Skip to main content

Software Development

SSO for Alfresco Share

Software Development

What is single sign-on (SSO)?

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials — for example, a username and password — to access multiple applications. SSO can be used by enterprises, small and midsize organizations, and individuals to ease the management of multiple credentials.

How does single sign-on work?

Single sign-on is a federated identity management arrangement. The use of such a system is sometimes called identity federation. Open Authorization (OAuth) is the framework that enables an end user’s account information to be used by third-party services, such as Facebook, without exposing the user’s password.

OAuth acts as an intermediary on behalf of the end user by providing the service with an access token that authorizes specific account information to be shared. When a user attempts to access an application from the service provider, the service provider sends a request to the identity provider for authentication. The service provider then verifies the authentication and logs the user in.

 

SSO for Alfresco.

Alfresco is an enterprise content management system and it has more than one application where we can handle contents. Alfresco Share and Alfresco workspace are the two among that.

This is the process for dockized Alfresco where we need to have Maven and Docker installed in your system.

Purpose:

  • As part of the SSO (single sign on) process we are improving user’s login experience.
  • Users will no longer required to put their credentials while trying to access Alfresco share.
  • This documentation helps to understand Authentication process and SAML flow of Authentication.
  • Also helps to gain some knowledge on Azure AD and Alfresco’s SAML module.

Steps to Configure SSO with Azure.

Install SAML module.

For that we need to download the module from Hyland’s support portal. Below is the link for that.

https://community.hyland.com/products/alfresco/release-notes/release-notes/saml-single-sign-on-sso-for-alfresco-content-services/saml-single-signon-sso-for-alfresco-content-services-123

The .zip will download.

Local maven repo Install:

mvn install:install-file -Dfile=”<your path to project> /alfresco-saml/alfresco-saml-repo-1.2.3.amp“ -DgroupId=org.alfresco -DartifactId=alfresco-saml-repo -Dversion=1.2.3 -Dpackaging=amp

mvn install:install-file -Dfile=”<your path to project> /alfresco-saml/alfresco-saml-share-1.2.3.amp“ -DgroupId=org.alfresco -DartifactId=alfresco-saml-repo -Dversion=1.2.3 -Dpackaging=amp

 

and if you are using local nexus then

mvn deploy:deploy-file -Dfile=”<your path to project> /alfresco-saml/alfresco-saml-repo-1.2.3.amp“ -DgroupId=org.alfresco -DartifactId=alfresco-saml-repo -Dversion=1.2.3 -Dpackaging=amp -Durl=http://local.nexus.docker:8081/repository/maven-releases/ -DrepositoryId=releases

mvn deploy:deploy-file -Dfile=”<your path to project> /alfresco-saml/alfresco-saml-share-1.2.3.amp“ -DgroupId=org.alfresco -DartifactId=alfresco-saml-repo -Dversion=1.2.3 -Dpackaging=amp -Durl=http://local.nexus.docker:8081/repository/maven-releases/ -DrepositoryId=releases

 

Then we need to add this in Altresco’s pom as a dependency.

in alfresco-platform-docker>pom.xml add the below code in <dependencies>

<dependency>

<groupId>org.alfresco</groupId>

<artifactId>alfresco-saml-repo</artifactId>

<version>1.2.3</version>

<type>amp</type>

</dependency>

 

and in alfresco-share-docker>pom.xml add the below code in <dependencies>

<dependency>

<groupId>org.alfresco</groupId>

<artifactId>alfresco-saml-share</artifactId>

<version>1.2.3</version>

<type>amp</type>

</dependency>

 

Then build the images for alfresco-platform-docker and alfresco-share-docker and run.

Then we will generate the self-signed certificate. This is required to connect with Azure AD. Run this below given command.

keytool -genkeypair -keyalg RSA -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS

Place the generated my-saml.keystore file into a location of your choice that is accessible to the repository.

