Ask Question
« General Questions on Nuxeo

Using an external sso system for authentication

I am brand new to Nuxeo. I would like to authenticate users logging onto Nuxeo identified by a username and password against an external SSO system accessed via our existing web service.

I have read much Nuxeo documentation and am pretty confused as to the steps required.

I thought that the first step would be to create and register my own LoginPlugin and register it in the LoginPluginRegistry. This did not work, as my java class (myLoginPlugin) fails to load (null pointer exception). But even if it did load, I'm not sure about how next to proceed.

I am also examining the PluggableAuthenticationService as a possible extension point.

Can someone provide a step-by-step list of extension points and components that I will have to configure/provide to make this work? I've studied a lot of documentation and am pretty confused. Perhaps there is a sample or a tutorial that does this?

Thank you

dlovat
Member (16)   2   1   1 		03/14/2012 ( History)
0 votes
5 answers
6516 views
ANSWER
ANSWERS

You can find all the documentation here.

So here are steps:

  • create you nuxeo plugin project (from IDE, it's easy)
  • create a new component to contribute your LoginPlugin (if the user identity validation is not default one - see the documentation above)
  • create a new component to contribute your authenticator (and refer your loginModule if required)
  • implement your authenticator class
  • Create your authentication chain
  • There is also the user management configuration. If you are using other thing that LDAP or SQL repository, you will have to define your user manager.

If you use a LDAP or a SQL table for user management, you will just have to:

Benjamin Jalon
Member (18.8K)   5   7   5 		03/15/2012 ( History)
1 votes
Benjamin Jalon
I add also a documentation about the User Manager, here.
03/15/2012
dlovat
Thanks for providing the steps. Very useful. I have created both a NuxeoAuthenticationPlugin, and a LoginPlugin. Initially my Authenticator was not loading, but that was caused by some improper XML. I have fixed that, but now when presenting the login page, I get a NullPointerException from the NuxeoAuthenticationFilter class as follows…

protected boolean handleLoginPrompt(HttpServletRequest httpRequest,
            HttpServletResponse httpResponse) {

        String baseURL = service.getBaseURL(httpRequest);

        // go through plugins to get UserIndentity
        for (String pluginName : service.getAuthChain(httpRequest)) {
            **NuxeoAuthenticationPlugin plugin = service.getPlugin(pluginName);**
            AuthenticationPluginDescriptor descriptor = service.getDescriptor(pluginName);

            if (plugin.needLoginPrompt(httpRequest)) {
                if (descriptor.getNeedStartingURLSaving()) {
                    saveRequestedURLBeforeRedirect(httpRequest, httpResponse);
                }
                return plugin.handleLoginPrompt(httpRequest, httpResponse,
                        baseURL);
            }
        }

It appears that **service.getPlugin(pluginName); does not return my class object.

So here is what my XML looks like for my Authenticator.

<?xml version="1.0"?>

<component name="org.sharp.clouddesk.SharpAuthenticator" version="1.0">

  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>

  <implementation class="org.sharp.clouddesk.SharpAuthenticator" />

   <extension 
            target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"  
            point="authenticators">
        <authenticationPlugin
            name="Sharp-SIICA_AUTH"
            enabled="true"
            class="org.sharp.clouddesk.SharpAuthenticator">
            <loginModulePlugin>Sharp_LM</loginModulePlugin>
            <parameters>
                <parameter name="cookieDomain"></parameter>
                <parameter name="cleartrustLoginUrl">http://mysite.net/cleartrust/ct_logon_en.html</parameter>
                <parameter name="cleartrustLogoutUrl">http://mysite.net/cleartrust/ct_logout_en.html</parameter>
            </parameters>
        </authenticationPlugin>
    </extension>
    <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="chain">
      <authenticationChain>
        <plugins>
            <plugin>Sharp-SIICA_AUTH</plugin>
        </plugins>
      </authenticationChain>
    </extension>
</component>

Not sure how to resolve this, and I'm not able to debug into my server code.

03/16/2012
Benjamin Jalon
First you don't need to have the implementation item as you don't register a new service. You only contribute to 2 extensions points. You can look what I mean by create a service, here. Read with attention the "Contribute to an Extension Point" section, if you want to understand, that.

Anyway your problem if out there :)

About remote debugging you can with Nuxeo IDE do it. Just look the documentation, here. Be focused on the "Launching the server" section.

