External SSO via http headers not working.

bdaniel
Champ in-the-making
Hi there,

I want to enable external authentication via http headers as described here:
http://docs.alfresco.com/4.2/tasks/auth-alfrescoexternal-sso.html
http://www.youtube.com/watch?v=5tS0XrC_-rw

After configuring my system my normal web authentication (via username and password) no longer works.  The external SSO is also not working.  If I set the configurations back to normal my web authentication starts working again.

Here are the steps I have followed:

1. Downloaded alfresco-community-4.2.f-installer-linux-x64.bin and ran the auto installer
2. Verified that Alfresco and Share were working fine.  Created a site with some content
3. In /opt/alfresco/tomcat/shared/classes/alfresco.global.properties add:

    ### External Authentication ###
    authentication.chain=external1:external

4. In /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml set connector-id:

    <connector-id>alfrescoHeader</connector-id>

5. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-authentication.properties add:

    external.authentication.defaultAdministratorUserNames=admin
    external.authentication.enabled=true

6. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-filter.properties add:

    external.authentication.proxyUserName=alfresco-system
    external.authentication.proxyHeader=X-Alfresco-Remote-User
    external.authentication.enabled=true
    external.authentication.userIdPattern=


7. In /opt/alfresco/tomcat/webapps/wcmqs/WEB-INF/classes/alfresco/wcmqs-api.properties set the admin password:

    wcmqs.api.alfresco=http://localhost:8080/alfresco
    wcmqs.api.user=admin
    wcmqs.api.password=my_admin_password_details_here


8. In /opt/alfresco/tomcat/webapps/wcmqs/WEB-INF/classes/alfresco/extension/wqsapi-custom.properties set the admin password:

    wcmqs.api.alfresco=http://localhost:8080/alfresco
    wcmqs.api.user=admin
    wcmqs.api.password=my_admin_password_details_here

9. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties add

    log4j.logger.org.alfresco.web.site.servlet.SSOAuthenticationFilter=debug
    log4j.logger.org.alfresco.repo.security.authentication.AuthenticationUtil=debug
    log4j.logger.org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService=debug

10. In /opt/alfresco/tomcat/webapps/share/WEB-INF/classes/log4j.properties add

    log4j.logger.org.alfresco.web.app.servlet.DefaultRemoteUserMap=debug
    log4j.logger.org.springframework.extensions.webscripts.connector.RemoteClient=debug
    log4j.logger.org.springframework.extensions.webscripts.connector.AlfrescoAuthenticator=debug

11. service alfresco start
12. tail -f /opt/alfresco/tomcat/logs/catalina.out (wait until everything has started)
13. Use the "Modify headers" add-on in Firefox to try to log into Alfresco without a password, as per the demo in
    http://www.youtube.com/watch?v=5tS0XrC_-rw

    Result:  I still get sent to the login screen.  My usual password does not work any more.
    Here is the debug info from catalina.out:

2014-06-28 20:28:17,829  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@1d1396e4: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
2014-06-28 20:28:17,834  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@73f2361a: Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
2014-06-28 20:28:17,834  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@1d1396e4: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED


14.  Try to use curl to login with modified header as follows:
     curl -X GET -L -H "X-Alfresco-Remote-User: admin" http://localhost:8080/alfresco/ | less
     Result:  I still get the login page



Any idea what I'm doing wrong?

Much appreciated,

Barry D.
13 REPLIES

bdaniel
Champ in-the-making
Hi there,

What would be the best way to make external authentication via http headers as secure as possible?

So far it seems these two things are recommended:
1. Make sure that no untrusted direct access to Alfresco's HTTP or AJP ports is allowed.
2. Use SSL.

Any other things to add?

I still want users to be able to log in to Alfresco / Share directly via the web interface.

Thanks,
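
Added example (not part of the original thread, and not Alfresco tooling): a small audit for point 1 above that reads the external filter properties and Tomcat's server.xml and reports every connector that accepts the trusted header on a non-loopback address. It assumes the trusted proxy runs on the same host as Tomcat; the function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample inputs (not taken from a real installation).
SAMPLE_FILTER_PROPS = """\
external.authentication.proxyUserName=alfresco-system
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
"""
SAMPLE_SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
</Service></Server>
"""

def parse_properties(text):
    """Parse simple key=value Java properties, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_header_sso(filter_props, server_xml):
    """List connectors where a remote client could present the SSO header."""
    props = parse_properties(filter_props)
    if props.get("external.authentication.enabled", "").lower() != "true":
        return []  # header authentication is off, nothing to expose
    header = props.get("external.authentication.proxyHeader", "")
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        address = conn.get("address")  # Tomcat listens on all interfaces if unset
        if address in LOOPBACK:
            continue  # only a local proxy can reach this connector
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        findings.append({"port": conn.get("port"), "address": address,
                         "protocol": conn.get("protocol"), "tls": tls,
                         "header": header})
    return findings

if __name__ == "__main__":
    for f in audit_header_sso(SAMPLE_FILTER_PROPS, SAMPLE_SERVER_XML):
        print("port %(port)s (%(protocol)s) accepts %(header)s from "
              "non-local clients; TLS=%(tls)s" % f)
```

A connector that must listen on a non-loopback address (for a proxy on another host) will be reported; in that case the restriction has to come from a host firewall or network ACL that admits only the proxy.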

pnkrravi
Champ in-the-making
Hi,
We are currently testing external SSO auth through the Firefox Modify Headers add-on to pass the header. Can you please share your alfresco-global.properties file? We followed all the steps given in this thread but no luck so far.

Regards,
Ravi

kimberlydeborah
Champ in-the-making
It is also referred to as SSO (Single Sign-on), a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again. So you can try to start working again.

olidrouin
Champ in-the-making
Hello,
      I'd like some clarification on Barry's step #4 (i.e.: 4. In /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml set connector-id: alfrescoHeader). What is the relevant documentation regarding this step, if any?

Thank you!
Olivier.