A few months ago I posted a series of entries on this blog to help people get started using Shibboleth as an IdP for logging into a Liferay portal. Well, it's time to revisit the topic, only this time we'll be using CILogon instead of Shibboleth.
CILogon is similar to Shibboleth in that it connects the user to a separate Identity Provider for authentication. A nice feature of CILogon is that it allows the user to choose from a list of available Identity Providers for use with the resource they're accessing. For more information, visit the CILogon Website.
One thing to keep in mind is that some users may have multiple accounts across multiple Identity Providers. For example, both Google and PayPal can appear in the list of IdPs, and the authenticated user data they return won't necessarily match. That means the same user can arrive at the portal through several different IdPs, each with different authentication details.
For example, when I authenticate through CILogon on my test server, I can choose from Google, PayPal and Johns Hopkins University as my IdP. I have accounts with all three of them, and each of them would return a different E-mail address and username after authenticating. When you use CILogon, you need to keep that in mind, and make decisions on how you're going to handle that kind of situation.
In this tutorial, we're going to ignore that, since design decisions like that will vary by application, and each implementation will be unique.
One more caveat: I'm still in the process of refining and fine-tuning this process myself, so I won't pretend there isn't room for improvement. As with all of my blog posts, I'm sharing the basics of what I've found to work, and I leave the elegance to the reader.
This particular setup will involve:
Operating System: (Linux) CentOS 5.6
Authentication Provider: CILogon 1.01
Servlet Container: Tomcat 6.0.29
Portal: Liferay 6.06
IDE: Eclipse Helios
(Yeah, I know Liferay is up to version 6.1 and Tomcat is on version 7, but this solution hasn't yet been tested in those environments. Liferay 6.1 is different enough from 6.0 that I make no guarantees that this same version will work.)
Before you go any further, you absolutely must obtain a certificate from CILogon if you don't already have one from a trusted Certificate Authority. The process for doing so is detailed here. This is not an optional step! That means you also need to be doing this on a machine that has a static IP address and hostname.
Got it? Alright. Let's proceed.
You're also going to need Maven to build the CILogon portal servlet application. If you don't already have the Maven plugin, download and install that.
Step 1: Install Liferay
If you haven't done so already, download Liferay 6.06 and install it according to the Liferay instructions.
Start it up and make sure it works, and that you're able to log in as the admin. All set? Good.
Step 2: Download the CILogon Portal App
The way I did this was to download and customize the cilogon-portal-servlet project. You can import it right into Eclipse using SVN. In the File menu, click Import... You'll then see a popup box where you can select the import source. Under the SVN folder, select "Checkout Projects from SVN" and click "Next." Choose "Create a new repository location" and enter the URL in the link at the beginning of this paragraph. Click "Finish."
This can sometimes be a little tricky, so you might have to wrestle with it a little. (I did, but I managed to get it to download into Eclipse eventually.)
Now that you have the project in your Eclipse, you can customize it to fit your needs. Eventually you'll be installing this as a webapp in the same Tomcat where Liferay lives. Make sure you can build it with Maven before moving on to the next step.
To be continued...