SSO with Hippo CMS


RadVed

Dec 27, 2017, 9:55:07 PM
to Hippo Community
Hi,

I have integrated SSO with the Hippo delivery tier and am using the Spring Security SAML extension for authentication. User/role mapping is stored in a database.

I now need to integrate CMS authoring tier with SSO.

Looking for pointers as to how to customize the login process for the CMS tier.

Thanks




Ard Schrijvers

Dec 28, 2017, 4:35:08 AM
to hippo-c...@googlegroups.com
Hello,

At [1] you can find an SSO integration with the CMS. Not sure how
up to date it is, but the concept should still work.

HTH,

Regards Ard


[1] https://github.com/woonsanko/hippo-cas-integration-demo/blob/master/README.md
> --
> Hippo Community Group: The place for all discussions and announcements about
> Hippo CMS (and HST, repository etc. etc.)
>
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS:
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google Groups
> "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to hippo-communi...@googlegroups.com.
> Visit this group at https://groups.google.com/group/hippo-community.
> For more options, visit https://groups.google.com/d/optout.



--
Hippo Netherlands, Oosteinde 11, 1017 WT Amsterdam, Netherlands
Hippo USA, Inc. 71 Summer Street, 2nd Floor Boston, MA 02110, United
states of America.

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com

Giacomo Lamonaco

Dec 28, 2017, 4:50:54 AM
to hippo-c...@googlegroups.com
Hi, in addition to Ard’s answer, you can also have a look at pac4j client libraries [1]. In case you are going to use the latter, please let us know how it goes.

[1] https://github.com/pac4j/spring-security-pac4j

Ard Schrijvers

Dec 28, 2017, 5:16:45 AM
to hippo-c...@googlegroups.com
On Thu, Dec 28, 2017 at 10:50 AM, Giacomo Lamonaco
<giacomo....@bloomreach.com> wrote:
> Hi, in addition to Ard’s answer, you can also have a look at pac4j client libraries [1]. In case you are going to use the latter, please let us know how it goes.

I think he is mainly looking for how an SSO solution can be plugged
into the CMS. For example, 'SSOExampleCMSLoginFilter' might be a nice
pointer to get started. My reference to the project was not about the
CAS integration but about how to have a different authentication mechanism
in the CMS than the default login screen.

Regards Ard

VedGunjan Singh

Dec 28, 2017, 9:47:31 AM
to hippo-c...@googlegroups.com
Thanks Ard and Giacomo. Yes, I was mainly looking for a way to integrate SSO with the CMS, and the starting point for that would be to figure out how to control and customize the login process.

I will go over the links provided and will revert in case of queries. If I'm able to get it done, I will most surely post the solution here for the benefit of the community.

Thanks


VedGunjan Singh

Jan 19, 2018, 9:43:38 PM
to hippo-c...@googlegroups.com
Hi,

Looking for some help and guidance here. I tried the SSO filter approach as mentioned here: https://github.com/woonsanko/hippo-cas-integration-demo

The design that I've implemented is as follows. Pardon the long email, but I wanted to make things clear.
  • On the delivery website, there is a link which allows a user to log in to the CMS authoring interface. When the user clicks on that link, the user is redirected to the CMS authoring interface. The redirect URL has a JWT token passed as a parameter.
Redirect URL: http://<hostname>/cms/?0&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJlbWFpbCI6IlZlZEBpbWMuY29tIiwiaWF0IjoxNTE2NDEzODM4LCJpbWNBY2NvdW50SWQiOjEsImp0aSI6Im1
  • The request is intercepted by a Java filter in the CMS.
  • The filter looks for the jwt parameter, decodes it and verifies it.
  • Based on the verification result, it sets the user state in the session and adds the user state to a thread-local storage.
        Here's the link to the filter class
  • The flow then goes to DelegatingSecurityProvider, whose "boolean validateAuthentication(SimpleCredentials creds)" is invoked.
  • This method returns true by looking at the user state variable in the thread-local.
Here's the link to the class

The flow executes as planned, but the user is not redirected to the CMS author dashboard interface. Instead, the user is presented with the login screen.

So my questions here are:
  1. Is there any incorrectness in the design and the code?
  2. If not, then how do I redirect the user to the CMS author interface? Or is my redirect URL correct?

Thanks in advance for any and all help.


Woonsan Ko

Jan 19, 2018, 10:57:20 PM
to hippo-c...@googlegroups.com
If the security provider was invoked and returned true as you mentioned, I guess the flow and your *authentication* implementation are good enough.
However, I suspect the *authorization* for the authenticated user.
The SSO integration example cares only about *authentication*, not *authorization*.
For example, suppose your SSO authenticates a user called "john" successfully, as you observed while debugging. But if you don't have a user called 'john' in the repository at /hippo:configuration/hippo:users/john (you can check it through the CMS Console), or you don't have the username 'john' in /hippo:configuration/hippo:groups/authors/@hipposys:members, then the authenticated user turns out to be unauthorized for the authoring tier application at all.

So, I'd like to suggest you do the following for testing:
- Create a test user, the one you tested in the SSO flow, with the same username in the CMS admin UI.
- Add the username to the authors or editors group.
- Start a fresh browser session and test it again.

If this test scenario works, then you need to figure out how to synchronize or create the users somehow (e.g., dynamic creation at authentication time) in the repository for authorization. In the end, the CMS's authorization depends on its own users, groups and other security definitions in the repository itself. So, somehow that security data should be 'synchronized'.

Regards,

Woonsan
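The two halves of this thread fit together in one piece of code: the design VedGunjan describes (a filter verifies the JWT, stores the user in the session and a thread-local, and the security provider reads it) and Woonsan's point that the CMS still authorizes only against its own repository users and groups. The Java below is an added example written for this page; it is not code from the thread, from the hippo-cas-integration-demo project, or from Hippo's own DelegatingSecurityProvider. It assumes jjwt 0.9.x for token parsing, the standard javax.servlet and javax.jcr APIs, and that the token's `sub` claim carries the repository username; the class names, the shared secret, the expected issuer, the group list and the extra `Session` parameter on `validateAuthentication` are all assumptions made for illustration.

```java
// Added example: JWT-based CMS login filter plus the repository-side authorization check.
// Not from the thread or hippo-cas-integration-demo; names, secret, issuer and the extra
// Session parameter are assumptions for illustration.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.Value;
import javax.servlet.*;
import javax.servlet.http.*;

public class JwtSsoLoginFilter implements Filter {
    // Constructed placeholder; a real deployment loads the shared secret from configuration.
    private static final byte[] HMAC_SECRET =
            "REPLACE-WITH-A-LONG-RANDOM-SECRET-SHARED-WITH-THE-DELIVERY-TIER".getBytes(StandardCharsets.UTF_8);
    private static final String EXPECTED_ISSUER = "delivery-tier";   // assumed 'iss' value
    static final String SESSION_ATTR = "sso.username";
    private static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String token = http.getParameter("jwt");
        if (token != null) {
            String subject;
            try {
                subject = verifiedSubject(token);   // nothing reaches the session before every check passes
            } catch (JwtException | IllegalArgumentException e) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED, "SSO token rejected");
                return;
            }
            HttpSession old = http.getSession(false);
            if (old != null) old.invalidate();      // fresh session id once the user is authenticated
            http.getSession(true).setAttribute(SESSION_ATTR, subject);
        }
        HttpSession session = http.getSession(false);
        Object user = session == null ? null : session.getAttribute(SESSION_ATTR);
        try {
            CURRENT_USER.set(user == null ? null : user.toString());
            chain.doFilter(req, res);
        } finally {
            CURRENT_USER.remove();   // container threads are pooled: never leak one request's user into the next
        }
    }

    /** Returns the token's subject after checking signature, expiry, issuer and the pinned algorithm. */
    static String verifiedSubject(String token) {
        Jws<Claims> jws = Jwts.parser()
                .setSigningKey(HMAC_SECRET)       // HMAC key only: a token signed with another key type fails here
                .requireIssuer(EXPECTED_ISSUER)
                .parseClaimsJws(token);           // throws JwtException on a bad signature or an expired 'exp'
        if (!"HS512".equals(jws.getHeader().getAlgorithm())) {
            throw new IllegalArgumentException("unexpected JWT alg: " + jws.getHeader().getAlgorithm());
        }
        String subject = jws.getBody().getSubject();
        if (subject == null || subject.isEmpty()) throw new IllegalArgumentException("JWT carries no subject");
        return subject;
    }

    /** What the security provider reads; null when the request carried no verified SSO user. */
    static String currentUser() { return CURRENT_USER.get(); }
}

/** Repository-side check: the logic to place behind validateAuthentication(SimpleCredentials). */
class RepositoryAuthorizer {
    private static final String USERS_PATH  = "/hippo:configuration/hippo:users/";
    private static final String GROUPS_PATH = "/hippo:configuration/hippo:groups/";
    private static final String[] ALLOWED_GROUPS = {"authors", "editors"};   // assumed authoring groups

    /** The Session parameter is added here so the check can be exercised outside the CMS. */
    static boolean validateAuthentication(SimpleCredentials creds, Session repo) throws RepositoryException {
        String ssoUser = JwtSsoLoginFilter.currentUser();
        // Accept only when the verified SSO subject is the user the CMS is asking about (assumed mapping).
        if (ssoUser == null || !ssoUser.equals(creds.getUserID())) return false;
        // Authentication alone is not enough: the user must exist under hippo:users ...
        if (!repo.nodeExists(USERS_PATH + ssoUser)) return false;
        // ... and be listed in hipposys:members of a group that grants authoring access.
        for (String group : ALLOWED_GROUPS) {
            if (isMember(repo, group, ssoUser)) return true;
        }
        return false;
    }

    static boolean isMember(Session repo, String group, String user) throws RepositoryException {
        String path = GROUPS_PATH + group;
        if (!repo.nodeExists(path)) return false;
        Node groupNode = repo.getNode(path);
        if (!groupNode.hasProperty("hipposys:members")) return false;
        for (Value member : groupNode.getProperty("hipposys:members").getValues()) {   // multi-valued property
            if (user.equals(member.getString())) return true;
        }
        return false;
    }
}
```

Two design choices matter more than the rest. The filter rejects the request outright when the token fails verification rather than letting an unverified `sub` reach the session, and it clears the thread-local in a `finally` block, because a pooled container thread would otherwise carry one request's identity into the next. On the authorization side, `RepositoryAuthorizer` reproduces Woonsan's diagnosis in code: a true result from the security provider only gets the user past authentication, and the node under `hippo:users` plus the `hipposys:members` entry are what the CMS actually authorizes against, which is why a user who exists only in the SSO provider lands back on the login screen. Usernames containing characters that are not valid in a JCR name would need escaping before being appended to the path.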
