
External Authentication (Alfresco 5.2 enterprise) with SSO not work for http header shows simple auth dialog

g_rathod
Star Contributor

We configured SSO based authentication with header set and we are facing one issue,  while hitting 

even with http://hostname:8080/share  it shows (gives) me popup asking for credentials (simple authentication dialog)

I twice checked the configuration as per docs.alfresco.com (we are using Alfresco 5.2)

http://docs.alfresco.com/5.2/tasks/auth-alfrescoexternal-sso.html 

How do I successfully get to the login page at least when providing the port (consider I am not using the LB URL for SiteMinder auth)? Even with the port it asks for this simple authentication, then if I cancel, it redirects me to the Share login page.

Here is my share-config-custom

<config evaluator="string-compare" condition="Remote">
<remote>

<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>

<!--
<ssl-config>
<keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
<keystore-type>pkcs12</keystore-type>
<keystore-password>alfresco-system</keystore-password>

<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
<truststore-type>JCEKS</truststore-type>
<truststore-password>kT9X6oe68t</truststore-password>

<verify-hostname>true</verify-hostname>
</ssl-config>
-->
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>

<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>SM_USER</userHeader>
</connector>

<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
<!--
<endpoint>
<id>alfresco-feed</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Feed</name>
<description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint> -->

<endpoint>
<id>alfresco-api</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Public API - user access</name>
<description>Access to Alfresco Repository Public API that require user authentication.
This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
-->
</remote>
</config>

==============================

What is wrong here ?

1 ACCEPTED ANSWER

g_rathod
Star Contributor

I contacted alfresco support and it is official bug.

https://issues.alfresco.com/jira/browse/MNT-17858


10 REPLIES

g_rathod
Star Contributor

One thing I observed is that up until 5.1.x they are using a different filter, and from Alfresco 5.2 they use a different filter.

For 5.1.x (share/WEB-INF/web.xml) the filter they used is

<filter>
<description>Share SSO authentication support filter.</description>
<filter-name>Authentication Filter</filter-name>
<filter-class>org.alfresco.web.site.servlet.SSOAuthenticationFilter</filter-class>
<init-param>
<param-name>endpoint</param-name>
<param-value>alfresco</param-value>
</init-param>
</filter>

while the 5.2 filter (share/WEB-INF/web.xml) uses

<filter>
<description>Share SSO authentication support filter.</description>
<filter-name>Authentication Filter</filter-name>
<filter-class>org.springframework.extensions.webscripts.servlet.BeanProxyFilter</filter-class>
<init-param>
<param-name>beanName</param-name>
<param-value>SSOAuthenticationFilter</param-value>
</init-param>
</filter>

idwright
Star Collaborator

I haven't fully got to grips with 5.2 yet but I do notice that you are missing the noauth endpoint

I can't quite read your XML due to the formatting so I'm not sure if your api endpoint is enabled - it needs to be.

You could try this for reference: alfresco-cas/share-config-custom.xml at ACE-5661 · wrighting/alfresco-cas · GitHub (but note the maven properties for replacement)

Dear Ian Wright,

I already tried setting up endpoints.

Here is my share-config-custom.xml (still it is not working)

=============================================

Also find my chain declaration in alfresco-global.properties

##External authentication
##################################################
authentication.chain=external1:external,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=SM_USER

And share-config-custom.xml looks like below:

Tried various combinations; instead of /wcs I tried /s

 <!-- External Authentication configuration -->
   <config evaluator="string-compare" condition="Remote">
      <remote>
          <!--
         <ssl-config>
            <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
            <keystore-type>pkcs12</keystore-type>
            <keystore-password>alfresco-system</keystore-password>

            <truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
            <truststore-type>JCEKS</truststore-type>
            <truststore-password>password</truststore-password>

            <verify-hostname>false</verify-hostname>
         </ssl-config> -->


                
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SM_USER</userHeader>
         </connector>
          
            <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>none</identity>
         </endpoint>
          
           <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
        
         <endpoint>
            <id>alfresco-feed</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
        
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication.
                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

Help appreciated, as I have been struggling for the last 4 days. Didn't get any resolution on this.
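
The points raised in the replies above (the `alfresco-noauth` and `alfresco-api` endpoints must be enabled, and the connector's `userHeader` has to agree with `external.authentication.proxyHeader`) can be checked mechanically. This is an added example, not code from the thread or from Alfresco; `audit` and `parse_props` are hypothetical helper names, and the sample inputs are constructed, reduced from the configuration quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the configuration quoted in the thread.
SHARE_CONFIG = """<config evaluator="string-compare" condition="Remote">
  <remote>
    <connector><id>alfrescoHeader</id><userHeader>SM_USER</userHeader></connector>
    <endpoint><id>alfresco-noauth</id><connector-id>alfresco</connector-id>
      <identity>none</identity></endpoint>
    <endpoint><id>alfresco</id><connector-id>alfrescoHeader</connector-id>
      <identity>user</identity><external-auth>true</external-auth></endpoint>
    <!-- <endpoint><id>alfresco-api</id><connector-id>alfrescoHeader</connector-id>
      <external-auth>true</external-auth></endpoint> -->
  </remote>
</config>"""
GLOBAL_PROPS = """external.authentication.enabled=true
external.authentication.proxyHeader=SM_USER
"""

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(share_xml, props_text, required=("alfresco-noauth", "alfresco", "alfresco-api")):
    """Return a list of findings; commented-out XML is invisible to the parser."""
    remote = ET.fromstring(share_xml).find("remote")
    props = parse_props(props_text)
    headers = {c.findtext("id"): c.findtext("userHeader") for c in remote.findall("connector")}
    endpoints = {e.findtext("id"): e for e in remote.findall("endpoint")}
    findings = [f"endpoint '{i}' is missing or commented out" for i in required if i not in endpoints]
    for eid, ep in endpoints.items():
        cid = ep.findtext("connector-id")
        ext = (ep.findtext("external-auth") or "").strip().lower() == "true"
        if cid not in headers:
            # Only resolves if the connector is defined in another config file.
            findings.append(f"endpoint '{eid}': connector '{cid}' is not defined in this file")
        elif ext and not headers[cid]:
            findings.append(f"endpoint '{eid}': external-auth set but connector '{cid}' has no userHeader")
        elif ext and headers[cid] != props.get("external.authentication.proxyHeader"):
            findings.append(f"endpoint '{eid}': userHeader '{headers[cid]}' differs from proxyHeader")
    return findings

if __name__ == "__main__":
    for finding in audit(SHARE_CONFIG, GLOBAL_PROPS):
        print(finding)
```

A "not defined in this file" finding is informational: it flags a connector id that has to be supplied by some other configuration file for the endpoint to work.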

g_rathod
Star Contributor

Strange thing I observed is that even with host:8080/share (where no web server or SSO comes into the picture) it is still asking for the basic authentication popup before the Share login page.

Ideally it should give me the Share login page directly.

So it seems to be an Alfresco 5.2 BUG

idwright
Star Collaborator

I'm assuming that you're running the latest CE - there is a bug logged and fixed against an earlier version for this behaviour [ACE-5661] External authentication Problem with CAS - Alfresco JIRA 

Hi Ian Wright,

we are using Alfresco version alfresco-content-services-installer-5.2.0-linux-x64.bin

And the link you shared also says the fixed version is 5.2, so I am confused. If there is any minor new version introduced with fixes, then let us know.

idwright
Star Collaborator

I'm community edition only so can't help there I'm afraid.

You should be able to search JIRA to see which tags apply to that bug

g_rathod
Star Contributor

I contacted alfresco support and it is official bug.

https://issues.alfresco.com/jira/browse/MNT-17858

cesarista
World-Class Innovator

Hi, did you find any workaround?

I can reproduce this in Alfresco 5.1.2 and Alfresco 5.2.1 but in jira it is flagged as not a bug.

But the behaviour is different with Alfresco 5.0.3.

Regards.

--C.