Configuring SkyVault Share to use an external SSO

SkyVault Share can be configured to accept a user name from an HTTP header provided by an external authentication system for single sign-on (SSO).
  1. Open the Share <web-extension> directory.
  2. Copy or rename the share-config-custom.xml.sample file to be called share-config-custom.xml.
  3. Uncomment the second <config evaluator="string-compare" condition="Remote"> section.
  4. Change the connector-id of the endpoint in the second section so that it references the header connector (id alfrescoHeader in the sample below) rather than the cookie connector (id alfrescoCookie).
  5. Set the name of the header used by the external SSO in the userHeader element of the header connector.
  6. Change the endpoint-url value to point to your SkyVault Server location.

      <!-- 
            Overriding endpoints to reference a SkyVault server with external SSO
            enabled.
            NOTE: If utilising a load balancer between web-tier and repository
            cluster, the "sticky sessions" feature of your load balancer must be used.

            NOTE: If SkyVault server location is not localhost:8080 then also combine
            changes from the "example port config" section below.

            *Optional* keystore contains SSL client certificate + trusted CAs.
            Used to authenticate Share to an external SSO system such as CAS.
            Remove the keystore section if not required, i.e. for NTLM.

            NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to
            "Kerberos".

            NOTE: For external SSO, switch the endpoint connector to "alfrescoHeader"
            and set the userHeader to the name of the HTTP header
            that the external SSO uses to provide the authenticated user name.
       -->
       
       <config evaluator="string-compare" condition="Remote">
          <remote>
             <keystore>
                 <path>alfresco/web-extension/alfresco-system.p12</path>
                 <type>pkcs12</type>
                 <password>alfresco-system</password>
             </keystore>
             
             <connector>
                <id>alfrescoCookie</id>
                <name>SkyVault Connector</name>
                <description>Connects to a SkyVault instance using cookie-based 
                              authentication
                </description>
                <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
             </connector>
             
             <connector>
                <id>alfrescoHeader</id>
                <name>SkyVault Connector</name>
                <description>Connects to a SkyVault instance using header and 
                 cookie-based authentication
                </description>
                <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
                <userHeader>SsoUserHeader</userHeader>
             </connector>
    
             <endpoint>
                <id>alfresco</id>
                <name>SkyVault - user access</name>
                <description>Access to SkyVault Repository WebScripts that require user
                 authentication
                </description>
                <connector-id>alfrescoHeader</connector-id>
                <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                <identity>user</identity>
                <external-auth>true</external-auth>
             </endpoint>
          </remote>
       </config>
       
                                
  7. Set the external.authentication.proxyHeader property to the same value as the userHeader value.

    This configures both Share and the repository to read the user name from the same HTTP header.

    external.authentication.proxyHeader=SsoUserHeader   
  8. Save the file and then restart Share.

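    Activating external authentication makes SkyVault accept external authentication tokens: the repository trusts the user name carried in the configured header. Ensure that no untrusted direct access to SkyVault's HTTP or AJP ports is allowed, so that only the external SSO system can supply that header.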

You have now configured SkyVault Share to use an external SSO.
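
The following check is an added example, not part of the original page or of the product's own tooling. It verifies that steps 4, 5 and 7 agree: the external-auth endpoint references a defined connector, that connector has a userHeader, and the header name matches external.authentication.proxyHeader. The sample XML and properties text are constructed, the function names are hypothetical, and the properties parser assumes plain key=value lines.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's Remote section trimmed to the elements checked here.
# The root element name is a placeholder; the checker does not depend on it.
SAMPLE_SHARE_CONFIG = """<root>
 <config evaluator="string-compare" condition="Remote"><remote>
  <connector><id>alfrescoCookie</id></connector>
  <connector><id>alfrescoHeader</id><userHeader>SsoUserHeader</userHeader></connector>
  <endpoint>
   <id>alfresco</id>
   <connector-id>alfrescoHeader</connector-id>
   <external-auth>true</external-auth>
  </endpoint>
 </remote></config>
</root>"""
SAMPLE_PROPERTIES = "# constructed sample\nexternal.authentication.proxyHeader=SsoUserHeader\n"

PROP = "external.authentication.proxyHeader"

def proxy_header(properties_text):
    """Return the value of external.authentication.proxyHeader, or None if unset."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == PROP:
            return value.strip()
    return None

def text(elem, tag):
    """Stripped text of a child element, or '' when the child is missing."""
    return (elem.findtext(tag) or "").strip()

def check_sso_config(share_xml, properties_text):
    """Return a list of problems; an empty list means Share and the repository agree."""
    problems = []
    root = ET.fromstring(share_xml)
    user_headers = {text(c, "id"): text(c, "userHeader") for c in root.iter("connector")}
    expected = proxy_header(properties_text)
    if not expected:
        problems.append(f"{PROP} is not set")
    for ep in root.iter("endpoint"):
        if text(ep, "external-auth").lower() != "true":
            continue  # only endpoints that rely on external authentication
        ep_id, conn = text(ep, "id"), text(ep, "connector-id")
        if conn not in user_headers:
            problems.append(f"endpoint {ep_id}: connector-id {conn} is not defined")
        elif not user_headers[conn]:
            problems.append(f"endpoint {ep_id}: connector {conn} has no userHeader")
        elif expected and user_headers[conn] != expected:
            problems.append(f"endpoint {ep_id}: userHeader {user_headers[conn]} != {PROP} {expected}")
    return problems

if __name__ == "__main__":
    print(check_sso_config(SAMPLE_SHARE_CONFIG, SAMPLE_PROPERTIES) or "consistent")
```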