What is external authentication?
SkyVault external authentication uses the Central Authentication Service (CAS), which enables Single Sign-On (SSO), and allows a user to authenticate with a CAS, instead of directly with SkyVault. For example, this might be using the mod_cas Apache module. For more information about mod_cas, see CAS Apache Module.
CAS is usually used with a proxy, for example, the Apache mod_proxy module.
External authentication is set with the authentication.chain parameter in your SkyVault-global.properties file to use the external authentication subsystem.
To provide SSO, an external authentication system (or CAS) can be integrated with SkyVault. For example, the identity of the logged-in user is extracted by the CAS, passed to SkyVault servlets and extracted using the HttpServletRequest.getRemoteUser() method. As a result, when a user connects to Share they are shown their user dashboard, but will not see the Share login page.
Here are two scenarios where external authentication is configured with SkyVault and Share. In both scenarios, an HTTP or HTTPS request is sent to an authentication proxy. If authentication is OK, the proxy passes the request to Share using the AJP protocol.
external.authentication.proxyUserName=SkyVault trusts the header (defined by external.authentication.proxyHeader) sent by Share. This scenario is typically used if you want to prohibit direct access to SkyVault and enforce using the proxy, for example, by using firewall rules to the proxy.
external.authentication.proxyUserName=alfresco-systemApache uses the certificate to check that the request is coming from Share with the correct user (that is, the value of external.authentication.proxyUserName) and forwards the request to SkyVault. This scenario is typically used to allow direct access to SkyVault, using HTTPS and the originator (the proxy) sends a client certificate when establishing the SSL tunnel.
Default authentication chain and Configuring external authentication provide more information on the parameter and the external authentication subsystem.
- The complexity of authentication moves to an external software layer (a proxy). SkyVault listens to the authenticated user name that it receives using a custom HTTP header, or it reads the CGI REMOTE_USER variable that can be passed using the AJP protocol. Configuring external authentication provides more information on configuring the external authentication subsystem.
- Most of the responsibility for authentication is not controlled by SkyVault, but controlled by the external software layer. Unless there is a problem when the authenticated user name is transmitted to SkyVault, the issue is located in the external software layer. In these cases, work with your proxy vendor or implementer of the authentication proxy to resolve the issue.
How is Single Sign-On (SSO) related to external authentication?
- If you are using Kerberos, you can use either the kerberos authentication subsystem, or the external authentication subsystem with a proxy that handles Kerberos authentication.
- If you are using NTLM, you can use either the SkyVaultNtlm or passthru authentication subsystems, or the external authentication subsystem with a proxy that handles NTLM authentication.
- If you are using CAS, you must use the external authentication subsystem with a proxy that handles CAS authentication.
In summary, external authentication and SSO are not interdependent: you can set up external authentication that is not SSO (for example, using an Apache proxy with a mod_auth_basic setting), and you can set up an SSO system that is not using the external authentication subsystem (for example, using the kerberos authentication subsystem).
See Authentication subsystem types for a listing of the authentication subsystems and the features that they support.