
Drupal Commons-Alfresco-CAS SSO Integration

For companies that need a quick and feature-rich solution for their internal data, Drupal Commons may be a good fit. Simply put, Drupal Commons is a collection of commonly used Drupal modules bundled together and themed. It provides a good out-of-the-box system with many useful features such as user-follows, notes, wikis and events. For organizations that depend on use cases more traditionally served by Enterprise Content Management (ECM) capabilities, such as robust document management with versioning support or deep compliance and archiving requirements, integration with Alfresco may be in order.

This can be achieved either by opening a new window and redirecting the client browser there or, for a more unified look, by creating a customized Alfresco Share page which is then embedded in the main Drupal page in an iframe. In order to view custom Share pages in Alfresco, a CAS (Central Authentication Service) server must be used by both Drupal and Alfresco. Some basic integration like that already exists via Drupal's CAS module; however, the Drupal (and Alfresco) logins are handled by redirecting the user to the CAS login page. What if we could make this better? Get rid of that CAS login page, use the Drupal page instead and make the authentication more integrated and user friendly. With that as the goal, I will now go over the authentication mechanism between Drupal and Alfresco which makes this integration possible.

As I mentioned above, to get a custom Alfresco Share page to work and play along with Drupal, a CAS server has to be deployed. Once that's done, we have to enable the CAS API and write some custom Drupal code to retrieve authentication tokens. Here are some key code bits that do the trick:
First we obtain a TGT (ticket-granting ticket) from the CAS REST API. CAS returns the ticket as a URL in the Location header of its response, and that URL is what the function below returns.

function mymodule_get_share_ticket_url() {
  $retstr = NULL;
  $cas = variable_get('mymodule_cas', array());
  try {
    $cas_user = $cas['user'];
    $cas_pass = $cas['password'];
    // CAS REST tickets endpoint, e.g. https://cas.example.com/cas/v1/tickets
    $url = $cas['url'];

    $c = curl_init();
    curl_setopt($c, CURLOPT_URL, $url);
    curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($c, CURLOPT_POST, 1);
    curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 5);
    // Disabling peer verification is only acceptable against a development CAS
    // with a self-signed certificate; in production leave this at TRUE, otherwise
    // the credentials below can be posted to anyone who intercepts the connection.
    curl_setopt($c, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($c, CURLOPT_HEADER, 1);
    curl_setopt($c, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded", "Accept: text/plain"));
    // URL-encode both values so a password containing '&' or '=' does not break the form body.
    curl_setopt($c, CURLOPT_POSTFIELDS, "username=" . urlencode($cas_user) . "&password=" . urlencode($cas_pass));

    // The TGT URL we have to return is in the Location header of the 201 response - parse that out.
    $output = curl_exec($c);
    if ($output === FALSE) {
      throw new Exception('CAS request failed: ' . curl_error($c));
    }
    $status = curl_getinfo($c, CURLINFO_HTTP_CODE);
    $header_size = curl_getinfo($c, CURLINFO_HEADER_SIZE);
    curl_close($c);
    if ($status != 201) {
      throw new Exception("CAS did not issue a TGT (HTTP $status)");
    }
    $headers_str = substr($output, 0, $header_size);
    $retstr = mymodule_parse_header($headers_str, "Location");
  } catch (Exception $e) {
    // remember to log details
    throw $e;
  }

  return $retstr;
}

Now we use the TGT to get a Service Ticket, which will allow the end user to log in. The $share_service variable below denotes the Alfresco Share URL you need to access; $url is the string returned by the function above. This function returns a Service Ticket which you will use to access your custom Alfresco view.

function mymodule_get_share_ticket($url, $share_service) {
  $ticket = "";
  try {
    $c = curl_init();
    // $url is the TGT URL returned by mymodule_get_share_ticket_url()
    curl_setopt($c, CURLOPT_URL, $url);
    curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($c, CURLOPT_POST, 1);
    curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 5);
    // See the note on the TGT function: keep peer verification on in production.
    curl_setopt($c, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($c, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded", "Accept: text/plain"));
    curl_setopt($c, CURLOPT_POSTFIELDS, "service=" . urlencode($share_service));
    // On success the response body is the Service Ticket itself (ST-...).
    $ticket = curl_exec($c);
    if ($ticket === FALSE) {
      throw new Exception('CAS request failed: ' . curl_error($c));
    }
    $status = curl_getinfo($c, CURLINFO_HTTP_CODE);
    curl_close($c);
    if ($status != 200) {
      // 404 here usually means the TGT has expired or been revoked.
      throw new Exception("CAS did not issue a Service Ticket (HTTP $status)");
    }
  } catch (Exception $e) {
    // log details
    throw $e;
  }
  return $ticket;
}

Putting the two API calls together, you can now retrieve the Service Ticket and cache it in the session or Memcache. Once the Service Ticket is retrieved, construct the URL to your custom Alfresco Share view and append the ticket to it. Show that URL in an iframe, or use the above code for end-user Drupal authentication to CAS; the most notable difference there is that you would pass the form-supplied username and password on to CAS to get the TGT. If you're implementing the iframe, your end result may look something like the custom document preview page from Alfresco shown in Drupal below.
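The two functions above call a header-parsing helper the post does not show, and the text describes chaining them. The block below is an added example, not code from the original post: it supplies that helper, checks that the Location header really points back at the configured CAS endpoint before it is used, and chains the TGT and Service Ticket calls with the expiry handling a deployment needs. The mymodule_* names, the 'mymodule_cas' config keys and the session key are assumptions carried over from the post's naming.

```php
<?php
// Added example, not from the original post. The mymodule_* names, config keys and
// session key are assumptions; it calls the two functions shown in the post.
// Return one header value from a raw HTTP header block (names are case-insensitive).
function mymodule_parse_header($headers_str, $name) {
  foreach (preg_split("/\r?\n/", $headers_str) as $line) {
    $parts = explode(':', $line, 2);
    if (count($parts) === 2 && strtolower(trim($parts[0])) === strtolower($name)) {
      return trim($parts[1]);
    }
  }
  return NULL;
}

// Follow a Location header only if it points back at the configured CAS tickets
// endpoint over HTTPS, so a bad response cannot redirect the TGT call elsewhere.
function mymodule_tgt_url_is_trusted($tgt_url, $cas_url) {
  $tgt = parse_url($tgt_url);
  $cas = parse_url($cas_url);
  return $tgt !== FALSE && $cas !== FALSE
    && isset($tgt['scheme'], $tgt['host'], $tgt['path'], $cas['host'], $cas['path'])
    && $tgt['scheme'] === 'https'
    && strtolower($tgt['host']) === strtolower($cas['host'])
    && strpos($tgt['path'], rtrim($cas['path'], '/') . '/') === 0;
}

// Chain the two calls: one TGT per Drupal session, a fresh Service Ticket for
// each Share URL (a CAS ST is single-use, so only the TGT URL is worth keeping).
function mymodule_share_url_with_ticket($share_service) {
  $cas = variable_get('mymodule_cas', array());
  if (empty($_SESSION['mymodule_tgt_url'])) {
    $tgt_url = mymodule_get_share_ticket_url();
    if (!mymodule_tgt_url_is_trusted($tgt_url, $cas['url'])) {
      watchdog('mymodule', 'Rejected unexpected TGT URL from CAS', array(), WATCHDOG_ERROR);
      return NULL;
    }
    $_SESSION['mymodule_tgt_url'] = $tgt_url;
  }
  try {
    $ticket = mymodule_get_share_ticket($_SESSION['mymodule_tgt_url'], $share_service);
  }
  catch (Exception $e) {
    unset($_SESSION['mymodule_tgt_url']);  // TGT likely expired; re-login on next call
    return NULL;
  }
  if (!preg_match('/^ST-[A-Za-z0-9._-]+$/', $ticket)) {  // body must be a ticket, not an error page
    return NULL;
  }
  return $share_service . (strpos($share_service, '?') === FALSE ? '?' : '&') . 'ticket=' . urlencode($ticket);
}
```

The returned URL is what goes into the iframe src; because the Service Ticket is single-use, call this function each time the Share view is rendered rather than reusing the URL.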

[Image: custom Alfresco document preview page shown inside Drupal]

Conclusion
Let's quickly recap the advantages of this CAS authentication:

• CAS API is easily testable from command line with curl
• we can potentially reuse the Drupal login screen (depending on use case and requirements)
• ability to preview docs with the default Alfresco previewer
• ability to preview docs using a custom Alfresco page/view perhaps hiding or adding some needed functionality

Lastly, remember to consider security. If you're implementing this type of authentication and bypassing the CAS login screen, it's better to isolate access to CAS and not make it publicly accessible. There is no need to create an additional target for scripted attacks.
That's it for today. Hope you will find this helpful for your projects. For more information about Drupal/Alfresco integration make sure to check out Appnovation's osCaddie Initiative at: http://www.appnovation.com/oscaddie

Comments

Posted by kasun (not verified).

I already installed the CAS module and phpCAS on Drupal. I need to know how I use the CAS API on Drupal 7.

Thank You.