 

To use the latest keystore configuration method, set the following as JVM properties under JAVA_TOOL_OPTIONS

-Dsaml-keystore.aliases=my-saml-key

-Dsaml-keystore.password=password_AES

-Dsaml-keystore.my-saml-key.password=password_AES

-Dsaml-keystore.my-saml-key.algorithm=AES

 

Generate a SAML keystore metadata file by the name my-saml-keystore-passwords.properties in the same location as the keystore and add the following content.

aliases=my-saml-key

keystore.password=change-me

my-saml-key.password=change-me

 

Set the following values in the alfresco-global.properties file:

saml.keystore.location=<full pathname>/my-saml.keystore

saml.keystore.keyMetaData.location=<full pathname>/my-saml-keystore-passwords.properties

saml.keystore.type=JCEKS

saml.message.state.duration.in.millis=300000

saml.issueInstantRule.check.clock.skew.in.seconds=60

saml.issueInstantRule.check.expiration.in.seconds=30

saml.sp.isEnabled=true

saml.sp.isEnforced=true

Path to the certificate used to validate the requests and responses from the IdP

saml.sp.idp.certificatePath=<wherever the certificates have been placed>

 

Configure the Azure AD SAML connector.

Then create SAML connection app to Azure.

In redirect URL’s add the bellow urls.

https://<server dns>/share/page/saml-authnresponse

The Azure team will send you one certificate file that you should save somewhere.

 

Configure to code level

Then we need to modify our alfresco-platform-docker Dockerfile as below.

COPY extensions/*.keystore $TOMCAT_DIR/shared/classes/alfresco/extension/

COPY extensions/*.properties $TOMCAT_DIR/shared/classes/alfresco/extension/

COPY extensions/*.cer $TOMCAT_DIR/shared/classes/alfresco/extension/

 

Configuration on Alfresco side.

Then after successfully configuration we need to do configuration on the alfresco side.

Go to https://<your DNS>/alfresco/s/enterprise/admin/admin-systemsummary

on the left hand side under Directories you can see Single Sign-On (SAML)

click there and in that few values we need to give.

Identity Provider (IdP) Description:

Here we need to place our name which will describe the moto.

IdP Authentication Request Service URL:

The address where the authentication request is sent. This redirects you to the IdP login page

Here we need to give url which we got from Azure federation XML.

https://login.microsoftonline.com/<your tenant id form azure>/saml2

IdP Single Logout Request Service URL:

The address where the logout request is sent when logging out of Alfresco. This logs you out of the Alfresco web application and any other applications that use your SSO setup.

This we also given in Azure federation XML.

https://login.microsoftonline.com/<your tenant id form azure>/saml2

IdP Single Logout Response Service URL:

The address where the logout response is sent when the IdP gets a logout request.

This we also given in Azure federation XML.

https://login.microsoftonline.com/<your tenant id from azure>/saml2

Entity Identification (Issuer):

Some IdPs use the issuer to determine which service provider connection to use

Here we need to provide from where we are hitting the Azure url.

same is configured in Azure SAML app.

https://alfresco.<your dns>/share

User ID Mapping:

The SAML attribute that maps to an Alfresco User ID. For PingFederate use ‘PersonImmutableID’ and for AD FS use ‘Subject/NameID’.

Subject/NameID

Then we need to Upload a new IdP certificate in Upload IdP certificate which is given by Azure.

 

References:

Alfresco Docs – Configure Alfresco products

Alfresco Docs – Install with zip

https://community.hyland.com/products/alfresco/release-notes/release-notes/saml-single-sign-on-sso-for-alfresco-content-services/saml-single-signon-sso-for-alfresco-content-services-123

 

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Atul Talhar

Atul Talhar is a seasoned blogger and a Java expert with over 7 years of experience in the field. His passion for technology and coding has led him to specialize in Core Java and Alfresco Content Services, making him a formidable force in the world of enterprise content management.

More from this Author

Follow Us