Nuxeo Server

Generic SSO Authentication

Updated: March 18, 2024

This plugin assumes Nuxeo is behind an authenticating reverse proxy that transmits user identity using HTTP headers. For instance, you will configure this plugin if an Apache reverse proxy using client certificates does the authentication or for SSO system - example Central Authentication System V2.

To install and configure this plugin:

  1. Download the nuxeo-platform-login-mod_sso addon.
  2. Put it in $TOMCAT_HOME/nxserver/bundles/ or $JBOSS_HOME/server/default/deploy/nuxeo.ear/bundles and restart the server.
  3. Add the plugin into the authentication chain. Contribute an XML extension from the following content. Adapt the authenticationChain element content with the list of plugins you want to use.

    <extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
        <plugin>THE_PLUGIN_I_WANT_TO_USE</plugin>
      </plugins>
    </authenticationChain>
    </extension>
    

    Use PROXY_AUTH.

  4. Create an XML extension with the following content:

     <component name="org.nuxeo.ecm.platform.authenticator.mod.sso.config">
    
      <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
      <require>org.nuxeo.ecm.platform.login.Proxy</require>
    
      <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
        <authenticationPlugin name="PROXY_AUTH">
          <loginModulePlugin>Trusting_LM</loginModulePlugin>
          <parameters>
            <\!-\- configure here the name of the http header that is used to retrieve user identity -->
            <parameter name="ssoHeaderName">remote_user</parameter>
            <parameter name="ssoNeverRedirect">false</parameter>
          </parameters>
        </authenticationPlugin>
      </extension>
    </component>
    

    Notes: Your XML extension's name must end with -config.xml.

  5. Adapt the content of the loginModulePlugin section. Note: The ssoNeverRedirect parameter should be set to true if the PROXY_AUTH is used with REST calls, where you don't want to redirect the response.

  6. Save.