XWIKI and Single-Sign-On (SSO)

Hi Guys,

Currently I have an XWiki 10.11.8 running in production. All of our users authenticate over LDAP, and this works fine.

(LDAP Authenticator is configured for anonymous query to our Domain Controllers.)

Many of our other applications are capable of SSO, and now I would really like to improve our XWiki installation with that.

I found the following article: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Authentication/

Unfortunately I don't have an Apache instance on this server (only a Tomcat instance for XWiki). Furthermore, the warning in this article is nearly 8 years old.

So my question: Is there another simple way to make SSO a reality for my users? Or maybe someone from the Core Member Team knows whether there are efforts to make SSO natively possible?

THANK YOU VERY MUCH FOR ANY HELP

With best regards

Knight01

If you run XWiki on Windows, you can use the Waffle library files to perform WIA (Windows integrated authentication); this works nicely for our environment. Basics:

https://forum.xwiki.org/t/how-to-integrate-waffle-in-xwiki-using-tomcat-on-windows/3688/

Basic video guide:

https://forum.xwiki.org/t/how-to-install-xwiki-on-windows/3860/

Thanks for your answer. But our XWiki instance runs on Linux (CentOS 7). Do you have any ideas for this?

No ideas other than “run on Windows.” Sorry.

First you will need to give more details on what exactly you mean by “SSO” because this is just a generic term for very different systems. What I can tell you for now is:

Hi tmortagne,

My goal is to achieve SSO (Single Sign-On) with a CentOS-based XWiki installation (Tomcat) in connection with our Windows-based domain controllers.

Unfortunately I'm more of a system administrator and architect than a programmer, so I do not dare to program it myself.

I already looked at the Extensions page, but unfortunately, except for the LDAP Authenticator (which I already use for LDAP authentication), I didn't find an extension for authentication. And absolutely no extension for SSO.

If there were a simple SSO extension, I think many of the XWiki users would appreciate XWiki a lot more (especially the normal XWiki users :wink: )

As I said, you should not search for “SSO” because it does not actually mean anything. Most of the extensions support some kind of SSO (even the LDAP one, even if you are using it in login/pass mode). If your use case is a Windows domain (you should have started with that) then Waffle is generally a good start. You don’t need to do anything when you put it in a Windows system, but maybe you can configure it some way on Linux (but you will have to look at the Waffle documentation because I’m really not a Waffle expert).

When the actual authentication is done at Tomcat level, you can then use something like https://extensions.xwiki.org/xwiki/bin/view/Extension/Trusted%20authentication%20framework which “trusts” information set in the request by Tomcat and takes care of the XWiki-specific stuff (creating/updating users on the XWiki side, properly setting the current user, etc.).

My understanding is that the Waffle libraries only work on Windows because they use Windows-specific calls (SSPI, IIRC) that don’t exist on other operating systems.

Many times, what Windows domain admins refer to as SSO is Windows integrated authentication (WIA). My recommendation is that if you want WIA with XWiki, by far the easiest way to achieve this is to install XWiki on Windows, install the LDAP Authenticator extension, update the needed files (as noted in the instructions I posted), and restart the Tomcat service. (I don’t know whether WIA is really possible any other way.)