topic Re: How to set up Share with Identity Services? in Alfresco Forum

How to set up Share with Identity Services?

ukdavo — Sun, 19 Jan 2020 10:07:43 GMT

I understand that Share 6.2 features integration with Identity Service. The documentation seems to be a bit light on this. Has anyone got this to work?

I've been able to get APS to work with Identity Service (using OpenLDAP). This seems to be fairly straightforward.

I believe that I should be able to use the SAML connector to connect to Identity Service. Does anyone have an example of the required configuration (saml.properties, Identity Service config, etc)?

One last thing. Am I right in thinking that even if I get authentication working, I'd still have to create the users within ACS using LDAP sync if users are based in an LDAP directory or using a custom solution if users are based on a non-LDAP based provider (e.g. AWS Cognito)?

Cheers

Mark

Re: How to set up Share with Identity Services?

afaust — Mon, 20 Jan 2020 09:08:42 GMT

AFAIK Alfresco Share does NOT support Alfresco Identity Service in 6.2 - at least not out-of-the-box. Only the Alfresco Repository (ACS) supports Identity Service. That's the reason I have started writing my own support via my alfresco-keycloak addon.

As for still requiring an LDAP directory: I am working on the next version of my Keycloak integration which will be able to map users from authentication requests and sync users / groups directly from Keycloak without requiring an extra setup for LDAP (assuming all users / groups are known to Keycloak in advance).

You can integrate Alfresco with Identity Service / SAML without having LDAP synchronisation. This works just fine and users would be created ad-hoc - the only downside would be that those users would not have any details, e.g. email, first and last names, set as properties.

Re: How to set up Share with Identity Services?

ukdavo — Mon, 27 Jan 2020 12:08:15 GMT

Thanks Axel.

The info at https://docs.alfresco.com/sso/topics/saml.html seems to suggest that you can authenticate Share users via SAML against an identity provider. As Keycloak/IDS supports SAML, could we not use that as the identity provider?

Many thanks

Mark

Re: How to set up Share with Identity Services?

afaust — Mon, 20 Jul 2020 10:08:10 GMT

Due to issues with the notifications sent out by this platform, I often get reply notices where I cannot access a link to go back to the thread in question. Though it is already half a year later, I still want to reply to this as I see this SAML question pop up regularly. The SAML module for Alfresco is an Enterprise only module, not available for Alfresco Community, and it constitutes quite a quirky (and aggressive) workaround for not having native support for Identity Services in Share. Having worked with the SAML module at one Enterprise customer, I would caution against its use - at least we had to do a couple of fixes / patches to make it work in our scenario which required a combination of SAML and Kerberos for authentication of disparate user groups, which it does not support out-of-the-box.

Re: How to set up Share with Identity Services?

EddieMay — Mon, 20 Jul 2020 11:16:39 GMT

Hi @afaust,

Hopefully this has now been fixed - this reply should be a good test

Re: How to set up Share with Identity Services?

afaust — Mon, 20 Jul 2020 11:24:47 GMT

@EddieMay indeed - compared to a notice I got just last week, this is now workable...

Re: How to set up Share with Identity Services?

unibravo — Tue, 28 May 2024 18:23:52 GMT

alfresco-global.properties

authentication.chain=identity-service-1:identity-service,alfrescoNtlm-1:alfrescoNtlm

identity-service.auth-server-url=http://acs.alf.com/auth

identity-service.enable-basic-auth=true

identity-service.realm=alfresco

identity-service.resource=alfresco

aims.enabled=true

aims.realm=alfresco

aims.resource=alfresco

aims.authServerUrl=http://acs.alf.com/auth

aims.publicClient=true

aims.sslRequired=external

aims.autodetectBearerOnly=

aims.alwaysRefreshToken=

aims.principalAttribute=sub

aims.enableBasicAuth=

aims.secret=

csrf.filter.referer=http://acs.alf.com

csrf.filter.origin=http://acs.alf.com/*

Re: How to set up Share with Identity Services?

unibravo — Tue, 28 May 2024 21:52:07 GMT

share-config-custom.xml

<config evaluator="string-compare" condition="AIMS">
<enabled>true</enabled>
<realm>alfresco</realm>
<resource>alfresco</resource>
<authServerUrl>http://acs.alf.com/auth</authServerUrl>
<sslRequired>none</sslRequired>
<publicClient>true</publicClient>
<autodetectBearerOnly>true</autodetectBearerOnly>
<alwaysRefreshToken>true</alwaysRefreshToken>
<principalAttribute>email</principalAttribute>
<enableBasicAuth>true</enableBasicAuth>
</config>

Re: How to set up Share with Identity Services?

afjaber — Thu, 31 Jul 2025 05:44:32 GMT

We have written a custom user provisioning/deprovisioning script (executing as AWS Lambda function but can run anywhere) to sync Microsoft Entra ID users (cloud AD) to Alfresco Share leveraging APIs on both ends. As LDAP sync via legacy server-based AD was not an option for us with our SAML SSO setup, we eventually solved for the provisioning gap this way. Now, first name, last name, email, company, job title, location, status, and anything else required are synced. When the Entra ID user is disabled, deleted, or removed from the qualifying user group, we can either disable or delete (soft delete) in Alfresco. Works perfect, and only wish we can figured out this solution approach sooner as this user provisioning/deprovisioning gap (for our cloud IdP use case) delayed the project by several months. If anyone is interested to learn more or leverage, just let me know or send me a private message. Thanks