Developer Documentation Center

Authentication and User Management

Updated: July 17, 2023

Functional Overview

Default Authentication Mode - Login Page

By default on the Nuxeo Platform, a user is authenticated by entering a username and password on the login page. That information is checked against what is stored in the database, or transmitted to the configured identity provider. If the username or password is invalid, a message is displayed to the user. The default password of the Administrator user is Administrator, if you haven't changed anything. Each user's password can be changed either by the user or by administrators in the Admin Center. Password complexity is checked against a regexp that can be changed.

Other Authentication Protocols

The login page is not the only way to authenticate a user against the Nuxeo Platform; other protocols can be used, some of which require installing an additional module (see the Installation and Configuration tab):

  • basic authentication (built-in)
  • token (Nuxeo Platform proprietary) (built-in)
  • OAuth2 (built-in)
  • SAML (addon)
  • 2 Steps (with SMS for instance) (Addon)
  • trusted (for instance, requests coming from a particular IP address do not need to validate authentication) (built-in)
  • OpenID (addon)
  • Kerberos (built-in)
  • CAS / CAS2 (built-in)
  • NTLM (built-in)
  • redirecting to a remote identity management solution, then having the user come back authenticated to the Nuxeo Platform (SSO servers, OpenID, portals, ...) (built-in or plugin, depending on the case)

Thanks to the pluggability of the authentication layer (see the implementation section), it is easy to write a custom authentication protocol when necessary.

Compatible IdM Solutions

The default configuration checks identity against a Java implementation inside the Nuxeo Platform. Through configuration and the addition of some modules, and following the above list of supported protocols, the Nuxeo Platform can be integrated with various identity providers:

Unauthenticated Access

Anonymous user

A configuration option lets users be automatically logged in as a user called "anonymous", for which specific permissions have been set. The name of that user is configurable, and this simulates "unauthenticated" access to the Nuxeo Platform. Users having the Manage permission on a repository can reference that anonymous user like any other user and declare some folders and documents accessible to everybody.

See the page Anonymous Authentication.

Unauthenticated URLs

It is also possible to define a list of URL patterns for which no authentication is required (and which do not use the anonymous user either). That way you can make a specific website generated by the platform available without authentication, while the other pages served by the platform send the user to the login page. When browsing those URLs, no principal is created, which means the repository cannot be accessed.

User and Groups Provisioning

Storage Options for Users and Groups

The UserManager is the component in charge of managing users and groups. The default implementation stores them in the Nuxeo Platform via the "directory" abstraction, one directory for users and one for groups, each using either:

  • an SQL implementation (thus storing users and groups in the underlying RDBMS),
  • an LDAP implementation,
  • a Nuxeo Platform repository implementation (users and groups are then "documents"), or
  • a custom implementation (for instance one calling a remote web service), which is also sometimes used.

It is possible to reference a meta-directory that is the result of merging several directories, which may mix different implementations (LDAP, SQL, ...) and different hosts. For instance, part of the users can be handled in the corporate LDAP server and part in the Nuxeo Platform database. This situation is referred to as multi-directory in the documentation.

Features Available Around Users and Groups Management

When users are handled through the directory abstraction (so 90% of the cases), the Nuxeo Platform provides user interfaces (and REST APIs) for handling:

  • User CRUD by administrators
  • User password management by administrators
  • Group CRUD and assignment by administrators (including management of sub-groups)
  • User profile management by the user
  • Password management by the user
  • User and group search (for filling a metadata field, assigning an ACL, selecting a specific user in a search filter, ...)
  • User invitation: a Nuxeo addon adds to the default Nuxeo Platform the UI and services for inviting by email a future user who does not yet have an account on the platform. For more information, see the documentation Managing users and groups.

Virtual Users

It is also possible to declare a set of "virtual" users, which are defined in the application even though they don't exist in the user directory the instance is plugged into.

User Profile

A set of properties are stored by default for any user in the Nuxeo Platform:

  • username
  • first name
  • last name
  • company
  • email

Those properties can come from the IdM the Nuxeo Platform is integrated with. To extend the list of available fields for a user, see the page How to Add New Fields to the User Profile or Group Profile.

Authentication Schemes Use

You may want to use other authentication protocols and / or identity providers.

Most of the time, an "authentication plugin" has to be configured. The Nuxeo Platform provides some by default, but sometimes you have to install a specific addon.

In any case, you have to configure the "authentication chain".

Contribute an XML extension with the following content, adapting the authenticationChain element content to the list of plugins you want to use.

  <extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
        <plugin>THE_PLUGIN_I_WANT_TO_USE</plugin>
      </plugins>
    </authenticationChain>
  </extension>

The Nuxeo Platform will use the plugins in the order they are chained. It first asks each plugin, in turn, to retrieve credentials from the request (see the implementation section for details). If no plugin finds credentials, it then calls the showLoginPrompt method of each plugin in turn until one succeeds.
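To make the ordering rule concrete, here is an added Python model of the chain (it is not Nuxeo code; the plugin behaviours, the request shape and the assumption that the anonymous plugin always yields a principal are constructed for illustration): every plugin first gets a chance to find credentials, and only if none does is each plugin asked to show a login prompt. It also shows why placing ANONYMOUS_AUTH before BASIC_AUTH would shadow the basic plugin entirely.

```python
# Added example, not part of the Nuxeo documentation: a minimal model of the
# two-pass authentication chain. Real Nuxeo plugins implement a Java
# interface; these functions and the Request shape are constructed here.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    prompted_by: Optional[str] = None   # records which plugin showed a prompt


@dataclass
class Plugin:
    name: str
    # returns a username when credentials are present in the request, else None
    retrieve_identity: Callable[[Request], Optional[str]]
    # returns True when the plugin could show a login prompt (e.g. a 401 challenge)
    login_prompt: Callable[[Request], bool]


def basic_retrieve(req: Request) -> Optional[str]:
    auth = req.headers.get("Authorization", "")
    # constructed simplification: treat "Basic <user>" as already-decoded credentials
    return auth.split(" ", 1)[1] if auth.startswith("Basic ") else None


def basic_prompt(req: Request) -> bool:
    req.prompted_by = "BASIC_AUTH"      # a real plugin would send a WWW-Authenticate header
    return True


def anonymous_retrieve(req: Request) -> Optional[str]:
    return "anonymous"                  # assumption: anonymous plugin always yields a principal


def no_prompt(req: Request) -> bool:
    return False                        # anonymous access never prompts


def authenticate(chain, req: Request):
    """Pass 1: first plugin that finds credentials wins.
    Pass 2 (only if pass 1 found nothing): first plugin whose prompt succeeds."""
    for plugin in chain:
        user = plugin.retrieve_identity(req)
        if user is not None:
            return ("authenticated", plugin.name, user)
    for plugin in chain:
        if plugin.login_prompt(req):
            return ("prompted", plugin.name, None)
    return ("denied", None, None)


BASIC = Plugin("BASIC_AUTH", basic_retrieve, basic_prompt)
ANON = Plugin("ANONYMOUS_AUTH", anonymous_retrieve, no_prompt)
```

Running `authenticate([ANON, BASIC], ...)` with a valid Authorization header still yields the anonymous principal, which is why the anonymous plugin belongs after the plugins that read real credentials.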

Below we list all the available authentication plugins and instructions for installation or links to their documentation.

Customization

Customizing the Login Page

You can customize the login page using Nuxeo Studio (background picture, colors, logo).

Integrating with a Webservice Based Identity Provider

You can build a custom directory that wraps your web service.

You can use this sample as a starting point.