Installation and Administration

Authentication, users and groups

Updated: October 16, 2020

Authentication and the Nuxeo Platform

The Nuxeo Platform authentication infrastructure is based on the JAAS standard and has been designed as pluggable as possible so that you can choose how you retrieve user information (identification) and how you validate (authentication).

You can see below a schema showing how the global authentication process works:

The blue blocks represents the pluggability points:

  • retrieving user related information (getting login/password, getting a SSO ticket ...)
  • validating user credentials against a backend (SQL DB, LDAP directory, external application ...)

You can see below the flow chart for an authentication.

Built-in Login Plug-ins

Login plug-ins are responsible for retrieving the user informations. It's usually a negotiation between the Nuxeo server and the client browser, but a SSO server may also be part of the process.

By default Nuxeo includes three login plug-ins:

  • HTTP Basic authentication
  • Form based authentication
  • Anonymous authentication

Additional login plug-ins are available as add-ons.

When needed, the security filter will determine the right login plug-in to use according to:

  • what the client browser can provide
  • the server configuration (that can be server wide or specific for some URLs)

Built-in LoginModule Plug-ins

The Nuxeo Platform uses extension points to define LoginModule plug-ins in order to avoid having to define several LoginModules.

By default there are two implementations of the LoginModule plug-ins:

  • one that checks Login/Password against the declared directories (SQL oer LDAP)
  • one that does not check the password and only checks that user exists and fetch user properties This one is useful when Nuxeo is behind a portal or a SSO server and Nuxeo can not check any password.

OAuth support

The Nuxeo Platform provides a built-in support for OAuth. Please see the dedicated OAuth Page for more info.

Available authentication modules


The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user ID and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

(extracted from Wikipedia)

The nuxeo-platform-login-cas2 defines an authentication plug-in to validate the identity using the CAS server. For further information, see Using CAS2 Authentication.


This plug-in is used when Nuxeo is behind a reverse proxy that manages the authentication and simply transmits user information as a set of HTTP headers to Nuxeo.

This is typically the case when:

  • Client Certificate authentication is used (Apache does the certificate validation and only transmit a DN to Nuxeo)
  • a custom proxy-SSO is used


This plug-in provides SPNEGO/Kerberos authentication for Nuxeo. Please read the page Using Kerberos to get started with this plug-in.


This plug-in allows NTLM V1 challenge/response over HTTP.

This plug-in does not support NTLM V2 over HTTP and for recent MS Windows auth integration, you should probably use nuxeo-platform-login-kerberos.


This plug-in is used when the Nuxeo Platform is accessed via an external app (like a portal) that wants to access Nuxeo data in the name of a given user.

Because in most cases the external app does not know the password of the user, this plug-in allows to define a shared secret between the app and the Nuxeo Platform so that the app can access Nuxeo as if it was a given user.


The Shibboleth® System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

The nuxeo-platform-login-shibboleth bundle defines:

  • an authentication plugin to map the user metadata from HTTP headers,
  • a NuxeoExceptionHandler to force the login of an anonymous user trying to access a restricted resource,
  • ShibbGroups, virtual groups based on Shibboleth attributes manageable from the UI,
  • a hierarchical group suggestion widget for the access rights management tab.

For further information, see Using Shibboleth.