topic Re: Testing External Authentication in Alfresco Archive

Testing External Authentication

arbitraryname — Tue, 28 Jul 2015 23:35:22 GMT

Hello;I am trying to configure external authentication. authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlmexternal.authentication.proxyUserName=secretAccountexternal.authentication.enabled=trueexternal.authentication.defaultAdministratorUserNames=adminexternal.authentication.proxyHea

Re: Testing External Authentication

niketapatel — Wed, 29 Jul 2015 06:21:19 GMT

I think, Your test is flawed.

First this login script /api/login doesnt require any authentication. Any user can hit it and can get ticket. And its logic is to get ticket for provided user ID and pwd NOT for one which is there in header.

To verify external authentication - Try some other script like /alfresco/wcservice/slingshot/dashlets/my-contents. pass userid in header and verify.

Other thing - You need to user wcservice NOT service. Please check this link for detail - https://wiki.alfresco.com/wiki/Web_Scripts

/service => HTTP Basic Authentication e.g. http://localhost:8080/service/api/path/Workspace/SpacesStore/Company%20Home/children
/wcservice => Alfresco Explorer Authentication e.g. http://localhost:8080/wcservice/api/path/Workspace/SpacesStore/Company%20Home/children

Hope this help!

Re: Testing External Authentication

arbitraryname — Wed, 29 Jul 2015 22:57:42 GMT

I can not seem to authenticate to that URL…

I turned on external auth, and still support Alfresco NTLM…

But when I set the authentication header to the base64 encoded value IE: Authorization | Basic {base64 usernameassword}

It won't authenticate that user. Am i doing that right?

I guess i don't know how to authenticate with my external user and set the header for another user.

Re: Testing External Authentication

arbitraryname — Thu, 30 Jul 2015 04:45:59 GMT

So I had to abandon my community in addition I was running on a VM the test with.

What I did was enable external authentication through the admin console and left the alfresco and NTLM turned on. Next I created an account named secret via share. I set the external authentication config to trust that secret account

I can see the account work if I hit /service/ using an authorization header previously configured to be Basic {base 64 encode usernameasswd}

But I can't seem to make that work on the wsservice end point. I even tried getting a ticket from /service and using that as ?alf_ticket=TICKET_blahblah.

So I guess my summary question is how do I actually now authenticate with that secret account when I am calling the WS service end point? Setting the header value to another's username is no problem; but I can't seem to figure out how to authenticate the requester.

Re: Testing External Authentication

arbitraryname — Thu, 30 Jul 2015 23:22:00 GMT

I think I made a lot of progress. But I still don't seem to be triggering the sub system (this time I configured it via the admin console)

We used service/api/login?u=secretProxyUser&pw=password to get the ticket which was TICKET_000000000000000000

Then we tried to talk to /wcservice/api/activities/feed/user?ticket=TICKET_000000000000000000 which successfully gave us a response of:

*Parens for xml tags*

(link rel="self" href=""/)
(title)Alfresco Activities User Feed for secretProxyUser(/title)
(/feed)

Good news! We successfully authenticated as the secretProxyUser since we saw the user name in the xm.

Then we tried setting the "X-Alfresco-Remote-User" header as another user name in the system.

Sad news! the response came back as the same 'User Feed for secretProxyUser'

Any tips anyone?

Re: Testing External Authentication

mrogers — Fri, 31 Jul 2015 10:55:37 GMT

Why are you trying to use a ticket with external authentication?

Re: Testing External Authentication

arbitraryname — Fri, 31 Jul 2015 13:30:27 GMT

I'm trying to use that ticket to authenticate the proxy user that is called out in the external authentication configuration.

After getting help to call under /wcservice to invoke the Alfresco authentication chain; I'm pretty lost as how to actually now authenticate as the proxy user configured for external authentication

I thought perhaps I could get a ticket from/service for the proxy user, and then use that to authenticate the call,then call out another user in the header, in hopes the external with chain would run it as the user in the header value.

Eventually I want to use a web script to get back a ticket for another user in the system (the one called out in the header) and then I can use that ticket to make calls on their behalf.

In effect all I really need to do is be able to get a ticket for another user based on knowing the username. In a alfresco and NTLM forms/basic username and password stored in the repo scheme.

Re: Testing External Authentication

arbitraryname — Wed, 05 Aug 2015 04:59:13 GMT

I got external authentication to work; but only if I set the proxyUserName property to an empty string ""

In that case I can set the x-alfresco-header to a username and see the request run as that user.

I still think the root cause is my inability to authenticate the proxyUser account. Can anyone help me understand how to do that? All I have found is using a Ticket, but that bypasses the rest of the authentication chain.