Saturday, November 8, 2008

Deploying WSO2 Identity Solution over Active Directory

This post explains all the steps needed to deploy WSO2 Identity Solution over Microsoft Active Directory [AD].

Let's get started with setting up the AD.

I have set up my AD on Windows Server 2003 [IP: 192.168.1.3]; it looks as shown in the image below.

Let's first create an AD user that WSO2 IS can use to access the AD.

This user can have any name; we'll just call it 'identity'.

Now we need to delegate the task 'Read all user information' to the user 'identity', so that this service account gets read-only access and nothing more.

[Users --> Right Click --> Delegate Control]

Done with that. Let's create another user called 'prabath'. This user represents any user in the AD who can connect to WSO2 IS and download an Information Card against his corresponding AD profile.

All set - we are done with the AD configuration; let's set up Identity Solution.

Download the latest code from the SVN repo: https://svn.wso2.org/repos/wso2/trunk/solutions/identity

Then, from the root directory (say [Identity]) of the downloaded code, run the following command.

[Make sure you have installed Maven 2]

:\> mvn -Drelease clean install

The above will create a zip distribution at [Identity]\modules\distribution\target.

Unzip the zip file into a local folder.

You also need to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0 from here and copy the two jar files from the extracted jce directory (local_policy.jar and US_export_policy.jar) into $JAVA_HOME/jre/lib/security.

Start WSO2 Identity Solution with [IS_INSTALLED_DIR]\bin\wso2is.bat.

Go to the URL https://localhost:12443/admin and log in with admin/admin [user/password], then select 'User Stores' and then 'Add new user store'.

Select LDAPRealm.

Set the LDAPRealm properties. You can find the available AD attribute names from here.

Set Active_Directory realm as the default.

Click on 'Define Claims' and select 'Given name' and 'Email address' [Don't uncheck any claims that are already selected].

Click on 'Claim Mappings'.

Click on 'Given name' and 'Email address' and map each claim to the appropriate AD attribute.

All set; go to https://localhost:12443 and log in with your AD user credentials.

Now you can download an Information Card from WSO2 IS, against your AD account.