External Authentication (Alfresco 5.2enterprise)with SSO not work for http header shows simple auth dialog

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Active Member II

External Authentication (Alfresco 5.2enterprise)with SSO not work for http header shows simple auth dialog

We configured SSO based authentication with header set and we are facing one issue,  while hitting 

even with http://hostname:8080/share  it shows (gives) me popup asking for credentials (simple authentication dialog)

I twice checked configuration as per the docs.alfresco.com  ( we are using alfresco 5.2 )

http://docs.alfresco.com/5.2/tasks/auth-alfrescoexternal-sso.html 

How do I successfully get into login page atleast with providing port  ( consider I am not using LB URL for siteminder auth) even with port it ask for this simple authentication then if I do cancel , it redirect me to share login page.

Here is my share-config-custom

<config evaluator="string-compare" condition="Remote">
<remote>

<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>

<!--
<ssl-config>
<keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
<keystore-type>pkcs12</keystore-type>
<keystore-password>alfresco-system</keystore-password>

<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
<truststore-type>JCEKS</truststore-type>
<truststore-password>kT9X6oe68t</truststore-password>

<verify-hostname>true</verify-hostname>
</ssl-config>
-->
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>

<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>SM_USER</userHeader>
</connector>

<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
<!--
<endpoint>
<id>alfresco-feed</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Feed</name>
<description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint> -->

<endpoint>
<id>alfresco-api</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Public API - user access</name>
<description>Access to Alfresco Repository Public API that require user authentication.
This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
-->
</remote>
</config>

==============================

What is wrong here ?

10 Replies
Highlighted
Active Member II

Re: External Authentication with SSO not work for http header shows simple auth dialog

one thing I observed that, uptil 5.1.x they are using different filter and from alfresco 5.2 they use different filter

for 5.1.x  (share/WEB-INF/web.xml) filter they used

<filter>
<description>Share SSO authentication support filter.</description>
<filter-name>Authentication Filter</filter-name>
<filter-class>org.alfresco.web.site.servlet.SSOAuthenticationFilter</filter-class>
<init-param>
<param-name>endpoint</param-name>
<param-value>alfresco</param-value>
</init-param>
</filter>

while  5.2 filter (share/WEB-INF/web.xml) uses

<filter>
<description>Share SSO authentication support filter.</description>
<filter-name>Authentication Filter</filter-name>
<filter-class>org.springframework.extensions.webscripts.servlet.BeanProxyFilter</filter-class>
<init-param>
<param-name>beanName</param-name>
<param-value>SSOAuthenticationFilter</param-value>
</init-param>
</filter>
Highlighted
Senior Member

Re: External Authentication with SSO not work for http header shows simple auth dialog

I haven't fully got to grips with 5.2 yet but I do notice that you are missing the noauth endpoint

I can't quite read your XML due to the formatting so I'm not sure if your api endpoint is enabled - it needs to be.

You could try this for reference: alfresco-cas/share-config-custom.xml at ACE-5661 · wrighting/alfresco-cas · GitHub (but note the maven properties for replacement)

Highlighted
Active Member II

Re: External Authentication with SSO not work for http header shows simple auth dialog

Dear Ian Wright,

I already tried setting up endpoints.

Here is my share-config-custom.xml   ( Still it is not working)

=============================================

Also find my chain declaration in alfresco-global.properties

##External authentication
##################################################
authentication.chain=external1:external,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=SM_USER

And   share-config-custom.xml   looks like below  ::

tried various combinations instead  /wcs  I tried  /s

 <!-- External Authentication configuration -->
   <config evaluator="string-compare" condition="Remote">
      <remote>
          <!--
         <ssl-config>
            <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
            <keystore-type>pkcs12</keystore-type>
            <keystore-password>alfresco-system</keystore-password>

            <truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
            <truststore-type>JCEKS</truststore-type>
            <truststore-password>password</truststore-password>

            <verify-hostname>false</verify-hostname>
         </ssl-config> -->


                
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SM_USER</userHeader>
         </connector>
          
            <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>none</identity>
         </endpoint>
          
           <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
        
         <endpoint>
            <id>alfresco-feed</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
        
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication.
                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Help appreciated,  as  struggling since last 4 days. Didn't get any resolution on this.

Highlighted
Active Member II

Re: External Authentication with SSO not work for http header shows simple auth dialog

Strange thing I observed is even with  host:8080/share  (where there is no web server or SSO come into picture) still it is asking for basic authentication popup before share login page.

Ideally it should give me direct share login page. 

so seems  Alfresco 5.2 BUG

Highlighted
Senior Member

Re: External Authentication with SSO not work for http header shows simple auth dialog

I'm assuming that you're running the latest CE - there is a bug logged and fixed against an earlier version for this behaviour [ACE-5661] External authentication Problem with CAS - Alfresco JIRA 

Highlighted
Active Member II

Re: External Authentication with SSO not work for http header shows simple auth dialog

Hi Ian wright,

we are using  alfresco version    alfresco-content-services-installer-5.2.0-linux-x64.bin

And link you shared also told about fixed version is 5.2  so confused , is there any minor new version introduced then let us know with fixes.

Highlighted
Senior Member

Re: External Authentication with SSO not work for http header shows simple auth dialog

I'm community edition only so can't help there I'm afraid.

You should be able to search JIRA to see which tags apply to that bug

Highlighted
Active Member II

Re: External Authentication (Alfresco 5.2enterprise)with SSO not work for http header shows simple auth dialog

I contacted alfresco support and it is official bug.

https://issues.alfresco.com/jira/browse/MNT-17858

Highlighted
Advanced

Re: External Authentication (Alfresco 5.2enterprise)with SSO not work for http header shows simple auth dialog

Hi, did you find any walkaround ?

I can reproduce this in Alfresco 5.1.2 and Alfresco 5.2.1 but in jira it is flagged as not a bug.

But the behaviour is different with Alfresco 5.0.3.

Regards.

--C.