What is single sign-on (SSO)?
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials — for example, a username and password — to access multiple applications. SSO can be used by enterprises, small and midsize organizations, and individuals to ease the management of multiple credentials.
How does single sign-on work?
Single sign-on is a federated identity management arrangement, and the use of such a system is sometimes called identity federation. Two protocol families carry it in practice: SAML 2.0, which this guide uses, and OpenID Connect, which is built on the OAuth 2.0 authorization framework. OAuth on its own is an authorization protocol rather than an authentication one: it lets a third-party service act on an end user’s account, for example at Facebook, through an access token scoped to specific account information, without the service ever seeing the user’s password.
In both cases the flow is the same. When a user tries to reach an application (the service provider), the service provider redirects the browser to the identity provider with an authentication request. The identity provider authenticates the user and returns a signed assertion, the service provider verifies the signature and the assertion’s conditions, and only then logs the user in.
SSO for Alfresco.
Alfresco is an enterprise content management system with more than one web application for working with content; Alfresco Share and Alfresco Digital Workspace are two of them. This guide covers Share.
The procedure below is for the Dockerized Alfresco deployment and assumes Maven and Docker are installed on your system.
Purpose:
- As part of the SSO (single sign-on) process we are improving the user’s login experience.
- Users will no longer be required to enter their credentials when accessing Alfresco Share.
- This documentation helps to understand the authentication process and the SAML authentication flow.
- It also helps to gain some knowledge of Azure AD and Alfresco’s SAML module.
Steps to Configure SSO with Azure.
Install SAML module.
Download the module from Hyland’s support portal.
The download is a .zip containing the repository and Share AMP files used below.
Local maven repo Install:
mvn install:install-file -Dfile="<your path to project>/alfresco-saml/alfresco-saml-repo-1.2.3.amp" -DgroupId=org.alfresco -DartifactId=alfresco-saml-repo -Dversion=1.2.3 -Dpackaging=amp
mvn install:install-file -Dfile="<your path to project>/alfresco-saml/alfresco-saml-share-1.2.3.amp" -DgroupId=org.alfresco -DartifactId=alfresco-saml-share -Dversion=1.2.3 -Dpackaging=amp
Note that the Share AMP is installed under its own artifactId, alfresco-saml-share. Installing both files under alfresco-saml-repo overwrites the first one and leaves the Share dependency below unresolvable.
and if you are using local nexus then
mvn deploy:deploy-file -Dfile="<your path to project>/alfresco-saml/alfresco-saml-repo-1.2.3.amp" -DgroupId=org.alfresco -DartifactId=alfresco-saml-repo -Dversion=1.2.3 -Dpackaging=amp -Durl=http://local.nexus.docker:8081/repository/maven-releases/ -DrepositoryId=releases
mvn deploy:deploy-file -Dfile="<your path to project>/alfresco-saml/alfresco-saml-share-1.2.3.amp" -DgroupId=org.alfresco -DartifactId=alfresco-saml-share -Dversion=1.2.3 -Dpackaging=amp -Durl=http://local.nexus.docker:8081/repository/maven-releases/ -DrepositoryId=releases
The -DrepositoryId value must match a <server> entry in your Maven settings.xml that carries the Nexus credentials; keep those credentials in settings.xml, not on the command line.
Then add the AMPs to Alfresco’s POMs as dependencies.
In alfresco-platform-docker/pom.xml add the following inside <dependencies>:
<dependency>
<groupId>org.alfresco</groupId>
<artifactId>alfresco-saml-repo</artifactId>
<version>1.2.3</version>
<type>amp</type>
</dependency>
and in alfresco-share-docker/pom.xml add the following inside <dependencies>:
<dependency>
<groupId>org.alfresco</groupId>
<artifactId>alfresco-saml-share</artifactId>
<version>1.2.3</version>
<type>amp</type>
</dependency>
Then rebuild the images for alfresco-platform-docker and alfresco-share-docker and run them.
Next, generate a self-signed key pair in a keystore. This is the SP signing key that Alfresco uses for the SAML messages it sends to Azure AD. Run the command below, replacing both change-me values with real secrets (the same values are needed in the keystore password configuration that follows):
keytool -genkeypair -keyalg RSA -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS
Place the generated my-saml.keystore file into a location of your choice that is accessible to the repository.
To use the newer keystore configuration method, pass the keystore passwords as JVM properties under JAVA_TOOL_OPTIONS. The values must match the -storepass and -keypass given to keytool (change-me in the command above):
-Dsaml-keystore.aliases=my-saml-key
-Dsaml-keystore.password=change-me
-Dsaml-keystore.my-saml-key.password=change-me
-Dsaml-keystore.my-saml-key.algorithm=AES
Alternatively, with the older method, create a keystore metadata file named my-saml-keystore-passwords.properties in the same location as the keystore with the following content. It holds the keystore secrets, so restrict its file permissions to the account that runs the repository.
aliases=my-saml-key
keystore.password=change-me
my-saml-key.password=change-me
Set the following values in the alfresco-global.properties file:
saml.keystore.location=<full pathname>/my-saml.keystore
saml.keystore.keyMetaData.location=<full pathname>/my-saml-keystore-passwords.properties
saml.keystore.type=JCEKS
saml.message.state.duration.in.millis=300000
saml.issueInstantRule.check.clock.skew.in.seconds=60
saml.issueInstantRule.check.expiration.in.seconds=30
saml.sp.isEnabled=true
saml.sp.isEnforced=true
# Path to the certificate used to validate the requests and responses from the IdP
saml.sp.idp.certificatePath=<wherever the certificates have been placed>
With saml.sp.isEnforced=true every Share login goes through the IdP and the local login form is no longer offered, so a mistake in the IdP settings locks users out. Bring the integration up with saml.sp.isEnforced=false, confirm that a SAML login works end to end, and only then enforce it.
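The three timing properties above are replay and freshness controls rather than tuning knobs. The following is an added example, not code from Alfresco or its SAML module, that models what a service provider enforces with those values: the IssueInstant of an incoming message must fall inside the expiration window, widened by the permitted clock skew in both directions, and a response is only accepted if its InResponseTo names a request the SP issued recently and has not already consumed. The timestamps and request IDs are constructed for the demo.

```python
"""Model of the SAML timing checks behind the alfresco-global.properties values above.
Added example, not Alfresco's code; the constants mirror the snippet's settings."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

CLOCK_SKEW_SECONDS = 60         # saml.issueInstantRule.check.clock.skew.in.seconds
EXPIRATION_SECONDS = 30         # saml.issueInstantRule.check.expiration.in.seconds
STATE_DURATION_MILLIS = 300000  # saml.message.state.duration.in.millis (5 minutes)

# SAML requires IssueInstant as xs:dateTime in UTC ('Z'); fractional seconds are dropped here.
_ISSUE_INSTANT = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z$")


def parse_issue_instant(value: str) -> datetime:
    """Parse an IssueInstant attribute; anything that is not UTC xs:dateTime is rejected."""
    m = _ISSUE_INSTANT.match(value.strip())
    if not m:
        raise ValueError(f"malformed IssueInstant: {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_issue_instant(issue_instant: str, now: datetime,
                        skew: int = CLOCK_SKEW_SECONDS,
                        expiration: int = EXPIRATION_SECONDS) -> Tuple[bool, str]:
    """Accept a message only if it was issued at most `expiration` seconds ago, allowing
    `skew` seconds of clock difference between IdP and SP in either direction."""
    issued = parse_issue_instant(issue_instant)
    tolerance = timedelta(seconds=skew)
    if issued > now + tolerance:
        return False, "IssueInstant is in the future beyond the allowed clock skew"
    if issued + timedelta(seconds=expiration) + tolerance < now:
        return False, "message too old: IssueInstant outside the expiration window"
    return True, "ok"


class PendingRequests:
    """AuthnRequest IDs awaiting a response, kept for saml.message.state.duration.in.millis.
    A response whose InResponseTo is unknown (unsolicited, or already used) or whose
    request state has expired is rejected."""

    def __init__(self, duration_millis: int = STATE_DURATION_MILLIS):
        self._ttl = timedelta(milliseconds=duration_millis)
        self._expiry: Dict[str, datetime] = {}

    def remember(self, request_id: str, now: datetime) -> None:
        self._expiry[request_id] = now + self._ttl

    def consume(self, in_response_to: str, now: datetime) -> bool:
        # pop() makes each request ID single-use, so a replayed response fails here
        expires = self._expiry.pop(in_response_to, None)
        return expires is not None and now < expires

    def purge(self, now: datetime) -> int:
        """Drop expired state; returns how many entries were removed."""
        stale = [rid for rid, exp in self._expiry.items() if exp <= now]
        for rid in stale:
            del self._expiry[rid]
        return len(stale)


# Constructed "current time" for the demo below.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def run_demo() -> Dict[str, bool]:
    """Exercise the checks against constructed inputs and return the verdicts."""
    pending = PendingRequests()
    pending.remember("_req1", NOW)
    pending.remember("_req2", NOW)
    return {
        "fresh": check_issue_instant("2024-05-01T11:59:30Z", NOW)[0],           # 30 s old
        "fractional": check_issue_instant("2024-05-01T11:59:30.123Z", NOW)[0],  # Azure-style
        "too_old": check_issue_instant("2024-05-01T11:58:00Z", NOW)[0],         # 120 s old
        "skew_ok": check_issue_instant("2024-05-01T12:00:45Z", NOW)[0],         # 45 s ahead
        "too_far_ahead": check_issue_instant("2024-05-01T12:02:00Z", NOW)[0],   # 120 s ahead
        "in_response_to_ok": pending.consume("_req1", NOW + timedelta(minutes=1)),
        "replay_rejected": pending.consume("_req1", NOW + timedelta(minutes=1)),
        "unsolicited_rejected": pending.consume("_nope", NOW),
        "state_expired": pending.consume("_req2", NOW + timedelta(minutes=6)),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22} {'accept' if verdict else 'reject'}")
```

The clock-skew allowance is why NTP on the Alfresco host matters: with the host a few minutes off, every assertion from Azure AD is either "too old" or "in the future" and logins fail in a way that looks like a signature problem.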
Configure the Azure AD SAML connector.
Create a SAML-based single sign-on enterprise application for Alfresco in Azure AD.
Under Reply URL (Assertion Consumer Service URL) add the URL below; Azure AD only posts SAML responses to URLs listed there.
https://<server dns>/share/page/saml-authnresponse
Azure AD signs its responses with a tenant-specific certificate. Download it in Base64 format from the application’s SAML Signing Certificate section, or have the Azure team send it to you, and save it; it is uploaded into Alfresco later.
Configuration at code level.
Then modify the alfresco-platform-docker Dockerfile as below so the keystore, its passwords file and the IdP certificate end up on the repository classpath.
COPY extensions/*.keystore $TOMCAT_DIR/shared/classes/alfresco/extension/
COPY extensions/*.properties $TOMCAT_DIR/shared/classes/alfresco/extension/
COPY extensions/*.cer $TOMCAT_DIR/shared/classes/alfresco/extension/
Be aware that this bakes the SP private key (the keystore) and its passwords file into the image, so anyone who can pull the image from your registry obtains them. For anything beyond a development setup, mount the keystore and passwords file into the container at runtime as secrets instead of copying them in.
Configuration on Alfresco side.
After that configuration succeeds, configure the Alfresco side.
Go to https://<your DNS>/alfresco/s/enterprise/admin/admin-systemsummary
On the left-hand side, under Directories, click Single Sign-On (SAML).
The following values need to be filled in there.
Identity Provider (IdP) Description:
A free-text label describing the IdP, for example Azure AD.
IdP Authentication Request Service URL:
The address where the authentication request is sent. This redirects you to the IdP login page.
Use the single sign-on URL from the Azure federation metadata XML (the App Federation Metadata Url shown in the Azure SAML app):
https://login.microsoftonline.com/<your tenant id from azure>/saml2
IdP Single Logout Request Service URL:
The address where the logout request is sent when logging out of Alfresco. This logs you out of the Alfresco web application and any other applications that use your SSO setup.
This is also given in the Azure federation metadata XML; for Azure AD it is the same endpoint:
https://login.microsoftonline.com/<your tenant id from azure>/saml2
IdP Single Logout Response Service URL:
The address where the logout response is sent when the IdP gets a logout request.
This is also given in the Azure federation metadata XML, again the same endpoint:
https://login.microsoftonline.com/<your tenant id from azure>/saml2
Entity Identification (Issuer):
Some IdPs use the issuer to determine which service provider connection to use.
This is the SP entity ID that Alfresco sends as the Issuer of its requests, which is how Azure tells which application they belong to. It must be exactly the Identifier (Entity ID) configured in the Azure SAML app, for example:
https://alfresco.<your dns>/share
User ID Mapping:
The SAML attribute that maps to an Alfresco User ID. For PingFederate use ‘PersonImmutableID’ and for AD FS use ‘Subject/NameID’.
For Azure AD use Subject/NameID. By default Azure AD sends the user principal name as the NameID, and the SAML module only authenticates, it does not create users, so the users must already exist in Alfresco (for example through directory synchronization) with IDs that match what Azure sends.
Then upload the IdP certificate received from Azure under Upload IdP certificate.
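Every value on the admin page except the description and the user ID mapping can be read from the tenant’s federation metadata XML, which is also where the IdP signing certificate comes from. The script below is an added example, not Alfresco or Microsoft code: it parses a metadata document shaped like Azure AD’s (constructed here, with a tenant ID of zeros and a placeholder in place of the real X.509 certificate) and returns the authentication request URL, the logout URL, the IdP entity ID and the signing certificate as PEM, the form a .cer upload expects. Azure AD publishes two signing certificates while a rollover is in progress, so all of them are returned rather than silently picking the first.

```python
"""Extract the IdP settings the Alfresco SAML admin page asks for from an Azure AD
federation metadata document. Added example; the metadata and certificate are constructed."""
import base64
import textwrap
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder standing in for the DER bytes of the IdP signing certificate.
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
_FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode("ascii")

# Constructed sample shaped like Azure AD's federationmetadata.xml (tenant ID of zeros).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block with 64-column base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to check the round trip."""
    lines = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def _endpoint(idp: ET.Element, tag: str, binding: str) -> Optional[str]:
    """Location of the first <tag> element advertising the requested binding."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def extract_idp_settings(metadata_xml: str) -> Dict[str, object]:
    """Return the values for the Alfresco SAML admin page from IdP metadata.
    The metadata must come from the tenant's HTTPS metadata URL; for XML from an
    untrusted source parse with defusedxml instead of xml.etree."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    certs: List[str] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(der_to_pem(base64.b64decode("".join((c.text or "").split()))))
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")
    sso = _endpoint(idp, "SingleSignOnService", HTTP_REDIRECT)
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    return {
        "idp_entity_id": root.get("entityID"),
        "authn_request_url": sso,
        "single_logout_url": _endpoint(idp, "SingleLogoutService", HTTP_REDIRECT),
        "signing_certificates_pem": certs,  # more than one during an Azure AD rollover
    }


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    for key, value in settings.items():
        print(f"{key}: {value}")
```

Run it against the real federationmetadata.xml of your tenant and save each PEM block from signing_certificates_pem as a .cer file; if two are returned, upload the one whose thumbprint the Azure portal marks as active and plan to repeat the upload when the rollover completes.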