Alfresco Share SSO using CAS

zaine — Mon, 23 Feb 2009 10:27:19 GMT

Hi,I have implemented Alfresco with CAS without any issues, but I'm struggling to get Alfresco Share to work with CAS. Has anyone come right with this? ThanksZaine

Re: Alfresco Share SSO using CAS

warren_mcdonald — Sun, 01 Mar 2009 12:15:53 GMT

I would also appreciate some help in this direction.

I have been looking at the NTLM auth implementation in Share which relies on a specificially configured endpoint (wcs) on the Alfresco side.

Will a CAS SSO implementation for Share need to employ the same type of mechanism?
Are the endpoint init parameters used on the NTLM auth filter in Share specific to that module or are they generic to Alfresco authenticator classes?

Regards,

Warren

Re: Alfresco Share SSO using CAS

hongbo — Sat, 11 Apr 2009 13:20:51 GMT

Same here.

I am also looking at the NTLMAuthenticationFilter in Share as a reference point.
By default /share apparently does not use a filter for authentication , unlike /alfresco.

Warren, have you made any progress?

Regards,

Hongbo

Re: Alfresco Share SSO using CAS

t_broyer — Mon, 11 May 2009 12:43:40 GMT

I have implemented Alfresco with CAS without any issues, but I'm struggling to get Alfresco Share to work with CAS. Has anyone come right with this?

Yes, see http://translate.google.com/translate?u=http://blog.atolcd.com/%3Fp%3D115&sl=fr&tl=en

Re: Alfresco Share SSO using CAS

cybertoast — Fri, 30 Oct 2009 12:20:35 GMT

This procedure works great for getting /alfresco cassified. But /share is causing me some grief. What's happening is that the PGTIOU gets issued, but this does not translate to a PGT per the logs below. Stepping through the code I see that the PGTIOU does not map to a PGT in the cache collection (ProxyGrantingTicketImpl.java).
(I'm using cas-client-3.1.8 with the 3.3.4 cas-server. And all this is on Alfresco 3.2r Community.)

1. Sign into /share, get redirected to CAS
2. Log into CAS, get a ticket with service redirect to /share:

09:22:04,064  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:22:04,067  DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:22:04,067  DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/page/site-index
09:22:04,068  DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2Fpage%2Fsite-index"
09:22:22,520  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:22:22,520  DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:22:22,520  DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/page/site-index
09:22:22,520  DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2Fpage%2Fsite-index"
09:22:34,764  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
‍‍‍‍‍‍‍‍‍‍

3. CAS validates ticket:


09:23:51,230  DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Attempting to validate ticket: ST-14-UJ16RLSTe4DhnwR3ncUS-cas
09:23:52,315  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:23:58,287  DEBUG [client.validation.Cas20ProxyTicketValidator] Placing URL parameters in map.
09:23:58,290  DEBUG [client.validation.Cas20ProxyTicketValidator] Calling template URL attribute map.
09:24:02,333  DEBUG [client.validation.Cas20ProxyTicketValidator] Loading custom parameters from configuration.
09:24:16,020  DEBUG [client.validation.Cas20ProxyTicketValidator] Constructing validation url: https://nih.local:8444/cas/proxyValidate?pgtUrl=https%3A%2F%2Fnih.local%3A8443%2Fshare%2FproxyCallback&ticket=ST-14-UJ16RLSTe4DhnwR3ncUS-cas&service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2Fpage%2Fsite-index
‍‍‍‍‍‍‍‍

4. CAS redirects user to share with ST


09:24:16,020  DEBUG [client.validation.Cas20ProxyTicketValidator] Retrieving response from server.
09:24:21,210  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback
09:24:21,212  DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:24:21,212  DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/proxyCallback
09:24:21,212  DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2FproxyCallback"
09:24:22,074  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5KbudOXAGGoekG0gxFdPLOdzxcnQwlqocdf4ajTMKtXAeXa2Z-cas
09:24:22,074  DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:24:22,074  DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5KbudOXAGGoekG0gxFdPLOdzxcnQwlqocdf4ajTMKtXAeXa2Z-cas
09:24:22,075  DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2FproxyCallback%3FpgtIou%3DPGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas%26pgtId%3DTGT-23-l5KbudOXAGGoekG0gxFdPLOdzxcnQwlqocdf4ajTMKtXAeXa2Z-cas"
09:24:22,102  DEBUG [client.validation.Cas20ProxyTicketValidator] Server response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
   <cas:authenticationSuccess>
      <cas:user>admin</cas:user>
      <cas:proxyGrantingTicket>PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas</cas:proxyGrantingTicket>
   </cas:authenticationSuccess>
</cas:serviceResponse>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Here CAS has provided a PGTIOU and a pgtId which references a Ticket-Granting-Ticket (TGT…) instead of a PGT. Not sure if this is wrong or if a TGT is equivalent to a PGT.

