Using an external sso system for authentication

I am brand new to Nuxeo. I would like to authenticate users logging onto Nuxeo identified by a username and password against an external SSO system accessed via our existing web service.

I have read much Nuxeo documentation and am pretty confused as to the steps required.

I thought that the first step would be to create and register my own LoginPlugin and register it in the LoginPluginRegistry. This did not work, as my java class (myLoginPlugin) fails to load (null pointer exception). But even if it did load, I'm not sure about how next to proceed.

I am also examining the PluggableAuthenticationService as a possible extension point.

Can someone provide a step-by-step list of extension points and components that I will have to configure/provide to make this work? I've studied a lot of documentation and am pretty confused. Perhaps there is a sample or a tutorial that does this?

Thank you

0 votes

5 answers

4554 views

ANSWER



You can find all the documentation here.

So here are steps:

  • create you nuxeo plugin project (from IDE, it's easy)
  • create a new component to contribute your LoginPlugin (if the user identity validation is not default one - see the documentation above)
  • create a new component to contribute your authenticator (and refer your loginModule if required)
  • implement your authenticator class
  • Create your authentication chain
  • There is also the user management configuration. If you are using other thing that LDAP or SQL repository, you will have to define your user manager.

If you use a LDAP or a SQL table for user management, you will just have to:

1 votes



I add also a documentation about the User Manager, here.
03/15/2012

Thanks for providing the steps. Very useful. I have created both a NuxeoAuthenticationPlugin, and a LoginPlugin. Initially my Authenticator was not loading, but that was caused by some improper XML. I have fixed that, but now when presenting the login page, I get a NullPointerException from the NuxeoAuthenticationFilter class as follows…

protected boolean handleLoginPrompt(HttpServletRequest httpRequest,
            HttpServletResponse httpResponse) {

        String baseURL = service.getBaseURL(httpRequest);

        // go through plugins to get UserIndentity
        for (String pluginName : service.getAuthChain(httpRequest)) {
            **NuxeoAuthenticationPlugin plugin = service.getPlugin(pluginName);**
            AuthenticationPluginDescriptor descriptor = service.getDescriptor(pluginName);

            if (plugin.needLoginPrompt(httpRequest)) {
                if (descriptor.getNeedStartingURLSaving()) {
                    saveRequestedURLBeforeRedirect(httpRequest, httpResponse);
                }
                return plugin.handleLoginPrompt(httpRequest, httpResponse,
                        baseURL);
            }
        }

It appears that **service.getPlugin(pluginName); does not return my class object.

So here is what my XML looks like for my Authenticator.

<?xml version="1.0"?>

<component name="org.sharp.clouddesk.SharpAuthenticator" version="1.0">

  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>

  <implementation class="org.sharp.clouddesk.SharpAuthenticator" />

   <extension 
            target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"  
            point="authenticators">
        <authenticationPlugin
            name="Sharp-SIICA_AUTH"
            enabled="true"
            class="org.sharp.clouddesk.SharpAuthenticator">
            <loginModulePlugin>Sharp_LM</loginModulePlugin>
            <parameters>
                <parameter name="cookieDomain"></parameter>
                <parameter name="cleartrustLoginUrl">http://mysite.net/cleartrust/ct_logon_en.html</parameter>
                <parameter name="cleartrustLogoutUrl">http://mysite.net/cleartrust/ct_logout_en.html</parameter>
            </parameters>
        </authenticationPlugin>
    </extension>
    <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="chain">
      <authenticationChain>
        <plugins>
            <plugin>Sharp-SIICA_AUTH</plugin>
        </plugins>
      </authenticationChain>
    </extension>
</component>

Not sure how to resolve this, and I'm not able to debug into my server code.

03/16/2012

First you don't need to have the implementation item as you don't register a new service. You only contribute to 2 extensions points. You can look what I mean by create a service, here. Read with attention the "Contribute to an Extension Point" section, if you want to understand, that.

Anyway your problem if out there :)

About remote debugging you can with Nuxeo IDE do it. Just look the documentation, here. Be focused on the "Launching the server" section.

03/17/2012

What is the value of the plugin name? did you fetch it into the init method ?

public void initPlugin(Map<String, String> parameters) {
    if (parameters.get("pluginName") != null) {
        pluginName = parameters.get("pluginName");
    }
03/19/2012


Hi,

All the documentation links mentioned above were archived and are no longer accessible. Equivalent links to the latest Nuxeo Platform version are:

You can use the toggle version to browse to previous versions or browse the PDF of archived versions.

Thanks,

Manon

0 votes



Hi Benjamin, I work with DLovat who posted this question.

In the document, http://doc.nuxeo.com/display/NXDOC/Authentication it mentions the following: “Additional Authentication Plugins Nuxeo provides a set of other authentication plugins that are not installed by default with the standard Nuxeo EP setup. These plugins can be downloaded and installed separately.”

Could you please provide me some links where I can download these additional plugins? I would like to get their code so that I can step through them and understand how they work.

0 votes



03/17/2012


We use a similar configuration, with mod_proxy_sso, here is our config file. You'll notice 3 extensions. For Nuxeo 5.5. Hope this helps you figure it out.

    <component name="local.mod_sso">
    <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
    <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
    <require>org.nuxeo.ecm.automation.server.auth.config</require>
    <require>org.nuxeo.ecm.platform.login.Proxy</require>
    <extension
        target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
        point="authenticators">
        <authenticationPlugin name="PROXY_AUTH">
            <loginModulePlugin>Trusting_LM</loginModulePlugin>
            <parameters>
                <parameter name="ssoHeaderName">REMOTE_USER</parameter>
            </parameters>
        </authenticationPlugin>
    </extension>
    <!-- Override Proxy Auth into authentication chain -->
    <extension
        target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
        point="chain">
        <authenticationChain>
            <!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
            <plugins>
                <plugin>BASIC_AUTH</plugin>
                <plugin>FORM_AUTH</plugin>
                <plugin>WEBENGINE_FORM_AUTH</plugin>
                <plugin>ANONYMOUS_AUTH</plugin>
                <plugin>WEBSERVICES_AUTH</plugin>
                <plugin>PROXY_AUTH</plugin>
            </plugins>
        </authenticationChain>
    </extension>
    <extension
        target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
        point="specificChains">
        <specificAuthenticationChain name="Automation">
            <urlPatterns>
                <url>(.*)/automation.*</url>
            </urlPatterns>
            <replacementChain>
                <plugin>AUTOMATION_BASIC_AUTH</plugin>
                <plugin>ANONYMOUS_AUTH</plugin>
                <plugin>PROXY_AUTH</plugin>
            </replacementChain>
        </specificAuthenticationChain>
    </extension>
</component>
0 votes



Mmmh, the specificChains is used to enable a specific chain on a pattern of URL. I'm not sure this his need.
03/16/2012

Did not say I was sure either :-)

Just wanted to offer another comparaison point.

03/16/2012

I just wanted to not loose him with another notion that was not related with his problem.

Thanks a lot for your contribution and participate to this site.

03/19/2012


Hi,

Have you looked at the different login plugins that already exists? Maybe you'll find one that suits you. If not, most of them also have a sample folder.

0 votes