Alfresco
========
|image0|
Presentation
------------
`Alfresco `__ is an ECM/BPM (Enterprise Content Management / Business Process Management) platform.
Since release 4.0, it offers an easy way to configure SSO through its
authentication subsystems.
Authentication against LL::NG can be done through:
- HTTP headers (LL::NG Handler)
- SAML 2 (LL::NG as SAML2 IDP)
.. tip::

   Alfresco now recommends the SAML2 method.

HTTP headers
------------
.. _alfresco-1:
Alfresco
~~~~~~~~
.. tip::

   The official documentation can be found here:
   http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html

You need to find the following files in your Alfresco installation:
- ``alfresco-global.properties`` (ex:
  ``tomcat/shared/classes/alfresco-global.properties``)
- ``share-config-custom.xml`` (ex:
  ``tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml``)

The first configures SSO for the ``alfresco`` webapp (the repository),
the second for the ``share`` webapp.
Edit first ``alfresco-global.properties`` and add the following:
.. code-block:: properties

   ### SSO ###
   # Use only the "external" subsystem: Alfresco trusts the identity
   # carried by the proxy header and does no authentication itself
   authentication.chain=external1:external
   external.authentication.enabled=true
   external.authentication.defaultAdministratorUserNames=
   external.authentication.proxyUserName=
   # Name of the HTTP header that carries the user login (set by LL::NG)
   external.authentication.proxyHeader=Auth-User
   external.authentication.userIdPattern=

Then edit ``share-config-custom.xml`` and uncomment the last part. In
the ``<endpoint>`` element, change the ``<connector-id>`` value to
``alfrescoHeader``, and in the ``alfrescoHeader`` connector change the
``<userHeader>`` value to ``Auth-User``:
.. code-block:: xml

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
            <path>alfresco/web-extension/alfresco-system.p12</path>
            <type>pkcs12</type>
            <password>alfresco-system</password>
         </keystore>
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <!-- must match external.authentication.proxyHeader -->
            <userHeader>Auth-User</userHeader>
         </connector>
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

You need to restart Tomcat to apply changes.
.. danger::

   Anyone who can reach Alfresco directly can now log in as any user
   simply by sending the ``Auth-User`` header: Alfresco no longer checks
   a password. You must restrict network access to Alfresco so that only
   the LL::NG Handler (the reverse proxy) can reach it.

LL::NG
~~~~~~
Headers
^^^^^^^
Just set the ``Auth-User`` header with the attribute that carries the
user login, for example ``$uid``.
Rules
^^^^^
Set the default rule to what you need.
Other rules:
- Unprotect access to some resources: ``^/share/res => unprotect``
- Catch logout: ``^/share/page/dologout => logout_app_sso``
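The two points above (set ``Auth-User`` only from the LL::NG session, and apply the path rules) can be illustrated with a small simulation of what a header-based handler must do. This is an added example, not LL::NG or Alfresco code; the ``RULES`` table is a hypothetical Python form of the rule syntax shown above, and the ``accept`` default rule, the ``handle`` function and its decision strings are assumptions. The security-relevant part is ``build_upstream_headers``: it drops any client-supplied ``Auth-User`` (in any letter case) before setting the header from the authenticated session, since Alfresco trusts that header unconditionally.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed rules in the LL::NG style shown on the page: path regex -> action.
RULES: List[Tuple[str, str]] = [
    (r"^/share/res", "unprotect"),
    (r"^/share/page/dologout", "logout_app_sso"),
]
DEFAULT_RULE = "accept"    # assumption: "set the default rule to what you need"
USER_HEADER = "Auth-User"  # header Alfresco trusts (external.authentication.proxyHeader)


def evaluate_rule(path: str) -> str:
    """Return the action for a request path: first matching rule wins, else the default."""
    for pattern, action in RULES:
        if re.match(pattern, path):
            return action
    return DEFAULT_RULE


def build_upstream_headers(client_headers: Dict[str, str],
                           session: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Build the headers forwarded to Alfresco.

    Any Auth-User sent by the client is removed, whatever its letter case,
    so a user cannot choose their own identity; the header is then set from
    the LL::NG session attribute ($uid) only when a session exists.
    """
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() != USER_HEADER.lower()}
    if session and session.get("uid"):
        upstream[USER_HEADER] = session["uid"]
    return upstream


def handle(path: str, client_headers: Dict[str, str],
           session: Optional[Dict[str, str]]) -> Tuple[str, Dict[str, str]]:
    """Simulate the handler decision for one request (hypothetical API).

    Returns (decision, headers): 'unprotect' forwards without identity,
    'redirect_to_portal' means no session, 'logout' ends the SSO session as
    well as the application one, 'forward' forwards with Auth-User set.
    """
    action = evaluate_rule(path)
    if action == "unprotect":
        # Static resources: still strip a spoofed header, send no identity.
        return "unprotect", build_upstream_headers(client_headers, None)
    if session is None:
        return "redirect_to_portal", {}
    if action == "logout_app_sso":
        return "logout", build_upstream_headers(client_headers, session)
    return "forward", build_upstream_headers(client_headers, session)


if __name__ == "__main__":
    # Constructed request: the client tries to smuggle an identity.
    print(handle("/share/page/user/dwho/dashboard",
                 {"auth-user": "admin", "Accept": "*/*"}, {"uid": "dwho"}))
```

Running the block shows the request forwarded with ``Auth-User: dwho`` and the client's ``auth-user: admin`` gone. The same stripping must be done by any proxy in front of Alfresco, and it is useless if Alfresco itself is reachable without passing through that proxy.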
SAML2
-----
.. _alfresco-2:
Alfresco
~~~~~~~~
Install the SAML Alfresco module packages (one for the repository, one
for Share):

::

   cp alfresco-saml-repo-1.0.1.amp /amps
   cp alfresco-saml-share-1.0.1.amp /amps_share
   ./bin/apply_amp.sh

Generate the SAML signing key pair and certificate:

::

   keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS

Install the keystore in Alfresco's keystore directory, describe it in a
metadata file and declare both in ``alfresco-global.properties``:

::

   mv my-saml.keystore alf_data/keystore
   cat > alf_data/keystore/my-saml.keystore-metadata.properties <<EOT
   aliases=my-saml-key
   keystore.password=change-me
   my-saml-key.password=change-me
   EOT
   # \${...} is escaped so that the literal ${dir.keystore} reaches the file
   cat >> tomcat/shared/classes/alfresco-global.properties <<EOT
   saml.keystore.location=\${dir.keystore}/my-saml.keystore
   saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
   EOT

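The two files written above must agree with each other (every alias listed in ``aliases`` needs its own ``<alias>.password`` entry, and the ``${dir.keystore}`` placeholder must resolve), and the ``change-me`` passwords from the commands are meant to be replaced. The following added example, not part of the page or of Alfresco, is a small consistency check over such files: a minimal Java ``.properties`` parser with ``${var}`` expansion, plus a check function. The sample file contents are constructed from the commands above; the ``dir.keystore`` value and the list of placeholder passwords are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the metadata file produced by the heredoc above.
KEYSTORE_METADATA = """\
aliases=my-saml-key
keystore.password=change-me
my-saml-key.password=change-me
"""

# Constructed sample: the relevant lines of alfresco-global.properties.
# dir.keystore is an assumed value; Alfresco normally derives it itself.
ALFRESCO_GLOBAL = """\
dir.keystore=/opt/alfresco/alf_data/keystore
saml.keystore.location=${dir.keystore}/my-saml.keystore
saml.keystore.keyMetaData.location=${dir.keystore}/my-saml.keystore-metadata.properties
"""

# Assumed list of values that indicate a password was never changed.
PLACEHOLDER_SECRETS = {"change-me", "changeit", "password"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value lines, '#'/'!' comments,
    and single-pass ${var} expansion against keys of the same file."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()

    def expand(value: str) -> str:
        # Unknown variables are left as-is so the caller can report them.
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    return {k: expand(v) for k, v in props.items()}


def check_saml_keystore_config(global_text: str, metadata_text: str) -> List[str]:
    """Return findings about the two files; an empty list means no problem found."""
    g = parse_properties(global_text)
    m = parse_properties(metadata_text)
    findings: List[str] = []

    # 1. Both keystore locations must be declared and fully resolved.
    for key in ("saml.keystore.location", "saml.keystore.keyMetaData.location"):
        if key not in g:
            findings.append(f"missing {key} in alfresco-global.properties")
        elif "${" in g[key]:
            findings.append(f"{key} has an unresolved placeholder: {g[key]}")

    # 2. Every alias needs its key password, or Alfresco cannot use the key.
    aliases = [a.strip() for a in m.get("aliases", "").split(",") if a.strip()]
    if not aliases:
        findings.append("no 'aliases' entry in keystore metadata")
    for alias in aliases:
        if f"{alias}.password" not in m:
            findings.append(f"alias {alias} has no {alias}.password entry")

    # 3. Passwords copied from documentation examples must be replaced.
    for key, value in m.items():
        if key.endswith("password") and value in PLACEHOLDER_SECRETS:
            findings.append(f"{key} still uses the placeholder value '{value}'")
    return findings


if __name__ == "__main__":
    for finding in check_saml_keystore_config(ALFRESCO_GLOBAL, KEYSTORE_METADATA):
        print("finding:", finding)
```

Run against the constructed samples, the check reports the two ``change-me`` passwords; point it at the real files after deployment to confirm that the keystore declaration resolves and no example password survived.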
Then edit ``share-config-custom.xml``:
.. code-block:: xml

   ...
   GET
   /res/.*
   POST
   /page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest
   /proxy/alfresco/remoteadm/.*
   It is not allowed to access this url from your browser
   POST
   /proxy/alfresco/api/publishing/channels/.+
   {referer}
   {origin}
   POST
   /page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console
   {referer}
   {origin}
   POST
   /page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow
   {referer}
   {origin}
   POST
   /page/dologout(\?.+)?
   {referer}
   {origin}
   {token}
   {token}
   .+
   {token}
   {token}
   GET
   /page/.*
   .+
   .+
   {token}
   {token}
   POST
   .+
   {token}
   {token}
   {referer}
   {origin}
   POST|PUT|DELETE
   .+
   {token}
   {token}
   {referer}
   {origin}
   ...

Configure the SAML service provider using the Alfresco admin console
(``/alfresco/s/enterprise/admin/admin-saml``).

Set the following parameters:

- Enable SAML Authentication (SSO): on
- Authentication service URL:
  https://auth.example.com/saml/singleSignOn
- Single Logout URL: https://auth.example.com/saml/singleLogout
- Single logout return URL:
  https://auth.example.com/saml/singleLogoutReturn
- Entity identification: http://alfresco.myecm.org:8080/share
- User ID mapping: Subject/NameID

To finish the Alfresco configuration, tick the "Enable SAML
authentication (SSO)" box.
.. _llng-1:
LL::NG
~~~~~~
Configure the SAML service and set a certificate as the signature public
key in the LL::NG metadata.

Export the Alfresco SAML metadata from the admin console and import it
into LL::NG.
In the authentication response option, set:
- Default NameID Format: Unspecified
- Force NameID session key: uid
And you can define these exported attributes:
- GivenName
- Surname
- Email
Other resources
---------------
- `DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi
  Belmekki `__
- `Setting up Alfresco SAML authentication with
  LemonLDAP::NG `__

.. |image0| image:: /applications/alfresco_logo.png
   :class: align-center