SSO with OpenAM

smcardle
Champ in-the-making
Hi All

I am using OpenAM as our authentication server and need to get Alfresco and Share community 4.0.d involved in the same architecture.

However, I am having serious issues here. Usually when OpenAM (previously OpenSSO) is configured to work with a web application, we do the following:
1. add the OpenAM filter to the web.xml file
2. configure some policies on OpenAM for the protected resources on the Web Application being SSO'ed.
3. Add references to the login page, login error page and logout page.

When a protected resource is then requested in the application, the OpenAM filter will redirect the user to the OpenAM login page, the user logs in, and then the application is able to use the HttpServletRequest to get the user principal and check isUserInRole().

However, it seems there is another way to do this with Alfresco and Share but I cannot understand how they would be able to redirect to the OpenAM application when I enter the URL http://<server>:<port>/share into the browser address bar. !!!!

Basically I never want to see the Share or Alfresco login pages. We always want our users ONLY in OpenAM and force Alfresco and Share to trust them as externally authenticated. Alfresco would then create a user of its own, but the user record will be externally managed, i.e. passwords etc. are not managed by Alfresco.

From all the SSO options I can see in the Documentation this scenario does not seem to be covered.

There was an old integration for Alfresco with OpenSSO from sourcesence but this is not a good option in our case as it uses the concept of the OpenSSO AM properties file for the agent configuration instead of the remote server agent configuration.

So, the question is….. Can I configure Alfresco and Share so that they redirect to OpenAM and trust all authenticated users using out-of-the-box functionality and configuration, OR do I have to create my own SSOAuthentication Filter for Alfresco and Share that uses the OpenAM SDK to get them to participate in our SSO configuration?

If I have to do this, what is Share expecting to see in the way of cookies or headers such that it will not present its own login page?

I can't believe that nobody has already done this with Alfresco. OpenAM (OpenSSO) is a widely used and excellent AAA SSO Solution.

Regards

Steve

jainmcs03
Champ in-the-making
Hi ALL,

I'm using Alfresco Community 5.0.c and enabling OpenAM-11.0.0 SSO; the user gets authenticated in OpenAM but is redirected to the Alfresco login page. Seeing the same error in the log file:

2014-12-27 21:17:30,814  DEBUG [site.servlet.SSOAuthenticationFilter] [http-bio-8080-exec-7] Repository session timed out - restarting auth process…

2014-12-27 21:17:57,141  DEBUG [app.servlet.AuthenticationHelper] [http-bio-8080-exec-2] The user is null.
2014-12-27 21:17:57,141  DEBUG [app.servlet.AuthenticationHelper] [http-bio-8080-exec-2] The session is not invalidated.
2014-12-27 21:17:57,141  DEBUG [app.servlet.AuthenticationHelper] [http-bio-8080-exec-2] Searching for Alfresco auth cookie.

21:17:58,077 DEBUG [org.alfresco.web.app.servlet.AuthenticationHelper] [http-bio-8080-exec-2] Settings the external authentication flag on the session to false


Below is my config in the alfresco-global.properties file.

### Auth chain SSO settings For HTTPHeader ###
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyHeader=SsoUserHeader
external.authentication.enabled=true
alfresco.authentication.allowGuestLogin=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=

Please advise.

Regards,
Jayendran
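
The two posts above describe the same gap from both ends: the OpenAM filter leaves an authenticated principal on the HttpServletRequest, while Alfresco's external subsystem (external.authentication.proxyHeader=SsoUserHeader) only looks at a request header. The following servlet filter is an added example, not Alfresco's or OpenAM's code, of the kind of bridging "SSOAuthentication Filter" the original post asks about. It assumes it is mapped in web.xml after the OpenAM agent filter, so getUserPrincipal() is already populated, and that the header name is the one configured in alfresco-global.properties (SsoUserHeader here; the filter init parameter proxyHeader is a hypothetical name of this example). The security-relevant point is that the header must never come from the client: the wrapper discards any SsoUserHeader the browser sent and replaces it with the principal the OpenAM filter vouched for, and unauthenticated requests are rejected instead of being passed on with a client-chosen value.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical bridging filter (example code, not part of Alfresco or OpenAM).
 * Map it in web.xml AFTER the OpenAM agent filter so that getUserPrincipal()
 * is already populated. It (1) drops any SsoUserHeader the client sent itself
 * and (2) sets that header from the container principal, so Alfresco's
 * external subsystem only ever sees a value the OpenAM filter vouched for.
 */
public class SsoHeaderBridgeFilter implements Filter {

    // Must match external.authentication.proxyHeader in alfresco-global.properties.
    private static final String DEFAULT_HEADER = "SsoUserHeader";
    private String headerName = DEFAULT_HEADER;

    @Override
    public void init(FilterConfig config) {
        // "proxyHeader" is a hypothetical init-param name chosen for this example.
        String configured = config.getInitParameter("proxyHeader");
        if (configured != null && !configured.trim().isEmpty()) {
            headerName = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal principal = request.getUserPrincipal();
        if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
            // The upstream OpenAM filter did not authenticate this request. Do not let a
            // client-supplied header travel on to Alfresco: stop here.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Replace the header with the trusted principal name and continue the chain.
        chain.doFilter(new HeaderOverridingRequest(request, headerName, principal.getName()), response);
    }

    @Override
    public void destroy() { }

    /** Request wrapper that pins one header to a trusted value regardless of what the client sent. */
    static final class HeaderOverridingRequest extends HttpServletRequestWrapper {
        private final String name;
        private final String value;

        HeaderOverridingRequest(HttpServletRequest request, String name, String value) {
            super(request);
            this.name = name;
            this.value = value;
        }

        @Override
        public String getHeader(String n) {
            return name.equalsIgnoreCase(n) ? value : super.getHeader(n);
        }

        @Override
        public Enumeration<String> getHeaders(String n) {
            return name.equalsIgnoreCase(n)
                    ? Collections.enumeration(Collections.singletonList(value))
                    : super.getHeaders(n);
        }

        @Override
        public Enumeration<String> getHeaderNames() {
            // Expose every original header except the overridden one, then add ours once.
            List<String> names = new ArrayList<>();
            Enumeration<String> original = super.getHeaderNames();
            while (original != null && original.hasMoreElements()) {
                String n = original.nextElement();
                if (!name.equalsIgnoreCase(n)) {
                    names.add(n);
                }
            }
            names.add(name);
            return Collections.enumeration(names);
        }
    }
}
```

Whatever sets the header (this filter, or a reverse proxy in front of Tomcat) is the only thing Alfresco can check, so the same rule applies at the network edge: strip SsoUserHeader from incoming client traffic before it reaches the container, and make sure the Alfresco and Share ports are not reachable except through that path.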



seemach1
Champ in-the-making
Hi Gopal,

Were you able to get this working?  We have 4.0d and are looking to implement with our SSO solution.

Thanks,

Chris

bonker2121
Champ in-the-making
I got external SSO with OpenAM working using almost entirely these instructions.  Here are some of my observations that I hope will save someone else some time:

~Error 403: When an Error 403 is thrown, it means that the URL pattern used for the rules (items 'd' and 'e' in smcardle's instructions above) is not formatted correctly.
~Alfresco login: If you see the Alfresco login screen after successfully authenticating, then there is an error in the share-config-custom.xml or the global properties (most likely share-config-custom.xml).

I do what you are doing and also get the Alfresco Share login page. Can you get me the share-config-custom.xml & global properties? I set these 2 files in tomcat/shared/classes. I await your response.

jimklimov
Champ in-the-making
Hello,

I found this post and thanks for the detailed manual (I hope to try it someday soon) :)
One thing remains unclear: did you solve the issue of Alfresco's use of groups (GROUP_myGroup) in conjunction with OpenAM? Did you settle with groups being replicated from OpenAM (or directly from LDAP, like its OpenDJ) into Alfresco, or did you do something else?

Thanks,
//Jim Klimov

cyr
Champ in-the-making
I have been trying to set up SSO in Alfresco with no success. I used OpenAM and CAS, but it didn't work. Can someone help me to integrate SSO in Alfresco?
Thanx

ameny
Champ in-the-making
Hi,
I use almost entirely these instructions. When I enter the URL http://:/share into the browser address bar I am redirected to the OpenAM application and I log in successfully, but I still have this Error 403.
Can anybody help me to resolve this error?

Thanks

paulm
Champ in-the-making
Thanks a lot smcardle, your steps were very helpful! However, I had problems with step 1.l. The uid didn't work for me. I used the mail attribute instead since that's what we use as the userid in Alfresco.

As for maintaining group memberships, we sync users and groups from ldap into alfresco.

jainmcs03
Champ in-the-making
Hi ALL,

I set up all necessary changes and authentication is working fine with the 'admin' user defined in OpenAM, but I am getting the error below, redirecting to the error page (:8080/share/error500.jsp). The error screen gives the three reasons below. Please advise.

    You have attempted to access a page that does not exist - check the URL in the address bar.
    You have attempted to access a page that is not accessible to you, such as a private Site dashboard.
    A valid page has been requested but the server was unable to render it due to an internal error - contact your administrator.


Log:

2014-12-23 09:09:17,700  ERROR [alfresco.web.site] [http-bio-8080-exec-5] org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.extensions.surf.exception.WebFrameworkServiceException: Unable to process response: A JSONObject text must begin with '{' at character 3
org.springframework.extensions.surf.exception.WebFrameworkServiceException: Unable to process response: A JSONObject text must begin with '{' at character 3

Regards
Jayendran


jainmcs03
Champ in-the-making
Hi ALL

I got external SSO with OpenAM working; it works fine. Now I need some details about SLO (single logout).

Regards
Jayendran