documentation:1.4:applications:alfresco

Alfresco

Alfresco is an ECM/BPM software.

Since 4.0 release, it offers an easy way to configure SSO thanks to authentication subsystems.

If you use an older version, you need to refer to the following documentation: https://wiki.alfresco.com/wiki/SSO
The official documentation can be found here: http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html

You need to find the following files in your Alfresco installation:

  • alfresco-global.properties (ex: tomcat/shared/classes/alfresco-global.properties)
  • share-config-custom.xml (ex: tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml)

The first will allow to configure SSO for the alfresco webapp, and the other for the share webapp.

Edit first alfresco-global.properties and add the following:

### SSO ###
authentication.chain=external1:external
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=
external.authentication.proxyUserName=
external.authentication.proxyHeader=Auth-User
external.authentication.userIdPattern=

Edit then share-config-custom.xml and uncomment the last part. In the <endpoint>, change <connector-id> value to alfrescoHeader and change the <userHeader> value to Auth-User:

   <config evaluator="string-compare" condition="Remote">
      <remote>
          <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
 
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
 
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>Auth-User</userHeader>
         </connector>
 
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

You need to restart Tomcat to apply changes.

Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to LL::NG.

Just set the Auth-User header with the attribute that carries the user login, for example $uid.

You can intercept the logout with this rule: ^/share/page/dologout ⇒ logout_app_sso