LDAP and SSO Authentication Handler | Community
Skip to main content
A
Anonymous
October 16, 2015
Solved

LDAP and SSO Authentication Handler

  • October 16, 2015
  • 4 replies
  • 1036 views

Hi,

We are using ldap login module to create users in CQ from Ldap. We want to use SSO handler for authentication by cookies. I saw on ldap documentation that we need trust_credentials_attribute="TrustedInfo" parameter to make it work.

 Putting this paramter alone in ldap_login.conf file isn't working for us. I don't know what this attribute will do because looking at the source of SSOAuthenticaitonHandler, if i just pass the uid of the user in the cookie and give it the highest rank among all authentication handlers then it will work.

Also, do i need to have this attribute trust_credentials_attribute="TrustedInfo" configured within repository.xml because we have already deleted the below  from the repository xml file as we aren't using CRXLoginModule.

 <LoginModule class="com.day.crx.core.CRXLoginModule">
            <param name="anonymousId" value="anonymous"/>
            <param name="adminId" value="admin"/>
            <param name="disableNTLMAuth" value="true"/>
            <param name="tokenExpiration" value="43200000"/>
            <!-- param name="trust_credentials_attribute" value="TrustedInfo"/ -->
        </LoginModule>

We are yet to release the application so below is not applicable.

If SSO was previously already configured for use without LDAP by setting the trust_credentials_attribute in repository.xml, note that the subsequent enabling of LDAP will remove that setting, and SSO needs to be configured again in this regard.

Also, is the authenticationInfo object always passed in all requests even for anonymous objects or it only used in requests which have authenticated users? All the subsequent requests will be handler by TokenBasedAuthenticationHandler or would they still go through SSO?

Thanks for your help in advance

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Sham_HC

kumarlal123 wrote...

 

Also, is the authenticationInfo object always passed in all requests even for anonymous objects or it only used in requests which have authenticated users? All the subsequent requests will be handler by TokenBasedAuthenticationHandler or would they still go through SSO?

Thanks for your help in advance

 

 

In the request if there are no user (anonymous) details authenticationInfo will not be passed. Hence not passed for all request.   SSO extracts credentials however uses token util to issue login-token. Subsequent request the login-token cookie  get validated by default TokenAuthenticationHandler. 

4 replies

S
Sam205505050
Level 6
October 16, 2015

If you are using SSO with LDAP then specify TrustedInfo in ldap.conf and if you are using SSO alone then specify TrustedInfo info in repository.xml. I hope you have already defined the cookie name in SSO Auth handler and the same cookie you are using in your servlet or other way of calling CQ.

Sham_HC
Sham_HCAccepted solution
Level 10
October 16, 2015

kumarlal123 wrote...

 

Also, is the authenticationInfo object always passed in all requests even for anonymous objects or it only used in requests which have authenticated users? All the subsequent requests will be handler by TokenBasedAuthenticationHandler or would they still go through SSO?

Thanks for your help in advance

 

 

In the request if there are no user (anonymous) details authenticationInfo will not be passed. Hence not passed for all request.   SSO extracts credentials however uses token util to issue login-token. Subsequent request the login-token cookie  get validated by default TokenAuthenticationHandler. 

A
Anonymous
October 16, 2015

Sam205505050 wrote...

If you are using SSO with LDAP then specify TrustedInfo in ldap.conf and if you are using SSO alone then specify TrustedInfo info in repository.xml. I hope you have already defined the cookie name in SSO Auth handler and the same cookie you are using in your servlet or other way of calling CQ.

 

Hi Sam,

Thanks for your reply. I don't really want to use the SSO Authentication handler  so i have created my own Authentication Handler which does something similar to SSO handler like

SimpleCredentials credentials = new SimpleCredentials(user, "no_password_needed".toCharArray());

credentials.setAttribute("TrustedInfo", SSO_COOKIE);
info = new AuthenticationInfo("SSO");
info.put("user.jcr.credentials", credentials);
return info;

//There is more logic but i have removed as it was not necessary

However, before i do the SSO handling, i check for the presence of SSO_COOKIE. If the cookie is not present then as we ask for crendentials. The problem is when correct creds are being passed, the authenticationSucceeded method is being called twice or more and after the first request info object in null in all subsequent requests. The multiple requests have to do with multiple resources like css and js being requested. What i want is that once the user provides their credentials the authenticationSucceeded method be called only once and there on every request should invoke my SSO handler if the cookie is present.

Any help or pointer will be appreciated. We are using LDAP login module to validate credentials.

S
Sam205505050
Level 6
October 16, 2015

kumarlal123 wrote...

Sam205505050 wrote...

If you are using SSO with LDAP then specify TrustedInfo in ldap.conf and if you are using SSO alone then specify TrustedInfo info in repository.xml. I hope you have already defined the cookie name in SSO Auth handler and the same cookie you are using in your servlet or other way of calling CQ.

 

Hi Sam,

Thanks for your reply. I don't really want to use the SSO Authentication handler  so i have created my own Authentication Handler which does something similar to SSO handler like

SimpleCredentials credentials = new SimpleCredentials(user, "no_password_needed".toCharArray());

credentials.setAttribute("TrustedInfo", SSO_COOKIE);
info = new AuthenticationInfo("SSO");
info.put("user.jcr.credentials", credentials);
return info;

//There is more logic but i have removed as it was not necessary

However, before i do the SSO handling, i check for the presence of SSO_COOKIE. If the cookie is not present then as we ask for crendentials. The problem is when correct creds are being passed, the authenticationSucceeded method is being called twice or more and after the first request info object in null in all subsequent requests. The multiple requests have to do with multiple resources like css and js being requested. What i want is that once the user provides their credentials the authenticationSucceeded method be called only once and there on every request should invoke my SSO handler if the cookie is present.

Any help or pointer will be appreciated. We are using LDAP login module to validate credentials.

 

you will have to check if Cookie is valid or not inside the authenticationSucceeded method. Something like below - 

@Override
    public boolean authenticationSucceeded(HttpServletRequest request,
            HttpServletResponse response, AuthenticationInfo authInfo) {

        if (!isCookieValid(request,response)) {
            return false;
        }

        boolean result;

        if (DefaultAuthenticationFeedbackHandler.handleRedirect(request,
                response)) {
            result = false;
        } else {
            someMethodToRedirectUser() // If required

            result = true;
        }

        log.info("Authentication Succeeded is :" + result);
        return result;
    }

Terms & ConditionsAccessibility statement

Loading footer...