Hi Mike,

We've got a similar situation (SSO based on request headers), and have a 
solution running that works well.

I gave a presentation on this yesterday at the Magnolia conference, "User 
Management and SSO for Austrian Government", see:
http://www.magnolia-cms.com/community/magnolia-conference/program/community-day/presentations/lfrz.html

Looks like the slides and video aren't up yet, but I guess they should be soon. 
In the meantime, I can outline what a solution might look like:

- Logins are handled by Magnolia's LoginFilter, which makes use of different 
(configurable) "LoginHandlers".
- You will need to write a LoginHandler class which reads your HTTP headers, 
and sets up a custom "CallbackHandler" for JAAS.
- You will need to write a custom JAAS AuthenticationModule which uses your 
CallbackHandler to obtain the headers, does any other work you need to do (i.e. 
talk to AD to obtain the roles and groups) and then sets up the Magnolia user.
- You can then configure your LoginHandler in the LoginFilter configuration, 
and your AuthenticationModule in the jaas.config file.
- I would extend Magnolia's default "JCRAuthenticationModule" and override 
"validateUser".
- Defer to the superclass if you don't have an instance of your custom 
CallbackHandler - in this way the standard Form-Login will still work as well.
- When testing this, use a fresh Magnolia instance that does not contain 
important data, as you can easily lock yourself out if things go wrong...

You'll probably have to study the code a bit for the JCRAuthenticationModule 
and the FormLoginHandler to figure out how things fit together, but it's 
definitely doable, and works really well once it's all set up right.

Regards from Vienna,

Richard

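An added sketch of the LoginHandler / CallbackHandler / JAAS-module split described in the post above; it is not code from the presentation or from Magnolia. It uses plain JAAS instead of Magnolia's LoginHandler and JCRAuthenticationModule classes, and the header names X-SSO-User and X-SSO-Groups, the class names, and the trusted-proxy check (accept the headers only when the request arrived from the SSO front end's address) are assumptions.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;

/** CallbackHandler the LoginHandler fills from the SSO headers (hypothetical class name). */
class HeaderCallbackHandler implements CallbackHandler {
    final String user; final List<String> groups;
    HeaderCallbackHandler(String user, List<String> groups) { this.user = user; this.groups = groups; }
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
            else throw new UnsupportedCallbackException(cb);
        }
    }
    /** LoginHandler side: build a handler only when the headers are present AND the request came
     *  from the SSO front end, so a browser cannot send X-SSO-User itself (constructed sample names). */
    static HeaderCallbackHandler fromRequest(HttpServletRequest req, Set<String> trustedProxies) {
        String user = req.getHeader("X-SSO-User");
        if (user == null || user.isEmpty() || !trustedProxies.contains(req.getRemoteAddr())) return null;
        String g = req.getHeader("X-SSO-Groups");
        return new HeaderCallbackHandler(user, g == null ? List.of() : Arrays.asList(g.split(",")));
    }
}

/** Plain JAAS version; in Magnolia this logic belongs in validateUser() of a JCRAuthenticationModule subclass. */
public class HeaderSsoLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private String user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        // Not our handler: defer (false = "ignore this module"), so the standard form login still works
        if (!(handler instanceof HeaderCallbackHandler)) return false;
        NameCallback nc = new NameCallback("user");
        try { handler.handle(new Callback[] { nc }); } catch (Exception e) { throw new LoginException(e.getMessage()); }
        user = nc.getName();
        return true;
    }
    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(() -> user); // java.security.Principal as a lambda
        for (String g : ((HeaderCallbackHandler) handler).groups) subject.getPrincipals().add(() -> "group:" + g);
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
}
```

The LoginHandler would call fromRequest() and, only when it returns a handler, start the JAAS login with it; a null result falls through to the normal form login.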

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On behalf of Mike Wilson (via Magnolia Forums)
Sent: Tuesday, 04 September 2012 14:51
To: Magnolia User List
Subject: [magnolia-user] Re: suggestions for implementation of AD login when 
authentication is done externally

Looking a bit more it seems Magnolia's NTLM/SSO configuration is similar. Having 
our servers on Linux we cannot use Waffle though. I will try to replace the 
Waffle JAAS module with something else and then configure the AD module with 
ssoSlave=true.

Suggestions?

-- 
Context is everything: 
http://forum.magnolia-cms.com/forum/thread.html?threadId=878e325c-2ac2-4b8f-8575-640c0c0740f3


----------------------------------------------------------------
For list details, see http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------