How to configure Apache/IIS to integrate with CQ5 SSO

Buscar
CQ Guía del usuario
Se aplica a: CQ

Question

In order to enable SSO authentication with CQ5, typically a 3rd party authority is required which pre-authenticates a user before a request is passed through to CQ5. How can this be achieved with IIS or Apache 2.x?

 

Answer, Resolution

As a prerequisite, SSO needs to be enabled on both CQ5 and CRX as well. Please refer to this kb-article how to set this up.

This article will describe how to integrate Windows NTLM authentication through Apache and IIS with CQ5 to enable SSO access to a CQ5 authoring instance. It is assumes that a working setup of the Dispatcher connected to CQ5 instance is in place.

 

IIS

Microsoft IIS already provides built-in support for NTLM authentication which can be enabled through configuration:

  • activate Integrated Windows authentication in the Directory Security tab of IIS for the CQ instance served by this IIS server
  • enable server-variables to be passed along with the request as headers
  • make sure your web site is listed in the Intranet zone in IE's security settings

To enable server variables, edit the disp_iis.ini file and set servervariables to 1. This link provides a list of variables available in IIS.
Typical headers are REMOTE_USER or LOGON_USER. Please make sure that the value for the user-ID matches the IDs of users in CQ.

 

Apache

Apache requires an additional module to enable NTLM authentication called mod_auth_sspi. The ID of the current Windows user can then be extracted from Apache"s REMOTE_USER environment variable which is sent as request header.

Example configuration of httpd.conf:

LoadModule sspi_auth_module modules/mod_auth_sspi.so

<VirtualHost *:80>
  ServerAdmin webmaster@xyz.com
  DocumentRoot "C:/Apache2.2/htdocs"
  ServerName localhost
  ErrorLog "logs/error.log"
  KeepAlive On

    <Location />
      SetHandler dispatcher-handler
      AuthName "A Protected Place"
      AuthType SSPI
      SSPIAuth On
      SSPIUsernameCase lower
      require valid-user
    </Location>

</VirtualHost>

 

Note : the mod_auth_sspi Apache module only works with the Windows version of Apache 2.x.

For Linux installations, possible solutions are either mod_ntlm , or mod_headers .

 

Applies to

CQ 5.x

Esta obra está autorizada con arreglo a la licencia de Reconocimiento-NoComercial-CompartirIgual 3.0 Unported de Creative Commons.  Los términos de Creative Commons no cubren las publicaciones en Twitter™ y Facebook.

Avisos legales   |   Política de privacidad en línea

Elija su región

Al seleccionar una región, cambia el idioma o el contenido en Adobe.com.

Americas
Brasil
Canada - English
Canada - Français
Latinoamérica
México
United States
Europe, Middle East and Africa
Africa - English
België
Belgique
Belgium - English
Česká republika
Cyprus - English
Danmark
Deutschland
Eesti
España
France
Greece - English
Ireland
Israel - English
Italia
Latvija
Lietuva
Luxembourg - Deutsch
Luxembourg - English
Luxembourg - Français
Magyarország
Malta - English
Middle East and North Africa - English
Nederland
Norge
Österreich
Polska
Portugal
România
Schweiz
Slovenija
Slovensko
Suisse
Suomi
Sverige
Svizzera
Türkiye
United Kingdom
България
Россия
Україна
الشرق الأوسط وشمال أفريقيا - اللغة العربية
ישראל - עברית
Asia - Pacific
Australia
Hong Kong S.A.R. of China
India - English
New Zealand
Southeast Asia (Includes Indonesia, Malaysia, Philippines, Singapore, Thailand, and Vietnam) - English
中国
中國香港特別行政區
台灣
日本
한국
Commonwealth of Independent States
Includes Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Ukraine, Uzbekistan