Content Server REST API and SSO

Oliver_OBrien · 2021-03-29T18:04:22+00:00

There was an error rendering this rich post.

Hi all,

We are trying to use the Content Server REST API to view and upload documents, but have not been able to do this without enabling anonymous authentication in IIS. Unfortunately, single sign-on stops working when anonymous authentication is enabled.

We followed this link: https://knowledge.opentext.com/knowledge/cs.dll/kcs/kbarticle/view/KB9770935/customer/article.html thinking it would let us use the REST API without enabling anonymous authentication, but that did not work. The following is what we tried.

Call POST http://[OTDS server]:8080/otdsws/rest/authentication/credentials with credentials in the JSON body. Get the OTDS ticket from the response body.
Call GET http://[OTCS server]/otcs/cs.exe/api/v1/auth with OTDSTICKET in the header. Get OTCS ticket from response header
Call GET http://[OTCS server]/otcs/cs.exe/api/v1/note/[nodeid] with OTCSTICKET in the header. The response body has node details.

This whole process works with anonymous authentication enabled, but step 2 fails with a 401 error when anonymous authentication is disabled. Does anyone know of a way we can use the OTCS REST API without breaking our SSO?

Thanks,

Oliver

Find more posts tagged with

Comments

Ferdinand Prantl

Calls to the CS REST API are authenticated by a custom header (OTCSTicket, OTDSTicket, for example). Not by IWA or cookies. Not all REST clients run on Windows or can use the WA. That is why you have to disable anonymous authentication in IIS in the web application for the REST endpoint. You can configure a different web application for REST client than for Classic UI. You would enable IWA for the latter.

There is no automatic SSO for CS REST API. You need to supply an authentication header. That is why it does not matter that SSO based on IWA will bot work on the REST endpoint.

You three steps do not use SSO and will work with the anonymous authentication disabled. If you want to support SSO, you will need to authenticate your custom page server-to-server. For example, you will configure your ASP.NET application to be authenticated by OTDS. That will gain you access to an OTDSTicket. You will be able to call /api/v1/auth with the OTDSTicket and get an OTCSTicket. You can generate it to a script on the AS.NET page, where Smart UI widgets would use it to connect to CS, for example.

Appu Nair

It is well known that the CS REST API will only work with an anonymous method.

So this is what most organizations end up doing.

They will let OT CS do the installation this will create an application for IWA(so that if the organization is IWA let the KERB Auth be passed over) and a secondary site for REST API because all it takes is adding another application in IIS. See Ferda's Reply to mine it is a long post-Ferda is Ferdinand Prantl...

https://forums.opentext.com/forums/developer/discussion/comment/950216#Comment_950216

The problem is really not the OTDSToken to OTCSToken when the POST is to an OTCS resource the one that responds to

HTTP://server/application/applicationcgi/api/v1/<any available resource> that is the part that will not work (or simply let in by IIS)

Ferdinand Prantl

Once more emphasised:

You do not configure SSO for CS REST API.
You configure SSO with OTDS for your web application (pages).
Once your web application gets authenticaqted by OTDS, it wil obtain an OTDS ticket.
The OTDS ticket can be used to obtain other tickets on the server or in the browser.

Oliver_OBrien

Thanks for all the responses. I have learned that using NTLM authentication for steps 2 and 3 makes it work without enabling anonymous authentication.

Again, thank you.