Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

External Authentication (Alfresco 5.2enterprise)with SSO not work for http header shows simple auth dialog

Go to answer
g_rathod
Star Contributor
Star Contributor

‎04-21-2017 10:06 AM

We configured SSO based authentication with header set and we are facing one issue,  while hitting 

even with http://hostname:8080/share  it shows (gives) me popup asking for credentials (simple authentication dialog)

I twice checked configuration as per the docs.alfresco.com  ( we are using alfresco 5.2 )

http://docs.alfresco.com/5.2/tasks/auth-alfrescoexternal-sso.html 

How do I successfully get into login page atleast with providing port  ( consider I am not using LB URL for siteminder auth) even with port it ask for this simple authentication then if I do cancel , it redirect me to share login page.

Here is my share-config-custom

<config evaluator="string-compare" condition="Remote">
<remote>

<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>

<!--
<ssl-config>
<keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
<keystore-type>pkcs12</keystore-type>
<keystore-password>alfresco-system</keystore-password>

<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
<truststore-type>JCEKS</truststore-type>
<truststore-password>kT9X6oe68t</truststore-password>

<verify-hostname>true</verify-hostname>
</ssl-config>
-->
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>

<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>SM_USER</userHeader>
</connector>

<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
<!--
<endpoint>
<id>alfresco-feed</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Feed</name>
<description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint> -->

<endpoint>
<id>alfresco-api</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Public API - user access</name>
<description>Access to Alfresco Repository Public API that require user authentication.
This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
-->
</remote>
</config>

==============================

What is wrong here ?

Labels:
0 Kudos
1 ACCEPTED ANSWER

Go to answer
g_rathod
Star Contributor
Star Contributor

‎05-11-2017 03:14 AM

I contacted alfresco support and it is official bug.

https://issues.alfresco.com/jira/browse/MNT-17858

View answer in original post

0 Kudos
10 REPLIES 10

Go to answer
g_rathod
Star Contributor
Star Contributor

‎05-02-2017 07:13 AM

one thing I observed that, uptil 5.1.x they are using different filter and from alfresco 5.2 they use different filter

for 5.1.x  (share/WEB-INF/web.xml) filter they used

<filter>
<description>Share SSO authentication support filter.</description>
<filter-name>Authentication Filter</filter-name>
<filter-class>org.alfresco.web.site.servlet.SSOAuthenticationFilter</filter-class>
<init-param>
<param-name>endpoint</param-name>
<param-value>alfresco</param-value>
</init-param>
</filter>

while  5.2 filter (share/WEB-INF/web.xml) uses

<filter>
<description>Share SSO authentication support filter.</description>
<filter-name>Authentication Filter</filter-name>
<filter-class>org.springframework.extensions.webscripts.servlet.BeanProxyFilter</filter-class>
<init-param>
<param-name>beanName</param-name>
<param-value>SSOAuthenticationFilter</param-value>
</init-param>
</filter>
0 Kudos

Go to answer
idwright
Star Collaborator
Star Collaborator

‎05-02-2017 10:12 AM

I haven't fully got to grips with 5.2 yet but I do notice that you are missing the noauth endpoint

I can't quite read your XML due to the formatting so I'm not sure if your api endpoint is enabled - it needs to be.

You could try this for reference: alfresco-cas/share-config-custom.xml at ACE-5661 · wrighting/alfresco-cas · GitHub (but note the maven properties for replacement)

0 Kudos

Go to answer
g_rathod
Star Contributor
Star Contributor
In response to idwright

‎05-03-2017 01:39 AM

Dear Ian Wright,

I already tried setting up endpoints.

Here is my share-config-custom.xml   ( Still it is not working)

=============================================

Also find my chain declaration in alfresco-global.properties

##External authentication
##################################################
authentication.chain=external1:external,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=SM_USER

And   share-config-custom.xml   looks like below  ::

tried various combinations instead  /wcs  I tried  /s

 <!-- External Authentication configuration -->
   <config evaluator="string-compare" condition="Remote">
      <remote>
          <!--
         <ssl-config>
            <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
            <keystore-type>pkcs12</keystore-type>
            <keystore-password>alfresco-system</keystore-password>

            <truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
            <truststore-type>JCEKS</truststore-type>
            <truststore-password>password</truststore-password>

            <verify-hostname>false</verify-hostname>
         </ssl-config> -->

                 
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SM_USER</userHeader>
         </connector>
           
            <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>none</identity>
         </endpoint>
           
           <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         
         <endpoint>
            <id>alfresco-feed</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description> 
            <connector-id>alfrescoHeader</connector-id> 
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication.
                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Help appreciated,  as  struggling since last 4 days. Didn't get any resolution on this.

0 Kudos

Go to answer
g_rathod
Star Contributor
Star Contributor

‎05-03-2017 05:57 AM

Strange thing I observed is even with  host:8080/share  (where there is no web server or SSO come into picture) still it is asking for basic authentication popup before share login page.

Ideally it should give me direct share login page. 

so seems  Alfresco 5.2 BUG

0 Kudos

Go to answer
idwright
Star Collaborator
Star Collaborator
In response to g_rathod

‎05-03-2017 06:15 AM

I'm assuming that you're running the latest CE - there is a bug logged and fixed against an earlier version for this behaviour [ACE-5661] External authentication Problem with CAS - Alfresco JIRA 

0 Kudos

Go to answer
g_rathod
Star Contributor
Star Contributor
In response to idwright

‎05-03-2017 06:28 AM

Hi Ian wright,

we are using  alfresco version    alfresco-content-services-installer-5.2.0-linux-x64.bin

And link you shared also told about fixed version is 5.2  so confused , is there any minor new version introduced then let us know with fixes.

0 Kudos

Go to answer
idwright
Star Collaborator
Star Collaborator
In response to g_rathod

‎05-03-2017 06:31 AM

I'm community edition only so can't help there I'm afraid.

You should be able to search JIRA to see which tags apply to that bug

0 Kudos

Go to answer
g_rathod
Star Contributor
Star Contributor

‎05-11-2017 03:14 AM

I contacted alfresco support and it is official bug.

https://issues.alfresco.com/jira/browse/MNT-17858

0 Kudos

Go to answer
cesarista
World-Class Innovator
World-Class Innovator

‎10-19-2017 01:58 PM

Hi, did you find any walkaround ?

I can reproduce this in Alfresco 5.1.2 and Alfresco 5.2.1 but in jira it is flagged as not a bug.

But the behaviour is different with Alfresco 5.0.3.

Regards.

--C.

0 Kudos
Getting started

Explore our Alfresco products with the links below. Use labels to filter content by product module.

Copyright © 2024 Khoros, LLC