This plugin assumes Nuxeo is behind an authenticating reverse proxy that transmits the user identity using HTTP headers. For instance, you will configure this plugin if an Apache reverse proxy using client certificates does the authentication, or for an SSO system such as Central Authentication System V2.
To install and configure this plugin:
- Download the nuxeo-platform-login-mod_sso addon.
- Put it in $TOMCAT_HOME/nxserver/bundles/ or $JBOSS_HOME/server/default/deploy/nuxeo.ear/bundles and restart the server.
- Add the plugin into the authentication chain. Contribute an XML extension from the following content. Adapt the authenticationChain element content with the list of plugins you want to use.

      <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
        <authenticationChain>
          <plugins>
            <plugin>BASIC_AUTH</plugin>
            <plugin>ANONYMOUS_AUTH</plugin>
            <plugin>THE_PLUGIN_I_WANT_TO_USE</plugin>
          </plugins>
        </authenticationChain>
      </extension>

  Use PROXY_AUTH.
- Create an XML extension with the following content:

      <component name="org.nuxeo.ecm.platform.authenticator.mod.sso.config">
        <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
        <require>org.nuxeo.ecm.platform.login.Proxy</require>
        <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
          <authenticationPlugin name="PROXY_AUTH">
            <loginModulePlugin>Trusting_LM</loginModulePlugin>
            <parameters>
              <!-- configure here the name of the http header that is used to retrieve user identity -->
              <parameter name="ssoHeaderName">remote_user</parameter>
              <parameter name="ssoNeverRedirect">false</parameter>
            </parameters>
          </authenticationPlugin>
        </extension>
      </component>

  Notes: Your XML extension's name must end with -config.xml. Adapt the content of the loginModulePlugin section.

  Note: The ssoNeverRedirect parameter should be set to true if PROXY_AUTH is used with REST calls, where you don't want to redirect the response.
- Save.
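
The proxy side of the setup described above, for the client-certificate case, as an added example that is not part of the Nuxeo documentation: an Apache httpd virtual host that authenticates the client and forwards the identity in the remote_user header named in ssoHeaderName. The host name, file paths, backend address and the choice of the certificate CN as the user name are assumptions.

```apache
# Added example: Apache httpd front end for PROXY_AUTH.
# Assumes mod_ssl, mod_headers, mod_proxy and mod_proxy_http are loaded.
# Host name, certificate paths and backend address are placeholders.
<VirtualHost *:443>
    ServerName nuxeo.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Authentication happens here: the TLS handshake fails unless the
    # client presents a certificate issued by this CA.
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    SSLVerifyClient require

    # Drop any remote_user header supplied by the client before other
    # processing, so the only value Nuxeo sees is the one set below.
    RequestHeader unset remote_user early

    # Forward the verified certificate's subject CN under the header
    # name configured in ssoHeaderName (assumption: CN = Nuxeo user name).
    RequestHeader set remote_user "%{SSL_CLIENT_S_DN_CN}s"

    # Backend is reached only through this proxy (loopback in this sketch).
    ProxyPass        /nuxeo/ http://127.0.0.1:8080/nuxeo/
    ProxyPassReverse /nuxeo/ http://127.0.0.1:8080/nuxeo/
</VirtualHost>
```

Because Nuxeo takes the user identity from this header, its own HTTP port should accept connections only from the proxy.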