Alfresco Share SSO using CAS

zaine
Champ in-the-making
Hi,

I have implemented Alfresco with CAS without any issues, but I'm struggling to get Alfresco Share to work with CAS. Has anyone come right with this?

Thanks
Zaine
6 REPLIES

warren_mcdonald
Champ in-the-making
I would also appreciate some help in this direction.

I have been looking at the NTLM auth implementation in Share which relies on a specifically configured endpoint (wcs) on the Alfresco side.

Will a CAS SSO implementation for Share need to employ the same type of mechanism?
Are the endpoint init parameters used on the NTLM auth filter in Share specific to that module or are they generic to Alfresco authenticator classes?

Regards,

Warren

hongbo
Champ in-the-making
Same here.

I am also looking at the NTLMAuthenticationFilter in Share as a reference point.
By default /share apparently does not use a filter for authentication, unlike /alfresco.

Warren, have you made any progress?

Regards,

Hongbo

t_broyer
Champ in-the-making
> I have implemented Alfresco with CAS without any issues, but I'm struggling to get Alfresco Share to work with CAS. Has anyone come right with this?

Yes, see http://translate.google.com/translate?u=http://blog.atolcd.com/%3Fp%3D115&sl=fr&tl=en

cybertoast
Champ in-the-making
This procedure works great for getting /alfresco cassified. But /share is causing me some grief. What's happening is that the PGTIOU gets issued, but this does not translate to a PGT per the logs below. Stepping through the code I see that the PGTIOU does not map to a PGT in the cache collection (ProxyGrantingTicketImpl.java).
(I'm using cas-client-3.1.8 with the 3.3.4 cas-server. And all this is on Alfresco 3.2r Community.)

1. Sign into /share, get redirected to CAS
2. Log into CAS, get a ticket with service redirect to /share:
09:22:04,064  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:22:04,067  DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:22:04,067  DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/page/site-index
09:22:04,068  DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2Fpage%2Fsite-index"
09:22:22,520  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:22:22,520  DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:22:22,520  DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/page/site-index
09:22:22,520  DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2Fpage%2Fsite-index"
09:22:34,764  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index

3. CAS validates ticket:

09:23:51,230  DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Attempting to validate ticket: ST-14-UJ16RLSTe4DhnwR3ncUS-cas
09:23:52,315  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:23:58,287  DEBUG [client.validation.Cas20ProxyTicketValidator] Placing URL parameters in map.
09:23:58,290  DEBUG [client.validation.Cas20ProxyTicketValidator] Calling template URL attribute map.
09:24:02,333  DEBUG [client.validation.Cas20ProxyTicketValidator] Loading custom parameters from configuration.
09:24:16,020  DEBUG [client.validation.Cas20ProxyTicketValidator] Constructing validation url: https://nih.local:8444/cas/proxyValidate?pgtUrl=https%3A%2F%2Fnih.local%3A8443%2Fshare%2FproxyCallba...

4. CAS redirects user to share with ST

09:24:16,020  DEBUG [client.validation.Cas20ProxyTicketValidator] Retrieving response from server.
09:24:21,210  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback
09:24:21,212  DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:24:21,212  DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/proxyCallback
09:24:21,212  DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2FproxyCallback"
09:24:22,074  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5K...
09:24:22,074  DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:24:22,074  DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5K...
09:24:22,075  DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2FproxyCallback%3Fpgt..."
09:24:22,102  DEBUG [client.validation.Cas20ProxyTicketValidator] Server response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
   <cas:authenticationSuccess>
      <cas:user>admin</cas:user>
      <cas:proxyGrantingTicket>PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas</cas:proxyGrantingTicket>
   </cas:authenticationSuccess>
</cas:serviceResponse>

Here CAS has provided a PGTIOU and a pgtId which references a Ticket-Granting-Ticket (TGT…) instead of a PGT. Not sure if this is wrong or if a TGT is equivalent to a PGT.

5. Share *should* get a ProxyTicket based on the ProxyGrantingTicket (and it fails to find an internal mapping for the PGTIOU):

09:24:43,023  INFO  [client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas

6. CAS authentication passes, but Share+Alfresco authentication fails:
09:25:30,151  DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Successfully authenticated user: admin
09:25:30,170  DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Redirecting after successful ticket validation.
09:25:30,171  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index;jsessionid=47F57241192E0CBD568B39ECAFE581EC
09:25:35,498  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:26:13,576  DEBUG [atolcd.alfresco.CasAuthenticationFilter] Authenticating user: admin against ticket source http://nih.local:8080/alfresco
09:26:17,862  DEBUG [client.authentication.AttributePrincipalImpl] No ProxyGrantingTicket was supplied, so no Proxy Ticket can be retrieved.

My CAS-server logs don't show any problems either:

2009-10-29 09:24:16,359 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for [callbackUrl: https://nih.local:8443/share/proxyCallback]>
2009-10-29 09:24:21,222 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://nih.local:8080/share/proxyCallback>
2009-10-29 09:24:21,233 DEBUG [org.jasig.cas.util.HttpClient] - <Response code from server matched 200.>
2009-10-29 09:24:21,235 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [callbackUrl: https://nih.local:8443/share/proxyCallback]>
2009-10-29 09:24:21,235 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas]>
2009-10-29 09:24:21,235 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] found in registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-23-l5KbudOXAGGoekG0gxFdPLOdzxcnQwlqocdf4ajTMKtXAeXa2Z-cas] to registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas]>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] found in registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] from registry>
2009-10-29 09:24:22,085 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5K...>
2009-10-29 09:24:22,094 DEBUG [org.jasig.cas.util.HttpClient] - <Response code from server matched 200.>
2009-10-29 09:24:22,095 DEBUG [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - <Sent ProxyIou of PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas for service: [callbackUrl: https://nih.local:8443/share/proxyCallback]>

Can anyone shed some light on why exactly I'm not getting the PGT from the PGTIOU? My web.xml is pretty much exactly as Laurent described.

Thanks

hoaivan
Champ in-the-making
> 4. CAS redirects user to share with ST
> 09:24:22,074  DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5K...
>
> Here CAS has provided a PGTIOU and a pgtId which references a Ticket-Granting-Ticket (TGT…) instead of a PGT. Not sure if this is wrong or if a TGT is equivalent to a PGT.

Yes, it's PGT

> 5. Share *should* get a ProxyTicket based on the ProxyGrantingTicket (and it fails to find an internal mapping for the PGTIOU):
>
> 09:24:43,023  INFO  [client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas

If you set up the proxyCallback servlet correctly, you should be able to get it with ProxyTicketReceptor.getProxyTicket(String pgtIou, String target)
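The two posts above revolve around one step of the CAS 2.0 proxy handshake: CAS calls the client's pgtUrl (here /share/proxyCallback) with a pgtIou and a pgtId, the client must store that pair, and later, when the proxyValidate response hands back only the IOU, the client looks the real PGT up in that store before it can ask /cas/proxy for a proxy ticket for /alfresco. The "No Proxy Ticket found for PGTIOU-..." line means the lookup came back empty, and the Share log shows the AuthenticationFilter redirecting the proxyCallback requests to /cas/login, so it is worth checking whether the callback ever reaches the filter that stores the pair. The following Python model is an added example, not code from the thread, the Jasig client or atolcd's filter; the ticket values, host names and the callback_reaches_receiver flag are constructed here to make the two outcomes visible.

```python
# Added example (not from the thread): a minimal model of the CAS 2.0 proxy
# handshake the Share-side client has to complete before it can obtain a
# proxy ticket for /alfresco. All ticket values and URLs are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = "{http://www.yale.edu/tp/cas}"


class ProxyGrantingTicketStorage:
    """PGTIOU -> PGT map (the role ProxyGrantingTicketStorageImpl plays in the Java client)."""

    def __init__(self):
        self._tickets = {}

    def save(self, pgt_iou, pgt):
        self._tickets[pgt_iou] = pgt

    def retrieve(self, pgt_iou):
        # None here is what the client logs as "No Proxy Ticket found for PGTIOU-..."
        return self._tickets.get(pgt_iou)


def handle_proxy_callback(request_url, storage):
    """What the pgtUrl endpoint must do when CAS calls it.

    CAS makes two requests: a bare probe (the URL must be reachable over HTTPS
    and answer 200) and then one carrying pgtIou and pgtId. Only the second
    populates the store. Returns the HTTP status the endpoint should answer.
    """
    params = parse_qs(urlsplit(request_url).query)
    pgt_iou = params.get("pgtIou", [None])[0]
    pgt_id = params.get("pgtId", [None])[0]
    if pgt_iou is None or pgt_id is None:
        return 200  # probe request: acknowledge, nothing to store
    storage.save(pgt_iou, pgt_id)
    return 200


def pgt_from_validation_response(xml_text, storage):
    """Map the <cas:proxyGrantingTicket> IOU in a proxyValidate response to the stored PGT."""
    root = ET.fromstring(xml_text)
    iou_el = root.find(f".//{CAS_NS}proxyGrantingTicket")
    if iou_el is None or not iou_el.text:
        return None
    return storage.retrieve(iou_el.text.strip())


def proxy_ticket_request_url(cas_base, pgt, target_service):
    """URL the client calls next to obtain a PT for the back-end service."""
    return f"{cas_base}/proxy?" + urlencode({"pgt": pgt, "targetService": target_service})


def simulate_share_login(callback_reaches_receiver):
    """Run the handshake once. The flag models whether the callback request is
    handled by the ticket-receiving filter or intercepted before reaching it
    (for instance by an authentication filter that redirects it to /cas/login).
    Returns the /cas/proxy URL the client would call, or None if no PGT resolves."""
    storage = ProxyGrantingTicketStorage()
    iou = "PGTIOU-EXAMPLE-cas"  # constructed
    pgt = "TGT-EXAMPLE-cas"     # constructed; in the thread's logs the pgtId also carries a TGT- prefix
    callback = "https://share.example/share/proxyCallback"  # constructed host
    if callback_reaches_receiver:
        handle_proxy_callback(callback, storage)                              # probe
        handle_proxy_callback(f"{callback}?pgtIou={iou}&pgtId={pgt}", storage)  # real callback
    # Whatever happened to the callback, proxyValidate still returns the IOU:
    validation = f"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>admin</cas:user>
    <cas:proxyGrantingTicket>{iou}</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
    resolved = pgt_from_validation_response(validation, storage)
    if resolved is None:
        return None
    return proxy_ticket_request_url("https://cas.example/cas", resolved,
                                    "http://share.example/alfresco")


if __name__ == "__main__":
    print("callback stored:", simulate_share_login(True))
    print("callback intercepted:", simulate_share_login(False))
```

Running it with the flag set prints the /cas/proxy URL carrying the PGT; with the flag cleared the store is empty and the lookup yields None, which is the state the "No Proxy Ticket found" log line reports. The practical check this suggests is that the proxyCallback path must be reachable by the CAS server over HTTPS without being sent through the login redirect, and that the filter which receives the callback must run before any filter that demands an authenticated session.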

akselb
Champ in-the-making
I have also been using the solution posted here. For Alfresco 3.3 I have changed the code slightly and now it works fine with CAS for Alfresco and Alfresco Share.
See my solution here.