03/17/2012
Benjamin Jalon

What is the value of the plugin name? did you fetch it into the init method ?

public void initPlugin(Map<String, String> parameters) {
    if (parameters.get("pluginName") != null) {
        pluginName = parameters.get("pluginName");
    }
03/19/2012

Hi,

All the documentation links mentioned above were archived and are no longer accessible. Equivalent links to the latest Nuxeo Platform version are:

You can use the toggle version to browse to previous versions or browse the PDF of archived versions.

Thanks,

Manon

Manon Lumeau
Lead Technical Writer - Product team (3.6K)   3   4   5 		07/19/2017 ( History)
0 votes

Hi Benjamin, I work with DLovat who posted this question.

In the document, http://doc.nuxeo.com/display/NXDOC/Authentication it mentions the following: “Additional Authentication Plugins Nuxeo provides a set of other authentication plugins that are not installed by default with the standard Nuxeo EP setup. These plugins can be downloaded and installed separately.”

Could you please provide me some links where I can download these additional plugins? I would like to get their code so that I can step through them and understand how they work.

Gokul Sharp
Member (50)   0   0   0 		03/17/2012 ( History)
0 votes
patrek Turcotte
Lots of it is available at https://github.com/nuxeo/nuxeo-platform-login
03/17/2012

We use a similar configuration, with mod_proxy_sso, here is our config file. You'll notice 3 extensions. For Nuxeo 5.5. Hope this helps you figure it out.

    <component name="local.mod_sso">
    <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
    <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
    <require>org.nuxeo.ecm.automation.server.auth.config</require>
    <require>org.nuxeo.ecm.platform.login.Proxy</require>
    <extension
        target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
        point="authenticators">
        <authenticationPlugin name="PROXY_AUTH">
            <loginModulePlugin>Trusting_LM</loginModulePlugin>
            <parameters>
                <parameter name="ssoHeaderName">REMOTE_USER</parameter>
            </parameters>
        </authenticationPlugin>
    </extension>
    <!-- Override Proxy Auth into authentication chain -->
    <extension
        target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
        point="chain">
        <authenticationChain>
            <!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
            <plugins>
                <plugin>BASIC_AUTH</plugin>
                <plugin>FORM_AUTH</plugin>
                <plugin>WEBENGINE_FORM_AUTH</plugin>
                <plugin>ANONYMOUS_AUTH</plugin>
                <plugin>WEBSERVICES_AUTH</plugin>
                <plugin>PROXY_AUTH</plugin>
            </plugins>
        </authenticationChain>
    </extension>
    <extension
        target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
        point="specificChains">
        <specificAuthenticationChain name="Automation">
            <urlPatterns>
                <url>(.*)/automation.*</url>
            </urlPatterns>
            <replacementChain>
                <plugin>AUTOMATION_BASIC_AUTH</plugin>
                <plugin>ANONYMOUS_AUTH</plugin>
                <plugin>PROXY_AUTH</plugin>
            </replacementChain>
        </specificAuthenticationChain>
    </extension>
</component>
patrek Turcotte
Member (1.6K)   2   4   5 		03/16/2012 ( History)
0 votes
Benjamin Jalon
Mmmh, the specificChains is used to enable a specific chain on a pattern of URL. I'm not sure this his need.
03/16/2012
patrek Turcotte
Did not say I was sure either :-)

Just wanted to offer another comparaison point.

03/16/2012
Benjamin Jalon
I just wanted to not loose him with another notion that was not related with his problem.

Thanks a lot for your contribution and participate to this site.

03/19/2012

Hi,

Have you looked at the different login plugins that already exists? Maybe you'll find one that suits you. If not, most of them also have a sample folder.

Laurent Doguin
Member (6.6K)   2   5   5 		03/14/2012 ( History)
0 votes
Follow
Tags
Linked Questions
Related Questions
How to debug a plugin?
nuxeo-platform-login-portal-sso 401 Server Error?
Nuxeo connect errors
I uninstalled Social Collaboration and now cannot login - resolved
SSO with Portal NUXEO LTS 2019
Can Nuxeo work only on Mongodb and NO rdbms ?
SSO with SAML
Cannot registering instance
How to allow authentication with readable username instead of uid using LDAP and httpAutomationClient ?