Authentication and Nuxeo EP
Nuxeo EP authentication infrastructure is based on the JAAS standard and has been designed to be as pluggable as possible, so that you can choose how you retrieve user information (identification) and how you validate it (authentication).
You can see below a schema showing how the global auth process works:

The blue blocks represent the pluggability points:
- retrieving user-related information (getting login/password, getting an SSO ticket ...),
- validating user credentials against a backend (SQL DB, LDAP directory, external application ...).
You can see below the flow chart for an authentication.

Built-in Login Plugins
Login plugins are responsible for retrieving the user information.
This is usually a negotiation between the Nuxeo server and the client browser, but an SSO server may also be part of the process.
By default Nuxeo includes 3 Login Plugins:
- HTTP Basic authentication,
- Form based authentication,
- Anonymous authentication.
Additional Login plugins are available as add-ons.
When needed, the security filter will determine the right login plugin to use according to:
- what the client browser can provide,
- the server configuration (which can be server-wide or specific to some URLs).
Built-in LoginModule Plugins
Nuxeo EP uses extension points to define LoginModule plugins in order to avoid having to define several LoginModules.
By default there are two implementations of the LoginModule plugins:
- one that checks Login/Password against the declared directories (SQL or LDAP),
- one that does not check the password and only checks that the user exists and fetches the user properties
(this one is useful when Nuxeo is behind a portal or an SSO server and Nuxeo cannot check any password).
OAuth support
Since version 5.4.1, Nuxeo EP provides built-in support for OAuth.
Please see the dedicated OAuth Page for more info.
Available authentication modules
nuxeo-platform-login-cas2
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user ID and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol. (extracted from Wikipedia)
The nuxeo-platform-login-cas2 bundle defines an authentication plugin that validates the user's identity using the CAS server.
For further information, see Using CAS2 authentication.
nuxeo-platform-login-mod_sso
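This plugin is used when Nuxeo is behind a reverse proxy that manages the authentication and simply transmits user information to Nuxeo as a set of HTTP headers. Since these headers are the only proof of identity Nuxeo receives, Nuxeo should be reachable only through that proxy, and the proxy should discard any copy of these headers sent by the client.
This is typically the case when:
- Client Certificate authentication is used (Apache does the certificate validation and transmits only a DN to Nuxeo),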
- a custom proxy-SSO is used.
nuxeo-platform-login-ntlm
This plugin allows NTLM V1 challenge/response over HTTP.
This plugin does not support NTLM V2 over HTTP; for recent MS Windows authentication integration, you should probably use a CAS server with Kerberos.
nuxeo-platform-login-portal-sso
This plugin is used when Nuxeo EP is accessed via an external application (like a portal) that wants to access Nuxeo data in the name of a given user.
Because in most cases the external application does not know the password of the user, this plugin lets you define a shared secret between the application and Nuxeo EP, so that the application can access Nuxeo as if it were the given user.
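To make the shared-secret idea concrete, here is an added example (not Nuxeo code, and not the wire format of nuxeo-platform-login-portal-sso) showing both sides of such an exchange: the portal signs the user name it asserts, and the server rejects forged, stale and replayed requests. The header names, the HMAC-SHA256 construction, the 300-second window and the in-memory nonce cache are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW = 300  # assumed freshness window, in seconds
# Hypothetical header names, chosen for this example only.
FIELDS = ("X-Demo-User", "X-Demo-Ts", "X-Demo-Nonce", "X-Demo-Token")


def _mac(secret, user, ts, nonce):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") give different MACs.
    parts = [f.encode() for f in (user, ts, nonce)]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_headers(user, secret, now=None):
    """Portal side: assert `user` without ever holding the user's password."""
    ts = str(int(time.time() if now is None else now))
    nonce = os.urandom(16).hex()
    return dict(zip(FIELDS, (user, ts, nonce, _mac(secret, user, ts, nonce))))


class Verifier:
    """Server side: returns the asserted user name, or None when rejected."""

    def __init__(self, secret):
        self.secret = secret
        self.seen = {}  # nonce -> time after which its token is stale anyway

    def verify(self, headers, now=None):
        now = time.time() if now is None else now
        try:
            user, ts, nonce, token = (headers[name] for name in FIELDS)
            issued = int(ts)
        except (KeyError, ValueError):
            return None  # missing or malformed header
        expected = _mac(self.secret, user, ts, nonce)
        # Constant-time comparison, done before any other field is trusted.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return None
        if abs(now - issued) > MAX_SKEW:
            return None  # too old, or issuer clock too far ahead
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if nonce in self.seen:
            return None  # replay of a captured request
        self.seen[nonce] = issued + MAX_SKEW
        return user
```

Anyone holding the secret can act as any user, so it deserves the same protection as an administrator credential, and the exchange should run over TLS.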
nuxeo-platform-login-shibboleth
The Shibboleth® System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
The nuxeo-platform-login-shibboleth bundle defines:
- an authentication plugin to map the user metadata from HTTP headers,
- a NuxeoExceptionHandler to force the login of an anonymous user trying to access a restricted resource,
- ShibbGroups, virtual groups based on Shibboleth attributes manageable from the UI,
- a hierarchical group suggestion widget for the access rights management tab.
For further information, see Using Shibboleth.