HTTP Header based Single Sign On

CAS is supported through a particular Maven profile (cas).

Any HTTP header based authentication is supported for internal users, such as CA (formerly Netegrity) SiteMinder or LemonLDAP::NG. The following procedure is described with a LemonLDAP::NG integration. This sample architecture is based on the following elements:
  • a host named linshare.example.com
  • a LinShare instance running on localhost on port 8080

LinShare configuration

The configuration must be done through different settings in linshare.properties :

# LemonLDAP::NG / SiteMinder HTTP request authenticator
sso.header.user: the name of the HTTP header that carries the authenticated user identity (default LemonLDAP::NG value: Auth-User)
sso.header.allowfrom: the IP address of the reverse proxy that is allowed to pass this header; LinShare trusts the header only when the request comes from this address, so a client that reaches the application port directly cannot forge it

Finally, you must rename src/main/resources/DISABLEDspringContext-securityLLNG.xml to src/main/resources/springContext-security.xml.
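The trust decision these two settings drive, as an added example in Python (not LinShare code; LinShare itself is a Java/Spring Security application): the user header is honoured only when the TCP peer address is listed in sso.header.allowfrom. The comma-separated list form of sso.header.allowfrom and the CIDR notation are assumptions; the page shows a single address.

```python
import ipaddress
import re

# Constructed sample of the two linshare.properties keys described above.
# Assumption: sso.header.allowfrom may hold a comma-separated list of
# addresses or CIDR blocks; the page itself shows a single address.
SAMPLE_PROPERTIES = """
# LemonLDAP::NG / SiteMinder HTTP request authenticator
sso.header.user: Auth-User
sso.header.allowfrom: 127.0.0.1, 10.0.0.0/24
"""

def parse_properties(text: str) -> dict:
    """Parse 'key: value' or 'key=value' lines; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^#:=]+?)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def load_trust_config(text: str):
    """Return (header name, list of trusted networks) from the properties."""
    props = parse_properties(text)
    trusted = [ipaddress.ip_network(a.strip(), strict=False)
               for a in props["sso.header.allowfrom"].split(",") if a.strip()]
    return props["sso.header.user"], trusted

def authenticate(remote_addr: str, headers: dict, header_name: str,
                 trusted) -> tuple:
    """Decide the SSO principal for one request.

    Only the TCP peer address (remote_addr) is compared with the allow list:
    X-Forwarded-For is client-controlled and must never drive this decision.
    Returns (principal or None, reason).
    """
    peer = ipaddress.ip_address(remote_addr)
    # HTTP header names are case-insensitive
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    if value is None or not value.strip():
        return None, "no SSO header: fall back to other authentication"
    if not any(peer in net for net in trusted):
        # A client that reaches the application port directly and forges the
        # header must not be logged in; this is the event worth alerting on.
        return None, f"header {header_name} from untrusted peer {peer}: ignored"
    return value.strip(), f"header accepted from trusted proxy {peer}"
```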

LemonLDAP::NG configuration

Open the LemonLDAP::NG manager and, under the virtual hosts node, add or modify a virtual host for LinShare with the following parameters:
  • Add an HTTP header:
    Auth-User => $mail
  • Specify the logout URL into the rules sub node:
    ^/j_spring_security_logout => logout_app_sso http://linshare.example.com/

Click on the Save button, and restart the Apache server.

Apache configuration

You must set up a virtual host to be able to access LinShare.

<VirtualHost *:80>
    ServerName linshare.example.com

    # LemonLDAP::NG handler: authenticates the user and sets the Auth-User header
    PerlHeaderParserHandler My::Package
    # Proxy every request to the LinShare instance listening on localhost:8080
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/(.*)$ http://localhost:8080/$1 [P]

    # Handler configuration reload, reachable from the local host only
    <Location /reload>
       Order deny,allow
       Deny from all
       Allow from 127.0.0.0/8
       PerlHeaderParserHandler My::Package->refresh
    </Location>

    # Logout paths: this is a regular expression, so LocationMatch is required
    <LocationMatch "/(.*/)logout">
       PerlHeaderParserHandler My::Package->logout
    </LocationMatch>

    # Paths that stay reachable without SSO (downloads and REST services)
    <Location /download/>
       PerlHeaderParserHandler My::Package->unprotect
    </Location>
    <Location /documentrestservice/>
       PerlHeaderParserHandler My::Package->unprotect
    </Location>
    <Location /userrestservice/>
       PerlHeaderParserHandler My::Package->unprotect
    </Location>
    <Location /sharerestservice/>
       PerlHeaderParserHandler My::Package->unprotect
    </Location>
</VirtualHost>

LemonLDAP::NG handler and SSL

If you are using HTTPS, the handler should redirect the user to HTTPS.

If you are using the LemonLDAP::NG handler, there are three cases, depending on its version:

  • The version you use is 0.9.4 or older:
    Edit /var/lib/lemonldap-ng/handler/MyHandler.pm and set https => 1.
  • The version you use is 0.9.5:
    Edit /etc/lemonldap-ng/lemonldap-ng.ini and set https=1 into the handler section.
  • The version you use is higher than 0.9.5:
    Open the LemonLDAP::NG manager, and add an option associated with the virtual host which contains "https => 1".
