Chapter 12. Integrating Red Hat JBoss BPM Suite with Red Hat Single Sign-On
Red Hat Single Sign-On (RH-SSO) is a Single Sign-On solution that you can use for securing your browser applications and your REST web services. This chapter describes how you can integrate RH-SSO with Red Hat JBoss BPM Suite and leverage its features.
Integrating with RH-SSO brings an integrated SSO and IDM (Identity Management) environment for Red Hat JBoss BPM Suite. The session management feature of RH-SSO allows you to use different Red Hat JBoss BPM Suite environments on the web by authenticating only once.
For more information on RH-SSO, see the RH-SSO documentation.
Red Hat Single Sign On Integration Points
You can integrate RH-SSO with Intelligent Process Servers using the following integration points:
Business Central authentication through an RH-SSO server
Authenticating Red Hat JBoss BPM Suite Business Central through RH-SSO involves securing both the Business Central web client and its remote services through RH-SSO. This integration enables you to connect to Business Central through RH-SSO using either the web interface or a remote service consumer.
Intelligent Process Server authentication through an RH-SSO server
Authenticating Red Hat JBoss BPM Suite Intelligent Process Server through RH-SSO involves securing the remote services provided by the Intelligent Process Server as it does not provide a web interface for server authentication. This enables any remote Red Hat JBoss BPM Suite service consumer (user or a service) to authenticate through RH-SSO.
Third-party client authentication through an RH-SSO server
Authenticating a third-party client through an RH-SSO server means that third-party clients authenticate themselves using RH-SSO in order to consume the remote service endpoints provided by Business Central and the Intelligent Process Server.
The following sections describe how to achieve RH-SSO integration through these integration points:
12.1. Business Central Authentication through RH-SSO
To authenticate Business Central through RH-SSO:
- Set up and run an RH-SSO server with a realm client for Business Central.
- Install and set up the RH-SSO client adapter for EAP.
- Secure Business Central Remote Service using RH-SSO.
- Create an RH-SSO client and configure the RH-SSO client adapter for Dashbuilder (BAM).
Security realms are used to restrict access to the resources of different applications. It is advised to create a new realm whether your RH-SSO instance is private or shared with other products. You can keep the master realm as a place for super administrators to create and manage the realms in your system. If you are integrating with an RH-SSO instance that is shared with other product installations to achieve Single Sign-On with those applications, all those applications must use the same realm.
Here is how you can install an RH-SSO server and create a security realm for Business Central:
Procedure: Setting Up RH-SSO with Realm Client
- Install and configure a basic RH-SSO standalone server. To do this, follow the instructions in the RH-SSO Installation Guide.
  Note: If you want to run both RH-SSO and Red Hat JBoss BPM Suite servers on the same machine, ensure that you avoid port conflicts. To do so, do one of the following:
  - Update the RHSSO_HOME/standalone/configuration/standalone.xml file and set a port offset of 100. For example:
        <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">
  - Pass the port offset on the command line when you run the server:
        bin/standalone.sh -Djboss.socket.binding.port-offset=100
- Start the RH-SSO server using the following command from RHSSO_HOME/bin:
        ./standalone.sh
  Once the RH-SSO server starts, open http://localhost:8180/auth/admin in a web browser and log in using the admin credentials that you created while installing RH-SSO. When you log in for the first time, you can set up the initial user using the new user registration form.
- On the RH-SSO admin console, click the Realm Settings tab. On the Realm Settings page, click Add Realm. The Add realm page opens.
- On the Add realm page, provide a name for the realm and click Create.
- Click the Client tab from the main admin console menu and click Create. The Add Client page opens.
- On the Add Client page, provide the required information to create a new client for your realm. For example:
  - Client ID: kie
  - Client protocol: openid-connect
  - Root URL: http://localhost:8080/business-central
- Click Save to save your changes.
At this point, the RH-SSO server is configured with a realm and a client for Red Hat JBoss BPM Suite applications (Business Central, in this example), and it is running and listening for HTTP connections at localhost:8180. This realm provides the users, roles, and sessions for the Red Hat JBoss BPM Suite applications.
12.1.2. Setting Up RH-SSO Client Adapter for EAP
To set up the RH-SSO client adapter for EAP:
- Install the RH-SSO adapter for EAP.
- Configure the Red Hat JBoss BPM Suite application and the RH-SSO client adapter.
Procedure: Installing the RH-SSO Adapter for EAP
- Install EAP 6.4.X. See Chapter 2. Installation Instructions from the Red Hat JBoss Enterprise Application Platform Installation Guide.
- Install Red Hat JBoss BPM Suite in the freshly installed JBoss EAP. This step is important because if you configure the RH-SSO adapter by making changes in standalone.xml and then unzip Red Hat JBoss BPM Suite, you may overwrite and lose the RH-SSO adapter configuration.
- Download the EAP adapter from the Red Hat Customer Portal.
- Unzip and install the adapter. For installation instructions, see Installing Adapters for Red Hat Single Sign-On in the RH-SSO Installation Guide.
Procedure: Configuring the RH-SSO Adapter
- Navigate to EAP_HOME/standalone/configuration in your EAP installation and edit standalone.xml to add the RH-SSO subsystem configuration. The subsystem configuration uses the following settings:
  - secure-deployment name: Name of your application's WAR file.
  - realm: Name of the realm that you created for the applications to use.
  - realm-public-key: The public key of the realm you created. You can find it in the Keys tab on the Realm Settings page of the realm you created in the RH-SSO admin console. If you do not provide a value for realm-public-key, the server retrieves it automatically.
  - auth-server-url: The URL of the RH-SSO authentication server.
  - enable-basic-auth: Enables the basic authentication mechanism, so that clients can use both token-based and basic authentication to perform requests.
  - resource: The name of the client that you created.
  - credential name: The secret key of the client you created. You can find it in the Credentials tab on the Clients page of the RH-SSO admin console.
  - principal-attribute: The login name of the user. If you do not provide this value, your user ID is displayed in the application instead of your user name.
  Note: The RH-SSO server converts user names to lowercase. Therefore, after integration with RH-SSO, your user name appears in lowercase in Business Central. If you have user names in upper-case letters hard coded in business processes, the application may not be able to identify the upper-case user.
- Add the following sub-element under the <extensions> section of standalone.xml:
        <extension module="org.keycloak.keycloak-adapter-subsystem"/>
  This secures the application using the urn:jboss:domain:keycloak subsystem in standalone.xml, as opposed to securing it through the web.xml file inside each WAR.
- Navigate to EAP_HOME/bin/ and start the EAP server using the following command:
        ./standalone.sh
  Once the server is running, you can log in to your Red Hat JBoss BPM Suite application (in this example, Business Central) using the RH-SSO admin user credentials.
You can also configure the RH-SSO adapter for EAP by updating your application's WAR file to use the RH-SSO security subsystem. However, the recommended approach is to configure the adapter through the RH-SSO subsystem, which means that you update the EAP configuration once instead of applying the configuration to each WAR file.
12.1.3. Adding a New User
To add new users and assign them a role to access Business Central:
- Log in to the RH-SSO Admin console and open the realm you wish to add a user to.
- Click Users under the Manage section in the left menu bar. An empty user list page called Users opens.
- Click the Add User button on the empty user list to start creating your new user. An Add user page opens.
- Provide user information on the Add user page and click Save.
- Set a new password under the Credentials tab.
- Assign the new user one of the roles that allow access to Business Central (for example, the admin or analyst role for Red Hat JBoss BRMS and the admin or developer role for Red Hat JBoss BPM Suite). Define the roles as realm roles on the Roles page under the Configure section.
- Click the Role Mappings tab on the Users page to assign roles.
Business Central provides different remote service endpoints that can be consumed by third-party clients using the remote API. To authenticate those services through RH-SSO, you must disable a security filter called BasicAuthSecurityFilter. To do this, follow these steps:
Procedure: Disabling BasicAuthSecurityFilter
- Open your application deployment descriptor file (WEB-INF/web.xml) and apply the following changes to it:
  - Remove the servlet filter declaration and the filter mapping for the class org.uberfire.ext.security.server.BasicAuthSecurityFilter.
  - Add a security-constraint for the url-patterns that you removed from the filter mapping, so that the container authenticates those paths through the RH-SSO adapter instead.
- Save your changes.
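The following listing is an added example of the two web.xml edits just described; it is not taken from this page or from the product's own deployment descriptor. The filter class is the one named above, but the filter name (HTTP Basic Auth Filter), the URL patterns (/rest/*, /maven2/*, /ws/*), the web-resource-name and the role name (rest-all) are assumed values chosen for illustration. Use the names and patterns actually present in your web.xml, and keep the role in the auth-constraint aligned with a realm role that the remote users are mapped to in RH-SSO.

```xml
<!-- Added example, not the page's own listing. Filter name, URL patterns,
     web-resource-name and role name are assumed values; read the real
     ones from your WEB-INF/web.xml before editing. -->

<!-- 1. Remove this filter and its mapping. While present, the filter
        answers the listed paths with its own HTTP Basic challenge, so
        those requests never reach the RH-SSO adapter. -->
<filter>
  <filter-name>HTTP Basic Auth Filter</filter-name>
  <filter-class>org.uberfire.ext.security.server.BasicAuthSecurityFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>HTTP Basic Auth Filter</filter-name>
  <url-pattern>/rest/*</url-pattern>
  <url-pattern>/maven2/*</url-pattern>
  <url-pattern>/ws/*</url-pattern>
</filter-mapping>

<!-- 2. Add a security-constraint over the same URL patterns. The container
        now enforces authentication for them, and because the WAR is listed
        as a secure-deployment in the keycloak subsystem, that authentication
        is performed by the RH-SSO adapter (bearer token, or HTTP Basic when
        enable-basic-auth is true). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>remote-services</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
    <url-pattern>/maven2/*</url-pattern>
    <url-pattern>/ws/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Assumed role name; must exist as a realm role in RH-SSO and be
         mapped to every user or service account that calls these paths. -->
    <role-name>rest-all</role-name>
  </auth-constraint>
</security-constraint>
```

A quick check after redeploying: an unauthenticated request to one of the constrained paths should now be rejected by the adapter rather than by the removed filter, and a request carrying a valid RH-SSO bearer token for a user holding the constrained role should succeed.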
Once you have created a realm client for Business Central and set up the RH-SSO client adapter for EAP, you can repeat the same steps to integrate BAM with RH-SSO. After successful integration of RH-SSO with BAM, you can navigate between Business Central and BAM without having to log in again.
Procedure: Integrating RH-SSO with BAM
- On the RH-SSO admin console, open the security realm that you created.
- Click the Client tab from the main admin console menu and click Create. The Add Client page opens.
- On the Add Client page, provide the required information to create a new BAM client for your realm. For example:
  - Client ID: dashbuilder
  - Root URL: http://localhost:8080/dashbuilder
  - Client protocol: openid-connect
- Configure the RH-SSO client adapter for BAM. To do so, navigate to EAP_HOME/standalone/configuration in your EAP installation and edit standalone.xml to add the RH-SSO subsystem configuration. The subsystem configuration uses the following settings:
  - secure-deployment name: The name of the BAM WAR file being deployed.
  - realm-public-key: The public key of the realm you created.
  - resource: The name of the client that you created for BAM (dashbuilder).
  - enable-basic-auth: Enables the basic authentication mechanism, so that clients can use both token-based and basic authentication to perform requests.
  - credential name: The secret key of the client you created for BAM. You can find it in the Credentials tab on the Clients page of the RH-SSO admin console.
  - principal-attribute: The login name of the user. If you do not provide this value, your user ID is displayed in the application instead of your user name.
- Restart the EAP server and open http://localhost:8080/dashbuilder in a web browser to access BAM. Log in to BAM using your RH-SSO admin user credentials.
You can now access both applications (Business Central and BAM) without having to log in again.
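The following listing is an added example of the urn:jboss:domain:keycloak subsystem that both the Business Central procedure (Configuring the RH-SSO Adapter, in section 12.1.2) and the BAM procedure above describe; it is not this page's own listing. The WAR file names (business-central.war and dashbuilder.war, taken from the root URLs used above), the realm name (demo), the namespace version suffix (:1.1), the ssl-required element, and the preferred_username value for principal-attribute are assumptions; the public key and client secret are placeholders that you copy from the RH-SSO admin console.

```xml
<!-- Added example, not the page's own listing. Realm name, WAR names,
     namespace version and ssl-required are assumed; the key and secret
     are placeholders copied from Realm Settings > Keys and
     Clients > Credentials in the RH-SSO admin console. -->
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">

  <!-- Business Central, secured through the "kie" client created in 12.1 -->
  <secure-deployment name="business-central.war">
    <realm>demo</realm>
    <!-- Optional: when omitted, the adapter fetches the realm key itself -->
    <realm-public-key>REALM_PUBLIC_KEY_FROM_ADMIN_CONSOLE</realm-public-key>
    <auth-server-url>http://localhost:8180/auth</auth-server-url>
    <!-- "external": require HTTPS for any non-private address (assumed; not on the page) -->
    <ssl-required>external</ssl-required>
    <!-- Accept HTTP Basic as well as bearer tokens on the remote endpoints -->
    <enable-basic-auth>true</enable-basic-auth>
    <resource>kie</resource>
    <credential name="secret">CLIENT_SECRET_FROM_ADMIN_CONSOLE</credential>
    <!-- Use the login name (OIDC preferred_username claim) instead of the user ID -->
    <principal-attribute>preferred_username</principal-attribute>
  </secure-deployment>

  <!-- BAM (Dashbuilder), secured through the "dashbuilder" client created above.
       Same realm and auth-server-url as Business Central, which is what lets
       one RH-SSO session serve both applications. -->
  <secure-deployment name="dashbuilder.war">
    <realm>demo</realm>
    <realm-public-key>REALM_PUBLIC_KEY_FROM_ADMIN_CONSOLE</realm-public-key>
    <auth-server-url>http://localhost:8180/auth</auth-server-url>
    <ssl-required>external</ssl-required>
    <enable-basic-auth>true</enable-basic-auth>
    <resource>dashbuilder</resource>
    <!-- Each client has its own secret; do not reuse the "kie" secret here -->
    <credential name="secret">CLIENT_SECRET_FROM_ADMIN_CONSOLE</credential>
    <principal-attribute>preferred_username</principal-attribute>
  </secure-deployment>
</subsystem>
```

Two things worth checking against the text above: the element value in resource must match the Client ID exactly as created in the realm, and the credential must be the secret shown for that particular client, since the adapter presents it when exchanging codes for tokens. The ssl-required setting is not part of the page's description; with the localhost URLs used throughout this chapter it has no effect, but on any deployment reached over a public address it is what prevents the adapter from sending the session over plain HTTP.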