How to login as internal user with SSO working?

shazada
Star Contributor
Hi guys,

First of all I'm not that active at the forums, because my company has an Enterprise partnership and I normally use the Alfresco Support.
I've seen the topics created here and a lot are very useful, so I'll try to be more active and post my questions on both sides.

My situation:
I've got Alfresco 3.2 Enterprise installed.
I need to have subsystems configured like this:
- Alfresco users (external) need to login in Share
- AD/LDAP users need to be synced in Alfresco, because users need to invite users from the company. So passthru just won't be enough.
- SSO needs to work for AD/LDAP users (which are synced in Share).

My subsystems chain is:
- alfrescoNtlm, passthru, ldap
- alfrescoNtlm: sso.enabled=false
- ldap: ldap.authentication.active=false
- passthru: sso.enabled=true

I've done this, because when enabling SSO in alfrescoNtlm, I can't login with the AD/LDAP users EVEN when they are created/synced in Alfresco.

By choosing this way SSO works for AD/LDAP users even in Share!
The problem is that now alfresco/external users can't login in Share. In Explorer they can use: alfresco/faces/jsp/login.jsp and they get logged in –> so no problem.
In Share I haven't found a way to use a login. I've tried share/login.jsp –> you'll get a simple (ugly) login and when I try to login –> SSO from passthru gets invoked.
This happens because the NTLMAuthenticationFilter runs on all pages.

So I'm a bit stuck.

Thanks!
16 REPLIES

dward
Champ on-the-rise
I'm afraid this is how we would expect it to work. Due to the restrictions of the NTLM / Kerberos protocols, SSO can only be handled by a single member of the authentication chain, because we don't get a chance to retry another member on failures. So SSO is always handled by the first member of the chain with SSO enabled.

So in this scenario, it would probably be best to stop using the internal accounts, remove alfrescoNtlm from the chain and create an equivalent administrator user in AD who is either named in your passthru.authentication.defaultAdministratorUserNames list, or is a member of the ALFRESCO_ADMINISTRATORS group.

shazada
Star Contributor
I don't really agree with that. Because if this is how it 'should' work, then why can you log in in Explorer as an internal user?

I mean, is it hard to just bypass a certain page like the one in Explorer? alfresco\jsp\faces\login.jsp –> this one bypasses the SSO and tries Basic authentication.

In Share, every page* goes to the NTLMAuthentication filter. I don't think it's that hard to just define a 'separate' login page which doesn't go through the NTLM filter and just does Basic Auth like in Explorer.

I've searched through the NTLM filter and there is a session attribute like _login or something like that. So I have to 'define' my own page and send that attribute to the filter so it doesn't do SSO?

dward
Champ on-the-rise
I see, so your complaint is that internal users can still log in using a web form with SSO enabled in Alfresco Explorer, but not in Share. I have logged a bug.

https://issues.alfresco.com/jira/browse/ALF-1923

You may be able to get around it by coding your own version of org.alfresco.web.site.servlet.NTLMAuthenticationFilter that resorts to calling redirectToLoginPage when NTLM authentication fails.
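As an added illustration of the workaround dward describes (a filter that lets a plain form login exist alongside SSO), here is a small servlet filter that wraps an SSO filter and skips the NTLM/Kerberos challenge for one dedicated login URL. This is example code, not Alfresco's NTLMAuthenticationFilter and not the project's API: the wrapped filter type, the paths `/page/form-login`, and the session attribute names `formLoginRequested` and `authenticatedUserId` are assumptions chosen for the example. Only the standard javax.servlet API is used.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example (not Alfresco code): wraps an SSO filter such as an NTLM filter and
 * lets one form-login URL bypass the SSO challenge, so internal accounts that
 * do not exist in AD can still sign in. All constants are hypothetical names.
 */
public class FormLoginBypassFilter implements Filter {

    /** Hypothetical path of the username/password login page. */
    static final String FORM_LOGIN_PATH = "/page/form-login";
    /** Hypothetical session flag: the user explicitly chose the form login. */
    static final String FORM_LOGIN_FLAG = "formLoginRequested";
    /** Hypothetical session attribute set by the form handler after a successful login. */
    static final String USER_ID_ATTR = "authenticatedUserId";

    private final Filter ssoFilter;

    public FormLoginBypassFilter(Filter ssoFilter) {
        this.ssoFilter = ssoFilter;
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        ssoFilter.init(config);
    }

    @Override
    public void destroy() {
        ssoFilter.destroy();
    }

    /** Decision logic kept free of servlet plumbing so it can be unit-tested. */
    static boolean shouldBypassSso(String servletPath, HttpSession session) {
        // The login form itself must never receive an SSO challenge, otherwise
        // a non-AD user can never reach it (the symptom described in the thread).
        if (FORM_LOGIN_PATH.equals(servletPath)) {
            return true;
        }
        if (session == null) {
            return false;
        }
        // Do not re-challenge someone who deliberately chose the form, nor a
        // user who is already authenticated by either route.
        return session.getAttribute(FORM_LOGIN_FLAG) != null
            || session.getAttribute(USER_ID_ATTR) != null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false);

        if (shouldBypassSso(req.getServletPath(), session)) {
            // Skipping SSO is NOT skipping authentication: pages downstream must
            // still require USER_ID_ATTR in the session or redirect to the form.
            chain.doFilter(request, response);
            return;
        }
        // Default route: let the SSO filter issue its NTLM/Kerberos challenge.
        ssoFilter.doFilter(request, response, chain);
    }

    /**
     * Handler for a "log in with a local account" link: marks the session so
     * the following requests are not challenged, then sends the browser to the form.
     */
    static void startFormLogin(HttpServletRequest req, HttpServletResponse res) throws IOException {
        req.getSession(true).setAttribute(FORM_LOGIN_FLAG, Boolean.TRUE);
        res.sendRedirect(req.getContextPath() + FORM_LOGIN_PATH);
    }
}
```

The form handler behind `/page/form-login` is expected to validate the credentials against the repository (where the non-SSO members of the authentication chain still apply), set `authenticatedUserId` on success and clear `formLoginRequested`. Keep the bypass limited to that one path plus the session flag; a filter that skips SSO on any unauthenticated request would turn every page into an unprotected one.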

open
Champ in-the-making
We have come across this issue ourselves.

Single sign-on works great for our internal users, but we can't figure out how to give access to external users.

Am I correct to assume that the combination of SSO and giving external users access to Share isn't possible at this time?

Thanks

shazada
Star Contributor
I see, so your complaint is that internal users can still log in using a web form with SSO enabled in Alfresco Explorer, but not in Share. I have logged a bug.

https://issues.alfresco.com/jira/browse/ALF-1923

You may be able to get around it by coding your own version of org.alfresco.web.site.servlet.NTLMAuthenticationFilter that resorts to calling redirectToLoginPage when NTLM authentication fails.

Yes, you're right. Explorer works fine, it's a bug in Share.

shazada
Star Contributor
But how can I change the NTLM auth filter?

Do you have any ideas? There is a login.jsp in the Share web application. I've tried to modify it, so that it would send the login params to the NTLM filter, but eventually I'll see an SSO login.

dward
Champ on-the-rise
It would involve understanding the Java class I just mentioned and modifying it.

jc-lgms
Champ in-the-making
Hello,
have you found a solution?
Thanks

juan
Champ in-the-making
The issue is closed, but it does not work for me… (3.4a)

Is there any workaround?