External Authentication using Shibboleth

cancel
Showing results for 
Search instead for 
Did you mean: 
criedlberger
Active Member

External Authentication using Shibboleth

Hi there, we are having an issue using header based external authentication using shibboleth in Alfresco 5.2. User passwords are being corrupted and cannot login even after we change the password. After disabling external authentication in the authentication chain everything starts to work again. I have included the following setup for the files we are using in alfresco, apache and shibboleth:

alfresco-global.properties:
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.defaultAdministratorUserNames=admin
 apache conf:
<VirtualHost *:80>#DocumentRoot '/home/alfresco/apps/httpd-2.2.17/htdocs'
ServerName https://ourserver.com
UseCanonicalName On
#ErrorLog '/home/alfresco/apps/httpd-2.2.17/logs/error_log'
#TransferLog '/home/alfresco/apps/httpd-2.2.17/logs/access_log'#Remove header to close hole to access Alfresco with arbitrary user
RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off
RewriteEngine On# Ignore Shibboleth
ProxyPass /Shibboleth.sso !# Alfresco Surfconext
ProxyPass /surfconext ajp://alfresco:8009/alfresco/s/board/api/auth
#ProxyPassReverse /surfconext http://192.168.65.2:3001/ProxyPass / http://exam-board-svc
ProxyPassReverse / http://exam-board-svc</VirtualHost>
shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180"> <ApplicationDefaults entityID="https://ourserver.com/Shibboleth"
REMOTE_USER="Shib-eduPersonPN Shib-eduPersonPrincipalName persistent-id targeted-id">
<Sessions lifetime="30" timeout="30" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="https" maxTimeSinceAuthn="60">
<SSO entityID="https://engine.surfconext.nl/authentication/idp/metadata" forceAuthn="true">SAML2</SSO>
<Logout>SAML2 Local</Logout>
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<Handler type="Status" Location="/Status"/>
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="out.email@ourserver.com" logoLocation="https://www.ourserver.com/gfx/logo.png" styleSheet="/shibboleth-sp/main.css"/>
<MetadataProvider type="XML" url="https://metadata.surfconext.nl/idp-metadata.xml" backingFilePath="metadata-surfconext.xml" reloadInterval="3600000">
<MetadataFilter type="Signature" certificate="/etc/shibboleth/surfconext.pem"/>
</MetadataProvider>
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="shib.key" certificate="shib.crt"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Does anyone know how External Authorization might be causing this issue.

Thanks

 

 

3 Replies
openpj
Moderator
Moderator

Re: External Authentication using Shibboleth

External authentication in the default installation of Alfresco is implemented only using HTTP Header federation.

Looking at your Shibboleth configuration I see only SAML2 and XML that are both not supported by Alfresco. SAML2 is supported only if you install the dedicated plugin or if you use the Alfresco Identity Server (Keycloak).

Your apache conf seems wrong:

RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off

it should be:

RequestHeader unset X-Alfresco-Remote-User
ProxyRequests Off

Maybe this could be a problem.

criedlberger
Active Member

Re: External Authentication using Shibboleth

I am not sure why you say it doesn't support SAML 2.0 when the documentation directly contradicts this: https://docs.alfresco.com/saml/concepts/saml-prereqs.html

Maybe I am misunderstanding, could you maybe explain a little more, also the issue with the apache conf was just a copy and paste error, sorry about that.

 

mjw
Customer

Re: External Authentication using Shibboleth

The documentation you link to mentions, that you have to install this separatly. I guess that's what @openpj was refering to as the "dedicated plugin" which seems to be available to paying customers only.

My understanding would be that the prefered way for SAML SSO would be to use the Identity Services (Keycloak) as the glue between ACS/APS and Shibboleth. But it's basically a guess, so do your own research. Smiley Wink