I'm working with a customer who has CQ5 and wants to completely externalize their security. We've been working hard to figure out how to do this. Here is our current plan:
1. User navigates to dispatcher running in Apache
2. An Apache filter automatically redirects to an internal STS for authentication (this is working)
3. Upon valid login, STS replies back to Apache filter with user claims.
4. User's ID from claims is placed in a cookie and call continues on to the publisher
5. CQ5 Publisher looks for this cookie through the SSO settings (appears to be working)
6. CQ5 invokes external service for user's attributes, roles, groups etc... (can't figure this out)
Ultimately, when we get to the publisher and see the SSO token, we need to override CQ5 leveraging its repository or even an LDAP connection in favor of simply calling our authorization service.
We're not sure if we create a custom login module, custom principal provider... if we're supposed to use some JAAS feature etc... Every document we find in regards to SSO explains how to use it with an existing LDAP connection... should we use the existing LDAP architecture but with a custom provider or do we simply provide all the required user claims after the SSO redirection back to Apache?
Hopefully I'm providing enough detail here. Any help anyone can provide at all would be huge at this point.
Thank you all for your time,
For this purpose you will have to implement your own LoginModule. The login module would:
- bind to the external auth service
- map the user to a CQ user
- if no CQ user exists, auto-import it (much like the LDAP Login Module)
- maybe add the user to default groups (or groups specified from the external auth service)
Your Login Module would be configured as part of the login module chain in the JAAS configuration.
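As an added illustration (not code from this thread, nor from Adobe or the CQ5/Jackrabbit projects), here is a skeleton of the login module described above using the standard JAAS `LoginModule` interface and the Jackrabbit `UserManager` API. The `AuthzService` interface, the `adminSession`/`authzService` option keys, and the way the callback handler fills the name from the SSO cookie are assumptions for the example.

```java
import java.util.*;
import javax.jcr.Session;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.*;
public class ExternalAuthzLoginModule implements LoginModule {
    /** Hypothetical client for the customer's authorization service; returns null for an unknown user. */
    public interface AuthzService { Set<String> groupsFor(String userId); }
    private Subject subject; private CallbackHandler handler;
    private Session adminSession;  // assumption: an admin JackrabbitSession handed in via the options map
    private AuthzService authz;    // assumption: the service client handed in via the options map
    private String userId; private Set<String> groups;
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
        this.adminSession = (Session) options.get("adminSession");
        this.authz = (AuthzService) options.get("authzService");
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("sso user id");   // filled from the SSO cookie by the handler
        try { handler.handle(new Callback[]{ name }); }
        catch (Exception e) { throw new LoginException("no SSO user id: " + e.getMessage()); }
        userId = name.getName();
        // The id is only as trustworthy as the dispatcher that set the cookie, so accept it from there alone.
        if (userId == null || userId.isEmpty()) return false;
        groups = authz.groupsFor(userId);                      // bind to the external auth service
        if (groups == null) throw new LoginException("user unknown to authorization service");
        return true;
    }
    public boolean commit() throws LoginException {
        try {
            UserManager um = ((JackrabbitSession) adminSession).getUserManager();
            Authorizable user = um.getAuthorizable(userId);    // map to an existing CQ user...
            if (user == null) user = um.createUser(userId, UUID.randomUUID().toString()); // ...or auto-import
            for (String g : groups) {                          // groups as reported by the external service
                Authorizable grp = um.getAuthorizable(g);
                if (grp == null) grp = um.createGroup(g);
                ((Group) grp).addMember(user);
            }
            adminSession.save();
            subject.getPrincipals().add(user.getPrincipal());
            return true;
        } catch (Exception e) { throw new LoginException(e.getMessage()); }
    }
    public boolean abort() { userId = null; groups = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

The auto-imported user gets a random password it never learns, so the only way into that account is through the SSO chain; the module is then listed in the JAAS configuration alongside (or instead of) the LDAP login module.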
Thanks for the answer... That was what I was thinking, but before embarking on that journey, I wanted to make sure.
At this point, I'm trying to figure out exactly how this is all done... like, how do I import into the CQ user repository etc... I've decompiled the LDAP component in an effort to figure that out. I think I can do it, it's just that I've never worked in this environment.