The official documentation is at: http://docs.alfresco.com
AuthenticationSingle Sign On
Please Note: This article describes configuration methods now outdated in the Alfresco version 3.2 release. For a more up to date description, refer to Alfresco With mod_auth_cas.
This article is a not very good translation of an article found in the French version of this wiki. I do not speak French so the translation might not be perfect. I didn't found any better documentation than this one about using CAS with Alfresco so I decided to translate it as well as I could.
Central Authentication Service ( from now on CAS ) is a Single Sign On service providing system.
This document describes how to modify Alfresco in order for it to work with CAS.
Alfresco uses Acegi for the authentication and authorisation. Acegi is supposed to provide ways to authenticate with CAS but I've not been able to achieve so.
Tomcat with SSL
Check this doc : http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
JVM and CAS
In order for the CAS client to work it is mandatory that the JVM knows the certificate that the CAS Server uses to establish the SSL connection.
That's neccessary in order to validate the ticket shared among the server and the client. To add the servers certificate use JVM's keytool command:
# export of the certificat from the CAS tomcat server to the file CAS.bin.export
keytool -export -keystore /where/is/the/file.keystore -alias my_alias -storepass serverks -file CAS.bin.export
# import the certificat from the file CAS.bin.export to the Alfresco's JVM
# default password for the keystore is : changeit
keytool -import -alias my_alias -file CAS.bin.export -keystore $JAVA_HOME/jre/lib/security/cacerts
Using CAS Client in Alfresco
Download Yale's implementation of the Java client here and place casclient.jar file in tomcat/shared/lib/.
Modifications of Alfresco
web.xml file allows to define a set of filters that would be applied to authentication.
- get the example file for web.xml
- Backup the original web.xml
- place the file in tomcat/webapps/alfresco/WEB-INF
- modify the URLs for Authentication Filter filter, this URLs should point to your CAS Server (and must be equal to the domain name exposed in the certificate)
Let's add a redirection (response.sendRedirect) in order to go to CAS Server's logout page when leaving CAS. This a first step in order to add Single Sign Off capabilities.
We need to edit tomcat/webapps/alfresco/jsp/relogin.jsp and add this :
// logout CAS
here (around line 38 ):
The file CasAuthenticationFilter.java is a new filter based on NovellIChainsHTTPRequestAuthenticationFilter.java. We also need to replace Alfresco's BaseServlet class in order to change the value of ARG_TICKET. ARG_TICKET collides with the variable ticket that CAS uses. So, in order to solve the problem, we change the value of ARG_TICKET. That is a nasty solution and implies to manage to recompile the BaseServlet Class by hand for each different Alfresco version you use Â¿ Is there a better solution ?
- get this java files :
- place this files into Alfrescos source directory, wherever they should go
- compile them
- copy the generate .class files in tomcat/webapps/alfresco/WEB-INF/classes/org/alfresco/web/app/servlet
As the authentication is done by CAS as well as by Alfresco, we will tell Alfresco to allow everyone. We can achieve this by simply adding a file called cas-context.xml in tomcat/shared/classes/alfresco/extension/ with this content:
<bean id='authenticationComponent' class='org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl'>
Main reference for this article