This plugin assumes Nuxeo is behind a authenticating reverse proxy that transmit user identity using HTTP headers. For instance, you will configure this plugin if an Apache reverse proxy using client certificates does the authentication or for SSO system - example Central Authentication System V2. To install and configure this plugin this plugin:
- Download the
nuxeo-platform-login-mod_ssoaddon. - Put it in
$TOMCAT_HOME/nxserver/bundles/or$JBOSS_HOME/server/default/deploy/nuxeo.ear/bundlesand restart the server. - Add the plugin into the authentication chain.
Contribute an XML extension from the following content. Adapt the authenticationChain element content with the list of plugins you want to use.
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<plugin>BASIC_AUTH</plugin>
<plugin>ANONYMOUS_AUTH</plugin>
<plugin>THE_PLUGIN_I_WANT_TO_USE</plugin>
</plugins>
</authenticationChain>
</extension>
Use `PROXY_AUTH`.
Configure the plugin via the following XML descriptor that should be contributed in your Studio project, or copied into
nxserver/config(XML file must be suffixed by -config.xml).<component name="org.nuxeo.ecm.platform.authenticator.mod.sso.config"> <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require> <require>org.nuxeo.ecm.platform.login.Proxy</require> <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators"> <authenticationPlugin name="PROXY_AUTH"> <loginModulePlugin>Trusting_LM</loginModulePlugin> <parameters> <\!-\- configure here the name of the http header that is used to retrieve user identity --> <parameter name="ssoHeaderName">remote_user</parameter> <parameter name="ssoNeverRedirect">false</parameter> </parameters> </authenticationPlugin> </extension> </component>The
ssoNeverRedirectparameter should be set to true if thePROXY_AUTHis used with REST calls, where you don't want to redirect the response.Save.