The topics in this page provide instructions on how to configure the Nuxeo authenticator with WSO2 Identity Server. Here, a sample application is used to demonstrate the integration.
Note
- Nuxeo Authenticator is supported with WSO2 Identity Server 5.5.0.
- Configuring the Nuxeo authenticator is tested with Nuxeo Server version 10.1.
Follow the instructions in the topics below to configure the Nuxeo authenticator with WSO2 Identity Server:
Deploying Nuxeo artifacts
- Download the artifacts for this authenticator from the store.
- Copy the downloaded org.wso2.carbon.identity.authenticator.nuxeo-x.x.x.jar file to the <IS_HOME>/repository/components/dropins directory.
If you want to upgrade the Nuxeo Authenticator (.jar) that is packaged with your existing WSO2 IS distribution to the latest, see upgrade instructions.
Configuring the Nuxeo application
- Go to https://www.nuxeo.com/downloads/, download the server and unzip the archive. The path to the server is referred to as <NUXEO_HOME> throughout this page. Navigate to the <NUXEO_HOME>/bin directory and run the following command to install the JSF UI add-on:
./nuxeoctl mp-install nuxeo-jsf-ui
Start the Nuxeo server using the commands given below:
$ chmod +x ./nuxeoctl
$ ./nuxeoctl start
- On the first start, follow the instructions shown in the Nuxeo console to complete the setup of the Nuxeo server. Once the server is running, follow the steps below to register WSO2 Identity Server as an OAuth2 client in Nuxeo.
- Go to http://localhost:8080/nuxeo/jsf and sign in with the default Administrator/Administrator credentials. These defaults are only acceptable on a local test server; change the administrator password before the server is reachable by anyone else.
- Click Admin, then click Cloud Services, and then click the Consumers tab.
- Click Add under the OAuth2 Clients section.
- Specify values for the Name, Client ID, Client Secret, and Redirect URI. Use https://localhost:9443/commonauth as the Redirect URI. This value must be identical to the Callback URL you enter later when configuring the identity provider in WSO2 Identity Server, since Nuxeo redirects the authorization code only to the URI registered here.
- Click Create.
Now you have configured the Nuxeo application.
Next, let's deploy the travelocity.com sample app so that it can be used in this scenario.
Deploying the travelocity.com sample app
To download and deploy the travelocity sample application, follow the instructions in deploying travelocity.com sample app.
Nuxeo listens on port 8080 by default. If Apache Tomcat is configured to use the same port (e.g. 8080), change the port on which Tomcat runs; the rest of this page uses 8181 for Tomcat.
Follow the steps below to change the port on which Apache Tomcat runs:
Navigate to the <TOMCAT_HOME>/conf/server.xml file and change the values of the Connector port and Server port parameters. Nuxeo's bundled Tomcat also uses 8005 as its shutdown port by default, so give the Server port a free value as well. If the AJP connector is enabled, make sure its port is free too.
<Server port="8006" shutdown="SHUTDOWN">
<Connector port="8181" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Navigate to the <TOMCAT_HOME>/webapps/travelocity.com/WEB-INF/classes/travelocity.properties file and change the port in the URL of the SAML 2.0 assertion consumer so that it matches the new Tomcat port:
#The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL=http://localhost:8181/travelocity.com/home.jsp
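A check for the port change, as an added example that is not part of the original page or of the Tomcat, Nuxeo or WSO2 projects: it parses a Tomcat server.xml and a travelocity.properties file (both constructed inline below) and reports the mistakes that most often break this setup, namely Tomcat still bound to Nuxeo's port and an Assertion Consumer URL that no longer matches the port Tomcat listens on. The default Nuxeo shutdown port of 8005 is an assumption and is marked as such in the code.

```python
"""Check that the Tomcat port change is consistent with Nuxeo and travelocity.properties.

Added example, not code from the WSO2 or Nuxeo projects.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NUXEO_HTTP_PORT = 8080       # Nuxeo's default HTTP port
NUXEO_SHUTDOWN_PORT = 8005   # assumed default of Nuxeo's bundled Tomcat

# Constructed sample of the relevant part of <TOMCAT_HOME>/conf/server.xml
SERVER_XML = """<Server port="8006" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8181" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample of travelocity.properties (only the line that matters here)
TRAVELOCITY_PROPERTIES = """#The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL=http://localhost:8181/travelocity.com/home.jsp
"""


def tomcat_ports(server_xml: str) -> dict:
    """Return the shutdown port and every Connector port declared in server.xml, keyed by protocol."""
    root = ET.fromstring(server_xml)
    ports = {"shutdown": int(root.get("port"))}
    for conn in root.iter("Connector"):
        ports[conn.get("protocol", "HTTP/1.1")] = int(conn.get("port"))
    return ports


def assertion_consumer_url(properties: str) -> str:
    """Extract SAML2.AssertionConsumerURL from a Java .properties file."""
    match = re.search(r"^SAML2\.AssertionConsumerURL\s*=\s*(\S+)", properties, re.M)
    if not match:
        raise ValueError("SAML2.AssertionConsumerURL is not set")
    return match.group(1)


def check_setup(server_xml: str, properties: str, sp_acs_url: str) -> list:
    """Return a list of problems; an empty list means the configuration is consistent.

    sp_acs_url is the Assertion Consumer URL entered in the WSO2 IS service
    provider; it has to be the same string as in travelocity.properties.
    """
    problems = []
    ports = tomcat_ports(server_xml)
    http_port = ports.get("HTTP/1.1")
    if http_port == NUXEO_HTTP_PORT:
        problems.append(f"Tomcat HTTP connector still uses Nuxeo's port {NUXEO_HTTP_PORT}")
    if ports["shutdown"] == NUXEO_SHUTDOWN_PORT:
        problems.append(f"Tomcat shutdown port {NUXEO_SHUTDOWN_PORT} collides with Nuxeo's")
    acs = assertion_consumer_url(properties)
    acs_port = urlparse(acs).port or 80
    if acs_port != http_port:
        problems.append(f"ACS URL uses port {acs_port} but Tomcat listens on {http_port}")
    if acs != sp_acs_url:
        problems.append("ACS URL in travelocity.properties differs from the WSO2 IS service provider")
    return problems


if __name__ == "__main__":
    for problem in check_setup(SERVER_XML, TRAVELOCITY_PROPERTIES,
                               "http://localhost:8181/travelocity.com/home.jsp"):
        print("PROBLEM:", problem)
```

Run it against your real files by reading them into the two string arguments; a non-empty list is the reason the travelocity.com login loop fails before you start debugging the Nuxeo side.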
Configuring the identity provider
Follow the steps below to add a new identity provider via the management console of WSO2 Identity Server.
- Download the WSO2 Identity Server from here.
- Run the WSO2 Identity Server.
- Log in to the management console as an administrator.
- In the Identity Providers section under the Main tab of the management console, click Add.
- Specify an appropriate name as the Identity Provider Name.
- Expand the Federated Authenticators section, and then expand the Nuxeo Configuration section.
- Select Enable to enable the Nuxeo authenticator for the identity provider.
- Select Default to set Nuxeo as the default authenticator for the identity provider.
- Specify appropriate values for the following fields:
Client Id : The client ID of the Nuxeo OAuth2 client you created.
Client Secret : The client secret of the Nuxeo OAuth2 client you created.
Callback URL : The URL of WSO2 Identity Server to which Nuxeo redirects the authorization code. It must be identical to the Redirect URI registered in Nuxeo, for example https://localhost:9443/commonauth.
Nuxeo Server URL : The base URL of the Nuxeo server, for example http://localhost:8080. Use an https URL for anything other than a local test, because the client secret is sent to this server when the authorization code is exchanged for a token.
Click Register.
Now you have added the identity provider. Next, let's configure the service provider.
Configuring the service provider
Follow the steps below to configure the service provider.
- On the WSO2 IS management console, click Add under Service Providers.
- Since you are using travelocity as the sample, enter travelocity.com as the Service Provider Name.
- Click Register.
- Expand the Inbound Authentication Configuration section, then expand the SAML2 Web SSO Configuration section, and then click Configure.
- Specify values as follows:
- Issuer: travelocity.com
- Assertion Consumer URL: http://localhost:8181/travelocity.com/home.jsp (this must be the same value as SAML2.AssertionConsumerURL in travelocity.properties)
- Select the following:
- Enable Response Signing
- Enable Single Logout
- Enable Attribute Profile.
- Include Attributes in the Response Always
- Click Update to save the changes. You are returned to the Service Providers page.
- Expand the Local and Outbound Authentication Configuration section.
- Select the Federated Authentication radio button and, from the drop-down list under it, select the identity provider you created.
- Click Update to save the changes.
Now you have added the service provider. Next, let's configure claims.
Configuring claims
Follow the steps below to configure claims. For more information on configuring claims, see Adding Claim Mapping in the WSO2 IS documentation.
- Sign in to the Management Console with your username and password.
- On the Main menu, click Add under Claims.
- Click Add Claim Dialect to create the Nuxeo authenticator specific claim dialect.
- Specify the Dialect URI as http://wso2.org/nuxeo/claims and click Add to create the claim dialect.
- Map the new external claims to existing local claims. Be sure to map at least one claim under the new dialect. Here, let's map the claim for the last name.
- On the Main menu, click Add under Claims.
- Click Add External Claim to add a new claim to the Nuxeo claim dialect.
- Select the Dialect URI as http://wso2.org/nuxeo/claims, then enter the External Claim URI and select the Mapped Local Claim based on the following claim mapping information:
Claim mapping for last name
Dialect URI http://wso2.org/nuxeo/claims
External Claim URI http://wso2.org/nuxeo/claims/lastName
Mapped Local Claim http://wso2.org/claims/lastname
- Click Add to add the new external claim.
- Similarly, repeat the Add External Claim steps for the following claim mappings to create claims for all the public information of the Nuxeo user.
Claim mapping for the first name:
Dialect URI http://wso2.org/nuxeo/claims
External Claim URI http://wso2.org/nuxeo/claims/firstName
Mapped Local Claim http://wso2.org/claims/givenname
Claim mapping for the email:
Dialect URI http://wso2.org/nuxeo/claims
External Claim URI http://wso2.org/nuxeo/claims/email
Mapped Local Claim http://wso2.org/claims/emailaddress
Claim mapping for groups:
Dialect URI http://wso2.org/nuxeo/claims
External Claim URI http://wso2.org/nuxeo/claims/groups
Mapped Local Claim http://wso2.org/claims/role
Claim mapping for user id:
Dialect URI http://wso2.org/nuxeo/claims
External Claim URI http://wso2.org/nuxeo/claims/id
Mapped Local Claim http://wso2.org/claims/userid
Claim mapping for extended groups:
Dialect URI http://wso2.org/nuxeo/claims
External Claim URI http://wso2.org/nuxeo/claims/extendedGroups
Mapped Local Claim http://wso2.org/claims/group
Claim mapping for user name:
Dialect URI http://wso2.org/nuxeo/claims
External Claim URI http://wso2.org/nuxeo/claims/username
Mapped Local Claim http://wso2.org/claims/username
Claim mapping for entity type:
Dialect URI http://wso2.org/nuxeo/claims
External Claim URI http://wso2.org/nuxeo/claims/entity-type
Mapped Local Claim http://wso2.org/claims/userType
Note that mapping groups to http://wso2.org/claims/role lets Nuxeo group membership decide the roles the service provider sees, so only do this for a Nuxeo instance whose group administration you trust.
- Click Update.
Configuring requested claims for travelocity.com
- On the Main tab of the management console, click List under Service Providers.
- Click Edit to edit the travelocity.com service provider.
- Expand the Claim Configuration section.
- Click Add Claim URI under Requested Claims and add the local claims you mapped in the previous section as requested claims.
- Select the Subject Claim URI as http://wso2.org/claims/username to define the authenticated user identifier that is returned with the authentication response to the service provider.
- Click Update. This saves the service provider changes.
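The claim mapping and subject claim selection above, carried out in code as an added example that is not the WSO2 Nuxeo authenticator's own implementation: it takes a constructed Nuxeo user entity (the field names id, entity-type, username, firstName, lastName, email, groups and extendedGroups are the ones the page maps; their nesting under "properties" and the shape of extendedGroups are assumptions), flattens it into the http://wso2.org/nuxeo/claims dialect, translates it to local claims with the same mapping table as the console steps, and refuses to produce a subject identifier if the subject claim is missing.

```python
"""Map a Nuxeo user entity to WSO2 IS local claims.

Added example; not code from the WSO2 Nuxeo authenticator.
"""
import json

NUXEO_DIALECT = "http://wso2.org/nuxeo/claims"
LOCAL_DIALECT = "http://wso2.org/claims"

# The external -> local mapping configured in the management console above
CLAIM_MAPPING = {
    f"{NUXEO_DIALECT}/id": f"{LOCAL_DIALECT}/userid",
    f"{NUXEO_DIALECT}/entity-type": f"{LOCAL_DIALECT}/userType",
    f"{NUXEO_DIALECT}/username": f"{LOCAL_DIALECT}/username",
    f"{NUXEO_DIALECT}/firstName": f"{LOCAL_DIALECT}/givenname",
    f"{NUXEO_DIALECT}/lastName": f"{LOCAL_DIALECT}/lastname",
    f"{NUXEO_DIALECT}/email": f"{LOCAL_DIALECT}/emailaddress",
    f"{NUXEO_DIALECT}/groups": f"{LOCAL_DIALECT}/role",
    f"{NUXEO_DIALECT}/extendedGroups": f"{LOCAL_DIALECT}/group",
}
SUBJECT_CLAIM = f"{LOCAL_DIALECT}/username"  # Subject Claim URI chosen above

# Constructed sample user entity; the nesting is an assumed shape, not captured from a server
SAMPLE_USER = json.loads("""{
  "entity-type": "user",
  "id": "jdoe",
  "properties": {
    "firstName": "Jane",
    "lastName": "Doe",
    "email": "jdoe@example.com",
    "username": "jdoe",
    "groups": ["members", "reviewers"]
  },
  "extendedGroups": [
    {"name": "members", "label": "Members group"},
    {"name": "reviewers", "label": "Reviewers"}
  ]
}""")


def to_external_claims(user: dict) -> dict:
    """Flatten a Nuxeo user entity into the Nuxeo claim dialect.

    Multi-valued attributes (groups, extendedGroups) are joined with a comma,
    the default multi-attribute separator in WSO2 IS; extendedGroups contributes
    only its "name" values.
    """
    flat = dict(user.get("properties", {}))
    for key in ("id", "entity-type"):
        if key in user:
            flat[key] = user[key]
    if "extendedGroups" in user:
        flat["extendedGroups"] = [g["name"] for g in user["extendedGroups"]]
    claims = {}
    for key, value in flat.items():
        if isinstance(value, list):
            value = ",".join(str(v) for v in value)
        claims[f"{NUXEO_DIALECT}/{key}"] = value
    return claims


def to_local_claims(external: dict, mapping: dict = CLAIM_MAPPING) -> dict:
    """Translate external claims to local claims; claims without a mapping are dropped."""
    return {mapping[uri]: value for uri, value in external.items() if uri in mapping}


def subject_identifier(local_claims: dict, subject_claim: str = SUBJECT_CLAIM) -> str:
    """Return the identifier sent to the service provider, or fail loudly.

    A missing subject claim must not silently fall back to another attribute:
    the service provider keys its session on this value.
    """
    subject = local_claims.get(subject_claim)
    if not subject:
        raise ValueError(f"subject claim {subject_claim} missing from Nuxeo user")
    return subject


if __name__ == "__main__":
    local = to_local_claims(to_external_claims(SAMPLE_USER))
    print(json.dumps(local, indent=2))
    print("subject:", subject_identifier(local))
```

The dropped-claims behaviour of to_local_claims mirrors what the console configuration does: an attribute Nuxeo returns that has no external claim under the dialect never reaches the service provider, so add a mapping for anything travelocity.com needs beyond the eight listed.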
Testing the sample
- To test the sample, go to http://<TOMCAT_HOST>:<TOMCAT_PORT>/travelocity.com/index.jsp. For example, http://localhost:8181/travelocity.com/index.jsp.
- Click the appropriate link to log in with SAML from WSO2 Identity Server.
- Enter your Nuxeo credentials in the login prompt of Nuxeo. Once you log in successfully, you are taken to the home page of the travelocity.com application.
Now that you understand how to use Nuxeo as a federated authenticator with WSO2 Identity Server, you can configure the Nuxeo authenticator as required to authenticate Nuxeo users to log in to your organization’s applications.