How to configure Apache/IIS to integrate with CQ5 SSO

Question

In order to enable SSO authentication with CQ5, typically a 3rd party authority is required which pre-authenticates a user before a request is passed through to CQ5. How can this be achieved with IIS or Apache 2.x?

 

Answer, Resolution

As a prerequisite, SSO must also be enabled on both CQ5 and CRX. Please refer to this KB article for how to set this up.

This article describes how to integrate Windows NTLM authentication through Apache and IIS with CQ5 to enable SSO access to a CQ5 authoring instance. It is assumed that a working setup of the Dispatcher connected to a CQ5 instance is in place.

 

IIS

Microsoft IIS already provides built-in support for NTLM authentication which can be enabled through configuration:

  • activate Integrated Windows authentication in the Directory Security tab of IIS for the CQ instance served by this IIS server
  • enable server-variables to be passed along with the request as headers
  • make sure your web site is listed in the Intranet zone in IE's security settings

To enable server variables, edit the disp_iis.ini file and set servervariables to 1. This link provides a list of variables available in IIS.
Typical headers are REMOTE_USER or LOGON_USER. Please make sure that the value for the user-ID matches the IDs of users in CQ.

 

Apache

Apache requires an additional module, mod_auth_sspi, to enable NTLM authentication. The ID of the current Windows user can then be extracted from Apache's REMOTE_USER environment variable, which is sent as a request header.

Example configuration of httpd.conf:

LoadModule sspi_auth_module modules/mod_auth_sspi.so

<VirtualHost *:80>
  ServerAdmin webmaster@xyz.com
  DocumentRoot "C:/Apache2.2/htdocs"
  ServerName localhost
  ErrorLog "logs/error.log"
  KeepAlive On

    <Location />
      SetHandler dispatcher-handler
      AuthName "A Protected Place"
      AuthType SSPI
      SSPIAuth On
      SSPIUsernameCase lower
      require valid-user
    </Location>

</VirtualHost>
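
An added check, not part of the original article or of any Adobe tooling: the Python below reads httpd.conf text and reports every <Location> served by dispatcher-handler that lacks the three authentication directives used in the example above (AuthType SSPI, SSPIAuth On, require valid-user). The names audit_sso_locations, PAGE_CONF and WEAK_CONF are assumptions made for this example, and WEAK_CONF is a constructed sample.

```python
import re

# Directives the article's <Location> block relies on to force SSPI authentication.
REQUIRED = {"authtype": "sspi", "sspiauth": "on", "require": "valid-user"}

def audit_sso_locations(conf_text):
    """Map each dispatcher-handled <Location> path to the required
    directives that are missing or set to a different value."""
    findings, path, seen = {}, None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        opened = re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opened:
            path, seen = opened.group(1), {}
        elif line.lower() == "</location>" and path is not None:
            # Only blocks that hand requests to the Dispatcher are in scope.
            if seen.get("sethandler") == "dispatcher-handler":
                bad = [f"{k} {v}" for k, v in REQUIRED.items() if seen.get(k) != v]
                if bad:
                    findings[path] = bad
            path = None
        elif path is not None:
            parts = line.split(None, 1)           # directive name, then its value
            value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
            seen[parts[0].lower()] = value
    return findings

# The <Location> block from the article's httpd.conf example.
PAGE_CONF = """
<Location />
  SetHandler dispatcher-handler
  AuthName "A Protected Place"
  AuthType SSPI
  SSPIAuth On
  SSPIUsernameCase lower
  require valid-user
</Location>
"""

# Constructed sample: the same block with SSPI switched off and no Require line.
WEAK_CONF = PAGE_CONF.replace("SSPIAuth On", "SSPIAuth Off").replace(
    "  require valid-user\n", "")

if __name__ == "__main__":
    for label, conf in (("article", PAGE_CONF), ("constructed", WEAK_CONF)):
        print(label, audit_sso_locations(conf) or "OK")
```

A block reported here would let requests reach CQ without a pre-authenticated user, so the SSO handler would have no trustworthy user ID to act on.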

 

Note: the mod_auth_sspi Apache module only works with the Windows version of Apache 2.x.

For Linux installations, possible solutions are either mod_ntlm or mod_headers.

 

Applies to

CQ 5.x
