
SSO with OpenAM

smcardle
Champ in-the-making
Hi All

I am using OpenAM as our authentication server and need to get Alfresco and Share community 4.0.d involved in the same architecture.

However, I am having serious issues here. Usually when OpenAM (previously OpenSSO) is configured to work with a web application we do the following:
1. add the OpenAM filter to the web.xml file
2. configure some policies on OpenAM for the protected resources on the Web Application being SSO'ed.
3. Add references to the login page, login error page and logout page.

When a protected resource is then requested in the application, the OpenAM filter will redirect the user to the OpenAM login page, the user logs in and then the application is able to use the HttpServletRequest to get the user principal and check isUserInRole().

However, it seems there is another way to do this with Alfresco and Share but I cannot understand how they would be able to redirect to the OpenAM application when I enter the URL http://<server>:<port>/share into the browser address bar. !!!!

Basically I never want to see the Share or Alfresco login pages. We always want our users ONLY in OpenAM and force Alfresco and Share to trust them as externally authenticated. Alfresco would then create a user of its own but the user record will be externally managed, i.e. passwords etc. are not managed by Alfresco.

From all the SSO options I can see in the Documentation this scenario does not seem to be covered.

There was an old integration for Alfresco with OpenSSO from sourcesence but this is not a good option in our case as it uses the concept of the OpenSSO AM properties file for the agent configuration instead of the remote server agent configuration.

So, the question is: can I configure Alfresco and Share so that they redirect to OpenAM and trust all authenticated users using out-of-the-box functionality and configuration, OR do I have to create my own SSOAuthentication Filter for Alfresco and Share that uses the OpenAM SDK to get them to participate in our SSO configuration?

If I have to do this, what is Share expecting to see in the way of cookies or headers such that it will not present its own login page?

I can't believe that nobody has already done this with Alfresco. OpenAM (OpenSSO) is a widely used and excellent AAA SSO Solution.

Regards

Steve
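To make concrete what "trust the user as externally authenticated" means at the servlet level (the getUserPrincipal()/isUserInRole() contract mentioned above), here is an added illustration; it is not code from this thread, from Alfresco or from OpenAM. It assumes an agent or reverse proxy sets the user and roles headers, and the header names and the trusted proxy address are placeholders. The security point it shows: an application that trusts an identity header must refuse that header from any source other than the agent, or anyone who can reach the application directly can impersonate any user.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not Alfresco/OpenAM code): trust an external SSO user header only
// when the request comes from the host that is allowed to set it.
public class TrustedHeaderAuthFilter implements Filter {
    // Assumed header names; the real names depend on the agent configuration.
    private static final String USER_HEADER = "X-SSO-User";
    private static final String ROLES_HEADER = "X-SSO-Roles";
    // Assumed address of the proxy/agent host that is allowed to assert identities.
    private static final Set<String> TRUSTED_PROXIES = new HashSet<>(Arrays.asList("10.0.0.5"));

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getHeader(USER_HEADER);
        // A caller that is not the agent could forge the header: refuse, never trust it.
        if (user != null && !TRUSTED_PROXIES.contains(http.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (user == null) {
            chain.doFilter(req, res); // no assertion: let the normal login handling run
            return;
        }
        String rolesHeader = http.getHeader(ROLES_HEADER);
        Set<String> roles = new HashSet<>();
        if (rolesHeader != null) {
            for (String r : rolesHeader.split(",")) roles.add(r.trim());
        }
        chain.doFilter(new AuthenticatedRequest(http, user, roles), res);
    }

    // Wrapper so downstream code sees getUserPrincipal()/isUserInRole() as after a container login.
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;
        AuthenticatedRequest(HttpServletRequest req, String name, Set<String> roles) {
            super(req);
            this.principal = () -> name; // Principal has a single abstract method, getName()
            this.roles = roles;
        }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

The filter would be mapped in web.xml ahead of the application's own authentication, and the same check (reject the header unless it arrives from the agent) applies whatever header name an external-authentication setup uses.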

Hi All,
With the steps defined I was able to come to a stage where the redirection to the OpenAM is happening. But as I am using a Realm which is not the root realm I am not able to get authentication from the OpenAM.

I have posted the same in http://stackoverflow.com/questions/29142520/alfresco-openam-integration-needed-with-a-realm-in-login... to get some help.


As I have posted there too, the properties changed are in OpenSSOAgentBootstrap.properties to reflect the realm

com.sun.identity.agents.config.organization.name = /LdapRealm

and the OpenSSOAgentConfiguration.properties are changed as below

com.sun.identity.agents.config.login.url[0]=http://verify.organisation.com:8080/OpenAM/XUI/#login/&realm=LdapRealm

Somehow I am not able to get the realm working.

There is one more thing which I am doing: I am using mail to log in to Alfresco. I was successfully able to log in to Alfresco using mail. I used the following steps in the link.

http://serverfault.com/questions/646674/how-do-i-solve-the-alfresco-ldap-login-by-e-mail-address-qua...

but now as I have to use OpenAM I want the same login which worked for LDAP to work with OpenAM.
I have removed the LDAP from the authentication chain now and am using external authentication only, which points to OpenAM.

Any comments or suggestion please post so that I can give a try.

ranajitjana
Champ in-the-making
(Context: using root realm, used cn (username for login), OpenAM version 12, Alfresco version 5.)
In the browser the flow and redirection are happening fine, but at the place where it should log in to Alfresco it starts the cycle again. It is some kind of flicker on the Firebug console. It is very difficult to even track what is going on. I removed the network to take the screen shot.

Also I could not find the header named SsoUserHeader anywhere in the headers being passed. Please see below the headers being passed.

—————————-
Accept   application/json, text/javascript, */*; q=0.01
Accept-API-Version   protocol=1.0,resource=2.0
Accept-Encoding   gzip, deflate
Accept-Language   en-US,en;q=0.5
Content-Length   53
Content-Type   application/json; charset=UTF-8
Cookie   JSESSIONID=BBCD1AD7F778A6E5CA2B48ACD4D38CAF; amlbcookie=01;
JSESSIONID=(J2EE26129600)ID0180140050DB31af28211fddf2f4cabc77de540f8bfeb9c9be30End; MYSAPSSO2=; iPlanetDirectoryPro=AQIC5wM2LY4SfcyIdcTshFt34Lc_s1cQqlvv0vl4legIVoo.*AAJTSQACMDEAAlNLABQtNzA4MzE0MTQ1NjY3MDg1ODQ5MA..*
Host   verify.abcro.com:8080
Referer   http://verify.abcro.com:8080/OpenAM/XUI/
User-Agent   Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
X-Requested-With   XMLHttpRequest
————————-

Help if you have any idea.

The last URL in the screenshot is actually not red but black, but I had to stop the network to take the screenshot, thus the colour changed.


The post tab is as below:

{"goto":"http://alfresco.abcro.com:8080/share/page/"}