How do I configure trusted header authentication (SSO, single sign on) for a CQ5 instance?

Solution

Configure trusted header authentication on both the CRX side and the CQ5 side.

Configuration on CRX (up to CRX 2.2)

Configure trusted header authentication on the CRX side in repository.xml, in the Security - LoginModule section.

<cq-install-root>/crx-quickstart/server/runtime/0/_crx/WEB-INF/repository.xml:

...
<param name="trust_credentials_attribute" value="TrustedInfo"/>
<param name="anonymous_principal" value="anonymous"/>
...
Remark: The trust_credentials_attribute in CRXLoginModule is deprecated starting with CQ5.5; see JCR-3293. This step is no longer mandatory, and it generates warnings in the logs if used.

Configuration on CQ5

Configure trusted header authentication on the CQ5 side using the Apache Felix Web Management Console Configuration (http://<host>:<port>/system/console/configMgr). See the documentation at
http://dev.day.com/content/docs/v5_2/html-resources/cq5_guide_system_administrator/ch05s03.html - chapter: SSO Authentication Handler

Select SSO Authentication Handler (com.day.cq.wcm.foundation.impl.SsoAuthenticationHandler) and set the corresponding values in SSO Authentication Handler:

  • Path: The path this authentication handler should be used for. For example:
  • Header Names: The names of the headers containing the user ID
  • Cookie Names: The names of the cookies containing the user ID
  • Parameter Names: The names of the request parameters containing the user ID
  • ID Format: The format the user ID is encoded with. Use "Basic" for the Basic format, "AsIs" if the value should be used as is or any regular expression.
  • Trusted Credential Attribute: The name of the attribute which is set with the user information in the trusted credentials. Note: Make sure that it's equal to the trust_credentials_attribute configured in the repository.xml (see above).
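
The three ID Format settings, modelled as an added example for checking which user ID a given header, cookie or parameter value would yield. This is not CQ5 code: the function name and sample values are constructed, and two behaviours are assumptions (that "Basic" means base64 of "user:password" with an optional "Basic " prefix, and that a regular expression yields its first group, or the whole match when it has no group).

```python
import base64
import re


def extract_user_id(value, id_format):
    """Return the user ID carried in `value`, or None if it cannot be decoded.

    Model of the ID Format setting (assumptions, not the handler's own code):
      "AsIs"  - the value is the user ID
      "Basic" - base64 of "user:password", optionally prefixed with "Basic "
      other   - a regular expression; group 1 is the user ID, or the whole
                match when the pattern defines no group
    """
    if not value:
        return None
    if id_format == "AsIs":
        return value
    if id_format == "Basic":
        token = value[6:] if value.lower().startswith("basic ") else value
        try:
            # validate=True rejects characters outside the base64 alphabet
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        return decoded.split(":", 1)[0] or None
    match = re.search(id_format, value)
    if match is None:
        return None
    user = match.group(1) if match.re.groups else match.group(0)
    return user or None


# Constructed sample values: (ID Format setting, raw value as received).
SAMPLES = [
    ("AsIs", "jdoe"),
    ("Basic", "Basic amRvZTppZ25vcmVk"),  # base64 of "jdoe:ignored"
    (r"^uid=([^,]+),", "uid=jdoe,ou=people,dc=example,dc=com"),
    ("Basic", "not-base64!"),  # malformed: must not yield a user ID
]

if __name__ == "__main__":
    for fmt, raw in SAMPLES:
        print(f"{fmt!r:20} {raw!r:42} -> {extract_user_id(raw, fmt)!r}")
```
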

Note: After a restart of CRX, the trusted header authentication is active and you can use SSO.