External SSO via http headers not working.

Question asked by bdaniel on Jun 28, 2014
Latest reply on Aug 13, 2014 by pnkrravi
Hi there,

I want to enable external authentication via http headers as described here:
http://docs.alfresco.com/4.2/tasks/auth-alfrescoexternal-sso.html
http://www.youtube.com/watch?v=5tS0XrC_-rw

After configuring my system my normal web authentication (via username and password) no longer works.  The external SSO is also not working.  If I set the configurations back to normal my web authentication starts working again.

Here are the steps I have followed:

1. Downloaded alfresco-community-4.2.f-installer-linux-x64.bin and ran the auto installer
2. Verified that Alfresco and Share were working fine.  Created a site with some content
3. In /opt/alfresco/tomcat/shared/classes/alfresco.global.properties add:

    ### External Authentication ###
    authentication.chain=external1:external

4. In /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml set connector-id:

    <connector-id>alfrescoHeader</connector-id>

5. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-authentication.properties add:

    external.authentication.defaultAdministratorUserNames=admin
    external.authentication.enabled=true

6. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-filter.properties add:

    external.authentication.proxyUserName=alfresco-system
    external.authentication.proxyHeader=X-Alfresco-Remote-User
    external.authentication.enabled=true
    external.authentication.userIdPattern=


7. In /opt/alfresco/tomcat/webapps/wcmqs/WEB-INF/classes/alfresco/wcmqs-api.properties set the admin password:

    wcmqs.api.alfresco=http://localhost:8080/alfresco
    wcmqs.api.user=admin
    wcmqs.api.password=my_admin_password_details_here


8. In /opt/alfresco/tomcat/webapps/wcmqs/WEB-INF/classes/alfresco/extension/wqsapi-custom.properties set the admin password:

    wcmqs.api.alfresco=http://localhost:8080/alfresco
    wcmqs.api.user=admin
    wcmqs.api.password=my_admin_password_details_here

9. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties add

    log4j.logger.org.alfresco.web.site.servlet.SSOAuthenticationFilter=debug
    log4j.logger.org.alfresco.repo.security.authentication.AuthenticationUtil=debug
    log4j.logger.org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService=debug

10. In /opt/alfresco/tomcat/webapps/share/WEB-INF/classes/log4j.properties add

    log4j.logger.org.alfresco.web.app.servlet.DefaultRemoteUserMap=debug
    log4j.logger.org.springframework.extensions.webscripts.connector.RemoteClient=debug
    log4j.logger.org.springframework.extensions.webscripts.connector.AlfrescoAuthenticator=debug

11. service alfresco start
12. tail -f /opt/alfresco/tomcat/logs/catalina.out (wait until everything has started)
13. Use the "Modify headers" add-on in Firefox to try to log into Alfresco without a password, as per the demo in
    http://www.youtube.com/watch?v=5tS0XrC_-rw

    Result:  I still get sent to the login screen.  My usual password does not work any more.
    Here is the debug info from catalina.out:

2014-06-28 20:28:17,829  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@1d1396e4: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
2014-06-28 20:28:17,834  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@73f2361a: Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
2014-06-28 20:28:17,834  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@1d1396e4: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED


14.  Try to use curl to login with modified header as follows:
     curl -X GET -L -H "X-Alfresco-Remote-User: admin" http://localhost:8080/alfresco/ | less
     Result:  I still get the login page



Any idea what I'm doing wrong?

Much appreciated,

Barry D.
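
Added example, not part of the original post and not Alfresco code: a Python audit of the external-authentication properties from steps 5 and 6 that reports which requests the repository will accept `X-Alfresco-Remote-User` from. It assumes the documented meaning of `external.authentication.proxyUserName` (when set, the header is honoured only on requests already authenticated as that proxy user; when empty, the header is trusted from any client); `parse_properties`, `audit` and the finding codes are hypothetical names.

```python
# Added example: classify the trust model of Alfresco header-based external authentication.
PREFIX = "external.authentication."

# Constructed sample: the values listed in steps 5 and 6 of the post.
POSTED = """\
### External Authentication ###
external.authentication.defaultAdministratorUserNames=admin
external.authentication.enabled=true
external.authentication.proxyUserName=alfresco-system
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.userIdPattern=
"""

def parse_properties(text):
    """Parse plain key=value lines; continuations and ':' separators are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (code, message) findings describing who may assert an identity via the header."""
    if props.get(PREFIX + "enabled", "").lower() != "true":
        return [("DISABLED", "external.authentication.enabled is not true in this input")]
    findings = []
    header = props.get(PREFIX + "proxyHeader", "")
    # Assumption: an absent proxyUserName falls back to the default alfresco-system.
    proxy = props.get(PREFIX + "proxyUserName", "alfresco-system")
    admins = [a.strip() for a in
              props.get(PREFIX + "defaultAdministratorUserNames", "").split(",") if a.strip()]
    if not header:
        findings.append(("NO_HEADER", "proxyHeader is empty; no header carries the user name"))
    if proxy:
        # Header is only read on requests whose authenticated remote user is the proxy user.
        findings.append(("PROXY_USER_REQUIRED",
                         f"{header} is honoured only on requests authenticated as '{proxy}'"))
    else:
        # Any client that can reach the repository port can name a user in the header.
        findings.append(("HEADER_TRUSTED_FROM_ANY_CLIENT",
                         f"{header} is trusted from every client; expose the repository only "
                         "to the fronting proxy and strip client-supplied copies there"))
        if admins:
            findings.append(("ADMIN_SPOOFABLE",
                             "administrator names can be asserted via header: " + ", ".join(admins)))
    return findings
```

Calling `audit(parse_properties(POSTED))` on the posted values yields the single finding `PROXY_USER_REQUIRED`.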