Authenticating users with SAML SSO for REST API

After configuring and enforcing SAML in SkyVault, users must be authenticated for SAML SSO before they can access any SAML-protected site through the REST API.
If you try to access a SAML-protected URL without authenticating the user, for example:
https://localhost:8443/alfresco/api/-default-/public/alfresco/versions/1/sites
you will get a 401 Unauthorized response, as shown below:
{
    "status" :
  {
    "code" : 401,
    "name" : "Unauthorized",
    "description" : "The request requires HTTP authentication."
  }, 
  
  "message" : "02210007 Authentication failed for Web Script org\/alfresco\/api\/ResourceWebScript.get", 
  "exception" : "org.springframework.extensions.webscripts.WebScriptException - 02210007 Authentication failed for Web Script org\/alfresco\/api\/ResourceWebScript.get",
 
  "callstack" :
  [
          ""      ,"org.springframework.extensions.webscripts.WebScriptException: 02210007 Authentication failed for Web Script org\/alfresco\/api\/ResourceWebScript.get"
      ,"org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:404)"
      ,"org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:281)"
      ...
      ,"org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)"
      ,"java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)"
      ,"java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)"
      ,"java.lang.Thread.run(Thread.java:745)"
  ],
 
  "server" : "Enterprise v5.0.3 (r122151-b84) schema 8 040",
  "time" : "21 mars 2017 11:45:44"
}

To avoid this problem, authenticate the user for SAML using the steps below:

  1. To authenticate the user, use the following URL:

    https://localhost:8443/alfresco/service/saml/-default-/rest-api/authenticate

    You will be redirected to your identity provider's login page.

  2. Specify the login credentials.

    A SAML ticket is provided in the form of a JSON response.

  3. Access the original site URL with the SAML ticket generated above.

    Append the SAML ticket to the site URL (in this case, https://localhost:8443/alfresco/api/-default-/public/alfresco/versions/1/sites) as the alf_ticket query parameter. For example:

    https://localhost:8443/alfresco/api/-default-/public/alfresco/versions/1/sites?alf_ticket=TICKET_ed6db2aca17e94864799c9849780f66c0a738e9b

    The URL returns a REST response and the user is successfully authorized.

To log out from SkyVault using the REST API, use the following /logout-request URL:
https://localhost:8443/alfresco/service/saml/-default-/rest-api/logout-request?alf_ticket=TICKET_17196d7019fc1704ed29a270bf4f54598393abdc
Response:
{"entry":{}}

The SAML ticket is now invalid and the user can no longer access SkyVault. To access SkyVault again, repeat the steps above.
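Because the ticket travels in the query string, it can end up wherever the full URL is recorded. The following added example (not part of the SkyVault documentation) builds the ticketed request and logout URLs from steps 3 and the logout section, and masks tickets before a URL or log line is stored. It assumes tickets always have the shape of the two shown on this page (`TICKET_` plus 40 hex characters); the function names and the `maxItems` sample parameter are illustrative.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: tickets look like the two on this page, "TICKET_" + 40 hex chars.
TICKET_RE = re.compile(r"TICKET_[0-9a-f]{40}")
# Logout endpoint path as given on the page.
LOGOUT_PATH = "/alfresco/service/saml/-default-/rest-api/logout-request"


def with_ticket(url: str, ticket: str) -> str:
    """Return url with alf_ticket set, replacing any stale alf_ticket value."""
    if not TICKET_RE.fullmatch(ticket):
        raise ValueError("value does not look like a ticket")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send a ticket over a non-HTTPS URL")
    # Keep the caller's other query parameters, drop any earlier ticket.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "alf_ticket"]
    query.append(("alf_ticket", ticket))
    return urlunsplit(parts._replace(query=urlencode(query)))


def logout_url(base: str, ticket: str) -> str:
    """Build the logout-request URL that invalidates the ticket."""
    return with_ticket(base.rstrip("/") + LOGOUT_PATH, ticket)


def redact(text: str) -> str:
    """Mask ticket values before a URL or log line is stored or shared."""
    return TICKET_RE.sub("TICKET_[REDACTED]", text)


if __name__ == "__main__":
    # Constructed ticket value for illustration, not a real one.
    ticket = "TICKET_" + "0123456789abcdef0123456789abcdef01234567"
    sites = ("https://localhost:8443/alfresco/api/-default-/public"
             "/alfresco/versions/1/sites")
    url = with_ticket(sites + "?maxItems=10", ticket)  # sample extra parameter
    print(redact(url))
    print(redact(logout_url("https://localhost:8443", ticket)))
```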