Link Liferay and Alfresco with sso (OpenAM) authenticated user - liferay

We need to show document from alfresco in Liferay portlets. We would use the CMIS connector with the document library. But we are required that the users be authenticated with OpenAM (a sso).
All the research I've done seam to indicate that ootb it doesn't work. But I can't find anyone that made it works.
So is it possible to use the CMIS connector with an SSO authenticated user?
If yes, what step should we do, or is there some doc already available?
If no, Is there any work around or other solution to connect Liferay with alfresco with an SSO authenticated user?

So to summarize the situation, no, by default there is no way to use Liferay document librairy/cmis connector with any SSO.
But, it is possible to use it by modifying the Liferay feature (With hook) and using a specific strategies (This go from proxy sso to some java script hack that I wont go to deep into as we decides not to do it) to get the required info to send to alfresco.
Other solution (that we chooses) is to implement a custom authentication on alfresco and to use a password that is not the user one as password, but there is some security concern that need to be taken into account with this solution because the simple way to do it create a "master password" that could be used by anyone.
So basically there is really no one size fit all solutions on this subject.

Related

What CDSSO implementation best resolves Disparate User database

What Cross-Domain Single Sign-On implementation best solves my problem?
I have two domains (xy.com & yz.com) which already have their own database of users and are already implementing their user authentications separately. Recently there has been the need to implement CDSSO so that users dont have to log in each time they try to access resources from both domains.
Ideally the CDSSO implementation I hope to use should allow custom implementation of authentication, as I hope to call API's provided by both domains during authentication to confirm a user exists in at least one of the domains user database.
I've been looking at Sun's OpenSSO which seems to provide a means to extend its AMLoginModule class yet this seems to be a long thing and more annoyingly they seem to stick to GlassFish.
I've also considered developing a custom CDSSO to solve our needs. Is this advisable?
Is this achievable using Suns OpenSSO considering the disparate user database as I there will be no need to make use of the User db that OpenSSO requires?
Are there any simpler means of achieving what I intend to achieve?
In addition both applications which exist on the two domains were developed using PHP. How does this have an effect considering Suns OpenSSO is based on Java EE?
Are there any clearly specified steps on implementing OpenSSO and or any other SSO implementations from start to finish?
I suggest you to use simpleSAMLphp in order to deploy an Identity Provider and 2 Service Provider (for each app).
SimpleSAMLphp allows you to select multiple authentication source and is not hard to build your own authsource that consults the 2 databases.
My experience in SAML says that the fact of not consolidating the Identity of the user in 1 unique authsource is a bad idea due several reasons:
* identity conflicts: what happen if you have the same user registered with different mail (if that is the field yoy use to identify the user) and you try to access? You could be logged in different account each time.
* what happen if you add a 3rd service, do you gonna add a 3rd database
* what happen if user change its data in one app, the other gonna be no synched?
* what happen if user uses different passwords?
I recommend you to execute a migration process before adding the SAML support and build a unique database for all your identities and unify the registration/edit profile/password recovery process of both sites in one.
SimpleSAMLphp has good documentation, but I can provide to you any documentation related to the process that I suggested.

Use Application Server based User management or Custom User management?

I'm following the Java EE 6 tutorial and I'm reading the part related to security.
In the examples, the user management is done using the features provided with the Glassfish server. Is this the usual method used to manage users in Java EE?
Is it possible to use mechanisms such as e-mail based user account creation (password sent via email) etc. by using this method? If not, what alternative mechanism/library do you recommend for user account management?
I found the answer to my problem here.

Liferay - Authentication without populating liferay db

Again, Do we have any possible solution that avoid populating liferay db with user information for authentication using extending methods/custom implementation/hooks/plugins/extensions?
Regards
Vishal G
There's no way to avoid creating a user in the Liferay database. You can though create a dummy user that all users use or a dummy user for every user depending on your needs
It is generally not desirable to share accounts as you cannot benefit from all functionality regarding groups, personalization, ... This is basically why one would install a portal.
To create users you can use Liferay's services.
If authorization is not your concern, it is possible to override the authenitaction mechanism with a variety of methods. THe authentication pipeline might be a good starting point.
http://www.liferay.com/documentation/liferay-portal/6.1/user-guide/-/ai/authentication-pipeline
Good luck!
You can create a Liferay Hook to Authenticate using your custimization.
override the following jsp page.
/html/portlet/login/login.jsp
Or you can create your own login portlet. No need to populate all users in db.
Just findUserById().
Dont forget to mention this change in portal-ext.properties file. You will need to specify custom Login portlet id.

What´s the easiest way for a user authentication in SharePoint 2010

does anybody have a manuel that describes the steps to create an anonymous
user authentication in SharePoint 2010 (Website for the internet with no authentication).
For editing an admin has to log in
with forms authentication. Can I hold the admin somewhere in the web.config with
membership provider ? Or do I need to install SQL Server somewhere for that task ?
Thanx a lot.
Stephan
Ah - you need SQL Server installed somewhee ANYWAY - SharePoint makes heavy use of SQL Server.
I would think that any valid ASP.NET membership provider should work with SharePoint, so in theory you should be able to write your own XML-based or text-based provider and store the admin username and password there.
But it's too much work and a bit risky. And in all honesty I would personally avoid trying anything like that since SharePoint is a complex enough behemoth by itself.
Since you only want an admin to be able to modify the website, it's probably a lot easier to just use the Active Directory provider and create a user in AD for the admin if one doesn't already exist.
HTH

Where can I find information on how to customize the user registration process of Liferay + Sun Web Space Portal

I need to quickly customize the user registration form of the liferay/web space portal? Have not found any direct information on this so would appreciate any tips.
There are several possibilities:
The source is available, so you might want to patch the existing process
The API is available (e.g. see this thread in the liferay forum), so you can batch-create users or implement your own registration portlet and just use the API. AFAIK you can even register users via a webservice interface.
You can batch-insert users into the database
If your existing user data is stored in LDAP, you can connect Liferay to the database.

Resources