• Doc direct access URL using SSO

 #12180  by zsazsa
 
I have configured OpenKM to use SSO authentication (CAS). It works fine except for URLs for accessing documents directly. For example the URL

https://dokumentum2.chronossoftware.com ... lang=hu-HU

takes me to the OpenKM login page instead of the CAS login page, even though I have a filter mapping defined for all URLs:
Code:
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
The direct link works perfectly if I log in to OpenKM first using this URL:

https://dokumentum2.chronossoftware.com/OpenKM/

It takes me to the CAS login page and after successful authentication it logs me in to OpenKM. The direct links work fine in this case.

There is another scenario: if I log in using CAS directly or from another application, then the direct URL of the document takes me to the OpenKM login page even though I have already logged in.

Do you have any idea what can be wrong? Did I miss something?
 #12195  by pavila
 
Can you share with us the steps to CASify an OpenKM installation? I played with it a few years ago, and I don't remember the process.
 #12218  by jllort
 
It could be a problem with filtering.

The URLs that you tested are:
Code:
OpenKM/
OpenKM/frontend/index.jsp?docPath=%2Fokm%3Aroot%2FTeszt%2Flogo+1+.png&lang=hu-HU
Could you tell me what happens if you try OpenKM/frontend and OpenKM/frontend/index.jsp? Here OpenKM is making a /OpenKM/login.jsp

And as paco says, we'll be pleased if you can share a CAS configuration example with the community; we will post it in our wiki documentation section so it is available to the whole community.
 #12240  by zsazsa
 
Once you have the CAS server up and running it is easy to set up SSO in OpenKM. I wanted to keep basic authentication for the WebDav part, which is why the filter mapping is complicated. I made the following changes in OpenKM:

1. In server/default/deploy/OpenKM.war/WEB-INF/web.xml:
Code:
  <!-- CAS SSO-->
  <!-- Facilitates CAS single sign-out -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  <!-- Following is needed only if CAS single-sign out is desired -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <!-- Only 2 CAS filters are required for JAAS support -->
  <context-param>
    <param-name>service</param-name>
    <param-value>https://openkm.chronossoftware.com/OpenKM</param-value>
  </context-param>
  <context-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://openkm.chronossoftware.com/cas/login</param-value>
  </context-param>
  <filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  </filter>
  <!-- CAS client filter mappings -->
  <!-- The order of the following filters is vitally important -->
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <!-- /CAS SSO -->
2. In server/default/conf/login-config.xml:
Code:
<application-policy name="OpenKMWebDav">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://dokumentum2.chronossoftware.com:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="baseCtxDN">ou=Users,dc=igyuk,dc=hu</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <module-option name="rolesCtxDN">ou=Groups,dc=igyuk,dc=hu</module-option>
      <module-option name="roleFilter">(uniqueMember={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">False</module-option>
      <module-option name="defaultRole">UserRole</module-option>
    </login-module>
  </authentication>
</application-policy>

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <module-option name="casServerUrlPrefix">https://dokumentum2.chronossoftware.com/cas</module-option>
      <module-option name="service">https://dokumentum2.chronossoftware.com/OpenKM</module-option>
      <module-option name="defaultRoles">UserRole</module-option>
      <module-option name="roleAttributeNames">groupMembership</module-option>
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <module-option name="cacheAssertions">true</module-option>
      <module-option name="tolerance">20000</module-option>
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>
3. In repository.xml I changed the "OpenKM" to "OpenKMWebDav" at
Code:
<Security appName="OpenKM">
4. I have added the certificate of the CAS server to cacerts using the instructions that I found in the "Adding KPI Certificate" at http://wiki.openkm.com/index.php/JBoss_ ... figuration

5. I have copied these 2 jar files from the CAS client distribution to server/default/deploy/OpenKM.war/WEB-INF/lib:

cas-client-core-3.2.0.jar
cas-client-integration-jboss-3.2.0.jar

I checked the behavior of the URL /OpenKM/frontend/index.jsp and it also goes to the /OpenKM/login.jsp page. It seems that it does not apply the filter that is set in web.xml.
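
One way to check which CAS filters the mappings in the post above cover for a given URL, written as an added example that is not part of the original post or of OpenKM. It applies the Servlet url-pattern rules (exact, `/prefix/*`, `*.ext`) to a constructed excerpt of the web.xml; the `/OpenKM` context path and the `/OpenKM/webdav/...` path are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt of the web.xml from the post: the three CAS
# filter-mappings, each cut down to two of its url-patterns.
WEB_XML = """<web-app>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
  </filter-mapping>
</web-app>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without any XML namespace

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: '/prefix/*', '*.ext', otherwise exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def filters_for(web_xml, url, context="/OpenKM"):  # context path is assumed
    """Filters, in web.xml order, whose mappings cover the URL."""
    path = urlsplit(url).path[len(context):] or "/"  # drop context and query
    hits = []
    for el in ET.fromstring(web_xml).iter():
        if local(el) == "filter-mapping":
            patterns = [c.text.strip() for c in el if local(c) == "url-pattern"]
            if any(pattern_matches(p, path) for p in patterns):
                hits += [c.text.strip() for c in el if local(c) == "filter-name"]
    return hits

DIRECT = "/OpenKM/frontend/index.jsp?docPath=%2Fokm%3Aroot%2FTeszt%2Flogo+1+.png&lang=hu-HU"
WEBDAV = "/OpenKM/webdav/okm:root/"  # hypothetical WebDAV-style path
print({u.split("?")[0]: filters_for(WEB_XML, u) for u in (DIRECT, WEBDAV)})
```

For the direct document link it returns all three CAS filters, so the url-patterns themselves do cover that URL, while the hypothetical WebDAV path is left to basic authentication.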
 #12390  by jllort
 
Thanks, I'll try it and put the results of how to do it on the wiki.
 #12554  by zsazsa
 
OK, but we still have the issue with direct links (see the first post). Do you have any idea for solving it?
 #13499  by Luiso
 
Hello,

/default/deploy/OpenKM.war in my installation is a file, not a directory.

Can you help me?
