I'm trying to set up SSO for both Alfresco and Share, which are behind an F5 Big IP which is doing the authentication / session tracking etc. for a number of systems behind it. After trying quite a few different things, it seems that F5's idea of how forms-based SSO should work is subtly different to how it behaves in Share or Explorer, so it fails in some very odd ways. So, I think I need to do something with getting the F5 to inject some additional headers into the requests it proxies, and configure the Alfresco repo to use those to authenticate the user.

I've had several long reads through the SSO and Authentication Subsystem wiki pages, and I think that the External Authentication subsystem doesn't quite do what I need. As best as I can tell, that configures a "webscriptAuthenticationFilter", which only applies to /api/login within /alfresco/wcservice/* and /alfresco/wcs/* but not any other URLs. It seems to check the header, then disable auth for the login API call, which lets Share get a ticket, but not anything else.

I think what I want is a similar filter, except one that's registered as a "globalAuthenticationFilter" instead of "webscriptAuthenticationFilter", as that style of filter gets to intercept almost all the URLs. (It gets the faces ones, the wcservice ones, and several others; it's only /alfresco/service/ that it doesn't get.) Writing one of these was fairly easy, thanks to the abstract BaseSSOAuthenticationFilter class which can be used as a parent. I've got the filter registered, intercepting my requests, checking for the magic HTTP headers etc. The only thing left is for it to trigger a login where needed.

This is the bit I'm getting stuck on. I've tried calling various methods from org.alfresco.web.app.servlet.AuthenticationHelper, but none of them seem to be the right thing to convince the rest of the Alfresco webapp that I'm logged in, so I'm immediately sent to the faces login page.

Does anyone know what the trick is to correctly have the user programmatically logged into Explorer from the filter? I was expecting it to be something like

HttpSession session = request.getSession();
String ticket = ticketComponent.getCurrentTicket(ssoUsername, true);
AuthenticationUtil.setFullyAuthenticatedUser(ssoUsername);
AuthenticationHelper.setUser(context, request, ssoUsername, ticket, true);
AuthenticationHelper.setupThread(context, request, response, false);
createUserEnvironment(session, ssoUsername, ticket, true);

but that isn't doing the trick, and I'm still getting taken to the login page after.