Status: Open
Affects Version/s: Alfresco Activiti 1.4.1
Fix Version/s: None
Environment: RHEL, MySQL, SiteMinder, SSO authentication
00621041 Premier, 00769842
Sprint: Docs Sprint 18
When SSO is enabled in Activiti, we need to have the SM_USER header on all REST requests to Activiti.
In Activiti-admin, when trying to "Edit Activiti REST endpoint", the following request is sent to SiteMinder: "http://<host>:<port>/activiti-app/enterprise/app-version"
Since activiti-admin cannot provide login details, we get a "Forbidden" message from Activiti-app on the request.
How can activiti-admin REST calls provide login details to SiteMinder?
I'm attaching a tcpdump showing the flow; here is a summary:
1. Packet 5663 - Activiti-admin submits a request to change the REST endpoint
2. Packet 5671 - Activiti-admin makes a REST call to "/activiti-app/api/enterprise/app-version", which is directed to SiteMinder
3. Packet 5673 - The request to SiteMinder comes back as an HTTP 302 Found response
4. Packet 5918 - Activiti-app responds with an HTTP 403 Forbidden message since the request has not been authenticated
The "siteminder-tryout-1.0-SNAPSHOT.jar" was a demo generated by engineering as an example of how activiti-app could/should use the security override with SiteMinder.
It was only implemented against activiti-app; the activiti-admin app does not have the same extension points.
- The customer is using the SiteMinder agent with the demo jar; this works fine for activiti-app alone.
- The issue concerns the public REST API calls: the activiti-admin application sending calls to the BPM Suite (or public REST API calls in general).
- The activiti-admin app uses the REST API to connect to the BPM Suite to get data; this uses basic auth.
The REST calls to the BPM Suite are simple basic-auth REST calls, carrying the credentials defined in the endpoint configuration in the activiti-admin application.
- (Non-SSO) SiteMinder supports basic-auth calls, so this should be configurable in the environment through the SiteMinder configuration.
- But for the SSO configuration there would need to be some additional handling to provide/retain the header (SM_USER) for the SiteMinder agent, as well as other aspects.
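The mismatch in the tcpdump summary above and the basic-auth alternative in these notes, as an added example that is not part of the ticket or of any Activiti/SiteMinder code: a constructed Python model of the two hops (activiti-admin -> SiteMinder agent -> activiti-app). The endpoint credentials, LOGIN_URL and the sso_only flag are assumptions for illustration only.

```python
import base64
from dataclasses import dataclass, field

# Constructed model of the two hops in the ticket:
# activiti-admin -> SiteMinder agent -> activiti-app.
# Credentials, LOGIN_URL and the sso_only flag are illustrative
# assumptions, not real SiteMinder or Activiti settings.
ENDPOINT_USERS = {"admin": "s3cret"}      # constructed endpoint credentials
LOGIN_URL = "https://login.example/sso"   # assumed SSO login page


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def basic_credentials(headers):
    """Decode an HTTP Basic Authorization header; None if absent or malformed."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def siteminder_agent(headers, sso_only):
    """First hop. Returns (redirect Response or None, headers passed to the app)."""
    creds = basic_credentials(headers)
    if not sso_only and creds and ENDPOINT_USERS.get(creds[0]) == creds[1]:
        # Basic-auth mode: the agent verifies the credentials itself and
        # asserts the identity to activiti-app through SM_USER.
        return None, {**headers, "SM_USER": creds[0]}
    # SSO-only mode: a server-to-server call carries no browser SSO session,
    # so the agent answers with the 302 seen in packet 5673.
    return Response(302, {"Location": LOGIN_URL}), headers


def activiti_app(headers):
    """Second hop: the app only trusts an identity asserted by the agent."""
    user = headers.get("SM_USER")
    if user is None:
        return Response(403, body="Forbidden")       # packet 5918
    return Response(200, body=f"app-version for {user}")


def admin_app_version_call(sso_only):
    """Model activiti-admin's app-version call; returns the status codes seen."""
    token = base64.b64encode(b"admin:s3cret").decode()
    request = {"Authorization": f"Basic {token}"}
    redirect, forwarded = siteminder_agent(request, sso_only)
    statuses = [redirect.status] if redirect else []
    statuses.append(activiti_app(forwarded).status)   # app sees no SM_USER after a 302
    return statuses
```

In SSO-only mode the call yields [302, 403], matching packets 5673 and 5918; with the agent configured to accept basic auth it yields [200].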
The customer would like the ability to configure alternative authentication mechanisms, specifically the external ones SiteMinder and SiteMinder with SSO, out of the box with the Alfresco Activiti BPM Suite, covering the REST API, activiti-app and activiti-admin implementations.
In their environment they do not allow anything but SiteMinder for managing authentication of users and access to the suite and its applications.