topic Re: External SSO via http headers not working. in Alfresco Archive

External SSO via http headers not working.

bdaniel — Sat, 28 Jun 2014 18:47:05 GMT

Hi there, I want to enable external authentication via http headers as described here:http://docs.alfresco.com/4.2/tasks/auth-alfrescoexternal-sso.htmlhttp://www.youtube.com/watch?v=5tS0XrC_-rwAfter configuring my system my normal web authentication (via username and password) no longer works. The

Re: External SSO via http headers not working.

afaust — Sun, 29 Jun 2014 15:21:08 GMT

Hello,

you cannot use the External authentication subsystem without enabling a second, SSO-capable authentication subystem such as alfrescoNtlm. So your chain should include such a subsystem and you should set *.sso.enabled for that subystem.

Regards
Axel

Re: External SSO via http headers not working.

bdaniel — Sun, 29 Jun 2014 20:09:22 GMT

Hi Axel,

Thanks for your help. I have added alfrescoNtlm to my chain and enabled SSO and at least normal authentication works again now.

However, I don't want to authenticate via NTLM (I understand this to be Windows authentication). I now get a username and password popup when I visit myhost:8080/alfresco in the browser with modified headers. If I click cancel I get the normal web login screen.

In this video ( http://www.youtube.com/watch?v=5tS0XrC_-rw ) it seems that it is possible to achieve External Authentication SSO by simply modifying the headers (No NTLM, CAS, Kerberos or anything like that). There is no mention made of having to enable SSO for NTLM for instance.

E.g. if I modify the headers with X-Alfresco-Remote-User as the name and admin as the value I expect to be logged in as the admin user. If I use e.g. peter as the value I should be logged in as Peter irrespective of which Windows user I am logged in as. That's what I understood from Mehdi Belmekki's video. Am I understanding this correctly?

Thanks again,
Barry

Re: External SSO via http headers not working.

mrogers — Sun, 29 Jun 2014 20:29:00 GMT

If your authentication chain only has a single authenticator of type external then there's only one way of authenticating. You don't have any "normal web authentication" in your chain. The authenticator of type alfrescoNtlm is badly named it should really just be alfresco or alfresco internal. What it will do is authenticate the username / password against the hash value stored within alfresco.

Also I don't like seeing hacking files under web-inf. don't do it. you will loose your changes on redeploy.

Re: External SSO via http headers not working.

bdaniel — Sun, 29 Jun 2014 21:24:09 GMT

Thanks mrogers,

I have added alfrescoNtlm to my chain and thus regained normal web login functionality. However, I still don't have SSO via modifying HTTP headers as per the http://www.youtube.com/watch?v=5tS0XrC_-rw video. I now get a popup asking for username and password.

Also, you mention that I should not 'hack' files under WEB-INF. Could you specify the correct place to make these sort of changes instead?

Much appreciated,
Barry

Re: External SSO via http headers not working.

afaust — Mon, 30 Jun 2014 13:25:23 GMT

Hello,

all configuration should go in the tomcat/shared/classes/alfresco/extension directory or the tomcat/shared/classes/alfresco-global.properties file.
Regarding external authentication it is important to know that by default, Alfresco tries to validate the client passing the modified headers via a client certificate check. Unless you are actually using SSL and a client certificate, you have to disable that or Alfresco won't actually accept the modified headers. Last time I used this for a development setup, this amounted to setting the "external.authentication.proxyUserName" property to the empty value / string.

The reason you need to enable SSO on a different authentication subsystem is that the external subsystem alone only overs the Explorer UI and web scripts via the /wcs or /wcservice endpoint. The SSO filter for NTLM / Kerberos call the logic for header evaluation (of the external subsystem) on the other HTTP servlets…
At least that was the case the last time I worked with external on 4.2.x. There might be differences between the Alfresco versions concerning default configuration.

Regards
Axel

Re: External SSO via http headers not working.

bdaniel — Mon, 30 Jun 2014 21:56:19 GMT

Hi Axel,

Thanks, I managed to get the external SSO working now via modified headers using curl in my terminal. I have set ntlm.authentication.sso.enabled=false and the login popup has now gone and the external SSO is still working. I suppose my Firefox Modify headers plugin was not working somehow. I also moved the configs into alfresco global properties file.

Now that I am logged in I need to get a ticket for the logged in user as I want to make CMIS calls (using Apache Chemistry PHP client). Is there an easy way to do this?

Much appreciated,

Re: External SSO via http headers not working.

afaust — Tue, 01 Jul 2014 08:44:50 GMT

Hello Barry,

I recently had to do the same thing. There is no out-of-the-box web script you can call to "just" give you a ticket - the one web script that does exists requires you to actually provide username and password. I just wrote myself a tiny custom web script that I then called with active external authentication.
The web script is as simple as the following FTL:


{<#escape x as jsonUtils.encodeJSONString(x)>
    "ticket" : "${session.ticket}"
</#escape>}
‍‍‍‍‍

Regards
Axel

Re: External SSO via http headers not working.

bdaniel — Tue, 01 Jul 2014 21:26:19 GMT

Hi Axel,

Thanks, this works brilliantly!

Re: External SSO via http headers not working.

bdaniel — Fri, 11 Jul 2014 21:30:57 GMT

Hi there,

What would be the best way to make external authentication via http headers as secure as possible?

So far it seems these two things are recommended:
1. Make sure that no untrusted direct access to Alfresco's HTTP or AJP ports is allowed.
2. Use SSL.

Any other things to add?

I still want users to be able to log in to Alfresco / Share directly via the web interface.

Thanks,

Re: External SSO via http headers not working.

pnkrravi — Wed, 13 Aug 2014 18:07:26 GMT

Hi,
We are currently testing external sso auth through firefox modify adon to pass header. Can you please share your alfresco-global.properties file. We followed all the steps given in this but no luck so far.

Regards,
Ravi

Re: External SSO via http headers not working.

kimberlydeborah — Wed, 17 Sep 2014 06:54:08 GMT

You can also referred to as SSO (Single Sign-on), is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again. So you can try start working again.

Re: External SSO via http headers not working.

bdaniel — Sun, 09 Nov 2014 18:51:51 GMT

Hi there, on Alfresco 5.0.b it seems the URL for external SSO via http headers has changed. In any case I can't seem to get it working again.

Can anyone help me out with the correct URL? In Alfresco 4.2 I was using http://mydomain:8080/alfresco

Thanks

Re: External SSO via http headers not working.

olidrouin — Tue, 25 Nov 2014 16:06:08 GMT

Hello,
I'd like some clarification on Barry's step #4 (i.e.: 4. In /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml set connector-id: alfrescoHeader). What is the relevant documentation regarding this step, if any?

Thank you!
Olivier.