How to configure Apache/IIS to integrate with CQ5 SSO
In order to enable SSO authentication with CQ5, typically a 3rd party authority is required which pre-authenticates a user before a request is passed through to CQ5. How can this be achieved with IIS or Apache 2.x?
As a prerequisite, SSO needs to be enabled on both CQ5 and CRX as well. Please refer to this kb-article how to set this up.
This article will describe how to integrate Windows NTLM authentication through Apache and IIS with CQ5 to enable SSO access to a CQ5 authoring instance. It is assumes that a working setup of the Dispatcher connected to CQ5 instance is in place.
Microsoft IIS already provides built-in support for NTLM authentication which can be enabled through configuration:
- activate Integrated Windows authentication in the Directory Security tab of IIS for the CQ instance served by this IIS server
server-variablesto be passed along with the request as headers
- make sure your web site is listed in the Intranet zone in IE's security settings
To enable server variables, edit the
disp_iis.ini file and set
1. This link provides a list of variables available in IIS.
Typical headers are
LOGON_USER. Please make sure that the value for the user-ID matches the IDs of users in CQ.
Apache requires an additional module to enable NTLM authentication called mod_auth_sspi. The ID of the current Windows user can then be extracted from Apache"s
REMOTE_USER environment variable which is sent as request header.
Example configuration of
LoadModule sspi_auth_module modules/mod_auth_sspi.so <VirtualHost *:80> ServerAdmin email@example.com DocumentRoot "C:/Apache2.2/htdocs" ServerName localhost ErrorLog "logs/error.log" KeepAlive On <Location /> SetHandler dispatcher-handler AuthName "A Protected Place" AuthType SSPI SSPIAuth On SSPIUsernameCase lower require valid-user </Location> </VirtualHost>
Note : the mod_auth_sspi Apache module only works with the Windows version of Apache 2.x.