https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230679#M183809 <HTML><HEAD></HEAD><BODY><SPAN>Using OpenSSO for authentication or any other method for that matter is totally doable if the basics are understood properly.</SPAN><BR /><BR /><SPAN>a) Share never ever fully authenticates a user. All that authentication plugins can do is forward credentials to the underlying repository and that repository is responsible for the authentication. (Note: NOT the web client, although it provides some of the hooks.)</SPAN><BR /><SPAN>b) SSO filters of Share have to work in conjunction with endpoint connectors to allow SSO and normal login behaviour depending on the entry point of the user. A SSO filter alone will not work if the endpoint connector (including its authenticator) can't retain the authenticated session on the repository.</SPAN><BR /><SPAN>c) Authentication filters of the repository / web client applications have to allow for the possibility of SSO and password logins. Usually the documentation/tutorials on that matter follow a SSO-only or login-only approach where both methods can not co-exist. I can not speak to the SourceSense plugin though.</SPAN><BR /><BR /><SPAN>What you need should be these components (based on my experience with the matter of backporting some SPNEGO fixes from 3.3 to 3.2 and enabling co-existence of SSO and login):</SPAN><BR /><BR /><SPAN>a) A filter for Alfresco Share that takes the SSO token, authenticates against the repository by passing it in a call to "/touch" and sets the external authentication flag in the session. Use the SSOAuthenticationFilter as a rough guideline for your implementation.</SPAN><BR /><SPAN>b) An authenticator for Alfresco Share endpoint connections that checks both the ticket in the connector session and the external authentication flag when determining if a user has already been authenticated. Simply extend the AlfrescoAuthenticator here. (Only this authenticator will later allow your users to both use SSO or normal login.)</SPAN><BR /><BR /><SPAN>You should not need to explicitly call authenticate or login on the UserFactory or the AuthenticationUtil at all for this to work.</SPAN></BODY></HTML> Sat, 16 Oct 2010 16:41:13 GMT afaust 2010-10-16T16:41:13Z https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230678#M183808 I am writing an OpenSSO plugin for Alfresco Share. My spec is to check for the presence and validity of an SSO token in a cookie; if the cookie is not there, or is expired, the user should login to Share in the normal way, but if the cookie is present, and contains a valid token, then the user shoul Fri, 08 Oct 2010 03:36:09 GMT https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230678#M183808 metadaddy 2010-10-08T03:36:09Z https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230679#M183809 <HTML><HEAD></HEAD><BODY><SPAN>Using OpenSSO for authentication or any other method for that matter is totally doable if the basics are understood properly.</SPAN><BR /><BR /><SPAN>a) Share never ever fully authenticates a user. All that authentication plugins can do is forward credentials to the underlying repository and that repository is responsible for the authentication. (Note: NOT the web client, although it provides some of the hooks.)</SPAN><BR /><SPAN>b) SSO filters of Share have to work in conjunction with endpoint connectors to allow SSO and normal login behaviour depending on the entry point of the user. A SSO filter alone will not work if the endpoint connector (including its authenticator) can't retain the authenticated session on the repository.</SPAN><BR /><SPAN>c) Authentication filters of the repository / web client applications have to allow for the possibility of SSO and password logins. Usually the documentation/tutorials on that matter follow a SSO-only or login-only approach where both methods can not co-exist. I can not speak to the SourceSense plugin though.</SPAN><BR /><BR /><SPAN>What you need should be these components (based on my experience with the matter of backporting some SPNEGO fixes from 3.3 to 3.2 and enabling co-existence of SSO and login):</SPAN><BR /><BR /><SPAN>a) A filter for Alfresco Share that takes the SSO token, authenticates against the repository by passing it in a call to "/touch" and sets the external authentication flag in the session. Use the SSOAuthenticationFilter as a rough guideline for your implementation.</SPAN><BR /><SPAN>b) An authenticator for Alfresco Share endpoint connections that checks both the ticket in the connector session and the external authentication flag when determining if a user has already been authenticated. Simply extend the AlfrescoAuthenticator here. (Only this authenticator will later allow your users to both use SSO or normal login.)</SPAN><BR /><BR /><SPAN>You should not need to explicitly call authenticate or login on the UserFactory or the AuthenticationUtil at all for this to work.</SPAN></BODY></HTML> Sat, 16 Oct 2010 16:41:13 GMT https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230679#M183809 afaust 2010-10-16T16:41:13Z