Constrained Delegation w/ Kerberos and the double hop problem

Question asked by arbitraryname on Jan 7, 2015
I am evaluating Alfresco as a possible solution to our CMS needs and really think that it is the solution. A previous CMS we tried to use gave us absolute fits when we tried to implement SSO and I wanted to ask if some of our pain points are going to crop up.

Our ultimate goal is to rely on our underlying CMS' ACLs to control all data access, and leverage user impersonation/delegation throughout our environment to handle all our actions. EDIT: We also are planning to rely on the CMIS services. Will that constrain our options in any way?

Our technology stack is mostly Java, however, we run in an environment that uses Active Directory and are forced to use constrained delegation. This gave us lots of problems because our last CMS platform could not handle that configuration.

Does Alfresco have any issues with constrained delegation that are known?

We also would like to be able to actually do the impersonation/delegation throughout all parts of our system. In our desktop and web clients we are fairly confident we can achieve this, but we are cautious to believe we can do that from inside Alfresco reaching out to our web services.

Has anyone done that? Impersonated the authenticated user from within some custom features of Alfresco while calling remote services?

First off, apologies if any of this is repeated or a series of novice questions. We are also open to other options like CAS, which I see is supported, but honestly our #1 goal is to use Kerberos. Thank you everyone!

