Question
In order to enable SSO authentication with CQ5, typically a 3rd party authority is required which pre-authenticates a user before a request is passed through to CQ5. How can this be achieved with IIS or Apache 2.x?
Answer, Resolution
As a prerequisite, SSO needs to be enabled on both CQ5 and CRX as well. Please refer to this kb-article for how to set this up.
This article describes how to integrate Windows NTLM authentication through Apache and IIS with CQ5 to enable SSO access to a CQ5 authoring instance. It is assumed that a working setup of the Dispatcher connected to a CQ5 instance is in place.
IIS
Microsoft IIS already provides built-in support for NTLM authentication which can be enabled through configuration:
- activate Integrated Windows authentication in the Directory Security tab of IIS for the CQ instance served by this IIS server
- enable server-variables to be passed along with the request as headers
- make sure your web site is listed in the Intranet zone in IE's security settings
To enable server variables, edit the disp_iis.ini file and set servervariables to 1. This link provides a list of variables available in IIS.
Typical headers are REMOTE_USER or LOGON_USER. Please make sure that the value for the user-ID matches the IDs of users in CQ.
Apache
Apache requires an additional module called mod_auth_sspi to enable NTLM authentication. The ID of the current Windows user can then be extracted from Apache's REMOTE_USER environment variable, which is sent as a request header.
Example configuration of httpd.conf:
LoadModule sspi_auth_module modules/mod_auth_sspi.so
<VirtualHost *:80>
    ServerAdmin webmaster@xyz.com
    DocumentRoot "C:/Apache2.2/htdocs"
    ServerName localhost
    ErrorLog "logs/error.log"
    KeepAlive On
    <Location />
        SetHandler dispatcher-handler
        AuthName "A Protected Place"
        # Authenticate every request under / with Windows SSPI (NTLM)
        AuthType SSPI
        SSPIAuth On
        # Lowercase the user name before it is exposed as REMOTE_USER
        SSPIUsernameCase lower
        # Reject requests that did not authenticate
        require valid-user
    </Location>
</VirtualHost>
Note: the mod_auth_sspi Apache module only works with the Windows version of Apache 2.x.
For Linux installations, possible solutions are either mod_ntlm or mod_headers.
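The following pre-flight check is an added example, not part of the original article or of any Adobe code. It models the identity value that should reach CQ5 in REMOTE_USER and compares it with the CQ user IDs. It assumes that the user name arrives as DOMAIN\user or user@domain, that CQ compares IDs case-sensitively, and that the web server replaces any client-supplied copy of the identity headers; the function names and the omit_domain switch are hypothetical, and the sample accounts are constructed.

```python
# Added example (not Adobe code). Sample accounts and IDs below are constructed.
TRUSTED = {"remote_user", "logon_user"}  # identity headers named in the article


def normalize(raw, omit_domain=False):
    """Lowercase like `SSPIUsernameCase lower`; optionally drop the domain part.

    omit_domain is a hypothetical switch for sites whose CQ IDs carry no domain.
    """
    user = raw.strip().lower()
    if omit_domain:
        if "\\" in user:            # DOMAIN\user
            user = user.split("\\", 1)[1]
        elif "@" in user:           # user@domain
            user = user.split("@", 1)[0]
    return user


def forward_headers(client_headers, authenticated_user, omit_domain=False):
    """Headers that should reach CQ5: client-sent identity headers are dropped
    and REMOTE_USER is set only from the user the web server authenticated."""
    kept = {k: v for k, v in client_headers.items()
            if k.lower().replace("-", "_") not in TRUSTED}
    kept["REMOTE_USER"] = normalize(authenticated_user, omit_domain)
    return kept


def check_mapping(windows_users, cq_user_ids, omit_domain=False):
    """Report accounts with no CQ ID, and CQ IDs a lowercased header can never
    equal (assumes CQ compares IDs case-sensitively)."""
    ids = set(cq_user_ids)
    missing = sorted(u for u in windows_users
                     if normalize(u, omit_domain) not in ids)
    unreachable = sorted(i for i in ids if i != i.lower())
    return {"missing": missing, "unreachable": unreachable}


if __name__ == "__main__":
    users = ["CORP\\JSmith", "CORP\\adoe", "CORP\\BLee"]   # constructed
    cq_ids = ["jsmith", "adoe", "BLee"]                    # constructed
    print(check_mapping(users, cq_ids, omit_domain=True))
    print(forward_headers({"Host": "author", "Remote-User": "admin"},
                          "CORP\\JSmith", omit_domain=True))
```

Any account listed under "missing" would authenticate against Windows but not map to a CQ user, and any ID under "unreachable" cannot be matched while SSPIUsernameCase lower is set.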
Applies to
CQ 5.x