External Authentication using Shibboleth

criedlberger — Wed, 22 Jan 2020 17:21:49 GMT

Hi there, we are having an issue using header based external authentication using shibboleth in Alfresco 5.2. User passwords are being corrupted and cannot login even after we change the password. After disabling external authentication in the authentication chain everything starts to work again. I have included the following setup for the files we are using in alfresco, apache and shibboleth:

alfresco-global.properties:

authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.defaultAdministratorUserNames=admin

apache conf:

<VirtualHost *:80>#DocumentRoot '/home/alfresco/apps/httpd-2.2.17/htdocs'
ServerName https://ourserver.com
UseCanonicalName On
#ErrorLog '/home/alfresco/apps/httpd-2.2.17/logs/error_log'
#TransferLog '/home/alfresco/apps/httpd-2.2.17/logs/access_log'#Remove header to close hole to access Alfresco with arbitrary user
RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off
RewriteEngine On# Ignore Shibboleth
ProxyPass /Shibboleth.sso !# Alfresco Surfconext
ProxyPass /surfconext ajp://alfresco:8009/alfresco/s/board/api/auth
#ProxyPassReverse /surfconext http://192.168.65.2:3001/ProxyPass / http://exam-board-svc
ProxyPassReverse / http://exam-board-svc</VirtualHost>

shibboleth2.xml:

<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">    <ApplicationDefaults entityID="https://ourserver.com/Shibboleth"
                         REMOTE_USER="Shib-eduPersonPN Shib-eduPersonPrincipalName persistent-id targeted-id">
        <Sessions lifetime="30" timeout="30" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="https" maxTimeSinceAuthn="60">
            <SSO entityID="https://engine.surfconext.nl/authentication/idp/metadata" forceAuthn="true">SAML2</SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status"            Location="/Status"/>
            <Handler type="Session"           Location="/Session" showAttributeValues="true"/>
            <Handler type="DiscoveryFeed"     Location="/DiscoFeed"/>
        </Sessions>
        <Errors supportContact="out.email@ourserver.com" logoLocation="https://www.ourserver.com/gfx/logo.png" styleSheet="/shibboleth-sp/main.css"/>
        <MetadataProvider type="XML" url="https://metadata.surfconext.nl/idp-metadata.xml" backingFilePath="metadata-surfconext.xml" reloadInterval="3600000">
            <MetadataFilter type="Signature" certificate="/etc/shibboleth/surfconext.pem"/>
        </MetadataProvider>
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="shib.key" certificate="shib.crt"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Does anyone know how External Authorization might be causing this issue.

Thanks

Re: External Authentication using Shibboleth

openpj — Thu, 23 Jan 2020 11:10:34 GMT

External authentication in the default installation of Alfresco is implemented only using HTTP Header federation.

Looking at your Shibboleth configuration I see only SAML2 and XML that are both not supported by Alfresco. SAML2 is supported only if you install the dedicated plugin or if you use the Alfresco Identity Server (Keycloak).

Your apache conf seems wrong:

RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off

it should be:

RequestHeader unset X-Alfresco-Remote-User
ProxyRequests Off

Maybe this could be a problem.

Re: External Authentication using Shibboleth

criedlberger — Wed, 29 Jan 2020 16:45:38 GMT

I am not sure why you say it doesn't support SAML 2.0 when the documentation directly contradicts this: https://docs.alfresco.com/saml/concepts/saml-prereqs.html

Maybe I am misunderstanding, could you maybe explain a little more, also the issue with the apache conf was just a copy and paste error, sorry about that.

Re: External Authentication using Shibboleth

mjw — Mon, 10 Feb 2020 17:16:17 GMT

The documentation you link to mentions, that you have to install this separatly. I guess that's what @openpj was refering to as the "dedicated plugin" which seems to be available to paying customers only.

My understanding would be that the prefered way for SAML SSO would be to use the Identity Services (Keycloak) as the glue between ACS/APS and Shibboleth. But it's basically a guess, so do your own research.

topic Re: External Authentication using Shibboleth in Alfresco Forum

External Authentication using Shibboleth

Re: External Authentication using Shibboleth

Re: External Authentication using Shibboleth

Re: External Authentication using Shibboleth