
Alfresco can't connect to repository with CAS SSO

I am using mod_auth_cas to SSO into Alfresco Community 5.2 through Keycloak 4.0, with the keycloak-cas-protocol plugin.

Alfresco sits behind a first Apache reverse proxy while Keycloak runs behind another one, on a different machine. SSL certificates are handled by a front Apache server.

My issue is the following: as I log in, I get redirected to the Alfresco URL with way too many CAS tickets:


It looks like mod_auth_cas keeps redirecting me to Keycloak, stacking the ticket tokens on each other; this leads to Alfresco returning a 401 Unauthorized error.

Removing all the tickets but one from the URL works and redirects to the Alfresco explorer with the authenticated user.

I am unsure if this is related, but I also get the following error in the logs as soon as the server starts:

WARN  [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl] 
WQS unable to connect to repository: Unauthorized

Which is caused by the following (access log):

- - [18/May/2018:17:24:38 +0200] "GET /alfresco/service/api/login?u=admin&pw=admin HTTP/1.1" 403 425
- - [18/May/2018:17:24:38 +0200] "GET /alfresco/cmisatom HTTP/1.1" 401 5

Here are the relevant config snippets:


### Initial admin password ###

share-config-custom.xml:

<config evaluator="string-compare" condition="Remote">



        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using cookie-based authentication</description>

        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using header and cookie-based authentication</description>

        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>

        <name>Alfresco Feed</name>
        <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description> 

        <name>Alfresco Public API - user access</name>
        <description>Access to Alfresco Repository Public API that require user authentication.
                     This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>

Apache config:

ProxyPass               /alfresco 
ProxyPassReverse        /alfresco 
ProxyPassReverseCookiePath /alfresco /alfresco

ProxyPass               /share 
ProxyPassReverse        /share 
ProxyPassReverseCookiePath /share /share

ServerName my-apache-server-url

RequestHeader set Host "my-apache-server-url"
RequestHeader set X-Real-IP "my-apache-server-url"
RequestHeader set X-Forwarded-Server "my-apache-server-url"
RequestHeader set X-Forwarded-Host "my-apache-server-url"
RequestHeader set X-Forwarded-For ", my-apache-server-url"

mod_auth_cas config:

CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/login
CASValidateURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/serviceValidate
CASProxyValidateURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/proxyValidate
CASDebug On

<Location /share>
    AuthType CAS
    AuthName "CAS"
    Require valid-user
    CASAuthNHeader X-Alfresco-Remote-User
    CASScope /share
</Location>

<Location /alfresco>
    AuthType CAS
    AuthName "CAS"
    Require valid-user
    CASAuthNHeader X-Alfresco-Remote-User
    CASScope /alfresco
</Location>

Below is the HTTPD debug log:

[Tue May 22 18:12:37.738754 2018] [:debug] [pid 63283] mod_auth_cas.c(2058): [client XXX.XX.XXX.XXX:XXXXX] Entering cas_authenticate()
[Tue May 22 18:12:37.738817 2018] [:debug] [pid 63283] mod_auth_cas.c(580): [client XXX.XX.XXX.XXX:XXXXX] CAS Service 'http%3a%2f%2fXXX.XX.XXX.XX%2fshare%3fticket%3dST-eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..RR2EyToZ7ciuGy3XPKUVcg.oZBjcuS7OrZxk_OqU-cQDdXSzkzCq5bsKmlX3Ixt9XLAvjyPV2zoeoBjxol3zmL0hF1COsWt9QzkaF0_rWABvWPUEC9hT3QqtwMrmZMtivcdo9EDkV_3J8xSCtAjP45wPEDc0cYM50L7X6dcF76PCsgxIjEt5KUQVzDoNHwzocvdjk4_KpZEplx1l2WVJdD3UzsSoYN1YbXnPQU4kyGL33d8F1eW0VOfshrV9fz9WaKGzFG3K1ADdvADGfjSGoT3.zv7i2QPMu3AiwfXZOj3Dvw'
[Tue May 22 18:12:37.738846 2018] [:debug] [pid 63283] mod_auth_cas.c(528): [client XXX.XX.XXX.XXX:XXXXX] entering getCASLoginURL()
[Tue May 22 18:12:37.738859 2018] [:debug] [pid 63283] mod_auth_cas.c(505): [client XXX.XX.XXX.XXX:XXXXX] entering getCASGateway()
[Tue May 22 18:12:37.738865 2018] [:debug] [pid 63283] mod_auth_cas.c(595): [client XXX.XX.XXX.XXX:XXXXX] entering redirectRequest()

Why is mod_auth_cas redirecting to the SSO server when Keycloak has already returned a ticket?


  • I found the issue after some time.

    mod_auth_cas seems to use a CAS version above 5.2.2, which prevents tickets from having underscores.

    This is a problem because the Keycloak CAS add-on generates tickets with underscores.

    I worked around the issue by modifying the validCASTicketFormat function in mod_auth_cas.c and recompiling the Apache module, thus allowing tokens to contain underscores.

    In the latest mod_auth_cas version, only dots, dashes and alphanumeric characters are allowed.
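As an added example (this is not mod_auth_cas's own code and not the patch from the answer), here is a small C reconstruction of the ticket-format check the answer describes: a strict alphabet of alphanumerics, dots and dashes, beside a relaxed variant that also admits underscores, both run against the service ticket copied from the question's debug log. The "ST-"/"PT-" prefix requirement and the function names are my assumptions, taken from the CAS ticket naming convention rather than from the page. The Keycloak ticket is a JWE in compact serialization, whose base64url segments use '-' and '_', which is why a check limited to [A-Za-z0-9.-] rejects it; that is consistent with the debug log above, where the module goes straight from the "CAS Service" line to getCASLoginURL() and redirectRequest().

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Service ticket taken from the question's debug log, URL-decoded.
 * It is a JWE (five dot-separated base64url segments), so '_' and '-'
 * appear legitimately in it. */
static const char *PAGE_TICKET =
    "ST-eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..RR2EyToZ7ciuGy3XPKUVcg.oZBjcuS7OrZxk_OqU-cQDdXSzkzCq5bsKmlX3Ixt9XLAvjyPV2zoeoBjxol3zmL0hF1COsWt9QzkaF0_rWABvWPUEC9hT3QqtwMrmZMtivcdo9EDkV_3J8xSCtAjP45wPEDc0cYM50L7X6dcF76PCsgxIjEt5KUQVzDoNHwzocvdjk4_KpZEplx1l2WVJdD3UzsSoYN1YbXnPQU4kyGL33d8F1eW0VOfshrV9fz9WaKGzFG3K1ADdvADGfjSGoT3.zv7i2QPMu3AiwfXZOj3Dvw";

/* Reconstruction (assumption, not the module's validCASTicketFormat()):
 * a ticket must start with "ST-" or "PT-", have a non-empty body, and the
 * body may contain only alphanumerics, '.' and '-'. With allow_underscore
 * set, '_' is accepted as well, which is the relaxation the answer made.
 *
 * Returns -1 when every body character is acceptable, -2 for a missing
 * prefix or empty body, otherwise the offset of the first rejected
 * character, so an operator can see exactly what tripped the check. */
static int cas_ticket_first_bad_char(const char *ticket, bool allow_underscore)
{
    size_t i;

    if (ticket == NULL)
        return -2;
    if (strncmp(ticket, "ST-", 3) != 0 && strncmp(ticket, "PT-", 3) != 0)
        return -2;
    if (ticket[3] == '\0')
        return -2;

    for (i = 3; ticket[i] != '\0'; i++) {
        unsigned char c = (unsigned char)ticket[i];
        if (isalnum(c) || c == '.' || c == '-')
            continue;
        if (allow_underscore && c == '_')
            continue;
        return (int)i;
    }
    return -1;
}

/* Strict alphabet: what the answer says current mod_auth_cas enforces. */
static bool cas_ticket_ok_strict(const char *ticket)
{
    return cas_ticket_first_bad_char(ticket, false) == -1;
}

/* Relaxed alphabet: strict set plus '_', matching Keycloak's tickets. */
static bool cas_ticket_ok_relaxed(const char *ticket)
{
    return cas_ticket_first_bad_char(ticket, true) == -1;
}

int main(void)
{
    int bad = cas_ticket_first_bad_char(PAGE_TICKET, false);

    printf("strict : %s\n", cas_ticket_ok_strict(PAGE_TICKET) ? "accepted" : "rejected");
    if (bad >= 0)
        printf("  first rejected character '%c' at offset %d\n", PAGE_TICKET[bad], bad);
    printf("relaxed: %s\n", cas_ticket_ok_relaxed(PAGE_TICKET) ? "accepted" : "rejected");
    return 0;
}
```

Note that the relaxed variant is still a bounded alphabet: whitespace, '&', '/', '%' and other URL metacharacters are still rejected, so the ticket can be spliced into the serviceValidate query string unchanged. The character check is only an input-validation boundary; the actual authentication decision remains the validation round trip to the CASValidateURL, which a ticket that passes this check still has to survive.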