How to configure Apache/IIS to integrate with CQ5 SSO

Question

In order to enable SSO authentication with CQ5, typically a 3rd party authority is required which pre-authenticates a user before a request is passed through to CQ5. How can this be achieved with IIS or Apache 2.x?

 

Answer, Resolution

As a prerequisite, SSO needs to be enabled on both CQ5 and CRX. Please refer to this kb-article for how to set this up.

This article describes how to integrate Windows NTLM authentication through Apache and IIS with CQ5 to enable SSO access to a CQ5 authoring instance. It is assumed that a working setup of the Dispatcher connected to a CQ5 instance is in place.

 

IIS

Microsoft IIS already provides built-in support for NTLM authentication which can be enabled through configuration:

  • activate Integrated Windows authentication in the Directory Security tab of IIS for the CQ instance served by this IIS server
  • enable server-variables to be passed along with the request as headers
  • make sure your web site is listed in the Intranet zone in IE's security settings

To enable server variables, edit the disp_iis.ini file and set servervariables to 1. This link provides a list of variables available in IIS.
Typical headers are REMOTE_USER or LOGON_USER. Please make sure that the value for the user-ID matches the IDs of users in CQ.

 

Apache

Apache requires an additional module called mod_auth_sspi to enable NTLM authentication. The ID of the current Windows user can then be extracted from Apache's REMOTE_USER environment variable, which is sent as a request header.

Example configuration of httpd.conf:

LoadModule sspi_auth_module modules/mod_auth_sspi.so

<VirtualHost *:80>
  ServerAdmin webmaster@xyz.com
  DocumentRoot "C:/Apache2.2/htdocs"
  ServerName localhost
  ErrorLog "logs/error.log"
  KeepAlive On

    <Location />
      SetHandler dispatcher-handler
      AuthName "A Protected Place"
      AuthType SSPI
      SSPIAuth On
      SSPIUsernameCase lower
      require valid-user
    </Location>

</VirtualHost>

 

Note: the mod_auth_sspi Apache module only works with the Windows version of Apache 2.x.

For Linux installations, possible solutions are either mod_ntlm or mod_headers.
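
The mod_headers approach mentioned above could look like the following. This is an added example, not configuration from the original article or from Adobe. It assumes Apache 2.4.10 or later (for the expr= syntax), and X-SSO-User is a hypothetical header name that must match the header your CQ5 SSO setup is configured to trust.

```apache
# Added example: forward the authenticated user ID to CQ5 as a request header.
# Assumptions: Apache 2.4.10+ on Linux; X-SSO-User is a hypothetical header name.
LoadModule headers_module modules/mod_headers.so

<VirtualHost *:80>
  ServerName localhost
  ErrorLog "logs/error.log"
  KeepAlive On

  <Location />
    SetHandler dispatcher-handler

    # Placeholder: the directives of the authentication module you chose
    # (for example mod_ntlm) go here. The module must populate REMOTE_USER.
    AuthName "A Protected Place"
    Require valid-user

    # Drop any copy of the header that arrived with the request, so the
    # value CQ5 sees can only come from the authenticated user set below.
    RequestHeader unset X-SSO-User

    # Forward the authenticated user ID. The value must match the user IDs
    # known to CQ5, as with REMOTE_USER / LOGON_USER on IIS.
    RequestHeader set X-SSO-User "expr=%{REMOTE_USER}"
  </Location>
</VirtualHost>
```

Because CQ5 trusts whatever arrives in this header, the CQ5 instance should only accept requests that have passed through this web server.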

 

Applies to

CQ 5.x

Adobe