5. Share *should* get a ProxyTicket based on the ProxyGrantingTicket (and it fails to find an internal mapping for the PGTIOU):


09:24:43,023  INFO  [client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas
‍‍‍

6. CAS authentication passes, but Share+Alfresco authentication fails:

09:25:30,151  DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Successfully authenticated user: admin
09:25:30,170  DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Redirecting after successful ticket validation.
09:25:30,171  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index;jsessionid=47F57241192E0CBD568B39ECAFE581EC
09:25:35,498  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:26:13,576  DEBUG [atolcd.alfresco.CasAuthenticationFilter] Authenticating user: admin against ticket source http://nih.local:8080/alfresco
09:26:17,862  DEBUG [client.authentication.AttributePrincipalImpl] No ProxyGrantingTicket was supplied, so no Proxy Ticket can be retrieved.
‍‍‍‍‍‍‍

My CAS-server logs don't show any problems either:


2009-10-29 09:24:16,359 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for [callbackUrl: https://nih.local:8443/share/proxyCallback]>
2009-10-29 09:24:21,222 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://nih.local:8080/share/proxyCallback>
2009-10-29 09:24:21,233 DEBUG [org.jasig.cas.util.HttpClient] - <Response code from server matched 200.>
2009-10-29 09:24:21,235 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [callbackUrl: https://nih.local:8443/share/proxyCallback]>
2009-10-29 09:24:21,235 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas]>
2009-10-29 09:24:21,235 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] found in registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-23-l5KbudOXAGGoekG0gxFdPLOdzxcnQwlqocdf4ajTMKtXAeXa2Z-cas] to registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas]>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] found in registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] from registry>
2009-10-29 09:24:22,085 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5KbudOXAGGoekG0gxFdPLOdzxcnQwlqocdf4ajTMKtXAeXa2Z-cas>
2009-10-29 09:24:22,094 DEBUG [org.jasig.cas.util.HttpClient] - <Response code from server matched 200.>
2009-10-29 09:24:22,095 DEBUG [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - <Sent ProxyIou of PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas for service: [callbackUrl: https://nih.local:8443/share/proxyCallback]>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Can anyone shed some light on why exactly I'm not getting the PGT from the PGTIOU? My web.xml is pretty much exactly as Laurent described.

Thanks

Re: Alfresco Share SSO using CAS

hoaivan — Sat, 19 Dec 2009 12:27:01 GMT

4. CAS redirects user to share with ST
09:24:22,074 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5KbudOXAGGoekG0gxFdPLOdzxcnQwlqocdf4ajTMKtXAeXa2Z-cas

Here CAS has provided a PGTIOU and a pgtId which references a Ticket-Granting-Ticket (TGT…) instead of a PGT. Not sure if this is wrong or if a TGT is equivalent to a PGT.

Yes, it's PGT

5. Share *should* get a ProxyTicket based on the ProxyGrantingTicket (and it fails to find an internal mapping for the PGTIOU):
09:24:43,023  INFO  [client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas
‍‍‍

If you setup the proxyCallback servlet correctly, you should able to get it with ProxyTicketReceptor.getProxyTicket(String pgtIou, String target)

Re: Alfresco Share SSO using CAS

akselb — Thu, 02 Sep 2010 12:45:59 GMT

I have also been using the solution posted here. For Alfresco 3.3 I have changed the code slightly and now it works fine with CAS for Alfresco and Alfresco Share.
See my solution here.

topic Re: Alfresco Share SSO using CAS in Alfresco Archive

Alfresco Share SSO using CAS

Re: Alfresco Share SSO using CAS

Re: Alfresco Share SSO using CAS

Re: Alfresco Share SSO using CAS

Re: Alfresco Share SSO using CAS

Re: Alfresco Share SSO using CAS

Re: Alfresco Share SSO using CAS