Single Sign On (SSO) for Bluemix Web Apps


IBM® Bluemix™ is a Platform as a Service (PaaS) cloud offering from IBM®. It enables organizations and developers to quickly and easily create, deploy, and manage applications on the cloud.

IBM Single Sign On is a policy-based authentication service that provides an easy-to-embed single sign-on capability for Node.js or Java applications.

Single Sign On supports several identity sources where user credentials are stored:

  • SAML Enterprise: A user registry with an exchange of SAML tokens that completes the authentication.
  • Cloud Directory: A user registry that is hosted in the IBM Cloud.
  • Social Identity Sources: The user registries that are maintained by Google, Facebook and LinkedIn.

This blog will help you add a social identity source from Facebook for Single Sign On (SSO) for a Bluemix app.

Prerequisites

So, let’s begin with configuring identity sources:

Step 1: From the Bluemix CATALOG, select the Single Sign On security service.

Step 2: Enter a Service Name and then click CREATE.

Step 3: Provide a name for the service. This name will be part of the service URL. Click Continue.

Step 4: Click FACEBOOK to add it as an identity source.

Step 5: After changing the name (optional), click “Click here”, which will redirect you to the Facebook for Developers page.

Step 6: Click My Apps and then click Add a New App.

Step 7: Click Website.

Step 8: Enter an App Name and then click Create New Facebook App ID.

Step 9: Choose a Category and then click Create App ID.

Step 10: You can now see your app listed in the My Apps section. Click TweetAuth, which will take you to the Dashboard of the app.

Step 11: In the Dashboard, copy the App ID and App Secret.

Step 12: Go back to the Bluemix Dashboard and paste the App ID and App Secret. Copy the OAuth Redirect URI and then click SAVE.

Step 13: On the Facebook for Developers page, under SETTINGS > Basic, enter your Contact Email and Website URL and click SAVE CHANGES.

Step 14: On the Facebook for Developers page, under SETTINGS > ADVANCED, toggle Client OAuth Login from NO to YES, paste the OAuth Redirect URI in the text box, and then click SAVE CHANGES.

Step 15: Go back to the Bluemix DASHBOARD. You will now find a VERIFY button; click it and verify access to Facebook by clicking “Click here”.

Step 16: Awesome! It’s working!!

Step 17: You can now see your identity source app in the list.

The next step is to configure the app by creating an app:

Configuring a Liberty for Java app with SSO:

  • For Liberty for Java Applications, the Single Sign On service leverages the OpenID Connect (OIDC) client feature from Liberty and the Bluemix Liberty buildpack. As a result, Java applications running on Bluemix do not need to include any code to support the OpenID Connect protocol or Single Sign On.
  • However, you must enable security constraints. To enable them, you can use declarative J2EE security to secure the application and all protocol support is completely “built-in.”

    After you bind the app to an instance of the single sign-on service, the Bluemix buildpack detects that the application is bound and automatically configures the OIDC client in the Liberty runtime server.xml to enable the application for the service. The configuration is done when you deploy the application in Bluemix using either the cf push command or using the restaging process in the Bluemix dashboard.

    To complete the configuration of the application, you must add security constraints. You can add the constraints in the same manner as you would for traditional J2EE applications using EAR/WAR binding files to declare roles and protected resources.

    The following example illustrates security constraint configuration for a Java application that uses the web.xml and the Liberty server.xml files.

  • Create a HelloWorld servlet in the com package, with twitter as the Java application name.
  • Open the web.xml file in a text editor.
  • Set the security constraints, using the following as an example.
    <servlet>
        <servlet-name>HelloServlet</servlet-name>
        <servlet-class>com.HelloWorld</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>HelloServlet</servlet-name>
        <url-pattern>/hello/*</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <display-name></display-name>
        <web-resource-collection>
            <web-resource-name>HelloServlet</web-resource-name>
            <url-pattern>/</url-pattern>
            <url-pattern>/*</url-pattern>
            <!-- Only the HTTP methods listed here are covered by this constraint -->
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
            <http-method>TRACE</http-method>
            <http-method>POST</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <!-- Callers must hold TESTROLE, which server.xml maps to users -->
        <auth-constraint>
            <role-name>TESTROLE</role-name>
        </auth-constraint>
    </security-constraint>

  • Save the web.xml file.
  • Open the server.xml file in a text editor.
  • Enable the security constraints. Use the following example as a guide.
    <server description="new server">
        <featureManager>
            <feature>jsp-2.2</feature>
            <feature>localConnector-1.0</feature>
        </featureManager>
        <httpEndpoint httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
        <applicationMonitor updateTrigger="mbean"/>
        <application type="war" id="twitter" name="twitter" location="twitter.war">
            <application-bnd>
                <!-- Map TESTROLE from web.xml to every authenticated user -->
                <security-role name="TESTROLE">
                    <special-subject type="ALL_AUTHENTICATED_USERS"/>
                </security-role>
            </application-bnd>
        </application>
    </server>

  • Push the app (twitter.war) along with server.xml to Bluemix using the cf push command. Learn how to push an application to Bluemix using the cf command through my earlier blog.
  • Bind the SSO service to the Java app and then restage it.
  • Open the app, for example tweetout.mybluemix.net/twitter/hello. It will redirect you to the Facebook page for logging in.

Hurray, your Bluemix app is now secured by Single Sign On Facebook authentication!!
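The security-constraint in the web.xml above enumerates http-method elements, and under the Servlet specification a constraint with such a list applies only to the listed methods, so any other method reaches the same URLs without the role check. The check below is an added example (not from the original post or IBM's documentation) that parses a web.xml and reports such collections; the function name uncovered_methods and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop the XML namespace so javaee and jakartaee descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    return [(c.text or "").strip() for c in parent if _local(c.tag) == name]

def uncovered_methods(web_xml):
    """Return (resource name, url-patterns, note) for each role-protected
    web-resource-collection that leaves some HTTP methods unconstrained."""
    root = ET.fromstring(web_xml)
    # Servlet 3.1+: with this element the container denies uncovered methods.
    if any(_local(e.tag) == "deny-uncovered-http-methods" for e in root):
        return []
    findings = []
    for sc in (e for e in root if _local(e.tag) == "security-constraint"):
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # no auth-constraint, so no role is being enforced here
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            listed = sorted(set(_texts(wrc, "http-method")))
            omitted = sorted(set(_texts(wrc, "http-method-omission")))
            if listed:
                note = "only " + ",".join(listed) + " require the role"
            elif omitted:
                note = ",".join(omitted) + " bypass the role"
            else:
                continue  # no method list: the constraint covers every method
            name = (_texts(wrc, "web-resource-name") or ["?"])[0]
            findings.append((name, sorted(set(_texts(wrc, "url-pattern"))), note))
    return findings

# Constructed samples: the page's constraint with its seven methods, and the
# same constraint with the http-method list left out.
_METHODS = ["GET", "PUT", "HEAD", "TRACE", "POST", "DELETE", "OPTIONS"]
_TEMPLATE = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>HelloServlet</web-resource-name>
    <url-pattern>/*</url-pattern>{methods}
  </web-resource-collection>
  <auth-constraint><role-name>TESTROLE</role-name></auth-constraint>
</security-constraint></web-app>"""
PAGE_STYLE = _TEMPLATE.format(
    methods="".join(f"<http-method>{m}</http-method>" for m in _METHODS))
ALL_METHODS = _TEMPLATE.format(methods="")

if __name__ == "__main__":
    for label, doc in (("page-style", PAGE_STYLE), ("no method list", ALL_METHODS)):
        print(label, uncovered_methods(doc) or "all methods covered")
```

Dropping the http-method elements from the web-resource-collection makes the constraint apply to every method, which is what the second sample shows.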

 

 

Courtesy: IBM Bluemix (bluemix.net) and Facebook for Developers (developers.facebook.com)
