https://connect.hyland.com/t5/nuxeo-forum/configuring-mod-sso/m-p/318908#M5909 <P>Ok, I'll be answering myself here. It was actually pretty simple, only I needed to :</P> <UL> <LI>know how to force my authenticationChain to prevail (like explained <A href="http://answers.nuxeo.com/questions/231/several-authenticationchains-who-wins">here</A>)</LI> <LI>forget about my PHP "knowledge" and set the ssoHeaderName to "Auth-User" instead of "HTTP_AUTH_USER".</LI> </UL> <P>And then, with all that, my Nuxeo instance is officially connected to LemondLDAP::NG (through a reverse-proxy, CAS/Shibboleth might come later).</P> Fri, 23 Sep 2011 18:13:46 GMT OlivierM_ 2011-09-23T18:13:46Z https://connect.hyland.com/t5/nuxeo-forum/configuring-mod-sso/m-p/318906#M5907 <P>Is there any recent document describing the use of org.nuxeo.ecm.platform.login.mod_sso ?</P> Fri, 16 Sep 2011 12:01:05 GMT https://connect.hyland.com/t5/nuxeo-forum/configuring-mod-sso/m-p/318906#M5907 OlivierM_ 2011-09-16T12:01:05Z https://connect.hyland.com/t5/nuxeo-forum/configuring-mod-sso/m-p/318907#M5908 <P>Ok, some more information about what I'm fighting against. I installed org.nuxeo.ecm.platform.login.mod_sso (it's shown in the list after <STRONG>INFO [org.nuxeo.runtime.deployment.preprocessor.DeploymentPreprocessor] Preprocessing order:</STRONG>).</P> <P>On server start, it's shown as registered and merged as an authentificator:</P> <PRE><CODE>2011-09-16 15:03:17,730 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: BASIC_AUTH 2011-09-16 15:03:18,959 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] registered AuthenticationPluginDescriptor: PROXY_AUTH 2011-09-16 15:03:18,960 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: PROXY_AUTH </CODE></PRE> <P>(among others)</P> <P>I configured my extension point to read the requested header :</P> <PRE><CODE> &lt;extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators"&gt; &lt;authenticationPlugin name="PROXY_AUTH" enabled="true" class="org.nuxeo.ecm.platform.ui.web.auth.proxy.ProxyAuthenticator"&gt; &lt;loginModulePlugin&gt;Trusting_LM&lt;/loginModulePlugin&gt; &lt;parameters&gt; &lt;parameter name="ssoHeaderName"&gt;HTTP_AUTH_USER&lt;/parameter&gt; &lt;/parameters&gt; &lt;/authenticationPlugin&gt; &lt;/extension&gt; </CODE></PRE> <P>And I even tested - by pointing my reverse proxy on a simple PHP page showing phpinfo() - that the env var is sent. So, as far as I'm concerned, everything should work. But when I try to access the instance through the proxy, login page is shown (and working). According to my logs :</P> <PRE><CODE>2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter 2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal 2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache 2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin BASIC_AUTH 2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin FORM_AUTH 2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Looking for user/password in the request 2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBENGINE_FORM_AUTH 2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin ANONYMOUS_AUTH 2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBSERVICES_AUTH 2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache 2011-09-16 16:03:07,538 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Forward to Login Screen </CODE></PRE> <P>For the sake of completeness (sorry for the lengthy post), here is my plugin chain :</P> <PRE><CODE> &lt;extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain"&gt; &lt;authenticationChain&gt; &lt;plugins&gt; &lt;!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth --&gt; &lt;plugin&gt;BASIC_AUTH&lt;/plugin&gt; &lt;plugin&gt;PROXY_AUTH&lt;/plugin&gt; &lt;/plugins&gt; &lt;/authenticationChain&gt; &lt;/extension&gt; </CODE></PRE> <P>So it looks like my plugin chain (BASIC_AUTH, then PROXY_AUTH) isn't even taken into account. Any idea, anyone?</P> Fri, 16 Sep 2011 16:11:42 GMT https://connect.hyland.com/t5/nuxeo-forum/configuring-mod-sso/m-p/318907#M5908 OlivierM_ 2011-09-16T16:11:42Z https://connect.hyland.com/t5/nuxeo-forum/configuring-mod-sso/m-p/318908#M5909 <P>Ok, I'll be answering myself here. It was actually pretty simple, only I needed to :</P> <UL> <LI>know how to force my authenticationChain to prevail (like explained <A href="http://answers.nuxeo.com/questions/231/several-authenticationchains-who-wins">here</A>)</LI> <LI>forget about my PHP "knowledge" and set the ssoHeaderName to "Auth-User" instead of "HTTP_AUTH_USER".</LI> </UL> <P>And then, with all that, my Nuxeo instance is officially connected to LemondLDAP::NG (through a reverse-proxy, CAS/Shibboleth might come later).</P> Fri, 23 Sep 2011 18:13:46 GMT https://connect.hyland.com/t5/nuxeo-forum/configuring-mod-sso/m-p/318908#M5909 OlivierM_ 2011-09-23T18:13:46Z