
SSO with mod_auth_cas

matthias
Champ in-the-making
Hi all,

I successfully configured v3.2 with LDAP and multi-tenant support. Now I want to achieve SSO with mod_auth_cas as described in http://wiki.alfresco.com/wiki/SSO , but it doesn't work.

- I can login with user.name@tenantdomain.com and the user password
- I've configured Apache to proxy Tomcat via mod_jk and an AJP connector.
- In server.xml tomcatAuthentication="false" is set for the AJP connector (to use Apache's authentication).
- I've done the changes to web.xml as described in the wiki.

I still can't login ("You are not authorized to use Alfresco"). Do I need to configure something else? Rewrite Rules? Any hint on this?

Thanks in advance!
Matthias

matthias
Champ in-the-making
*bump*

Anyone?

matthias
Champ in-the-making
Is there no one who can help me? I'm really stuck on this.

matthias
Champ in-the-making
This seems not to resolve my issue.

I'm using mod_auth_cas, not CAS Server itself.

It seems that I don't get REMOTE_USER properly to HTTPRequestAuthenticationFilter. I've also set "JkEnvVar REMOTE_USER" in my VHost.

Can I debug this somehow?

dward
Champ on-the-rise
I recently set up mod_auth_cas (as opposed to mod_cas that was mentioned in the old Wiki) and found out that the header that it sends through is called "CAS-User". REMOTE_USER is a CGI environment variable, not a header. mod_jk actually maps this to request.getRemoteUser() if you turn off tomcat authentication in the JK connector. Hope this helps.

matthias
Champ in-the-making
It still doesn't work.

Can you confirm that the configuration on http://wiki.alfresco.com/wiki/SSO is still correct?

I tried to use "CAS-User" instead of "REMOTE_USER" as httpServletRequestAuthHeaderName, but no go. Tomcat authentication is off.

Is there anything else I can try?

dward
Champ on-the-rise
It works for me.

It's probably easier to go back to basics.

Try protecting the Tomcat /examples application with CAS. If you browse to the 'snoop' JSP example you should see a Remote User value. If you browse to the servlet headers example you should see CAS-User. If not, then check your CAS configuration.

matthias
Champ in-the-making
Ahh, thanks, dward!

The solution was:
1. The variable given to Tomcat is 'CAS-User' and not 'REMOTE_USER'.
2. Location /alfresco wasn't correctly protected by mod_auth_cas (thanks for the tip with the 'snoop' app!)

Now SSO for Alfresco works. Unfortunately not for Share. Does Share use another login configuration?
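For anyone reconstructing the working setup from the two points above, the following Apache virtual-host fragment is an added example written for this thread; it is not matthias's or dward's configuration and not the Alfresco wiki's. The CAS server URLs, the worker name and the file paths are placeholders; the directives themselves are standard mod_auth_cas and mod_jk directives. It assumes Tomcat's AJP connector in server.xml already carries tomcatAuthentication="false" (as described in the first post) and that Alfresco's web.xml filter is configured with httpServletRequestAuthHeaderName set to CAS-User (as found in the solution).

```apache
# Added example, not from the thread: Apache vhost protecting /alfresco with
# mod_auth_cas and handing the authenticated identity to Tomcat over mod_jk.
# All hostnames, paths and the worker name are placeholders.
LoadModule auth_cas_module modules/mod_auth_cas.so
LoadModule jk_module        modules/mod_jk.so

# mod_auth_cas: login redirect target and ticket validation endpoint
CASLoginURL    https://cas.example.com/cas/login
CASValidateURL https://cas.example.com/cas/serviceValidate
# directory must be writable by the httpd user; holds the session cookie cache
CASCookiePath  /var/cache/mod_auth_cas/

# mod_jk: worker definition file and the Alfresco/Share mounts
JkWorkersFile /etc/httpd/conf/workers.properties
JkMount /alfresco/* ajp13_worker
JkMount /share/*    ajp13_worker

# Forward REMOTE_USER as a request attribute as well. With
# tomcatAuthentication="false" on the AJP connector, the identity Apache
# asserts on the AJP link becomes request.getRemoteUser() in Tomcat.
JkEnvVar REMOTE_USER

# This Location must cover the Alfresco context, otherwise mod_auth_cas never
# runs and neither REMOTE_USER nor the CAS-User header reaches Tomcat
# (the second problem found in the solution post).
<Location /alfresco>
    AuthType CAS
    Require valid-user
</Location>
```

Two things worth checking once this is in place. First, with tomcatAuthentication="false" Tomcat accepts whatever identity arrives on the AJP connection, so the AJP port (8009 by default) should only be reachable from the Apache host, for example by binding it to 127.0.0.1 or firewalling it; otherwise the CAS login is bypassable by anyone who can open an AJP connection directly. Second, dward's 'snoop' test is the quickest way to confirm the Location block is actually matching: protect /examples the same way and verify that Remote User is populated before touching Alfresco again.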

dward
Champ on-the-rise
I'm working on that one. We'll need a new connector for Share that asserts the user identity to Alfresco. And the trouble is that this must be done in a secure way or otherwise anyone could hack in with &user=admin! I have an idea and will report back when I next get the chance.