Alfresco Share SSO using CAS

02-23-2009 05:27 AM
Hi,
I have implemented Alfresco with CAS without any issues, but I'm struggling to get Alfresco Share to work with CAS. Has anyone come right with this?
Thanks
Zaine
6 REPLIES 6

03-01-2009 07:15 AM
I would also appreciate some help in this direction.
I have been looking at the NTLM auth implementation in Share which relies on a specifically configured endpoint (wcs) on the Alfresco side.
Will a CAS SSO implementation for Share need to employ the same type of mechanism?
Are the endpoint init parameters used on the NTLM auth filter in Share specific to that module or are they generic to Alfresco authenticator classes?
Regards,
Warren
04-11-2009 09:20 AM
Same here.
I am also looking at the NTLMAuthenticationFilter in Share as a reference point.
By default /share apparently does not use a filter for authentication, unlike /alfresco.
Warren, have you made any progress?
Regards,
Hongbo

05-11-2009 08:43 AM
> I have implemented Alfresco with CAS without any issues, but I'm struggling to get Alfresco Share to work with CAS. Has anyone come right with this?
Yes, see http://translate.google.com/translate?u=http://blog.atolcd.com/%3Fp%3D115&sl=fr&tl=en

10-30-2009 08:20 AM
This procedure works great for getting /alfresco cassified. But /share is causing me some grief. What's happening is that the PGTIOU gets issued, but this does not translate to a PGT per the logs below. Stepping through the code I see that the PGTIOU does not map to a PGT in the cache collection (ProxyGrantingTicketImpl.java).
(I'm using cas-client-3.1.8 with the 3.3.4 cas-server. And all this is on Alfresco 3.2r Community.)
1. Sign into /share, get redirected to CAS
2. Log into CAS, get a ticket with service redirect to /share:
09:22:04,064 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:22:04,067 DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:22:04,067 DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/page/site-index
09:22:04,068 DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2Fpage%2Fsite-index"
09:22:22,520 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:22:22,520 DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:22:22,520 DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/page/site-index
09:22:22,520 DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2Fpage%2Fsite-index"
09:22:34,764 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
3. CAS validates ticket:
09:23:51,230 DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Attempting to validate ticket: ST-14-UJ16RLSTe4DhnwR3ncUS-cas
09:23:52,315 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:23:58,287 DEBUG [client.validation.Cas20ProxyTicketValidator] Placing URL parameters in map.
09:23:58,290 DEBUG [client.validation.Cas20ProxyTicketValidator] Calling template URL attribute map.
09:24:02,333 DEBUG [client.validation.Cas20ProxyTicketValidator] Loading custom parameters from configuration.
09:24:16,020 DEBUG [client.validation.Cas20ProxyTicketValidator] Constructing validation url: https://nih.local:8444/cas/proxyValidate?pgtUrl=https%3A%2F%2Fnih.local%3A8443%2Fshare%2FproxyCallba...
4. CAS redirects user to share with ST
09:24:16,020 DEBUG [client.validation.Cas20ProxyTicketValidator] Retrieving response from server.
09:24:21,210 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback
09:24:21,212 DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:24:21,212 DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/proxyCallback
09:24:21,212 DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2FproxyCallback"
09:24:22,074 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5K...
09:24:22,074 DEBUG [client.authentication.AuthenticationFilter] no ticket and no assertion found
09:24:22,074 DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5K...
09:24:22,075 DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://nih.local:8444/cas/login?service=http%3A%2F%2Fnih.local%3A8080%2Fshare%2FproxyCallback%3Fpgt..."
09:24:22,102 DEBUG [client.validation.Cas20ProxyTicketValidator] Server response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>admin</cas:user> <cas:proxyGrantingTicket>PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas</cas:proxyGrantingTicket> </cas:authenticationSuccess></cas:serviceResponse>
Here CAS has provided a PGTIOU and a pgtId which references a Ticket-Granting-Ticket (TGT…) instead of a PGT. Not sure if this is wrong or if a TGT is equivalent to a PGT.
5. Share *should* get a ProxyTicket based on the ProxyGrantingTicket (and it fails to find an internal mapping for the PGTIOU):
09:24:43,023 INFO [client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas
6. CAS authentication passes, but Share+Alfresco authentication fails:
09:25:30,151 DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Successfully authenticated user: admin
09:25:30,170 DEBUG [client.validation.Cas20ProxyReceivingTicketValidationFilter] Redirecting after successful ticket validation.
09:25:30,171 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index;jsessionid=47F57241192E0CBD568B39ECAFE581EC
09:25:35,498 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/page/site-index
09:26:13,576 DEBUG [atolcd.alfresco.CasAuthenticationFilter] Authenticating user: admin against ticket source http://nih.local:8080/alfresco
09:26:17,862 DEBUG [client.authentication.AttributePrincipalImpl] No ProxyGrantingTicket was supplied, so no Proxy Ticket can be retrieved.
My CAS-server logs don't show any problems either:
2009-10-29 09:24:16,359 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for [callbackUrl: https://nih.local:8443/share/proxyCallback]>
2009-10-29 09:24:21,222 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://nih.local:8080/share/proxyCallback>
2009-10-29 09:24:21,233 DEBUG [org.jasig.cas.util.HttpClient] - <Response code from server matched 200.>
2009-10-29 09:24:21,235 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [callbackUrl: https://nih.local:8443/share/proxyCallback]>
2009-10-29 09:24:21,235 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas]>
2009-10-29 09:24:21,235 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] found in registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-23-l5KbudOXAGGoekG0gxFdPLOdzxcnQwlqocdf4ajTMKtXAeXa2Z-cas] to registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas]>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] found in registry.>
2009-10-29 09:24:21,236 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-14-UJ16RLSTe4DhnwR3ncUS-cas] from registry>
2009-10-29 09:24:22,085 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5K...>
2009-10-29 09:24:22,094 DEBUG [org.jasig.cas.util.HttpClient] - <Response code from server matched 200.>
2009-10-29 09:24:22,095 DEBUG [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - <Sent ProxyIou of PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas for service: [callbackUrl: https://nih.local:8443/share/proxyCallback]>
Can anyone shed some light on why exactly I'm not getting the PGT from the PGTIOU? My web.xml is pretty much exactly as Laurent described.
Thanks

12-19-2009 07:27 AM
> 4. CAS redirects user to share with ST
> 09:24:22,074 DEBUG [client.util.CommonUtils] serviceUrl generated: http://nih.local:8080/share/proxyCallback?pgtIou=PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas&pgtId=TGT-23-l5K...
> Here CAS has provided a PGTIOU and a pgtId which references a Ticket-Granting-Ticket (TGT…) instead of a PGT. Not sure if this is wrong or if a TGT is equivalent to a PGT.
Yes, it's PGT
> 5. Share *should* get a ProxyTicket based on the ProxyGrantingTicket (and it fails to find an internal mapping for the PGTIOU):
> 09:24:43,023 INFO [client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for PGTIOU-10-rrO5TMttIfOmXr9cXR2L-cas
If you set up the proxyCallback servlet correctly, you should be able to get it with ProxyTicketReceptor.getProxyTicket(String pgtIou, String target)
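An added example, not part of any post in this thread: a small Python triage script that follows each PGTIOU through cas-client DEBUG lines in the format quoted above and flags the case where the proxy callback request was processed by the AuthenticationFilter before a failed PGT lookup. The log lines are constructed samples with placeholder hosts and ticket ids, the function names are hypothetical, and treating the filter hit as the likely reason for the failed lookup is this example's reading of the logs, not a conclusion stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the cas-client DEBUG format quoted in this thread.
# Hosts and ticket ids are placeholders; the pgtId value is redacted because
# a PGT is a bearer credential and should not be kept in shared logs.
SAMPLE_LOG = """\
10:00:02,000 DEBUG [client.authentication.AuthenticationFilter] Constructed service url: http://app.example/share/proxyCallback?pgtIou=PGTIOU-1-aaaa-cas&pgtId=TGT-1-REDACTED
10:00:02,001 DEBUG [client.authentication.AuthenticationFilter] redirecting to "https://sso.example/cas/login?service=http%3A%2F%2Fapp.example%2Fshare%2FproxyCallback%3Fpgt..."
10:00:02,050 DEBUG [client.validation.Cas20ProxyTicketValidator] Server response: <cas:serviceResponse><cas:authenticationSuccess><cas:user>admin</cas:user><cas:proxyGrantingTicket>PGTIOU-1-aaaa-cas</cas:proxyGrantingTicket></cas:authenticationSuccess></cas:serviceResponse>
10:00:03,000 INFO [client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for PGTIOU-1-aaaa-cas
10:05:00,000 DEBUG [client.validation.Cas20ProxyTicketValidator] Server response: <cas:serviceResponse><cas:authenticationSuccess><cas:user>admin</cas:user><cas:proxyGrantingTicket>PGTIOU-2-bbbb-cas</cas:proxyGrantingTicket></cas:authenticationSuccess></cas:serviceResponse>
"""

IOU = r"(PGTIOU-[\w-]+)"
PATTERNS = {
    # CAS validation response handed the client a PGTIOU
    "issued": re.compile(r"<cas:proxyGrantingTicket>" + IOU),
    # the callback carrying pgtIou/pgtId was processed by the authentication filter
    "callback_hit_auth_filter": re.compile(
        r"AuthenticationFilter\] Constructed service url: \S*[?&]pgtIou=" + IOU),
    # the client later failed to map the PGTIOU to a stored PGT
    "lookup_failed": re.compile(
        r"ProxyGrantingTicketStorageImpl\] No Proxy Ticket found for " + IOU),
}

def trace_pgtious(log_text):
    """Return {pgtiou: set of event names seen for it}."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events[m.group(1)].add(name)
    return dict(events)

def diagnose(log_text):
    """Classify each PGTIOU by what the client log shows happened to it."""
    findings = {}
    for iou, seen in trace_pgtious(log_text).items():
        if "lookup_failed" not in seen:
            findings[iou] = "ok"
        elif "callback_hit_auth_filter" in seen:
            findings[iou] = "callback handled by AuthenticationFilter; lookup failed"
        else:
            findings[iou] = "lookup failed; no callback seen in client log"
    return findings

if __name__ == "__main__":
    for iou, finding in diagnose(SAMPLE_LOG).items():
        print(iou, "->", finding)
```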
09-02-2010 08:45 AM
