHSSO 7.0.0 standalone server listens at localhost:8080
SP : JBOSS EAP 7.0.0 standalone server (standalone.xml) listens at localhost:8180
SP application: use app-profile-saml-jee-jsp in rh-sso-7.0.0-quickstarts and add a test.jsp file.

[Install and Setup IDP]
- Install RHSSO 7. The installed directory is assumed to be ${RHSSO_HOME}.
  $ unzip /path/to/rh-sso-7.0.0.zip
- Create the "admin" user for the management web console (port 9990).
  $ ${RHSSO_HOME}/bin/add-user.sh
- Create the "admin" user for the RHSSO web console (port 8080).
  $ ${RHSSO_HOME}/bin/add-user-keycloak.sh -u admin
- Start the RHSSO 7 standalone server.
  $ ${RHSSO_HOME}/bin/standalone.sh
- Log in to the RHSSO web console http://localhost:8080/auth/admin/ as the "admin" user.
- Set up the "user" role and the "user1" user.
  -- Add the "user" role in the Configure > Roles > "Add Role" page.
  -- Add the "user1" user in the Manage > Users > "Add user" page.
  -- Open the Credentials tab, set the new user1's password (for example, "password1") and click the "Reset Password" button.
  -- Open Role Mappings, select "user" and click the "Add selected" button.
- Create a client.
  -- Open the Configure > Clients page and click the "Create" button.
  -- In the Configure > Clients > "Add Client" page, input "client1", choose "saml" as Client Protocol, and then click the Save button.
  -- In the Configure > Clients > client1 page, set the following fields:
       Valid Redirect URIs: http://localhost:8180/app-profile-saml/*
       Base URL: http://localhost:8180/app-profile-saml/
       Master SAML Processing URL: http://localhost:8180/app-profile-saml/saml
       Force Name ID Format: ON
     and click the Save button.
- Generate keycloak-saml.xml. ..... (*1)
  -- In the Configure > Clients > client1 page, open the Installation tab, select "Keycloak SAML Adapter keycloak-saml.xml" in Format Option, and click the Download button.

[Install and Setup SPs]
- Install EAP 7. The installed directory is assumed to be ${EAP_HOME}.
  $ unzip /path/to/jboss-eap-7.0.0.zip
- Install the adapters into EAP 7.
  $ cd ${EAP_HOME}
  $ unzip /path/to/RH-SSO-7.0.0-GA-eap7-adapter.zip
  $ unzip /path/to/RH-SSO-7.0.0-GA-saml-eap7-adapter.zip
- Create the "admin" user for the SP node's web console.
  $ ${EAP_HOME}/bin/add-user.sh
- Copy the "standalone" directory for the node.
  $ cp -a ${EAP_HOME}/standalone node1
- Start node1 and run the scripts for the adapter configuration.
  (node1) $ ${EAP_HOME}/bin/standalone.sh -Djboss.server.base.dir=./node1 --server-config=standalone.xml -Djboss.node.name=node1 -Djboss.socket.binding.port-offset=100
  (node1) $ ${EAP_HOME}/bin/jboss-cli.sh --controller=localhost:10090 --connect --file=${EAP_HOME}/bin/adapter-install.cli
  (node1) $ ${EAP_HOME}/bin/jboss-cli.sh --controller=localhost:10090 --connect --command=:reload
  (node1) $ ${EAP_HOME}/bin/jboss-cli.sh --controller=localhost:10090 --connect --file=${EAP_HOME}/bin/adapter-install-saml.cli
  (node1) $ ${EAP_HOME}/bin/jboss-cli.sh --controller=localhost:10090 --connect --command=:reload

[Access logging setup]
- Enable access logging for RHSSO (idp) and node1 (sp).
  (RHSSO/idp) $ ${RHSSO_HOME}/bin/jboss-cli.sh --controller=localhost:9990 --connect --command="/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add"
  (node1) $ ${EAP_HOME}/bin/jboss-cli.sh --controller=localhost:10090 --connect --command="/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add"

[Build and deploy SP application]
- Extract the RHSSO 7 quickstarts.
  $ unzip /path/to/rh-sso-7.0.0-quickstarts.zip -d rh-sso-7.0.0-quickstarts
- Copy app-profile-saml-jee-jsp in the quickstarts to a new directory (for example, app-profile-saml-jee-jsp_01800894) and use that copy.
  $ cd rh-sso-7.0.0-quickstarts
  $ cp -a app-profile-saml-jee-jsp app-profile-saml-jee-jsp_01800894
- Copy the keycloak-saml.xml you already generated in (*1) to app-profile-saml-jee-jsp_01800894/config/.
  $ cp keycloak-saml.xml app-profile-saml-jee-jsp_01800894/config/
- Modify app-profile-saml-jee-jsp_01800894/src/main/webapp/WEB-INF/web.xml. The element names below are the standard Servlet web.xml elements; the extracted report shows only their values.

----- web.xml -----
<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/profile.jsp</url-pattern>   <---------- for test.jsp to be a protected resource, modify "/profile.jsp" to "/*" if needed
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>KEYCLOAK-SAML</auth-method>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>

<session-config>
    <cookie-config>
        <name>MYSESSIONID</name>
    </cookie-config>
</session-config>
----- End of web.xml -----

- Copy test.jsp to app-profile-saml-jee-jsp_01800894/src/main/webapp/.

----- test.jsp -----
<%@page contentType="text/html" pageEncoding="ISO-8859-1"%>
<%= request.getSession(true).getId() %>
----- End of test.jsp -----

- Deploy app-profile-saml.war to the SP node (node1).
  $ cd rh-sso-7.0.0-quickstarts/app-profile-saml-jee-jsp_01800894
  $ mvn clean package wildfly:deploy -Dwildfly.port=10090

[Test 1]
In the case that test.jsp is a protected resource (/* in web.xml).
(1) Access http://localhost:8180/app-profile-saml/test.jsp from your browser.
(2) The IDP's authentication page will be displayed. Input user1/password1 as username/password.
(3) test.jsp will be executed and the session id of the current session will be displayed.
    If you trace the HTTP requests and responses, for example with the Live HTTP Headers add-on for Firefox, you can see the session cookie name JSESSIONID in the Set-Cookie header of the final HTTP response. <-----

[Test 2]
In the case that test.jsp is not a protected resource (/profile.jsp in web.xml).
(1) Access http://localhost:8180/app-profile-saml/test.jsp from your browser.
(2) test.jsp will be executed and the session id of the current session will be displayed.
    If you trace the HTTP requests and responses, for example with the Live HTTP Headers add-on for Firefox, you can see the session cookie name JSESSIONID in the Set-Cookie header of the final HTTP response. <-----

[Test 3]
In the case of using the following web.xml (remove the security-constraint, login-config and security-role elements from web.xml, leaving only the session-config).

--- web.xml ---
<session-config>
    <cookie-config>
        <name>MYSESSIONID</name>
    </cookie-config>
</session-config>
--- End of web.xml ---

(1) Access http://localhost:8180/app-profile-saml/test.jsp from your browser.
(2) test.jsp will be executed and the session id of the current session will be displayed.
    If you trace the HTTP requests and responses, for example with the Live HTTP Headers add-on for Firefox, you can see the session cookie name MYSESSIONID in the Set-Cookie header of the final HTTP response. <-----
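The three tests above are judged by reading the Set-Cookie header of the final response by hand. The following script is an added example, not part of the original report or of the RH-SSO quickstarts: it parses Set-Cookie headers the way a tester would read them in Live HTTP Headers, reports which cookie names the server actually set, and checks whether the name configured in web.xml (MYSESSIONID) is the one in use. The header lines embedded in it are constructed samples standing in for the Test 1 and Test 3 responses; the cookie values and the HttpOnly/Secure flags are illustrative, not captured output.

```python
"""Check which session cookie name an SP response really sets.

Added example (not from the report). The sample header lines below are
constructed to resemble the Test 1 / Test 3 responses; they are not
captured output from the test systems.
"""

# Constructed samples: one response with the container default name
# (what Tests 1 and 2 show) and one with the web.xml-configured name
# (what Test 3 shows). Values and flags are made up for illustration.
SAMPLE_RESPONSES = {
    "test1_protected": [
        "HTTP/1.1 200 OK",
        "Set-Cookie: JSESSIONID=abc123.node1; Path=/app-profile-saml; HttpOnly",
        "Content-Type: text/html",
    ],
    "test3_session_config_only": [
        "HTTP/1.1 200 OK",
        "Set-Cookie: MYSESSIONID=xyz789.node1; Path=/app-profile-saml; HttpOnly",
        "Content-Type: text/html",
    ],
}


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (name, value, attributes).

    Attributes are lower-cased; flag attributes such as HttpOnly and
    Secure map to True, valued attributes such as Path keep their value.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def set_cookies(header_lines):
    """Return {cookie_name: attributes} for every Set-Cookie header in a response."""
    cookies = {}
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            name, _, attrs = parse_set_cookie(value.strip())
            cookies[name] = attrs
    return cookies


def check_session_cookie_name(header_lines, expected_name):
    """Report whether the configured session cookie name is the one actually used.

    Also reports the HttpOnly and Secure flags on that cookie, since a
    renamed session cookie that loses those flags is a regression a
    reviewer would want to notice at the same time.
    """
    cookies = set_cookies(header_lines)
    attrs = cookies.get(expected_name)
    return {
        "cookies_set": sorted(cookies),
        "expected_name_used": attrs is not None,
        "httponly": bool(attrs and attrs.get("httponly")),
        "secure": bool(attrs and attrs.get("secure")),
    }


if __name__ == "__main__":
    for label, lines in SAMPLE_RESPONSES.items():
        result = check_session_cookie_name(lines, "MYSESSIONID")
        print(f"{label}: {result}")
```

To use it against a real test run, replace the sample lists with the header lines copied from the final response in the browser add-on (or from curl -i); the report's expectation is that Tests 1 and 2 yield expected_name_used False with JSESSIONID in cookies_set, while Test 3 yields True.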