Authentication and User Management

Generic SSO Authentication

Updated: July 17, 2023

This plugin assumes Nuxeo is behind an authenticating reverse proxy that transmits the user identity using HTTP headers. For instance, you will configure this plugin if an Apache reverse proxy using client certificates does the authentication, or for an SSO system such as Central Authentication System V2. To install and configure this plugin:

  1. Download the nuxeo-platform-login-mod_sso addon.
  2. Put it in $TOMCAT_HOME/nxserver/bundles/ or $JBOSS_HOME/server/default/deploy/nuxeo.ear/bundles and restart the server.
  3. Add the plugin into the authentication chain.

Contribute an XML extension with the following content. Adapt the content of the authenticationChain element to list the plugins you want to use.

  <extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
        <plugin>THE_PLUGIN_I_WANT_TO_USE</plugin>
      </plugins>
    </authenticationChain>
  </extension>
For this plugin, use `PROXY_AUTH` as the plugin name.
  1. Configure the plugin via the following XML descriptor, which should be contributed in your Studio project or copied into nxserver/config (the XML file name must end with -config.xml).

    <component name="org.nuxeo.ecm.platform.authenticator.mod.sso.config">
    
      <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
      <require>org.nuxeo.ecm.platform.login.Proxy</require>
    
      <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
        <authenticationPlugin name="PROXY_AUTH">
          <loginModulePlugin>Trusting_LM</loginModulePlugin>
          <parameters>
            <!-- configure here the name of the http header that is used to retrieve user identity -->
            <parameter name="ssoHeaderName">remote_user</parameter>
            <parameter name="ssoNeverRedirect">false</parameter>
          </parameters>
        </authenticationPlugin>
      </extension>
    </component>
    

    The ssoNeverRedirect parameter should be set to true if the PROXY_AUTH is used with REST calls, where you don't want to redirect the response.

  2. Save.
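
The plugin takes the user name from the header named in `ssoHeaderName`, so the identity is only as trustworthy as the proxy's handling of that header. The following added example (not part of the Nuxeo documentation or the addon's code) reads the header name from the descriptor above and shows the proxy-side rule in Python: discard any copy of that header received from the client, then set it from the proxy's own authentication result. The function names and sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the PROXY_AUTH descriptor shown on this page.
DESCRIPTOR = """<component name="org.nuxeo.ecm.platform.authenticator.mod.sso.config">
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
    <authenticationPlugin name="PROXY_AUTH">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <parameter name="ssoHeaderName">remote_user</parameter>
        <parameter name="ssoNeverRedirect">false</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
</component>"""


def sso_header_name(descriptor_xml, plugin="PROXY_AUTH"):
    """Return the ssoHeaderName configured for the given authentication plugin."""
    root = ET.fromstring(descriptor_xml)
    for auth in root.iter("authenticationPlugin"):
        if auth.get("name") == plugin:
            for param in auth.iter("parameter"):
                if param.get("name") == "ssoHeaderName":
                    return (param.text or "").strip()
    raise ValueError(f"no ssoHeaderName for {plugin}")


def _canon(name):
    # HTTP header names are case-insensitive. Treating '-' and '_' as the same
    # character is a conservative assumption, since some servers map both alike.
    return name.lower().replace("-", "_")


def forwarded_headers(client_headers, authenticated_user, header_name):
    """Headers the proxy sends to Nuxeo; the identity header comes only from the proxy."""
    if not authenticated_user:
        raise ValueError("proxy has not authenticated this request")
    if any(c in authenticated_user for c in "\r\n"):
        raise ValueError("invalid character in user name")
    target = _canon(header_name)
    kept = [(k, v) for k, v in client_headers if _canon(k) != target]
    kept.append((header_name, authenticated_user))
    return kept
```

The same rule applies whatever proxy is used: Nuxeo should accept requests only from the proxy, and the proxy should be the only component that can set the configured header.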