Help

External Authentication using Shibboleth

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
criedlberger
Active Member
‎22 Jan 2020 5:21 PM

External Authentication using Shibboleth

Hi there, we are having an issue using header based external authentication using shibboleth in Alfresco 5.2. User passwords are being corrupted and cannot login even after we change the password. After disabling external authentication in the authentication chain everything starts to work again. I have included the following setup for the files we are using in alfresco, apache and shibboleth:

alfresco-global.properties:
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.defaultAdministratorUserNames=admin
 apache conf:
<VirtualHost *:80>#DocumentRoot '/home/alfresco/apps/httpd-2.2.17/htdocs'
ServerName https://ourserver.com
UseCanonicalName On
#ErrorLog '/home/alfresco/apps/httpd-2.2.17/logs/error_log'
#TransferLog '/home/alfresco/apps/httpd-2.2.17/logs/access_log'#Remove header to close hole to access Alfresco with arbitrary user
RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off
RewriteEngine On# Ignore Shibboleth
ProxyPass /Shibboleth.sso !# Alfresco Surfconext
ProxyPass /surfconext ajp://alfresco:8009/alfresco/s/board/api/auth
#ProxyPassReverse /surfconext http://192.168.65.2:3001/ProxyPass / http://exam-board-svc
ProxyPassReverse / http://exam-board-svc</VirtualHost>
shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">    <ApplicationDefaults entityID="https://ourserver.com/Shibboleth"
                         REMOTE_USER="Shib-eduPersonPN Shib-eduPersonPrincipalName persistent-id targeted-id">
        <Sessions lifetime="30" timeout="30" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="https" maxTimeSinceAuthn="60">
            <SSO entityID="https://engine.surfconext.nl/authentication/idp/metadata" forceAuthn="true">SAML2</SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status"            Location="/Status"/>
            <Handler type="Session"           Location="/Session" showAttributeValues="true"/>
            <Handler type="DiscoveryFeed"     Location="/DiscoFeed"/>
        </Sessions>
        <Errors supportContact="out.email@ourserver.com" logoLocation="https://www.ourserver.com/gfx/logo.png" styleSheet="/shibboleth-sp/main.css"/>
        <MetadataProvider type="XML" url="https://metadata.surfconext.nl/idp-metadata.xml" backingFilePath="metadata-surfconext.xml" reloadInterval="3600000">
            <MetadataFilter type="Signature" certificate="/etc/shibboleth/surfconext.pem"/>
        </MetadataProvider>
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="shib.key" certificate="shib.crt"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Does anyone know how External Authorization might be causing this issue.

Thanks

 

 

Labels
0 Kudos
3 Replies
openpj
Moderator
Moderator
‎23 Jan 2020 11:10 AM

Re: External Authentication using Shibboleth

External authentication in the default installation of Alfresco is implemented only using HTTP Header federation.

Looking at your Shibboleth configuration I see only SAML2 and XML that are both not supported by Alfresco. SAML2 is supported only if you install the dedicated plugin or if you use the Alfresco Identity Server (Keycloak).

Your apache conf seems wrong:

RequestHeader unset X-Alfresco-Remote-UserProxyRequests Off

it should be:

RequestHeader unset X-Alfresco-Remote-User
ProxyRequests Off

Maybe this could be a problem.

0 Kudos
criedlberger
Active Member
‎29 Jan 2020 4:45 PM

Re: External Authentication using Shibboleth

I am not sure why you say it doesn't support SAML 2.0 when the documentation directly contradicts this: https://docs.alfresco.com/saml/concepts/saml-prereqs.html

Maybe I am misunderstanding, could you maybe explain a little more, also the issue with the apache conf was just a copy and paste error, sorry about that.

 

mjw
Customer
‎10 Feb 2020 5:16 PM

Re: External Authentication using Shibboleth

The documentation you link to mentions, that you have to install this separatly. I guess that's what @openpj was refering to as the "dedicated plugin" which seems to be available to paying customers only.

My understanding would be that the prefered way for SAML SSO would be to use the Identity Services (Keycloak) as the glue between ACS/APS and Shibboleth. But it's basically a guess, so do your own research. Smiley Wink

0 Kudos
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.