SSO for osCaddie

April 15

Appno Blogger

Appnovation Coop

Single Sign On (SSO) is a key component of enterprise applications. The osCaddie architecture integrates Drupal and Alfresco, so it is good practice to extend that integration with SSO. For security, Single Sign Out is a mandatory function as well. Since different organizations may run different authentication systems, the solution sets up a separate authentication center: the CAS server contributed by JASIG. JASIG CAS can connect to multiple identity management sources, such as LDAP. In the SSO solution for Drupal and Alfresco, OpenLDAP is used as the user repository.

The server side of JASIG CAS is easy to set up: install Tomcat, deploy the WAR file and edit the XML configuration to enable LDAP. Setting up the CAS client on Drupal and Alfresco is more challenging. On the Drupal side, the native admin user account is still needed to manage osCaddie and other functionality, so when configuring the CAS module for Drupal, the admin login page must be exempted from SSO. When the user clicks logout within Drupal, he is redirected to the CAS logout page to complete Single Sign Out.

To enable SSO on Alfresco, the Java client from JASIG CAS is added to the Alfresco instance. Since CAS only provides authentication, Alfresco must still obtain the user profile from somewhere, so it enables a 'mute' LDAP subsystem with authentication disabled. When the user logs in through CAS, Alfresco learns the user id from SSO and then picks up the user profile for that id through its native LDAP subsystem. The tricky part is Single Sign Out from Alfresco.

Alfresco consists of two web applications: Explorer and Share. To Single Sign Out from Alfresco Explorer, relogin.jsp is a good point at which to redirect to the CAS logout page. Share has no such JSP file at all! Without customization, clicking logout under SSO does nothing, because the Java class SlingshotLogoutController implements the logout function. In the solution, a new class, osCaddieShareLogoutController, is introduced to override the native logout logic: it forcibly signs the user out of Alfresco and then redirects to the CAS logout page. With osCaddie SSO, the end user can visit any page within Drupal and Alfresco with one login, and then log out securely from both Drupal and Alfresco with a single click.
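The following sketch of the Share logout override is an added illustration, not the osCaddie project's own class. It assumes that SlingshotLogoutController is a Spring MVC controller whose request hook is handleRequestInternal(), that the CAS logout URL is injected as a bean property, and that invalidating the HTTP session is enough to drop Share's user context and the repository ticket held in it.

```java
package com.example.oscaddie.share; // hypothetical package name

import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.web.site.servlet.SlingshotLogoutController;
import org.springframework.web.servlet.ModelAndView;

/**
 * Replaces Share's default logout behaviour under CAS SSO.
 * Without the final redirect, the CAS ticket-granting cookie would survive
 * and the browser would be silently re-authenticated on the next request.
 */
public class OsCaddieShareLogoutController extends SlingshotLogoutController {

    // Injected from Spring bean configuration; placeholder values only.
    private String casLogoutUrl = "https://cas.example.org/cas/logout";
    private String returnUrl = "https://share.example.org/share/";

    public void setCasLogoutUrl(String casLogoutUrl) { this.casLogoutUrl = casLogoutUrl; }
    public void setReturnUrl(String returnUrl) { this.returnUrl = returnUrl; }

    @Override
    protected ModelAndView handleRequestInternal(HttpServletRequest request,
                                                 HttpServletResponse response) throws Exception {
        // Step 1: forcibly sign out of Alfresco Share. Invalidating the session
        // discards the Surf user context and the repository ticket stored with it
        // (assumption: no other server-side state survives the session).
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 2: send the browser to the CAS logout page so the SSO session itself
        // ends; the optional "service" parameter lets CAS offer a way back afterwards.
        String target = casLogoutUrl;
        if (returnUrl != null && !returnUrl.isEmpty()) {
            target += "?service=" + URLEncoder.encode(returnUrl, "UTF-8");
        }
        response.sendRedirect(target);

        // The response is already committed, so there is no view to render.
        return null;
    }
}
```

The class is wired in by pointing Share's logout bean definition at it instead of SlingshotLogoutController, with the two URLs supplied as properties.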