Using an external SSO system for authentication
I am brand new to Nuxeo. I would like to authenticate users logging onto Nuxeo identified by a username and password against an external SSO system accessed via our existing web service.
I have read much Nuxeo documentation and am pretty confused as to the steps required.
I thought that the first step would be to create and register my own LoginPlugin and register it in the LoginPluginRegistry. This did not work, as my java class (myLoginPlugin) fails to load (null pointer exception). But even if it did load, I'm not sure about how next to proceed.
I am also examining the PluggableAuthenticationService as a possible extension point.
Can someone provide a step-by-step list of extension points and components that I will have to configure/provide to make this work? I've studied a lot of documentation and am pretty confused. Perhaps there is a sample or a tutorial that does this?
Thank you
You can find all the documentation here.
So here are the steps:
- create your Nuxeo plugin project (from the IDE, it's easy)
- create a new component to contribute your LoginPlugin (if the user identity validation is not the default one - see the documentation above)
- create a new component to contribute your authenticator (and refer to your loginModule if required)
- implement your authenticator class
- create your authentication chain
- There is also the user management configuration. If you are using something other than an LDAP or SQL repository, you will have to define your user manager.
If you use an LDAP or a SQL table for user management, you will just have to:
- declare directories. See this documentation.
- and bind this directory into the default user management.
protected boolean handleLoginPrompt(HttpServletRequest httpRequest,
        HttpServletResponse httpResponse) {
    String baseURL = service.getBaseURL(httpRequest);
    // go through plugins to get UserIdentity
    for (String pluginName : service.getAuthChain(httpRequest)) {
        NuxeoAuthenticationPlugin plugin = service.getPlugin(pluginName);
        AuthenticationPluginDescriptor descriptor = service.getDescriptor(pluginName);
        if (plugin.needLoginPrompt(httpRequest)) {
            if (descriptor.getNeedStartingURLSaving()) {
                saveRequestedURLBeforeRedirect(httpRequest, httpResponse);
            }
            return plugin.handleLoginPrompt(httpRequest, httpResponse,
                    baseURL);
        }
    }
    return false; // no plugin in the chain asked for a login prompt
}
It appears that service.getPlugin(pluginName) does not return my class object.
So here is what my XML looks like for my Authenticator.
<?xml version="1.0"?>
<component name="org.sharp.clouddesk.SharpAuthenticator" version="1.0">
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <implementation class="org.sharp.clouddesk.SharpAuthenticator" />
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="authenticators">
    <authenticationPlugin
        name="Sharp-SIICA_AUTH"
        enabled="true"
        class="org.sharp.clouddesk.SharpAuthenticator">
      <loginModulePlugin>Sharp_LM</loginModulePlugin>
      <parameters>
        <parameter name="cookieDomain"></parameter>
        <parameter name="cleartrustLoginUrl">http://mysite.net/cleartrust/ct_logon_en.html</parameter>
        <parameter name="cleartrustLogoutUrl">http://mysite.net/cleartrust/ct_logout_en.html</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="chain">
    <authenticationChain>
      <plugins>
        <plugin>Sharp-SIICA_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>
Not sure how to resolve this, and I'm not able to debug into my server code.
Anyway, your problem is out there :)
About remote debugging, you can do it with Nuxeo IDE. Just look at the documentation, here. Be focused on the "Launching the server" section.
What is the value of the plugin name? Did you fetch it in the init method?
public void initPlugin(Map<String, String> parameters) {
    // the service passes the contributed plugin name under the key "pluginName"
    if (parameters.get("pluginName") != null) {
        pluginName = parameters.get("pluginName");
    }
}
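To tie the step list above (contribute an authenticator, add it to the chain) to the initPlugin point, here is an added, hypothetical authenticator that is not code from this thread or from Nuxeo itself: it reads the injected plugin name, validates the submitted username/password against an external SSO web service, and hands the identity back to the filter. The class name, the ssoLoginUrl parameter and the ExternalSsoClient helper are assumptions to be replaced by your own.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;

// Hypothetical authenticator: reference it as class="..." in an <authenticationPlugin>
// contribution like the one posted above, and add its name to the authentication chain.
public class ExternalSsoAuthenticator implements NuxeoAuthenticationPlugin {
    private String pluginName; // injected by the service under the key "pluginName"
    private String loginUrl;   // from <parameter name="ssoLoginUrl"> (hypothetical)

    @Override
    public void initPlugin(Map<String, String> parameters) {
        // The service passes the <authenticationPlugin name="..."> value here; the
        // UserIdentificationInfo returned below must carry it back to the filter.
        pluginName = parameters.get("pluginName");
        loginUrl = parameters.get("ssoLoginUrl");
    }

    @Override
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest req,
            HttpServletResponse resp) {
        String user = req.getParameter("user_name");         // Nuxeo's login form fields
        String password = req.getParameter("user_password");
        if (user == null || password == null || !validateAgainstSso(user, password)) {
            return null; // nothing submitted, or rejected by the external system
        }
        UserIdentificationInfo uii = new UserIdentificationInfo(user, password);
        uii.setAuthPluginName(pluginName);
        return uii;
    }

    // Hypothetical: replace with the call to your existing SSO web service (over TLS,
    // with a bounded timeout); never write the password to the server log.
    protected boolean validateAgainstSso(String user, String password) {
        return ExternalSsoClient.validate(user, password); // hypothetical client class
    }

    @Override public Boolean needLoginPrompt(HttpServletRequest req) { return Boolean.TRUE; }

    @Override
    public Boolean handleLoginPrompt(HttpServletRequest req, HttpServletResponse resp,
            String baseURL) {
        try { resp.sendRedirect(loginUrl); return Boolean.TRUE; } // external login page
        catch (IOException e) { return Boolean.FALSE; }
    }

    @Override public List<String> getUnAuthenticatedURLPrefix() { return null; }
}
```

Returning null from handleRetrieveIdentity lets the filter try the next plugin in the chain, so keep BASIC_AUTH or FORM_AUTH ahead of this one only if you actually want those fallbacks.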
Hi,
All the documentation links mentioned above were archived and are no longer accessible. Equivalent links to the latest Nuxeo Platform version are:
You can use the version toggle to browse previous versions, or browse the PDF of archived versions.
Thanks,
Manon
Hi Benjamin, I work with DLovat who posted this question.
In the document http://doc.nuxeo.com/display/NXDOC/Authentication, it mentions the following: "Additional Authentication Plugins: Nuxeo provides a set of other authentication plugins that are not installed by default with the standard Nuxeo EP setup. These plugins can be downloaded and installed separately."
Could you please provide me some links where I can download these additional plugins? I would like to get their code so that I can step through them and understand how they work.
We use a similar configuration with mod_proxy_sso; here is our config file (for Nuxeo 5.5). You'll notice 3 extensions. Hope this helps you figure it out.
<component name="local.mod_sso">
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
  <require>org.nuxeo.ecm.automation.server.auth.config</require>
  <require>org.nuxeo.ecm.platform.login.Proxy</require>
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="authenticators">
    <authenticationPlugin name="PROXY_AUTH">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <parameter name="ssoHeaderName">REMOTE_USER</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
  <!-- Override Proxy Auth into authentication chain -->
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="chain">
    <authenticationChain>
      <!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>FORM_AUTH</plugin>
        <plugin>WEBENGINE_FORM_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
        <plugin>WEBSERVICES_AUTH</plugin>
        <plugin>PROXY_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="specificChains">
    <specificAuthenticationChain name="Automation">
      <urlPatterns>
        <url>(.*)/automation.*</url>
      </urlPatterns>
      <replacementChain>
        <plugin>AUTOMATION_BASIC_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
        <plugin>PROXY_AUTH</plugin>
      </replacementChain>
    </specificAuthenticationChain>
  </extension>
</component>
Just wanted to offer another comparison point.
Thanks a lot for your contribution and for participating in this site.
Hi,
Have you looked at the different login plugins that already exist? Maybe you'll find one that suits you. If not, most of them also have a sample folder.