Agenda
• Introduction
• Talk objectives
• Repository Authentication
• Share Authentication
• External Authentication
• External SSO Demo
• Debugging tricks
• Questions
Introduction
• Mehdi Belmekki
• Technical consultant, Professional Service Team
• 5 years experience:
• Born and grew up in Community: Graduated Community Contributor
• High-school Partners: Graduated RD
• University of Alfresco: Undergraduate Consultant ACA/ACE
• Based in Paris, France
• [email protected]
Talk objectives
• Give a global overview of Repository authentication subsystems.
• Explain how Share gets authenticated against the Repository
• Explain how External Authentication works with Share and the Repository
• Be able to configure SSO Filter for Share, with External Authentication
• Debugging tricks
Repository Authentication : Before subsystems
• Up to version 3.1
• Spring configuration subdivided into themed context files
• authentication-services-context.xml
• authority-services-context.xml
• rendition-services-context.xml
• …
• All loaded into a single Spring Application Context
• Customized by overriding bean definitions
• Highly-coupled components:
Repository Authentication : Before subsystems - Limitations
• Everything global, managed by the same component
• Hard to separate dependencies
• Supportability / Upgradeability
• Configuration / Customization?
• Basic admin tasks required Spring understanding
• Hard to maintain compatibility with old configuration
• Server restart for any change to the configuration
• Switching between supported authentication mechanisms involved simultaneously editing several files
• Template configuration could not be reused without editing, because bean names had to be unique (e.g. two LDAP directories)
Repository Authentication : After subsystems
• A subsystem is a separate module responsible for a sub-part of Alfresco functionality
• Can be started, stopped and configured independently
• Has its own isolated Spring bean container and configuration
• Can have multiple instances
Repository Authentication : After subsystems – Subsystem’s actions
• Clearly define its interfaces with the rest of the system
• Automatically expose its configuration properties for editing via JMX (Enterprise only)
• Change configuration without server restart
• All edited properties are persisted in the database and synchronized across the cluster
Repository Authentication : Subsystem components
• Authentication Component
• Authentication Data Access Object (DAO)
• Authentication Service
• User Registry Export Service (optional)
• Authentication Filters
• Provide form- or SSO-based login functions for the following:
• Web Client
• WebDAV
• WebScripts
• SharePoint Protocol
• File Server Authenticators
• CIFS Protocol (optional)
• FTP Protocol
Repository Authentication : OOTB Mechanisms – 5 types of subsystems
• alfrescoNtlm
• Native Alfresco authentication
• Optional NTLM v2-based single sign-on (SSO)
• ldap
• Authentication via an LDAP server
• Optional user registry export
• An ldap-ad variant exists with preconfigured defaults for Active Directory
• external
• Authentication by the application server
• E.g. CAS, WebSphere LTPA
• User identity asserted to Alfresco via HttpServletRequest.getRemoteUser() or a configured HTTP header
Repository Authentication : OOTB Mechanisms – 5 types of subsystems
• kerberos
• Authentication with a Kerberos realm
• Optional SPNEGO-based single sign-on (SSO)
• Starting from v3.4: SharePoint Protocol, WebScript and Share support
• passthru
• Authentication via a Windows domain server
• Optional NTLM v1-based single sign-on (SSO)
• Supports CIFS authentication
Repository Authentication : Advantages of Subsystems
• Each subsystem is a coordinated stack of compatible components
• No danger of e.g. using the wrong CIFS authenticator with the wrong authentication component
• Common parameters are shared
• No need to paste the same Kerberos parameters multiple times into different configuration files
• No need to edit web.xml – ever!
• web.xml uses generic filters that call into the authentication subsystem
• You can hot swap from one filter to another
• Easily chained
Repository Authentication : Chaining Mechanism
• Some enterprise customers may store user authentication data in multiple systems
• Local Alfresco
• Active Directory
• LDAP
• Kerberos
• There may be more than one instance of each type
• E.g. multiple LDAP directories
• One system may support different protocols for different purposes
• E.g. Active Directory with LDAP for User Registry Export and Kerberos for Authentication
• Rather than tie Alfresco exclusively to one of those systems and protocols, our customers want it all!
Repository Authentication : Chaining Mechanism
• An authentication component is configured for each system and added to an ordered list, or ‘chain’
• On a user login, Alfresco tries the credentials against each of the components in the chain
• If a chain member accepts the credentials, the login succeeds
• If no chain member accepts, the login fails
Repository Authentication : Authentication Mechanism
Diagram: user requests (e.g. Explorer Web Client) pass through the AuthenticationFilter to the ChainingSubsystemProxyFactory, which tries ldap, alfrescoNtlm and external in turn; the decision is either OK or a redirect to the LoginPage.
Share Authentication : Connectors, Endpoints, Credentials, Authenticators
Connectors
• Responsible for establishing a connection and communicating with a remote location
• e.g. the Alfresco Repository
Endpoints
• URL of a remote resource
• Share connectors point to the Alfresco WebScript service URL
Authenticators
• Plugged into a connector to perform the handshake with the remote location (e.g. the Alfresco Repository, using login/password against the api/login WebScript)
Credentials
• User credentials (username/password) are exchanged for endpoint credentials (an Alfresco ticket, for example)
External authentication
• Integrate Alfresco with any external authentication system.
• Can be integrated with your application server in such a way that the identity of the logged-in user is passed to servlets via the HttpServletRequest.getRemoteUser() method.
• Compatible with a number of SSO solutions, including Central Authentication Service (CAS).
• The subsystem also allows a proxy user to be configured, such that requests made through this proxy user are made in the name of an alternative user, whose name is carried in a configured HTTP request header.
• Activating external authentication makes Alfresco accept external authentication tokens, so make sure that no untrusted direct access to Alfresco's HTTP or AJP ports is allowed.
External Authentication : Single Sign On prior to Alfresco 4
• Custom Alfresco repo filter
• Changes in web.xml
• Custom Share filter
• Changes in web.xml
• Custom authentication WebScript (Repo-side)
• Custom Connector
• Custom Authenticator
External Authentication : Single Sign On Alfresco 4 onward
• Subsystem configuration
• No need to change web.xml files (either on the Repo or the Share side)
• No need to code a new authentication WebScript; it is now provided OOTB
• Easy to support and maintain
• Benefit from all subsystem features and capabilities
• No change after a version upgrade
• Modularity
External Authentication : SSO Configuration
Share
• Uncomment the Remote section in share-config-custom.xml
• Replace the AlfrescoCookie connector by the header connector
• Set the name of the header used by the external SSO in the userHeader element of the alfrescoHeader connector
Repository
• alfresco-global.properties
• authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
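The Share side of the configuration just described, as an added example that ties together the connector and endpoint concepts from the Share Authentication slides (this is not a fragment from the deck; the header name X-Alfresco-Remote-User and the localhost:8080 endpoint URL are assumptions to adapt to your deployment):

```xml
<!-- share-config-custom.xml: "Remote" section for external SSO (added example).
     Header name and endpoint URL below are assumptions. -->
<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <!-- Header connector: asserts the user from the SSO header instead of
           doing a login/password handshake against api/login -->
      <connector>
        <id>alfrescoHeader</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
        <class>org.alfresco.web.site.servlet.config.AlfrescoConnector</class>
        <!-- Name of the header written by the SSO front end; must match the
             header the repository's external subsystem is configured to trust -->
        <userHeader>X-Alfresco-Remote-User</userHeader>
      </connector>

      <!-- Endpoint: the repository WebScript service URL the connector talks to.
           Only the connector-id changes compared with the default (alfrescoCookie). -->
      <endpoint>
        <id>alfresco</id>
        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>
</alfresco-config>
```

Because the repository now trusts whatever user name this header carries, the warning on the External authentication slide applies: only the SSO front end and Share may reach the repository's HTTP/AJP ports, otherwise anyone able to set the header can impersonate any user.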
Debugging tricks : External Auth/SSO
Repository
• Enable logging for repository authentication:
• org.alfresco.web.site.servlet.SSOAuthenticationFilter
• org.alfresco.repo.security.authentication.AuthenticationUtil
• Enable logging for chaining:
• org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService
Debugging tricks : External Auth/SSO
Share
• Enable logging for:
• org.alfresco.web.app.servlet.DefaultRemoteUserMap
• org.springframework.extensions.webscripts.connector.RemoteClient
• org.springframework.extensions.webscripts.connector.AlfrescoAuthenticator
• Use Firebug to trace header properties and the Modify Headers plugin to force header rewriting