SSO/External Authentication still broken in 201611EA?

cancel
Showing results for 
Search instead for 
Did you mean: 
davidd2go
Active Member

SSO/External Authentication still broken in 201611EA?

Hi

I tried to get SSO (with CAS) working on version 201611EA. According to the release notes earlier problems as reported by  in this bug should have been solved in the 201611EA release.

However I still see problems for which I filed a new bug-report here.

Since the details are described there I won't repeat them in this post.

Did anyone succeed in getting this to work on 201611EA or any other release after 5.1.f?

Regards,

David

12 Replies
idwright
Senior Member

Re: SSO/External Authentication still broken in 201611EA?

I have CAS authentication working with repo/share version 5.1.g and can confirm that I'm seeing the same thing with 5.2.b-EA/5.2.c-EA

with the same code GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS singl...

I haven't yet made any effort to diagnose this.(I recently changed my approach to this problem so may try the old approach to see what happens)

(Something seems to change in this area with every release....)

pinux
Member II

Re: SSO/External Authentication still broken in 201611EA?

Hi Ian,

also I planned to run Alfresco with CAS auth; after a lot of work trying to follow the official Alfresco approach here Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation I decied to change my way and I found your github project GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS singl... . So I installed fresh version of Alfresco Community version 5.0.d, integrated the amp file alfresco-cas-share-amp-1.2.2.amp produced; my java-cas-client-properties is:

casServerLoginUrl=https://my-server-hostname:8444/cas-webapp/login
serverName=https://my-server-hostname:8443
ticketValidatorClass=org.jasig.cas.client.validation.Cas30ServiceTicketValidator
casServerUrlPrefix=https://my-server-hostname:8444/cas-webapp

The x509 certificate of alfresco is the default one provided with Alfresco fresh installation (under $ALFRESCO_HOME/alf_data/keystore) while the x509 certificate of CAS Server was self made with the keytool -utility (keytool -genkey -alias tomcat -keyalg RSA) and when asked the common nome i used my-server-hostname.

When I try to login in Alfresco Share I'm redirect to CAS login, successfully login on CAS but whe I'm redirect to Alfresco Share I received an error. In catalina.out the error is:

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

What I'm wrong?

Could you help me to solve the problem?

Thanks in advance.

Pino

idwright
Senior Member

Re: SSO/External Authentication still broken in 201611EA?

Hi Pino,

This is almost certainly down to using self signed certificates for the CAS server.

Note this is different from the Alfresco x509 certificates.

If you can, it is much the easiest to use a full certificate e.g. using Lets Encrypt - this might help Configuring Alfresco SSL by using Let's Encrypt - keensoft 

Otherwise it's a case of getting hold of the client certificate and adding it to the cacerts file used by the java that is running tomcat - which is relatively painful to do. See SSL Troubleshooting and Reference Guide - CAS User Manual - Apereo Wiki  

pinux
Member II

Re: SSO/External Authentication still broken in 201611EA?

Hi Ian,

thanks for your reply; added the certificate to cacerts file used by tomcat JVM; now I'm receiving a new error:

ERROR [alfresco.web.site] [http-bio-8443-exec-19] javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)

Could you help me to solve the problem?

Thanks in advance,
Pino

idwright
Senior Member

Re: SSO/External Authentication still broken in 201611EA?

I think you're going to need to debug your CAS installation - perhaps look at the CAS server logs.

You could also try enabling the CAS client debug logging in Alfresco so you can see what the server is returning

pinux
Member II

Re: SSO/External Authentication still broken in 201611EA?

Ian, 

try to debug the error, but whitout success; one question: is your project GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS singl...  based on the use of mod_auth_cas described here: Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation ?

Thanks for your support.

Pino 

Highlighted
idwright
Senior Member

Re: SSO/External Authentication still broken in 201611EA?

My project does not use mod_auth_cas at all, instead it uses the CAS client jars installed as part of the amps.

It should be quite straightforward to use my project to test your CAS installation using run.sh - you should just need to change the serverName in java-cas-client.properties to http://localhost:8080 before running it.

If you are using mod_auth_cas then you can still debug it but you need to use the Apache configuration files in order to do so

(mod_auth_cas has been updated since I last looked at it)

pinux
Member II

Re: SSO/External Authentication still broken in 201611EA?

Hi Ian,

thanks for your fast reply; if I decide to follow your project (so without mod_auth_cas) but with a standalone version of Alfresco community which version of Alfresco you should suggest to use and which version of CAS?

Thanks for your support.

Pino

idwright
Senior Member

Re: SSO/External Authentication still broken in 201611EA?

My project is built using 5.1.g for both share and repository and that is what I would recommend.

5.1.g is the only recent version of share that works so while I'd prefer to use an OOTB GA version that's not really practical (it is possible but only with patching and I think it's better not to)

I'm currently on the 4.1 version of CAS but will be looking to upgrade soon - in theory this shouldn't make any difference as the java version of the cas client is the best supported client and I'm using the most recent version.