Alfresco
========

|image0|

Presentation
------------

Alfresco is an ECM/BPM software. Since the 4.0 release, it offers an easy way
to configure SSO thanks to authentication subsystems.

Authentication against LL::NG can be done through:

- HTTP headers (LL::NG Handler)
- SAML 2 (LL::NG as SAML2 IDP)

.. tip::

   Alfresco now recommends the SAML2 method.

HTTP headers
------------

.. _alfresco-1:

Alfresco
~~~~~~~~

.. tip::

   The official documentation can be found here:
   http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html

You need to find the following files in your Alfresco installation:

- ``alfresco-global.properties`` (ex: ``tomcat/shared/classes/alfresco-global.properties``)
- ``share-config-custom.xml`` (ex: ``tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml``)

The first one configures SSO for the ``alfresco`` webapp, the other one for
the ``share`` webapp.

Edit first ``alfresco-global.properties`` and add the following:

.. code-block:: properties

   ### SSO ###
   authentication.chain=external1:external
   external.authentication.enabled=true
   external.authentication.defaultAdministratorUserNames=
   external.authentication.proxyUserName=
   external.authentication.proxyHeader=Auth-User
   external.authentication.userIdPattern=

Edit then ``share-config-custom.xml`` and uncomment the last part. In the
``<endpoint>``, change the ``<connector-id>`` value to ``alfrescoHeader``, and
change the ``<userHeader>`` value of that connector to ``Auth-User``:

.. code-block:: xml

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
            <path>alfresco/web-extension/alfresco-system.p12</path>
            <type>pkcs12</type>
            <password>alfresco-system</password>
         </keystore>
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>Auth-User</userHeader>
         </connector>
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

You need to restart Tomcat to apply the changes.

.. danger::

   Now you can log in with a simple HTTP header. You need to restrict access
   to Alfresco to LL::NG.

LL::NG
~~~~~~

Headers
^^^^^^^

Just set the ``Auth-User`` header with the attribute that carries the user
login, for example ``$uid``.

Rules
^^^^^

Set the default rule to what you need. Other rules:

- Unprotect access to some resources: ``^/share/res => unprotect``
- Catch logout: ``^/share/page/dologout => logout_app_sso``

SAML2
-----

.. _alfresco-2:

Alfresco
~~~~~~~~

Install the SAML Alfresco module packages::

   cp alfresco-saml-repo-1.0.1.amp /amps
   cp alfresco-saml-share-1.0.1.amp /amps_share
   ./bin/apply_amp.sh

Generate the SAML certificate::

   keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS

Export the keystore::

   mv my-saml.keystore alf_data/keystore
   cat <<EOT > alf_data/keystore/my-saml.keystore-metadata.properties
   aliases=my-saml-key
   keystore.password=change-me
   my-saml-key.password=change-me
   EOT
   cat <<EOT >> tomcat/shared/classes/alfresco-global.properties
   saml.keystore.location=\${dir.keystore}/my-saml.keystore
   saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
   EOT

Edit then ``share-config-custom.xml`` and add the SAML endpoints to the
CSRF policy filter rules:

.. code-block:: xml

   ...
   <!-- Static resources: no CSRF check -->
   <rule>
      <request>
         <method>GET</method>
         <path>/res/.*</path>
      </request>
   </rule>
   <!-- SAML responses are posted by the IDP, so no CSRF token can be present -->
   <rule>
      <request>
         <method>POST</method>
         <path>/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest</path>
      </request>
   </rule>
   <!-- Webscripts that must never be reached directly from a browser -->
   <rule>
      <request>
         <path>/proxy/alfresco/remoteadm/.*</path>
      </request>
      <action name="throwError">
         <param name="message">It is not allowed to access this url from your browser</param>
      </action>
   </rule>
   <!-- Repository webscripts allowed to pass without a token -->
   <rule>
      <request>
         <method>POST</method>
         <path>/proxy/alfresco/api/publishing/channels/.+</path>
      </request>
      <action name="assertReferer">
         <param name="referer">{referer}</param>
      </action>
      <action name="assertOrigin">
         <param name="origin">{origin}</param>
      </action>
   </rule>
   <!-- Surf console requests allowed to pass without a token -->
   <rule>
      <request>
         <method>POST</method>
         <path>/page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console</path>
      </request>
      <action name="assertReferer">
         <param name="referer">{referer}</param>
      </action>
      <action name="assertOrigin">
         <param name="origin">{origin}</param>
      </action>
   </rule>
   <!-- Share requests that do not require a token -->
   <rule>
      <request>
         <method>POST</method>
         <path>/page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow</path>
      </request>
      <action name="assertReferer">
         <param name="referer">{referer}</param>
      </action>
      <action name="assertOrigin">
         <param name="origin">{origin}</param>
      </action>
   </rule>
   <!-- Check that the logout is legitimate, then clear the token -->
   <rule>
      <request>
         <method>POST</method>
         <path>/page/dologout(\?.+)?</path>
      </request>
      <action name="assertReferer">
         <param name="referer">{referer}</param>
      </action>
      <action name="assertOrigin">
         <param name="origin">{origin}</param>
      </action>
      <action name="clearToken">
         <param name="session">{token}</param>
         <param name="cookie">{token}</param>
      </action>
   </rule>
   <!-- Generate the first token once a user is logged in -->
   <rule>
      <request>
         <session>
            <attribute name="_alf_USER_ID">.+</attribute>
            <attribute name="{token}"/>
         </session>
      </request>
      <action name="generateToken">
         <param name="session">{token}</param>
         <param name="cookie">{token}</param>
      </action>
   </rule>
   <!-- Refresh the token on each page visit of a logged-in user -->
   <rule>
      <request>
         <method>GET</method>
         <path>/page/.*</path>
         <session>
            <attribute name="_alf_USER_ID">.+</attribute>
            <attribute name="{token}">.+</attribute>
         </session>
      </request>
      <action name="generateToken">
         <param name="session">{token}</param>
         <param name="cookie">{token}</param>
      </action>
   </rule>
   <!-- Multipart requests must carry the token as a parameter -->
   <rule>
      <request>
         <method>POST</method>
         <header name="Content-Type">multipart/.+</header>
         <session>
            <attribute name="_alf_USER_ID">.+</attribute>
         </session>
      </request>
      <action name="assertToken">
         <param name="session">{token}</param>
         <param name="parameter">{token}</param>
      </action>
      <action name="assertReferer">
         <param name="referer">{referer}</param>
      </action>
      <action name="assertOrigin">
         <param name="origin">{origin}</param>
      </action>
   </rule>
   <!-- All other state-changing requests must carry the token in a header -->
   <rule>
      <request>
         <method>POST|PUT|DELETE</method>
         <session>
            <attribute name="_alf_USER_ID">.+</attribute>
         </session>
      </request>
      <action name="assertToken">
         <param name="session">{token}</param>
         <param name="header">{token}</param>
      </action>
      <action name="assertReferer">
         <param name="referer">{referer}</param>
      </action>
      <action name="assertOrigin">
         <param name="origin">{origin}</param>
      </action>
   </rule>
   ...

Configure the SAML service provider using the Alfresco admin console
(``/alfresco/s/enterprise/admin/admin-saml``). Set the following parameters:

- Enable SAML Authentication (SSO): on
- Authentication service URL: https://auth.example.com/saml/singleSignOn
- Single Logout URL: https://auth.example.com/saml/singleLogout
- Single logout return URL: https://auth.example.com/saml/singleLogoutReturn
- Entity identification: http://alfresco.myecm.org:8080/share
- User ID mapping: Subject/NameID

To finish with the Alfresco configuration, tick the "Enable SAML
authentication (SSO)" box.

.. _llng-1:

LL::NG
~~~~~~

Configure the SAML service and set a certificate as signature public key in
the metadata.

Export the Alfresco SAML metadata from the admin console and import them into
LL::NG.

In the authentication response options, set:

- Default NameID Format: Unspecified
- Force NameID session key: uid

And you can define these exported attributes:

- GivenName
- Surname
- Email

Other resources
---------------

- DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi Belmekki
- Setting up Alfresco SAML authentication with LemonLDAP::NG

.. |image0| image:: /applications/alfresco_logo.png
   :class: align-center
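The danger note in the HTTP headers section is the point to check before going live: once the external subsystem trusts ``Auth-User``, anything that can reach Tomcat can log in as anyone. As an added example (not LL::NG or Alfresco code), the script below parses the ``alfresco-global.properties`` block given above and flags the settings that leave the header trusted from any client; the sample properties text is constructed from that block.

```python
"""Audit the Alfresco external-auth settings used for header-based SSO.

Added example, not LL::NG or Alfresco code: a minimal Java .properties
parser plus checks on the keys from the alfresco-global.properties block.
"""
import re

# Constructed sample: the "### SSO ###" block from this page as saved to disk.
SAMPLE_PROPERTIES = """\
### SSO ###
authentication.chain=external1:external
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=
external.authentication.proxyUserName=
external.authentication.proxyHeader=Auth-User
external.authentication.userIdPattern=
"""

def parse_properties(text):
    """Parse key=value / key:value lines; '#' and '!' start comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_external_auth(props, expected_header="Auth-User"):
    """Return (severity, message) findings for the external auth subsystem."""
    findings = []
    chain = props.get("authentication.chain", "")
    if not any(e.strip().endswith(":external") for e in chain.split(",")):
        findings.append(("error", "authentication.chain has no 'external' subsystem"))
    if props.get("external.authentication.enabled", "false").lower() != "true":
        findings.append(("error", "external.authentication.enabled is not true"))
    header = props.get("external.authentication.proxyHeader", "")
    if header != expected_header:
        findings.append(("error", f"proxyHeader is {header!r}, expected {expected_header!r}"))
    if not props.get("external.authentication.proxyUserName"):
        # No proxy user configured: Alfresco honours the header on every
        # request, so only the LL::NG handler may be able to reach Tomcat.
        findings.append(("warning", "proxyUserName is empty: Auth-User is trusted from "
                         "any client, restrict access to Alfresco to LL::NG"))
    admins = props.get("external.authentication.defaultAdministratorUserNames", "")
    if admins:
        findings.append(("info", f"header values {admins!r} get administrator rights"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_external_auth(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {message}")
```

Run it against the real file with ``parse_properties(open(path).read())``; the warning on ``proxyUserName`` is expected with the configuration above and is the reason the network restriction from the danger note is required.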