Sun GlassFish Web Space Server 10.0 OpenSSO Add-On Guide

How Does the OpenSSO Add-On Work?

The OpenSSO Add-On enables the exchange of user authentication data between a Web Space Server site and an OpenSSO server. From the standpoint of a Web Space Server administrator, the OpenSSO Add-On provides a Community Mapper portlet, which is a GUI-based administration tool for associating OpenSSO users, roles, filtered roles, groups, and realms with Web Space Server users, communities, and organizations.

Figure 2–1 OpenSSO Add-On Overview

There are two general scenarios through which account information is mapped from an OpenSSO server to a Web Space Server:

  • Individual user login

  • Bulk user import

These two scenarios are described in more detail below.

Individual User Login Scenario

When an individual user connects to a Web Space Server site:

  1. The attempt to connect to the Web Space Server site is redirected to the OpenSSO server for authentication.

    • If access to public pages on the Web Space Server site is allowed, then the public pages are displayed without further authentication.

    • If an attempt is made to access any Web Space Server private pages, or if the user initiates a login request by clicking the Sign In link on the Web Space Server page, the user is redirected to an OpenSSO login page.

  2. After successful OpenSSO login, the user is redirected back to the Web Space Server page.

    • If a Web Space Server account corresponding to the account used to log in through the OpenSSO server already exists, the user is logged in to Web Space Server and is redirected to his or her home page.

    • If a corresponding Web Space Server account does not exist, a new Web Space Server account is created.

      • If the user belongs to an OpenSSO realm that is mapped to a Web Space Server organization, then his or her account is assigned to that mapped organization.

      • If the user has an OpenSSO membership (role, filtered role, or group) that is mapped to a Web Space Server community, then the user is added to the mapped community, and Web Space Server content available to that community is displayed.

      • If the user's OpenSSO membership has been subsequently removed, then the user is also removed from the mapped community.

  3. Once a user has been authenticated through OpenSSO, he or she is also signed on with all applications that use those OpenSSO credentials.

  4. Logging out of Web Space Server or any other application that uses OpenSSO causes the user to be logged out of Web Space Server, OpenSSO, and any other application that uses those OpenSSO credentials.
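
The account mapping in step 2 can be modeled as a reconciliation that runs after each successful OpenSSO login. The following is an added example, not code from the OpenSSO Add-On: the mapping tables, the PortalAccount class, and the sync_on_login function are hypothetical, and it assumes that community membership is re-evaluated at every login and that only communities managed by the mapper are revoked.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping tables (hypothetical names), standing in for what an
# administrator would configure through the Community Mapper portlet.
REALM_TO_ORG = {"/emea": "EMEA Organization"}
MEMBERSHIP_TO_COMMUNITY = {
    ("role", "editors"): "Content Editors",
    ("group", "sales"): "Sales Community",
}

@dataclass
class PortalAccount:
    user_id: str
    organization: Optional[str] = None
    communities: set = field(default_factory=set)

def sync_on_login(accounts, user_id, realm, memberships):
    """Reconcile a portal account with OpenSSO state after a successful login.

    Returns (account, created, added, removed).
    """
    created = user_id not in accounts
    if created:
        # No corresponding portal account: create one, and place it in the
        # organization mapped to the user's realm, if there is one.
        accounts[user_id] = PortalAccount(user_id, REALM_TO_ORG.get(realm))
    account = accounts[user_id]

    # Communities the user's current roles, filtered roles and groups map to.
    wanted = {MEMBERSHIP_TO_COMMUNITY[m] for m in memberships
              if m in MEMBERSHIP_TO_COMMUNITY}
    # Assumption: only mapper-managed communities are revoked, so a community
    # joined by other means is left alone.
    managed = set(MEMBERSHIP_TO_COMMUNITY.values())
    added = wanted - account.communities
    removed = (account.communities & managed) - wanted
    account.communities = (account.communities - removed) | added
    return account, created, added, removed

if __name__ == "__main__":
    accounts = {}
    print(sync_on_login(accounts, "alice", "/emea",
                        {("role", "editors"), ("group", "sales")}))
    # The "sales" group was removed in OpenSSO before the next login.
    print(sync_on_login(accounts, "alice", "/emea", {("role", "editors")}))
```

Under these assumptions, a membership revoked in OpenSSO takes effect in the portal only when the reconciliation next runs, so the added and removed sets are the values worth logging for access review.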

Bulk User Import Scenario

In this scenario, typically performed by a Web Space Server site administrator as part of a migration from Portal Server to Web Space Server, an existing set of OpenSSO user accounts is imported in a single step. Instructions for performing a bulk user import are provided later in this guide, in Performing Bulk Imports of OpenSSO User Accounts.


Note –

Bulk import only imports basic OpenSSO user account credentials, and does not map memberships to communities or organizations.