Configure LDAP SSO for BCC and Endeca Workbench

If you want to set up your BCC with an SSO server along with LDAP validation, follow the steps below; everything here uses OOTB configuration:


LDAP In-Memory Server

Feel free to clone and build: https://github.com/kwart/ldap-server

Then you can start it with: java -jar ldap-server.jar -b 127.0.0.1 -p 10389 ldap_test.ldif

Lastly, you can validate connectivity with this command: ldapsearch -h localhost -p 10389 -x -D "uid=admin,ou=system" -w secret

Just make sure that the user and organization are defined appropriately in the LDIF.
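Before pointing CIM at the directory it is worth checking that the LDIF actually matches the mappings CIM will ask for (uid, sn, givenName, mail on users; uniqueMember on groups) and that every group member resolves to a real user. The script below is an added example, not part of the original post or of the kwart/ldap-server project; the LDIF it parses is constructed for the example and is not the repository's ldap_test.ldif, and the search DNs are the ones entered in the LDAP Configuration step further down.

```python
"""Sanity-check an LDIF file against the user/group mappings CIM will use.

Added example, not part of the original post or of the kwart/ldap-server
project. It checks that every user under the user search DN carries the
attributes CIM maps (uid, sn, givenName, mail) and that every uniqueMember
of a group resolves to one of those users. The LDIF below is constructed
for the example; it is not the repository's ldap_test.ldif.
"""
from typing import Dict, List

# Constructed sample directory with the same layout as the walkthrough
# (ou=users and ou=groups under dc=domain,dc=com,dc=mx). Two deliberate
# defects: uid=nomail lacks givenName/mail, and test-group lists a member
# that does not exist.
SAMPLE_LDIF = """\
dn: ou=users,dc=domain,dc=com,dc=mx
objectClass: top
objectClass: organizationalUnit
ou: users

dn: uid=test,ou=users,dc=domain,dc=com,dc=mx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: test
sn: User
givenName: Test
mail: test@example.com
userPassword: test

dn: uid=nomail,ou=users,dc=domain,dc=com,dc=mx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: nomail
sn: Mail

dn: ou=groups,dc=domain,dc=com,dc=mx
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=test-group,ou=groups,dc=domain,dc=com,dc=mx
objectClass: top
objectClass: groupOfUniqueNames
cn: test-group
uniqueMember: uid=test,ou=users,dc=domain,dc=com,dc=mx
uniqueMember: uid=ghost,ou=users,dc=domain,dc=com,dc=mx
"""

# Search DNs as entered in CIM and the LDAP attributes it maps onto the ATG
# profile (login, lastName, firstName, email). Everything is lower-cased,
# since LDAP attribute names and DNs compare case-insensitively.
USER_SEARCH_DN = "ou=users,dc=domain,dc=com,dc=mx"
GROUP_SEARCH_DN = "ou=groups,dc=domain,dc=com,dc=mx"
REQUIRED_USER_ATTRS = ("uid", "sn", "givenname", "mail")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse plain LDIF (no base64 values, no changetype records) into
    {dn: {attribute: [values]}}; RFC 2849 folded lines are joined."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current, last_attr = None, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends the record
            current, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]    # continuation of previous value
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
            last_attr = None
        elif current is not None:
            current.setdefault(attr, []).append(value)
            last_attr = attr
    return entries


def _entries_under(entries, base_dn, object_class):
    """Entries below base_dn that carry the given (lower-cased) objectClass."""
    return {dn: e for dn, e in entries.items()
            if dn.endswith("," + base_dn)
            and object_class in (c.lower() for c in e.get("objectclass", []))}


def check_ldif(text: str) -> List[str]:
    """Return the problems that would surface as failed logins or empty
    organizations once BCC reads this directory."""
    entries = parse_ldif(text)
    users = _entries_under(entries, USER_SEARCH_DN, "inetorgperson")
    groups = _entries_under(entries, GROUP_SEARCH_DN, "groupofuniquenames")
    problems = []
    for dn, attrs in users.items():
        for attr in REQUIRED_USER_ATTRS:
            if attr not in attrs:
                problems.append(f"user {dn} lacks mapped attribute '{attr}'")
    for dn, attrs in groups.items():
        for member in attrs.get("uniquemember", []):
            if member.lower() not in users:
                problems.append(f"group {dn} references unknown member {member}")
    if not groups:
        problems.append(f"no groupOfUniqueNames entries under {GROUP_SEARCH_DN}")
    return problems


if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF) or ["LDIF is consistent"]:
        print(problem)
```

Run it against your own LDIF by replacing SAMPLE_LDIF with the file contents; a user that passes ldapsearch but is missing from this check is exactly the account that later authenticates yet gets no BCC access.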


CIM Setup


SSO

Run <ATG_ROOT>/home/bin/cim.sh

Select options as follows:

Platform-Guided Search Integration
[8] Content Administration
Choose Commerce AddOns:
[4] Single Sign On (SSO)
[D] Done
[1] Commerce Only SSO Authentication
[1] LDAP Server Authentication
[1] Non-Switching Datasource
Don't include demo application
[2] Index by Product
[A] Select Application Server
[2] Weblogic
Enter Weblogic home path: /your/weblogic/wlserver/path
Enter domain path: /your/weblogic/user_projects/domains/instance/path
Leave default URL to admin server t3://localhost:7001
Enter username to admin server: someWeblogicUser
And password: yourWeblogicPassword
Let CIM perform validation against the WebLogic server (WebLogic must be up, of course)
[1] Configure OPSS Security
[1] Enter the location to deploy OPSS files
Enter Shared Path: [[<ATG_ROOT>/home/security/]]
[3] Enter the Workbench login credential
user/passwd -> admin/admin
[4] Deploy configuration files
[D] Deploy to <ATG_ROOT>/home/../home/security/
[D] Deploy OPSS configuration files
[D] Done

Database

[2] Database Configuration
[P] Publishing
[C] Connection Details
[1] Oracle Thin
user/psswd > PUB_USER/PUBPassword
Enter Host Name > localhost
Enter Port Number [[1521]] >
Enter Database Name > YOUR_SERVICENAME
Enter Database URL [[jdbc:oracle:thin:@localhost:1521:YOUR_SERVICENAME]] >
Enter Driver Path > <ATG_ROOT>/CIM/lib/ojdbc7.jar
Enter JNDI Name [[ATGPublishingDS]] >
[T] Test Connection
[S] Create Schema
[C] Create Schema - This will run the pending ddl scripts (not previously run) for the related SSO changes:
Found 1 of 69 previously unrun tasks for Datasource Publishing 1 DPS.InternalUsers.LDAP :
sql/db_components/oracle/internal_user_ldap_ddl.sql ->
create table dpi_organization_ldap (
org_id varchar2(40) not null,
ldap number(1,0) null
,constraint dpi_organization_ldap_p primary key (org_id)
,constraint dpi_organizationldap_f foreign key (org_id) references dpi_organization (org_id));
[I] Import Initial Data
[I] Import Data - This will run the corresponding view mappings for BCC:
Importing ( 1 of 1 ) /DPS-UI/AccessControl/SSO/install/data/viewmapping.xml to
/atg/web/viewmapping/ViewMappingRepository...Success
[O] Configure Another Datasource
[C] Production Core
[C] Connection Details
[1] YOUR_SID@jdbc:oracle:thin:@localhost:1521:YOUR_SERVICENAME
user/psswd > CORE_USER/COREPassword
Enter Host Name [[localhost]] >
Enter Port Number [[1521]] >
Enter Database Name [[YOUR_SERVICENAME]] >
Enter Database URL [[jdbc:oracle:thin:@localhost:1521:YOUR_SERVICENAME]] >
Enter Driver Path [[<ATG_ROOT>/CIM/lib/ojdbc7.jar]] >
Enter JNDI Name [[ATGProductionDS]] >
[T] Test Connection
[O] Configure Another Datasource
[S] Switching A
user/psswd > CATA_USER/CATAPassword
Enter Host Name > localhost
Enter Port Number [[1521]] >
Enter Database Name > YOUR_SID
Enter Database URL [[jdbc:oracle:thin:@localhost:1521:YOUR_SERVICENAME]] >
Enter Driver Path > <ATG_ROOT>/CIM/lib/ojdbc7.jar
Enter JNDI Name [[ATGSwitchingDS_A]] >
[T] Test Connection
[O] Configure Another Datasource
[B] Switching B
user/psswd > CATB_USER/CATBPassword
Enter Host Name > localhost
Enter Port Number [[1521]] >
Enter Database Name > YOUR_SERVICENAME
Enter Database URL [[jdbc:oracle:thin:@localhost:1521:YOUR_SERVICENAME]] >
Enter Driver Path > <ATG_ROOT>/CIM/lib/ojdbc7.jar
Enter JNDI Name [[ATGSwitchingDS_B]] >
[T] Test Connection

LDAP

[3] LDAP Configuration
[C] Connection Details
LDAP SSO Authentication Server URL: ldap://localhost:10389
LDAP SSO Authentication Mechanism: simple
LDAP SSO Security Principal Identity: uid=admin,ou=system
Enter LDAP SSO Security Principal Credentials > secret
[T] Test Connection
Enter the User directory details:
Enter LDAP User Object Classes [[top,person,organizationalPerson,inetorgPerson]] >
Enter LDAP User Login Property Mapping [[uid]] >
Enter LDAP User Last Name Property Mapping [[sn]] >
Enter LDAP User First Name Property Mapping [[givenName]] >
Enter LDAP User Email Property Mapping [[mail]] >
Enter LDAP User Search DN [[cn=users,dc=yourcompany,dc=com]] > ou=users,dc=domain,dc=com,dc=mx
Enter Group Directory Details
Enter LDAP Group Object Classes [[top,groupofuniquenames]] >
Enter LDAP Group Gid Property Mapping [[cn]] >
Enter LDAP Group Members Name Property Mapping [[uniquemember]] >
Enter LDAP Group Email Property Mapping [[mail]] >
Enter LDAP Group Search DN [[cn=groups,dc=yourcompany,dc=com]] > ou=groups,dc=domain,dc=com,dc=mx

Publishing and SSO instances

[4] Server Instance Configuration
[C] Commerce Publishing Server
[C] Commerce Publishing Server General Configuration
Enter Production Lock Server Hostname [[localhost]] >
Enter Production Lock Server Port [[9012]] >
Enter CAS Hostname [[localhost]] >
Enter CAS Port [[8500]] >
Enter EAC Hostname [[localhost]] >
Enter EAC Port [[8888]] >
Enter EAC Base Application Name [[ATG]] >
Enter the Fully-qualified Workbench Hostname, Including Domain > localhost
Enter Workbench Port Number [[8006]] >
Enter Default MDEX Host Name [[localhost]] >
Enter Default MDEX Port Number [[15000]] >
Enter Commerce SSO Host [[localhost]] >
Enter Commerce SSO Port > 7003
[I] Instance Management
[A] Add Server Instance
[1] Publishing with a Server Lock Manager
Enter Server Instance Name : [[atg_publishing_lockserver]]
[U] Use Default Port Binding
Enter HTTP Port [[7003]] > 8280
Enter HTTPS Port [[7004]] > 8243
Enter Site HTTP Port [[7003]] > 8280
Enter RMI Port [[8860]] > 8260
Enter DRP Port [[8850]] > 8250
Enter File Deployment Port [[8810]] > 8210
Enter File Synchronization Deploy Server Port [[8815]] > 8215
[D] Done
[W] Workbench configuration -> This is where the files for Workbench will be generated; you will use them later
Enter Workbench configuration path: > <ATG_ROOT>/home/servers
Enter BCC HostName: [[localhost]] >
Enter BCC Server Port: [[8080]] > 8280
After adding the publishing instance, you'll notice the required modules for SSO are:
BIZUI, PubPortlet, DafEar.Admin, ContentMgmt.Versioned, DCS.Versioned,
ContentMgmt.Endeca.Index.Versioned, DCS.Endeca.Index.Versioned,
DCS.Endeca.Assembler.Versioned, DPS.InternalUsers.LDAP,
DPS-UI.AccessControl.SSO
You'll also get the localconfig folder with all required configuration files in: <ATG_ROOT>/home/servers/atg_publishing_lockserver
For your BCC related module you have to add the following files from the above folder into your project:
new file: BCC/config/atg/adapter/ldap/InitialContextEnvironment.properties
new file: BCC/config/atg/adapter/ldap/ldapUserProfile.xml
new file: BCC/config/atg/dynamo/servlet/dafpipeline/DynamoHandler.properties
new file: BCC/config/atg/dynamo/servlet/dafpipeline/ProfileRequestServlet.properties
new file: BCC/config/atg/remote/controlcenter/service/ControlCenterService.properties
new file: BCC/config/atg/userprofiling/InternalProfileFormHandler.properties
new file: BCC/config/atg/userprofiling/ProfileRequest.properties
new file: Management/config/atg/userprofiling/composite.xml
new file: Management/config/atg/userprofiling/internalUserProfile.xml
new file: BCC/config/atg/userprofiling/sso/LightweightSSOTools.properties
new file: BCC/config/atg/web/assetmanager/userprofiling/NonTransientAccessController.properties
and merge contents on:
modified: BCC/META-INF/MANIFEST.MF
modified: BCC/config/atg/dynamo/servlet/dafpipeline/AccessControlServlet.properties
[O] Configure Another Server Instance Type
[C] Commerce Only SSO Server
[C] Commerce Only SSO Server General Configuration
[I] Instance Management
[A] Add Server Instance
[U] Use Default Port Binding
Enter HTTP Port [[7003]] >
Enter HTTPS Port [[7004]] >
Enter RMI Port [[8860]] >
Enter DRP Port [[8850]] >
Enter File Deployment Port [[8810]] >
Enter File Synchronization Deploy Server Port [[8815]] >
[D] Done
[O] Configure Another Server Instance Type
[D] Done
After adding the SSO instance, you'll notice the required modules for this server are:
DafEar.Admin, SSO, DafEar, DPS.InternalUsers.LDAP

Assembly and Deployment

[5] Application Assembly & Deployment
[A] atg_sso_server
Enter Ear File Name for Commerce Only SSO Server [[sso.ear]] >
[D] Deploy Commerce Only SSO Server sso.ear to Weblogic Online -> This will deploy the SSO server automatically to WebLogic, you'll have to from the WL console
[R] Register Datasources on Weblogic Online
Do the next two:
[A] Add database driver to app server classpath
[P] Post Deployment Actions on Weblogic Online

Endeca Workbench

To integrate Workbench with Commerce SSO:

1. Navigate to the <ENDECA_ROOT>/ToolsAndFrameworks/11.3.0/server/workspace/conf directory.
2. Open webstudio.properties in a text editor.
3. Locate the configuration titled # Commerce SSO Authentication.
4. Set com.endeca.webstudio.useSSO to true:
# Commerce SSO Authentication
com.endeca.webstudio.useSSO=true

5. Uncomment the following properties:
com.endeca.webstudio.sso.loginURL
com.endeca.webstudio.sso.keepAliveFrequency

6. Set the uncommented properties to their respective values.
For example:
# Commerce SSO Authentication
com.endeca.webstudio.useSSO=true
com.endeca.webstudio.sso.loginURL=http://localhost:7003/sso/login
com.endeca.webstudio.sso.keepAliveFrequency=1800

7. Save and close the file.

This lets Workbench redirect to the SSO server whenever the user's ticket is not valid (i.e., the user is not signed in).
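A quick way to confirm the edit took effect, and that the login URL agrees with the SSO instance CIM created (HTTP port 7003 on localhost in this walkthrough), is to parse webstudio.properties and check the three settings together. The script below is an added example, not an Oracle or Endeca tool; both property snippets in it are constructed, one resembling the file before the edits and one after, and the expected login path is taken from the example value in the steps above.

```python
"""Check the Commerce SSO settings in webstudio.properties.

Added example, not an Oracle or Endeca tool. It parses a Java-style
properties file and reports whether the three settings from the steps
above are active and consistent with the SSO instance configured in CIM
(HTTP port 7003 on localhost in this walkthrough). Both property files
below are constructed: one with SSO still off, one after the edits.
"""
from typing import Dict, List
from urllib.parse import urlparse

USE_SSO = "com.endeca.webstudio.useSSO"
LOGIN_URL = "com.endeca.webstudio.sso.loginURL"
KEEP_ALIVE = "com.endeca.webstudio.sso.keepAliveFrequency"
LOGIN_PATH = "/sso/login"   # from the example value in the steps above

# Constructed: the block as it looks before the edits (SSO off, URLs commented).
BEFORE = """\
# Commerce SSO Authentication
com.endeca.webstudio.useSSO=false
#com.endeca.webstudio.sso.loginURL=http://localhost:7003/sso/login
#com.endeca.webstudio.sso.keepAliveFrequency=1800
"""

# Constructed: the same block after steps 4 to 6.
AFTER = """\
# Commerce SSO Authentication
com.endeca.webstudio.useSSO=true
com.endeca.webstudio.sso.loginURL=http://localhost:7003/sso/login
com.endeca.webstudio.sso.keepAliveFrequency=1800
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators (whichever comes first), trailing-backslash continuations.
    Commented-out keys are simply absent from the result."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_sso_config(text: str, sso_host: str, sso_port: int) -> List[str]:
    """Return findings for the SSO block; an empty list means it matches the
    SSO instance at sso_host:sso_port."""
    props = parse_properties(text)
    findings: List[str] = []

    use_sso = props.get(USE_SSO)
    if use_sso is None:
        findings.append(f"{USE_SSO} is missing or commented out")
    elif use_sso.lower() != "true":
        findings.append(f"{USE_SSO} is '{use_sso}', expected 'true'")

    url = props.get(LOGIN_URL)
    if url is None:
        findings.append(f"{LOGIN_URL} is missing or commented out")
    else:
        parsed = urlparse(url)
        if parsed.hostname != sso_host.lower() or parsed.port != sso_port:
            findings.append(f"{LOGIN_URL} points at {parsed.hostname}:{parsed.port} "
                            f"but the SSO instance is {sso_host}:{sso_port}")
        if parsed.path != LOGIN_PATH:
            findings.append(f"{LOGIN_URL} path is {parsed.path!r}, expected {LOGIN_PATH!r}")
        # Defender's caveat: off the local box, the ticket should not travel in clear text.
        if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"{LOGIN_URL} uses {parsed.scheme} to a non-local host; "
                            "the SSO ticket would cross the network unencrypted")

    freq = props.get(KEEP_ALIVE)
    if freq is None:
        findings.append(f"{KEEP_ALIVE} is missing or commented out")
    elif not freq.isdigit() or int(freq) <= 0:
        findings.append(f"{KEEP_ALIVE} must be a positive integer, got {freq!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_sso_config(text, "localhost", 7003) or ["OK"])
```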

To configure Workbench with BCC link:

1. Go to <ATG_ROOT>/home/servers/workbench (this path was defined above during the atg_publishing_lockserver instance configuration).
2. It contains the ws-extensions.xml and ws-mainMenu.xml files, as well as a /locales directory holding the configuration resource file.
3. These XML files must be copied or merged into the <ENDECA_ROOT>/ToolsAndFrameworks/11.3.0/server/workspace/conf folder of the Workbench.
4. Merge the resource.properties file located in the /workbench/locales directory with the one in the Workbench server's /locales directory. Add the Control Center extension, Access Control extension and User Access Menu information.
This will allow merchandisers to go directly to BCC from within Workbench.

Creating Users and Organizations

1. If you have a valid LDAP account (test/test) but this account doesn't belong to an LDAP organization in BCC, you will be authenticated successfully but won't be granted access to BCC.

2. In order to create an LDAP organization in BCC you'll have to log in with the admin account and go to: Access Control > Organizations > Root Organization

3. Click the plus icon and select 'organization'.

4. Select LDAP for the Source property

5. Enter test-group as the name of the organization and click the Validate button.

6. You'll get a message that the name is valid on the LDAP server; in this case that is because ldap_test.ldif defines it.

7. Click the Create button

8. Go back to Users and add a new one (click the plus icon and select 'user')

9. As with the organization, you have to provide a user that exists in the LDAP server; in this case you can use 'test'.

10. Notice that the email, first name and last name fields are not editable and, more importantly, are automatically populated with the information coming directly from the LDAP server.

Note: Any required properties from LDAP can be mapped into ATG profiles through configuration in ldapUserProfile.xml. These are the ones mapped OOTB:

<item-descriptor name="user" display-name="User" display-property="login">
   <id-property name="id" in-ldap="false"/>
   <object-classes-property name="objectClasses" ldap-name="objectclass"/>
   <object-class>top</object-class>
   <object-class>person</object-class>
   <object-class>organizationalPerson</object-class>
   <object-class>inetorgPerson</object-class>
   <property name="login" ldap-name="uid" writable="false" data-type="string">
      <attribute name="unique" value="true"/>
   </property>
   <property name="firstName" ldap-name="givenName" writable="false" data-type="string"/>
   <property name="lastName" ldap-name="sn" writable="false" data-type="string"/>
   <property name="email" ldap-name="mail" writable="false" data-type="string"/>
   <new-items allowed="false" />
</item-descriptor>
<search-root dn="ou=users,dc=domain,dc=com,dc=mx"/>

Notice the last line, the <search-root> tag, which defines the base DN under which user profiles are searched.

11. Click on the Organization & Role tab; you'll see that the user is automatically added to the test-group organization we just created. This is because the user is already a member of that group in the LDAP server, so ATG simply retrieved the information.

12. Click the Create button and you're done.
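The behaviour seen in steps 10 and 11 follows directly from the ldapUserProfile.xml mapping quoted in the note above: each <property> names the LDAP attribute that feeds it, writable="false" makes it read-only in the BCC form, and <search-root> limits which entries are considered at all. The script below is an added example, not ATG code; it wraps the two top-level elements from the note in a constructed root element so ElementTree can parse them, and the LDAP entry it maps is constructed to resemble what ldapsearch returns for uid=test.

```python
"""Apply the OOTB ldapUserProfile.xml mapping to an LDAP entry.

Added example, not ATG code. It reads the item-descriptor quoted in the
post (wrapped in a constructed <ldap-profile> root so ElementTree can
parse the two top-level elements), works out which profile property is
fed by which LDAP attribute, populates a profile from a constructed LDAP
entry, and enforces writable="false" the way the BCC user form does.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict

# The mapping from the post; only the <ldap-profile> wrapper is added here.
LDAP_USER_PROFILE_XML = """\
<ldap-profile>
  <item-descriptor name="user" display-name="User" display-property="login">
    <id-property name="id" in-ldap="false"/>
    <object-classes-property name="objectClasses" ldap-name="objectclass"/>
    <object-class>top</object-class>
    <object-class>person</object-class>
    <object-class>organizationalPerson</object-class>
    <object-class>inetorgPerson</object-class>
    <property name="login" ldap-name="uid" writable="false" data-type="string">
      <attribute name="unique" value="true"/>
    </property>
    <property name="firstName" ldap-name="givenName" writable="false" data-type="string"/>
    <property name="lastName" ldap-name="sn" writable="false" data-type="string"/>
    <property name="email" ldap-name="mail" writable="false" data-type="string"/>
    <new-items allowed="false" />
  </item-descriptor>
  <search-root dn="ou=users,dc=domain,dc=com,dc=mx"/>
</ldap-profile>
"""

# Constructed LDAP entry for uid=test, shaped like an ldapsearch result
# (attribute name -> list of values, plus the entry's DN).
TEST_ENTRY: Dict[str, Any] = {
    "dn": "uid=test,ou=users,dc=domain,dc=com,dc=mx",
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "uid": ["test"],
    "givenName": ["Test"],
    "sn": ["User"],
    "mail": ["test@example.com"],
}


def load_mapping(xml_text: str) -> Dict[str, Any]:
    """Extract properties, required object classes, search root and the
    new-items policy from the item-descriptor. LDAP names are lower-cased
    because LDAP compares attribute names and DNs case-insensitively."""
    root = ET.fromstring(xml_text)
    desc = root.find("item-descriptor")
    props = {}
    for prop in desc.findall("property"):
        props[prop.get("name")] = {
            "ldap_name": prop.get("ldap-name").lower(),
            "writable": prop.get("writable", "true").lower() == "true",
        }
    return {
        "properties": props,
        "object_classes": [oc.text.lower() for oc in desc.findall("object-class")],
        "search_root": root.find("search-root").get("dn").lower(),
        "new_items_allowed": desc.find("new-items").get("allowed").lower() == "true",
    }


def in_scope(mapping: Dict[str, Any], dn: str) -> bool:
    """True if the DN sits below <search-root>; entries elsewhere in the
    directory are never offered to BCC, valid credentials or not."""
    return dn.lower().endswith("," + mapping["search_root"])


def build_profile(mapping: Dict[str, Any], entry: Dict[str, Any]) -> Dict[str, Any]:
    """Return the ATG profile view of an LDAP entry, or raise if the entry is
    outside the search root or lacks a required object class."""
    if not in_scope(mapping, entry["dn"]):
        raise ValueError(f"{entry['dn']} is outside search-root {mapping['search_root']}")
    attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    missing = [oc for oc in mapping["object_classes"] if oc not in classes]
    if missing:
        raise ValueError(f"{entry['dn']} lacks object classes {missing}")
    profile = {}
    for name, spec in mapping["properties"].items():
        values = attrs.get(spec["ldap_name"], [])
        profile[name] = values[0] if values else None   # these properties are single-valued
    return profile


def is_editable(mapping: Dict[str, Any], name: str) -> bool:
    """writable="false" is what greys out email, first and last name in the BCC form."""
    return mapping["properties"][name]["writable"]


def set_property(mapping, profile, name, value):
    """Local edit of a profile property, refused for LDAP-sourced ones."""
    if not is_editable(mapping, name):
        raise PermissionError(f"{name} is read-only; it is sourced from LDAP attribute "
                              f"{mapping['properties'][name]['ldap_name']}")
    profile[name] = value
    return profile


if __name__ == "__main__":
    mapping = load_mapping(LDAP_USER_PROFILE_XML)
    print(build_profile(mapping, TEST_ENTRY))
    print({name: is_editable(mapping, name) for name in mapping["properties"]})
```

Adding a mapped attribute is a matter of one more <property> line in the XML; this script picks it up without code changes, which is the point of keeping the mapping declarative.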


Documentation

https://docs.oracle.com/cd/E69533_01/Platform.11-3/ATGEndecaIntegrationGuide/html/s1601commercesinglesignon01.html

https://docs.oracle.com/cd/E69533_01/Platform.11-3/ATGEndecaIntegrationGuide/html/s1603login01.html

https://docs.oracle.com/cd/E69533_01/Platform.11-3/ATGCommerceSecurityGuide/html/s0302configuringsinglesignonauthentic01.html

https://docs.oracle.com/cd/E69533_01/Platform.11-3/ATGInstallGuide/html/s0206configuringotheroraclecommerceto01.html

https://docs.oracle.com/cd/E70265_01/common.11-3/EndecaAdmin/html/tcag_configuring_commerce_sso.xmltask_0D659CA099C64C84A2ADCDD4B62E9770.html

