topic SSO/External Authentication still broken in 201611EA? in Alfresco Archive

SSO/External Authentication still broken in 201611EA?

davidd2go — Wed, 23 Nov 2016 08:00:52 GMT

HiI tried to get SSO (with CAS) working on version 201611EA. According to the release notes earlier problems as reported by in this bug should have been solved in the 201611EA release.However I still see problems for which I filed a new bug-report here.Since the details are described there I won't

Re: SSO/External Authentication still broken in 201611EA?

idwright — Wed, 23 Nov 2016 09:38:42 GMT

I have CAS authentication working with repo/share version 5.1.g and can confirm that I'm seeing the same thing with 5.2.b-EA/5.2.c-EA

with the same code GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS single sign on

I haven't yet made any effort to diagnose this.(I recently changed my approach to this problem so may try the old approach to see what happens)

(Something seems to change in this area with every release....)

Re: SSO/External Authentication still broken in 201611EA?

pinux — Fri, 09 Dec 2016 21:09:10 GMT

Hi Ian,

also I planned to run Alfresco with CAS auth; after a lot of work trying to follow the official Alfresco approach here Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation I decied to change my way and I found your github project GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS single sign on . So I installed fresh version of Alfresco Community version 5.0.d, integrated the amp file alfresco-cas-share-amp-1.2.2.amp produced; my java-cas-client-properties is:

casServerLoginUrl=https://my-server-hostname:8444/cas-webapp/login
serverName=https://my-server-hostname:8443
ticketValidatorClass=org.jasig.cas.client.validation.Cas30ServiceTicketValidator
casServerUrlPrefix=https://my-server-hostname:8444/cas-webapp

The x509 certificate of alfresco is the default one provided with Alfresco fresh installation (under $ALFRESCO_HOME/alf_data/keystore) while the x509 certificate of CAS Server was self made with the keytool -utility (keytool -genkey -alias tomcat -keyalg RSA) and when asked the common nome i used my-server-hostname.

When I try to login in Alfresco Share I'm redirect to CAS login, successfully login on CAS but whe I'm redirect to Alfresco Share I received an error. In catalina.out the error is:

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

What I'm wrong?

Could you help me to solve the problem?

Thanks in advance.

Pino

Re: SSO/External Authentication still broken in 201611EA?

idwright — Mon, 12 Dec 2016 07:55:14 GMT

Hi Pino,

This is almost certainly down to using self signed certificates for the CAS server.

Note this is different from the Alfresco x509 certificates.

If you can, it is much the easiest to use a full certificate e.g. using Lets Encrypt - this might help Configuring Alfresco SSL by using Let's Encrypt - keensoft

Otherwise it's a case of getting hold of the client certificate and adding it to the cacerts file used by the java that is running tomcat - which is relatively painful to do. See SSL Troubleshooting and Reference Guide - CAS User Manual - Apereo Wiki

Re: SSO/External Authentication still broken in 201611EA?

pinux — Mon, 12 Dec 2016 15:48:52 GMT

Hi Ian,

thanks for your reply; added the certificate to cacerts file used by tomcat JVM; now I'm receiving a new error:

ERROR [alfresco.web.site] [http-bio-8443-exec-19] javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)

Could you help me to solve the problem?

Thanks in advance,
Pino

Re: SSO/External Authentication still broken in 201611EA?

idwright — Mon, 12 Dec 2016 16:05:58 GMT

I think you're going to need to debug your CAS installation - perhaps look at the CAS server logs.

You could also try enabling the CAS client debug logging in Alfresco so you can see what the server is returning

Re: SSO/External Authentication still broken in 201611EA?

pinux — Tue, 13 Dec 2016 22:23:35 GMT

Ian,

try to debug the error, but whitout success; one question: is your project GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS single sign on based on the use of mod_auth_cas described here: Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation ?

Thanks for your support.

Pino

Re: SSO/External Authentication still broken in 201611EA?

idwright — Wed, 14 Dec 2016 07:48:53 GMT

My project does not use mod_auth_cas at all, instead it uses the CAS client jars installed as part of the amps.

It should be quite straightforward to use my project to test your CAS installation using run.sh - you should just need to change the serverName in java-cas-client.properties to http://localhost:8080 before running it.

If you are using mod_auth_cas then you can still debug it but you need to use the Apache configuration files in order to do so

(mod_auth_cas has been updated since I last looked at it)

Re: SSO/External Authentication still broken in 201611EA?

pinux — Wed, 14 Dec 2016 08:18:19 GMT

Hi Ian,

thanks for your fast reply; if I decide to follow your project (so without mod_auth_cas) but with a standalone version of Alfresco community which version of Alfresco you should suggest to use and which version of CAS?

Thanks for your support.

Pino

Re: SSO/External Authentication still broken in 201611EA?

idwright — Wed, 14 Dec 2016 08:42:08 GMT

My project is built using 5.1.g for both share and repository and that is what I would recommend.

5.1.g is the only recent version of share that works so while I'd prefer to use an OOTB GA version that's not really practical (it is possible but only with patching and I think it's better not to)

I'm currently on the 4.1 version of CAS but will be looking to upgrade soon - in theory this shouldn't make any difference as the java version of the cas client is the best supported client and I'm using the most recent version.

Re: SSO/External Authentication still broken in 201611EA?

pinux — Fri, 16 Dec 2016 10:13:36 GMT

Hi Ian,

I have successfully setup Alfresco 5.1g with CAS version 4.0 (unable to retrieve a valid pom file for 4.1 for LDAP support)

Now I can successfully login and logout from Alfresco through the CAS server. I have also integrated with CAS another service (Joomla website) and when I login in Joomla (or in Alfresco) I'm also logged in Alfresco (or Joomla).

But when I logout from Joomla (or in Alfresco) I logout from Joomla (and also CAS) but still remain logged in Alfresco (or Joomla); maybe the POST sent from CAS after the logout failed.

What do you think is the problem? If as I suppose is related to browser session, can I construct a POST in Joomla (so in php) to send to Alfresco in order to invalidate Alfresco browser session? Such as this:

curl -i -H "application/x-www-form-urlencoded" -X POST --data '{"redirectURL":"https://my-site/cas/logout","redirectURLQueryKey":"service","redirectURLQueryValue":"https://my-site"}' "https://my-site/share/page/dologout"

Thanks in advance,

Pino

Re: SSO/External Authentication still broken in 201611EA?

idwright — Fri, 16 Dec 2016 11:00:10 GMT

To the best of my knowledge nobody has done anything about single sign out for Alfresco.

I guess you'd have to in some way extend the CAS client single sign out filter and install that into the Alfresco instance

I think what you suggest would work for your case - you probably don't even need the data (assuming Joomla logs you out of CAS)

Re: SSO/External Authentication still broken in 201611EA?

pinux — Fri, 16 Dec 2016 12:35:40 GMT

Thanks, Ian!

I tried with POST but it works only if I set the cookie with JSESSIONID that is present in the header of the request sent by the browser to Alfresco; is there any way to produce the same POST that should be sent from joomla code?

Thanks in advance.

Pino