External Authentication using Shibboleth

criedlberger
Champ on-the-rise
Hi there, we are having an issue using header-based external authentication with Shibboleth in Alfresco 5.2. User passwords are being corrupted and users cannot log in even after we change the password. After disabling external authentication in the authentication chain, everything starts to work again. I have included the following setup for the files we are using in Alfresco, Apache and Shibboleth:

alfresco-global.properties:
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.defaultAdministratorUserNames=admin
apache conf:
<VirtualHost *:80>
#DocumentRoot '/home/alfresco/apps/httpd-2.2.17/htdocs'
ServerName https://ourserver.com
UseCanonicalName On
#ErrorLog '/home/alfresco/apps/httpd-2.2.17/logs/error_log'
#TransferLog '/home/alfresco/apps/httpd-2.2.17/logs/access_log'
#Remove header to close hole to access Alfresco with arbitrary user
RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off
RewriteEngine On
# Ignore Shibboleth
ProxyPass /Shibboleth.sso !
# Alfresco Surfconext
ProxyPass /surfconext ajp://alfresco:8009/alfresco/s/board/api/auth
#ProxyPassReverse /surfconext http://192.168.65.2:3001/
ProxyPass / http://exam-board-svc
ProxyPassReverse / http://exam-board-svc
</VirtualHost>
shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<ApplicationDefaults entityID="https://ourserver.com/Shibboleth"
REMOTE_USER="Shib-eduPersonPN Shib-eduPersonPrincipalName persistent-id targeted-id">
<Sessions lifetime="30" timeout="30" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="https" maxTimeSinceAuthn="60">
<SSO entityID="https://engine.surfconext.nl/authentication/idp/metadata" forceAuthn="true">SAML2</SSO>
<Logout>SAML2 Local</Logout>
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<Handler type="Status" Location="/Status"/>
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="out.email@ourserver.com" logoLocation="https://www.ourserver.com/gfx/logo.png" styleSheet="/shibboleth-sp/main.css"/>
<MetadataProvider type="XML" url="https://metadata.surfconext.nl/idp-metadata.xml" backingFilePath="metadata-surfconext.xml" reloadInterval="3600000">
<MetadataFilter type="Signature" certificate="/etc/shibboleth/surfconext.pem"/>
</MetadataProvider>
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="shib.key" certificate="shib.crt"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Does anyone know how External Authorization might be causing this issue?

Thanks


openpj
Elite Collaborator

External authentication in the default installation of Alfresco is implemented only using HTTP Header federation.

Looking at your Shibboleth configuration I see only SAML2 and XML that are both not supported by Alfresco. SAML2 is supported only if you install the dedicated plugin or if you use the Alfresco Identity Server (Keycloak).

Your apache conf seems wrong:

RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off

it should be:

RequestHeader unset X-Alfresco-Remote-User
ProxyRequests Off

Maybe this could be a problem.
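The proxy line openpj points at is worth checking mechanically, because a fused `RequestHeader unset` directive silently leaves the trusted header in place. The following is an added example (not code from this thread, from Alfresco or from Apache): it parses the `RequestHeader unset` and `ProxyRequests` directives of a VirtualHost and reports which client-supplied headers would still be forwarded upstream. The VirtualHost text and the client headers are constructed for the example, and only mod_headers' `unset` semantics are modelled; how Shibboleth populates the header from its session is outside its scope.

```python
# Added example: audit an Apache VirtualHost for the X-Alfresco-Remote-User hole.
HEADER = "X-Alfresco-Remote-User"

# Constructed sample: the fused line from the post, and the corrected version.
BROKEN_CONF = """<VirtualHost *:80>
ServerName https://ourserver.com
# Remove header to close hole to access Alfresco with arbitrary user
RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off
ProxyPass /Shibboleth.sso !
ProxyPass / http://exam-board-svc
</VirtualHost>"""
FIXED_CONF = BROKEN_CONF.replace(
    "RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off",
    "RequestHeader unset X-Alfresco-Remote-User\nProxyRequests Off")
# Constructed client request that tries to choose its own Alfresco user.
CLIENT_HEADERS = {"Host": "ourserver.com", "X-Alfresco-Remote-User": "admin"}

def parse_directives(conf):
    """Return (name, args) per directive line; comments and section tags are skipped."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            name, *args = line.split()
            out.append((name.lower(), args))
    return out

def unset_headers(conf):
    """Lower-cased header names removed by 'RequestHeader unset' directives."""
    return [a[1].lower() for n, a in parse_directives(conf)
            if n == "requestheader" and len(a) >= 2 and a[0].lower() == "unset"]

def forwarded_headers(conf, client_headers):
    """Headers the proxy would pass upstream after applying the unset directives."""
    headers = {k.lower(): v for k, v in client_headers.items()}
    for name in unset_headers(conf):
        headers.pop(name, None)
    return headers

def audit(conf, header=HEADER):
    """Findings about the proxy config; an empty list means the header is stripped."""
    findings, removed = [], unset_headers(conf)
    if header.lower() not in removed:
        findings.append(f"no standalone 'RequestHeader unset {header}' directive")
        for n in removed:  # same prefix but longer: the classic two-lines-merged error
            if n.startswith(header.lower()):
                findings.append(f"'RequestHeader unset {n}' looks like two merged lines")
    if not any(n == "proxyrequests" and a and a[0].lower() == "off"
               for n, a in parse_directives(conf)):
        findings.append("ProxyRequests Off is missing (forward proxying not disabled)")
    return findings
```

With the broken config the audit reports three findings and the spoofed header survives; with the corrected one it reports none and only `Host` is forwarded.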

I am not sure why you say it doesn't support SAML 2.0 when the documentation directly contradicts this: https://docs.alfresco.com/saml/concepts/saml-prereqs.html

Maybe I am misunderstanding; could you maybe explain a little more? Also, the issue with the Apache conf was just a copy-and-paste error, sorry about that.

mjw
Champ on-the-rise

The documentation you link to mentions that you have to install this separately. I guess that's what @openpj was referring to as the "dedicated plugin", which seems to be available to paying customers only.

My understanding would be that the preferred way for SAML SSO would be to use the Identity Services (Keycloak) as the glue between ACS/APS and Shibboleth. But it's basically a guess, so do your own research.