External SSO via http headers not working.
06-28-2014 02:47 PM
I want to enable external authentication via http headers as described here:
http://docs.alfresco.com/4.2/tasks/auth-alfrescoexternal-sso.html
http://www.youtube.com/watch?v=5tS0XrC_-rw
After configuring my system my normal web authentication (via username and password) no longer works. The external SSO is also not working. If I set the configurations back to normal my web authentication starts working again.
Here are the steps I have followed:
1. Downloaded alfresco-community-4.2.f-installer-linux-x64.bin and ran the auto installer
2. Verified that Alfresco and Share was working fine. Created a site with some content
3. In /opt/alfresco/tomcat/shared/classes/alfresco-global.properties add:
### External Authentication ###
authentication.chain=external1:external
4. In /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml set connector-id:
<connector-id>alfrescoHeader</connector-id>
5. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-authentication.properties add:
external.authentication.defaultAdministratorUserNames=admin
external.authentication.enabled=true
6. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-filter.properties add:
external.authentication.proxyUserName=alfresco-system
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=
7. In /opt/alfresco/tomcat/webapps/wcmqs/WEB-INF/classes/alfresco/wcmqs-api.properties, set the admin password:
wcmqs.api.alfresco=http://localhost:8080/alfresco
wcmqs.api.user=admin
wcmqs.api.password=my_admin_password_details_here
8. In /opt/alfresco/tomcat/webapps/wcmqs/WEB-INF/classes/alfresco/extension/wqsapi-custom.properties, set the admin password:
wcmqs.api.alfresco=http://localhost:8080/alfresco
wcmqs.api.user=admin
wcmqs.api.password=my_admin_password_details_here
9. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties add:
log4j.logger.org.alfresco.web.site.servlet.SSOAuthenticationFilter=debug
log4j.logger.org.alfresco.repo.security.authentication.AuthenticationUtil=debug
log4j.logger.org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService=debug
10. In /opt/alfresco/tomcat/webapps/share/WEB-INF/classes/log4j.properties add:
log4j.logger.org.alfresco.web.app.servlet.DefaultRemoteUserMap=debug
log4j.logger.org.springframework.extensions.webscripts.connector.RemoteClient=debug
log4j.logger.org.springframework.extensions.webscripts.connector.AlfrescoAuthenticator=debug
11. service alfresco start
12. tail -f /opt/alfresco/tomcat/logs/catalina.out (wait until everything has started)
13. Use "Modify headers" add on in Firefox to try and log into Alfresco without a password as per demo in
http://www.youtube.com/watch?v=5tS0XrC_-rw
Result: I still get sent to the login screen. My usual password does not work any more.
Here is the debug info from catalina.out:
2014-06-28 20:28:17,829 DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@1d1396e4: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
2014-06-28 20:28:17,834 DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@73f2361a: Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
2014-06-28 20:28:17,834 DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@1d1396e4: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
14. Try to use curl to login with modified header as follows:
curl -X GET -L -H "X-Alfresco-Remote-User: admin" http://localhost:8080/alfresco/ | less
Result: I still get the login page.
Any idea what I'm doing wrong?
Much appreciated,
Barry D.
06-29-2014 11:21 AM
You cannot use the External authentication subsystem without enabling a second, SSO-capable authentication subsystem such as alfrescoNtlm. So your chain should include such a subsystem and you should set *.sso.enabled for that subsystem.
Regards
Axel
06-29-2014 04:09 PM
Thanks for your help. I have added alfrescoNtlm to my chain and enabled SSO and at least normal authentication works again now.
However, I don't want to authenticate via NTLM (I understand this to be Windows authentication). I now get a username and password popup when I visit myhost:8080/alfresco in the browser with modified headers. If I click cancel I get the normal web login screen.
In this video ( http://www.youtube.com/watch?v=5tS0XrC_-rw ) it seems that it is possible to achieve External Authentication SSO by simply modifying the headers (No NTLM, CAS, Kerberos or anything like that). There is no mention made of having to enable SSO for NTLM for instance.
E.g. if I modify the headers with X-Alfresco-Remote-User as the name and admin as the value I expect to be logged in as the admin user. If I use e.g. peter as the value I should be logged in as Peter irrespective of which Windows user I am logged in as. That's what I understood from Mehdi Belmekki's video. Am I understanding this correctly?
Thanks again,
Barry
06-29-2014 04:29 PM
Also, I don't like seeing hacked files under WEB-INF. Don't do it. You will lose your changes on redeploy.
06-29-2014 05:24 PM
I have added alfrescoNtlm to my chain and thus regained normal web login functionality. However, I still don't have SSO via modifying HTTP headers as per the http://www.youtube.com/watch?v=5tS0XrC_-rw video. I now get a popup asking for username and password.
Also, you mention that I should not 'hack' files under WEB-INF. Could you specify the correct place to make these sort of changes instead?
Much appreciated,
Barry
06-30-2014 09:25 AM
All configuration should go in the tomcat/shared/classes/alfresco/extension directory or the tomcat/shared/classes/alfresco-global.properties file.
Regarding external authentication it is important to know that by default, Alfresco tries to validate the client passing the modified headers via a client certificate check. Unless you are actually using SSL and a client certificate, you have to disable that or Alfresco won't actually accept the modified headers. Last time I used this for a development setup, this amounted to setting the "external.authentication.proxyUserName" property to the empty value / string.
The reason you need to enable SSO on a different authentication subsystem is that the external subsystem alone only covers the Explorer UI and web scripts via the /wcs or /wcservice endpoint. The SSO filter for NTLM / Kerberos calls the logic for header evaluation (of the external subsystem) on the other HTTP servlets…
At least that was the case the last time I worked with external on 4.2.x. There might be differences between the Alfresco versions concerning default configuration.
Regards
Axel
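To make the trust model behind the curl test in the opening post and the proxyUserName remark above concrete, here is an added illustration (written for this thread, not Alfresco's own code) of how a header-to-user mapper behaves under the three settings the thread touches: the proxy check disabled by an empty external.authentication.proxyUserName, the proxy check enabled so that the header is honoured only when the request arrives from the configured proxy identity, and external.authentication.userIdPattern applied to extract the user id. The function names, the `authenticated_peer` argument and the reverse-proxy helper are assumptions made for the example; the property semantics follow the thread's description.

```python
import re
from typing import Mapping, Optional

# Header name from the thread's external-filter.properties.
PROXY_HEADER = "X-Alfresco-Remote-User"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_remote_user(
    headers: Mapping[str, str],
    proxy_header: str = PROXY_HEADER,
    proxy_user_name: str = "alfresco-system",
    authenticated_peer: Optional[str] = None,
    user_id_pattern: str = "",
) -> Optional[str]:
    """Model (assumed, not Alfresco's code) of external.authentication.* handling.

    proxy_user_name   -> value of external.authentication.proxyUserName; when
                         non-empty the header is only trusted if the request's
                         already-authenticated peer (e.g. via client certificate)
                         is exactly that user. Empty disables the check, which is
                         what lets a bare curl call with the header log in.
    authenticated_peer -> identity the transport layer established for the caller,
                         None when there is no client certificate.
    user_id_pattern   -> value of external.authentication.userIdPattern; a regex
                         whose first group (or whole match) is the user id.
    Returns the user name to log in as, or None to fall back to the login page.
    """
    value = _header(headers, proxy_header)
    if value is None or not value.strip():
        return None
    if proxy_user_name and authenticated_peer != proxy_user_name:
        # Header present but not vouched for by the trusted proxy: ignore it.
        return None
    if user_id_pattern:
        match = re.match(user_id_pattern, value)
        if not match:
            return None
        value = match.group(1) if match.groups() else match.group(0)
    return value


def proxy_forward(client_headers: Mapping[str, str], remote_user: str) -> dict:
    """Assumed reverse-proxy behaviour that makes header SSO safe to expose.

    Any copy of the trusted header supplied by the browser is discarded and the
    header is re-set from the identity the proxy itself authenticated, so the
    repository only ever sees a value the proxy vouches for.
    """
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != PROXY_HEADER.lower()}
    forwarded[PROXY_HEADER] = remote_user
    return forwarded


if __name__ == "__main__":
    # Constructed request: the opening post's curl call with the header set to admin.
    curl_request = {"Accept": "*/*", PROXY_HEADER: "admin"}
    print("no proxy check  :", resolve_remote_user(curl_request, proxy_user_name=""))
    print("proxy check, no cert:", resolve_remote_user(curl_request))
    print("proxy check, cert   :", resolve_remote_user(curl_request, authenticated_peer="alfresco-system"))
    print("pattern applied :", resolve_remote_user({PROXY_HEADER: "peter@example.org"},
                                                    proxy_user_name="",
                                                    user_id_pattern=r"^([^@]+)@example\.org$"))
    print("proxy forwards  :", proxy_forward(curl_request, "peter"))
```

The first two calls are the two situations Barry hit: with proxyUserName empty the header alone is enough, which is convenient for a development box but means anyone who can reach port 8080 directly chooses their own identity; with proxyUserName set and no client certificate the header is silently ignored and the login page comes back. The proxy_forward helper shows the mitigation that goes with the relaxed setting: terminate user authentication at a reverse proxy, strip the header from client traffic there, and keep the repository port reachable only from that proxy.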
11-09-2014 01:51 PM
Can anyone help me out with the correct URL? In Alfresco 4.2 I was using http://mydomain:8080/alfresco
Thanks
06-30-2014 05:56 PM
Thanks, I managed to get the external SSO working now via modified headers using curl in my terminal. I have set ntlm.authentication.sso.enabled=false and the login popup has now gone and the external SSO is still working. I suppose my Firefox Modify headers plugin was not working somehow. I also moved the configs into alfresco global properties file.
Now that I am logged in I need to get a ticket for the logged in user as I want to make CMIS calls (using Apache Chemistry PHP client). Is there an easy way to do this?
Much appreciated,
07-01-2014 04:44 AM
I recently had to do the same thing. There is no out-of-the-box web script you can call to "just" give you a ticket - the one web script that does exist requires you to actually provide username and password. I just wrote myself a tiny custom web script that I then called with active external authentication.
The web script is as simple as the following FTL:
{<#escape x as jsonUtils.encodeJSONString(x)> "ticket" : "${session.ticket}"</#escape>}
Regards
Axel
07-01-2014 05:26 PM
Thanks, this works brilliantly!
