
SSO SYSTEM INTEGRATION
EGOVPLATFORM
TECHNICAL DOCUMENT

Version 1.1

Copyright 2014 by OpenEgovPlatform.


VERSION HISTORY

Version   Release date   Description
1.0       02/09/2014     Overview description of Single Sign On in the EgovPlatform system
1.1       06/09/2014     Added the installation and configuration guide
INTRODUCTION
SSO (Single Sign On) is a mechanism for logging in once; it brings considerable convenience to users and strengthens the security of the system. The EgovPlatform system uses this mechanism, and CAS (Central Authentication Service) is an SSO solution for the Web environment; it is an open-source solution. CAS uses federated authentication: different systems can authenticate only once, through CAS.

The EgovPlatform platform is integrated with two further systems: the workflow (business process) management system UEngine and the reporting system Pentaho. These are also two open-source systems, integrated into the platform in order to bring maximum benefit to the e-government development community.
TABLE OF CONTENTS

Abbreviations ..... 5

1. Overview ..... 6
2. SSO integration model ..... 7
2.1 Login process ..... 7
2.2 Process model ..... 7
2.3 Single Sign-Out ..... 8
3. Installation and configuration guide ..... 8
3.1 EgovPlatform installation environment ..... 8
3.2 Configuring OpenLDAP ..... 9
3.3 Configuring CAS ..... 10
3.4 Configuring Liferay ..... 11
3.5 Configuring UEngine ..... 17
3.6 Configuring Pentaho ..... 19
4. Conclusion ..... 21
References ..... 22
Abbreviations
SSO   Single Sign On
LDAP  Lightweight Directory Access Protocol
CAS   Central Authentication Service
JDK   Java Development Kit
J2EE  Java 2 Platform, Enterprise Edition
URI   Uniform Resource Identifier
URL   Uniform Resource Locator
API   Application Programming Interface
CSDL  Co so du lieu (Database)
1. Overview
The EgovPlatform system uses CAS as the main login authentication (SSO) system for all integrated applications; the two components integrated here are UEngine and Pentaho.

CAS provides many authentication mechanisms, such as:

- CAS URIs
- CAS Tickets
- Ticket-Granting Ticket (TGT)
- Service Ticket (ST)
- Proxy Ticket (PT)
- Proxy-Granting Ticket IOU
- Login Ticket

The EgovPlatform system uses the Login Ticket mechanism; the purpose of this mechanism is to prevent replay of authentication information. Besides this mechanism, the configuration is also very simple and convenient. You can download CAS at: https://www.apereo.org/cas/download

UEngine is a workflow management system and is open source. It is like other workflow systems, but it is a system that offers very strong portability. You can download it at: http://sourceforge.net/projects/uengine/

Pentaho is an open-source reporting system; it can integrate with the CAS system in a robust and convenient way. The system has reporting features such as business analytics, data integration and big data. You can download it at: http://sourceforge.net/projects/pentaho/
2. SSO integration model
Overview model of integrating SSO into the EgovPlatform system:

[Figure 1: SSO model in the EgovPlatform system. Components shown: LDAP; CAS Server; User/Web browser. Flow labels: "HTTP(S): authentication and SSO request"; "HTTPS: redirect back when the information is wrong"; "SSL: check or re-validate session information".]

This model describes the mechanism by which the systems log in and are authenticated through CAS. All of the systems (EgovPlatform, UEngine, Pentaho) have a CAS client that recognises the CAS Server.

2.1 Login process

When a user browsing the web logs in to the EgovPlatform system, the system automatically redirects them to the CAS Server for authentication. On successful authentication the system generates an entry ticket (ticket). Naturally this ticket must be recognised by the EgovPlatform system; once authentication succeeds, the CAS Server returns the user to the EgovPlatform system to use its services, in particular the public services intended for this user. However, if the ticket indicates that the user is not valid, the CAS Server also presents a notice on the system so that the user is informed.

Once the user has authenticated through CAS and EgovPlatform, they can use the statistical reporting system intended for them, namely Pentaho, and if the user is a government officer they can use the UEngine system.

To make the authentication clearer, see the next section.

2.2 Process model

The following describes the authentication steps through the CAS Server for the EgovPlatform application.

2.3 Single Sign-Out

The CAS client can receive the notice that the session has ended. This means that all systems log out of the session together.

3. Installation and configuration guide
3.1 EgovPlatform installation environment
- Installed on a Linux operating system: CentOS 6.4 (64 bit)
- Java environment version: JDK 1.6.0_25. You can download it here:
  http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html#jdk-6u25-oth-JPR
- MySQL database version: Ver 14.14 Distrib 5.1.73.
  To install it you can use the command: yum -y install mysql mysql-server
- Use the Apache Directory Studio tool to administer OpenLDAP. You can download it here: http://directory.apache.org/studio/downloads.html
- Download the CAS server 3.5.0 installation package at: http://downloads.jasig.org/cas/ or https://www.apereo.org/cas/download
- Download the Liferay JBoss bundle 6.1.0 GA1 at: http://sourceforge.net/projects/lportal/files/Liferay%20Portal/6.1.0%20GA1/
- Download the UEngine 3.5.4 installation package at: http://sourceforge.net/projects/uengine/files/2.%20uengine%20packaged%20edition/
- Download the Pentaho 4.5.0 installation package at: http://sourceforge.net/projects/pentaho/files/Business%20Intelligence%20Server/4.5.0-stable/

3.2 Configuring OpenLDAP

- For installation instructions see the following link:
  http://easylinuxtutorials.blogspot.com/2013/11/installing-configuring-openldap-server.html
- Here we guide you through configuring the settings needed to integrate with EgovPlatform. Configure as follows:
  o In the file /etc/openldap/slapd.conf change the suffix and root DN to the values below. They must match the base DN dc=egov,dc=org used by the LDIF file and by the CAS configuration in section 3.3; with a different suffix the entries below cannot be imported:
    suffix "dc=egov,dc=org"
    rootdn "cn=Manager,dc=egov,dc=org"
  o Create the file init-ldap.ldif with the following basic content (entries are separated by a blank line; a value after "::" is base64-encoded):
    dn: dc=egov,dc=org
    objectClass: organizationalUnit
    objectClass: dcObject
    dc: egov
    ou: egov.org

    dn: cn=Manager,dc=egov,dc=org
    objectClass: top
    objectClass: organizationalRole
    cn: Manager

    dn: ou=People,dc=egov,dc=org
    objectClass: organizationalUnit
    ou: People

    # Account for the EgovPlatform system
    # userPassword below is only base64-encoded, not hashed; replace it after import
    dn: mail=test@egov.org,ou=People,dc=egov,dc=org
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: Test Test
    description:: Y249TmjDs20gTGnDqm0sb3U9R3JvdXBzLGRjPWR0dCxkYz12bg==
    givenName: Test
    mail: test@egov.org
    sn: Test
    title: ou=People,dc=egov,dc=org
    uid: testegovorg
    userPassword:: ZHR0QHRvZGF5
  o Use Apache Directory Studio to connect to the OpenLDAP system and import the data just created.
  o Use Apache Directory Studio to change the userPassword value.
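Added example (not part of the original document): a small parser for the LDIF format used above, followed by an emulation of the lookup-then-bind flow that the CAS BindLdapAuthenticationHandler of section 3.3 performs with filter mail=%u under searchBase ou=People,dc=egov,dc=org. The LDIF sample and the password value are constructed; the bind is simulated by comparing userPassword in memory, where a real directory would hold a hash and do the comparison itself.

```python
import base64

# Constructed sample modelled on the page's init-ldap.ldif; the password is the made-up
# value "example-pass" (base64 ZXhhbXBsZS1wYXNz), not a real credential.
SAMPLE_LDIF = """\
dn: ou=People,dc=egov,dc=org
objectClass: organizationalUnit
ou: People

# Account for the EgovPlatform system
dn: mail=test@egov.org,ou=People,dc=egov,dc=org
objectClass: inetOrgPerson
cn: Test Test
mail: test@egov.org
uid: testegovorg
userPassword:: ZXhhbXBsZS1wYXNz
"""

def parse_ldif(text):
    """[(dn, {attr: [values]})]: blank line ends an entry, '#' is a comment, '::' is base64."""
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if attrs:
                entries.append((attrs.pop("dn")[0], attrs))
            attrs = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):              # 'attr:: ...' carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.strip(), []).append(value.strip())
    return entries

def under_base(dn, base):
    """True when dn equals searchBase or lies below it (whitespace and case ignored)."""
    d, b = dn.replace(" ", "").lower(), base.replace(" ", "").lower()
    return d == b or d.endswith("," + b)

def search(entries, search_base, attr, value):
    """Search step of BindLdapAuthenticationHandler: filter 'mail=%u' under searchBase."""
    return [dn for dn, attrs in entries
            if under_base(dn, search_base) and value in attrs.get(attr, [])]

def bind_authenticate(entries, search_base, login, password):
    """CAS bind flow: exactly one DN must match the login, then the bind must succeed.
    The bind is simulated by comparing userPassword; a real directory stores a hash."""
    dns = search(entries, search_base, "mail", login)
    if len(dns) != 1:                 # unknown or ambiguous login: reject before binding
        return None
    attrs = dict(entries)[dns[0]]
    return dns[0] if password in attrs.get("userPassword", []) else None
```

A login is rejected both when no entry under the search base carries the e-mail address and when the password does not match, which is the behaviour the CAS handler shows as the login failure notice described in section 3.3.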

3.3 Configuring CAS

- You can find installation and configuration instructions here: https://www.liferay.com/web/azar7k1s/blog/-/blogs/sso-via-cas-in-liferay and http://www.liferay.com/community/wiki/-/wiki/Main/CAS+Liferay+6+Integration; however, to integrate with EgovPlatform proceed as follows:
  o Edit the file WEB-INF/cas.properties as follows:
    server.name=https://livedemo.openegovplatform.org
    server.prefix=${server.name}/cas
    The log4j setting is as follows:
    log4j.config.location=${jboss.server.base.dir}/deployments/cas.war/WEB-INF/classes/log4j.xml
  o Edit the file WEB-INF/deployerConfigContext.xml as follows: inside the <property name="authenticationHandlers"> tag add (or, if one is already present, modify) the following:
    <!-- Looks up the login name by e-mail address under searchBase, then binds as the found DN with the supplied password -->
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
      <property name="filter" value="mail=%u" />
      <property name="searchBase" value="ou=People,dc=egov,dc=org" />
      <property name="contextSource" ref="contextSource" />
      <property name="ignorePartialResultException" value="yes" />
    </bean>
    And:
    <bean id="contextSource"
          class="org.springframework.ldap.core.support.LdapContextSource">
      <property name="pooled" value="true"/>
      <property name="urls">
        <!-- ldap:// on port 389 carries the simple bind password in cleartext; prefer ldaps:// unless CAS and the LDAP server share a trusted network -->
        <list><value>ldap://ldap.egov.org:389</value></list>
      </property>
      <!-- The manager DN defined in init-ldap.ldif is cn=Manager, not ou=Manager -->
      <property name="userDn" value="cn=Manager,dc=egov,dc=org"/>
      <property name="password" value="$demoegov$"/>
      <property name="baseEnvironmentProperties">
        <map>
          <entry>
            <key>
              <value>java.naming.security.authentication</value>
            </key>
            <value>simple</value>
          </entry>
        </map>
      </property>
    </bean>
    The values here correspond to what you set up on OpenLDAP.
  o Now you can start the system and test it; if the login is wrong, a notice is shown on the screen.

3.4 Configuring Liferay

- Installation instructions can be found here: https://www.liferay.com/documentation/liferay-portal/6.1/user-guide/-/ai/lp-6-1-ugen11-installing-liferay-on-jboss-7-0 or https://www.youtube.com/watch?v=43RqsxwBVBk
- Configure Liferay with OpenLDAP and CAS as follows:
  o Configure CAS:
    Enter the configuration values as shown in the screenshot, adjusting them to match your CAS server.
    Check the values.
  o Configure LDAP:
    Choose the basic configuration values.
    Enter the OpenLDAP server details, which include:
    the server name and connection details;
    test the connection;
    user settings;
    user group settings;
    export-to-LDAP settings.
    Save the settings after making the changes.
- After all settings have been saved successfully, log out of the application and log in again; the system will immediately hand the login process over to the CAS system. Then use the account created in OpenLDAP to log in again.

3.5 Configuring UEngine

- Rename the downloaded file to uengine-web.war and copy it into Liferay's deployments directory.
- Configure the parameters as follows:
  o Database connection parameters in uengine-web.war/WEB-INF/classes/org/uengine/uengine.properties
    Change the parameters to match your database (the values in braces are placeholders to fill in):
    datasource.jndiname=java:/uEngineDS
    jdbc.driverClassName=com.mysql.jdbc.Driver
    # a plain & separates JDBC URL parameters; a .properties file takes no XML escaping
    jdbc.url=jdbc:mysql://localhost:3306/{uengine}?autoReconnect=true&characterEncoding=UTF-8
    web.url=http://localhost:8080/uengine-web
    jdbc.username={username}
    jdbc.password={password}
  o CAS connection parameters in the file uengine-web.war/WEB-INF/web.xml
    Change the values to match your CAS system:
    <!-- Receives the logout request CAS sends when the user signs out anywhere (section 2.3) -->
    <filter>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <!-- Redirects requests without a session to the CAS login page; serverName builds the
         service URL the ticket is returned to (with http:// the ticket travels in cleartext) -->
    <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://livedemo.openegovplatform.org/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>http://livedemo.openegovplatform.org</param-value>
      </init-param>
    </filter>
    <!-- Validates the returned service ticket with the CAS server over the CAS 1.0 protocol -->
    <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://livedemo.openegovplatform.org/cas</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>http://livedemo.openegovplatform.org</param-value>
      </init-param>
    </filter>
    <!-- Exposes the validated CAS user as the request's remote user -->
    <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <!-- Makes the CAS assertion available to application code on the request thread -->
    <filter>
      <filter-name>CAS Assertion Thread Local Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
    <!-- Sign out not yet implemented -->
    <filter-mapping>
      <filter-name>EncodingFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>CAS Assertion Thread Local Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
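Added example (not code from the document or from the CAS client library) covering the login flow of section 2, the single sign-out of section 2.3 and the filters configured above: it builds the redirect to the CAS login page, builds the back-channel validation call, parses the CAS 1.0 text reply used by UEngine's Cas10TicketValidationFilter and the CAS 2.0 XML reply used by Pentaho's Cas20ServiceTicketValidator, and handles the SAML LogoutRequest that SingleSignOutFilter receives. The CAS prefix is the page's own; all responses and session ids are constructed samples.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_PREFIX = "https://livedemo.openegovplatform.org/cas"   # casServerUrlPrefix from the page
CAS_NS = "{http://www.yale.edu/tp/cas}"                     # namespace of CAS 2.0 responses
SAMLP_NS = "{urn:oasis:names:tc:SAML:2.0:protocol}"         # namespace of CAS logout requests
SESSIONS_BY_TICKET = {}   # service ticket -> local session id, as SingleSignOutFilter keeps it

def login_redirect(service_url):
    """AuthenticationFilter: send an unauthenticated request to CAS /login; CAS returns
    the browser to service_url with ?ticket=ST-... appended."""
    return f"{CAS_PREFIX}/login?{urlencode({'service': service_url})}"

def validate_url(service_url, ticket, cas20=False):
    """Back-channel call of the validation filter; the service must equal the URL the
    ticket was issued for, otherwise CAS rejects the ticket."""
    endpoint = "serviceValidate" if cas20 else "validate"
    return f"{CAS_PREFIX}/{endpoint}?{urlencode({'service': service_url, 'ticket': ticket})}"

def parse_cas10(body):
    """Cas10TicketValidationFilter (UEngine): /validate answers 'yes\\n<user>\\n' or 'no\\n\\n'."""
    lines = body.split("\n")
    return lines[1] if lines[0] == "yes" and len(lines) > 1 and lines[1] else None

def parse_cas20(body):
    """Cas20ServiceTicketValidator (Pentaho): the user exists only under authenticationSuccess."""
    success = ET.fromstring(body).find(CAS_NS + "authenticationSuccess")
    return None if success is None else success.findtext(CAS_NS + "user")

def on_validated(ticket, session_id):
    """After a successful validation, remember which ticket created the local session."""
    SESSIONS_BY_TICKET[ticket] = session_id

def single_sign_out(logout_request_xml):
    """SingleSignOutFilter: CAS POSTs a SAML LogoutRequest whose SessionIndex is the ticket;
    the session it created is invalidated. Returns the dropped session id."""
    ticket = ET.fromstring(logout_request_xml).findtext(SAMLP_NS + "SessionIndex")
    return SESSIONS_BY_TICKET.pop(ticket, None)

# Constructed sample messages (not captured from the page's servers)
CAS10_OK, CAS10_NO = "yes\ntestegovorg\n", "no\n\n"
CAS20_OK = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            "<cas:authenticationSuccess><cas:user>testegovorg</cas:user>"
            "</cas:authenticationSuccess></cas:serviceResponse>")
CAS20_NO = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            "<cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized"
            "</cas:authenticationFailure></cas:serviceResponse>")
SLO_REQUEST = ("<samlp:LogoutRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' "
               "ID='LR-1' Version='2.0' IssueInstant='2014-09-06T00:00:00Z'>"
               "<samlp:SessionIndex>ST-1-example</samlp:SessionIndex></samlp:LogoutRequest>")
```

A second LogoutRequest for the same ticket finds nothing to drop, which is why a client that did not record the ticket at validation time cannot take part in single sign-out.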

3.6 Configuring Pentaho

- Detailed installation instructions can be found here: http://anonymousbi.wordpress.com/2012/10/28/pentaho-bi-server-4-5-0-definitive-mysql-installation-guide/
- The following shows how to configure Pentaho for CAS:
  o Find the file Pentaho/pentaho-solutions/system/applicationContext-spring-security-cas.xml
    The serviceProperties settings (the service URL is where CAS returns the ticket after login):
    <bean id="serviceProperties"
          class="org.springframework.security.ui.cas.ServiceProperties" autowire="default"
          dependency-check="default" lazy-init="default">
      <property name="service"
                value="http://livedemo.openegovplatform.org/pentaho/j_spring_cas_security_check"/>
      <property name="sendRenew" value="false"/>
    </bean>
    The casProcessingFilterEntryPoint settings:
    <bean id="casProcessingFilterEntryPoint"
          class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint"
          autowire="default" dependency-check="default" lazy-init="default">
      <property name="loginUrl"
                value="https://livedemo.openegovplatform.org/cas/login"/>
      <property name="serviceProperties">
        <ref local="serviceProperties"/>
      </property>
    </bean>
    The ticketValidator settings (Pentaho validates tickets with the CAS 2.0 protocol):
    <bean id="ticketValidator"
          class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"
          autowire="default" dependency-check="default" lazy-init="default">
      <constructor-arg index="0"
                       value="https://livedemo.openegovplatform.org/cas" />
    </bean>
    The logoutFilter settings (logging out of Pentaho goes to CAS /logout, which then returns to /pentaho):
    <bean id="logoutFilter"
          class="org.springframework.security.ui.logout.LogoutFilter" autowire="default"
          dependency-check="default" lazy-init="default">
      <constructor-arg
          value="https://livedemo.openegovplatform.org/cas/logout?service=http://livedemo.openegovplatform.org/pentaho"/>
      <constructor-arg>
        <list>
          <bean
              class="org.pentaho.platform.web.http.security.PentahoLogoutHandler"/>
          <bean
              class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
        </list>
      </constructor-arg>
      <property name="filterProcessesUrl" value="/Logout"/>
    </bean>
  o Then restart the Pentaho and Liferay servers.
  o Create accounts in Pentaho corresponding to the accounts in Liferay, and grant each account the permission to view or to administer reports.

4. Conclusion
On the open openegovplatform platform we can integrate with many other systems that support SSO; above, UEngine and Pentaho are just two extension systems. This document also describes the mechanism only in outline, without going deep into the technical details of each system; it aims only to describe the SSO integration mechanism that EgovPlatform can use. EgovPlatform SSO will bring maximum convenience to existing systems without requiring many changes in terms of development.

The components above serve to affirm that EgovPlatform is not only open in terms of engineering and technology but also opens up a way of thinking for developers.
