https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328382#M15383 <P>With Nuxeo DM 5.5, I tried to use &lt;i&gt;nuxeo-platform-login-portal-sso&lt;/i&gt; for authentication using &lt;i&gt;nuxeo-http-client&lt;/i&gt; but I have always 401 reponse when calling &lt;i&gt;client.getSession()&lt;/i&gt;. Inside server.log, I have this lines</P> Tue, 31 Jan 2012 14:39:47 GMT hachicha_ 2012-01-31T14:39:47Z https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328380#M15381 <P>I want to use <CODE>nuxeo-platform-login-portal-sso</CODE> for authentication, but how do I communicate the client authentication info exactly?</P> Thu, 22 Dec 2011 17:10:35 GMT https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328380#M15381 Florent_Guillau 2011-12-22T17:10:35Z https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328381#M15382 <P>First, note that <CODE>nuxeo-platform-login-portal-sso</CODE> is a bit of a misnomer, what this module really does is establish a shared-secret method of authenticating between the Nuxeo server and a client.</P> <H1>Server</H1> <P>On the server side, you establish it using something like:</P> <PRE><CODE>&lt;extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators"&gt; &lt;authenticationPlugin name="PORTAL_AUTH"&gt; &lt;loginModulePlugin&gt;Trusting_LM&lt;/loginModulePlugin&gt; &lt;parameters&gt; &lt;parameter name="secret"&gt;MySharedSecret&lt;/parameter&gt; &lt;parameter name="maxAge"&gt;60&lt;/parameter&gt; &lt;/parameters&gt; &lt;/authenticationPlugin&gt; &lt;/extension&gt; &lt;!-- Include Portal Auth into authentication chain --&gt; &lt;extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain"&gt; &lt;authenticationChain&gt; &lt;plugins&gt; &lt;!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth --&gt; &lt;plugin&gt;BASIC_AUTH&lt;/plugin&gt; &lt;plugin&gt;PORTAL_AUTH&lt;/plugin&gt; &lt;plugin&gt;FORM_AUTH&lt;/plugin&gt; &lt;/plugins&gt; &lt;/authenticationChain&gt; &lt;/extension&gt; </CODE></PRE> <P>Here we've chosen to name this authentication method <CODE>PORTAL_AUTH</CODE>. Note that the <STRONG>secret</STRONG> parameter contains the shared secret that the client will have to know.</P> <H1>Client</H1> <P>On the client side, you could use one of the existing clients:</P> <H2>Using nuxeo-http-client</H2> <P><CODE>nuxeo-http-client</CODE> is a sample Java client to do REST calls to Nuxeo. You can configure it connect to a server that uses <CODE>nuxeo-platform-login-portal-sso</CODE> by doing:</P> <PRE><CODE>NuxeoServer nxServer = new NuxeoServer("http://127.0.0.1:8080/nuxeo"); nxServer.setAuthType(NuxeoServer.AUTH_TYPE_SECRET); nxServer.setSharedSecretAuthentication("Administrator", "MySharedSecret"); </CODE></PRE> <P>See <CODE>src/test/java/org/nuxeo/ecm/http/client/remote/tests/RemoteTests.java</CODE> in <CODE>nuxeo-http-client</CODE> for more.</P> <H2>Using nuxeo-automation-client</H2> <P><CODE>nuxeo-automation-client</CODE> is a more modern Nuxeo Java client using high-level Document abstractions. You can configure it to connect to a server that uses <CODE>platform-login-portal-sso</CODE> by doing:</P> <PRE><CODE>HttpAutomationClient client = new HttpAutomationClient("http://localhost:8080/nuxeo/site/automation"); client.setRequestInterceptor(new PortalSSOAuthInterceptor("MySharedSecret", "Administrator")); Session session = client.getSession(); </CODE></PRE> <P>See <CODE>src/test/java/org/nuxeo/ecm/automation/client/jaxrs/test/SampleSSOPortal.java</CODE> in <CODE>nuxeo-automation-client</CODE> for more.</P> <H2>Manual HTTP calls</H2> <P>If you want to do all the calls to Nuxeo yourself, you'll have to decide which HTTP requests to make, and in addition you'll have to send some specific headers to authenticate. The HTTP headers are:</P> <UL> <LI><CODE>NX_TS</CODE>: the timestamp, in milliseconds since epoch, when you're generating the request.</LI> <LI><CODE>NX_RD</CODE>: a few some random characters.</LI> <LI><CODE>NX_USER</CODE>: the user as whom you want to authenticate.</LI> <LI><CODE>NX_TOKEN</CODE>: a token proving authentication generated using the algorithm <CODE>BASE64_MD5(timestamp + ":" + random + ":" + secret + ":" + user)</CODE></LI> </UL> <P>The token contains the secret but in a hashed form which cannot be reversed by an eavesdropper to generate new requests. The timestamp is used to avoid replay attacks (the delta with the real time on the server cannot be more than the <CODE>maxAge</CODE> specified on the server). The random characters are used to avoid pre-computed dictionary attacks.</P> <P>The following Java code can be used:</P> <PRE><CODE>import java.security.MessageDigest; import javax.xml.bind.DatatypeConverter; public String makeToken(String timestamp, String random, String secret, String user) throws Exception { String clearToken = timestamp + ":" + random + ":" + secret + ":" + user; byte[] md5 = MessageDigest.getInstance("MD5").digest( clearToken.getBytes()); return DatatypeConverter.printBase64Binary(md5); } </CODE></PRE> <P>As a validation of your code, check that <CODE>makeToken("1324572561000", "qwertyuiop", "secret", "bob")</CODE> returns <CODE>8y4yXfms/iKge/OtG6d2zg==</CODE></P> Thu, 22 Dec 2011 17:58:46 GMT https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328381#M15382 Florent_Guillau 2011-12-22T17:58:46Z https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328382#M15383 <P>With Nuxeo DM 5.5, I tried to use &lt;i&gt;nuxeo-platform-login-portal-sso&lt;/i&gt; for authentication using &lt;i&gt;nuxeo-http-client&lt;/i&gt; but I have always 401 reponse when calling &lt;i&gt;client.getSession()&lt;/i&gt;. Inside server.log, I have this lines</P> Tue, 31 Jan 2012 14:39:47 GMT https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328382#M15383 hachicha_ 2012-01-31T14:39:47Z https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328383#M15384 <P>How does that integrate with other SSO uses? Like if I want to authenticate nuxeo through REMOTE_USER-like environment variable, but still connecting clients to it like you described above?</P> Wed, 01 Feb 2012 16:38:04 GMT https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328383#M15384 OlivierM_ 2012-02-01T16:38:04Z https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328384#M15385 <P>Does this approach work if I do not have the user's name/password in LDAP, SQL, or a config file or do I need to have the user name defined somewhere? Is there a need for a "user" entity for documentation ownership, ACls, etc?</P> Sat, 25 Aug 2012 01:19:46 GMT https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328384#M15385 mike_frey 2012-08-25T01:19:46Z https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328385#M15386 <P>This (the first long comment) was posted as an answer but is not an answer. Please ask questions as new questions.</P> Thu, 30 Aug 2012 19:45:53 GMT https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328385#M15386 Florent_Guillau 2012-08-30T19:45:53Z https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328386#M15387 <P>mike</P> Thu, 30 Aug 2012 19:47:29 GMT https://connect.hyland.com/t5/nuxeo-forum/how-do-i-integrate-with-nuxeo-platform-login-portal-sso-in-my/m-p/328386#M15387 Florent_Guillau 2012-08-30T19:47:29Z