Obsolete Pages
The official documentation is at: http://docs.alfresco.com
Objective
WARNING: this kind of setup is not officially supported by Alfresco
The objective of this document is to provide instructions on how to enable the Alfresco Share Application to work with Shibboleth as the authentication subsystem. These instructions have been tested on Alfresco Community versions 3.4.d and 4.0.b.
General Environment Setup Relevant to User Authentication
An Apache server sits in front, receiving incoming web requests and forwarding them to Tomcat. A web client connects over HTTPS to https://yourdomainname/, and mod_proxy forwards the request over the AJP protocol to the internal Tomcat application server (which hosts the Alfresco Share application), listening on port 8009 on localhost.
Apache
We start with a virtual host running on port 80 on Apache and will work our way up to SSL later. In the Apache configuration (httpd.conf) below, Apache acts as the receptionist that intercepts web requests and forwards them to Tomcat using the ProxyPass and ProxyPassReverse directives.
<VirtualHost *:80>
DocumentRoot '/home/alfresco/apps/httpd-2.2.17/htdocs'
ServerName <yourdomainname.com>
UseCanonicalName On
ErrorLog '/home/alfresco/apps/httpd-2.2.17/logs/error_log'
TransferLog '/home/alfresco/apps/httpd-2.2.17/logs/access_log'
ProxyRequests Off
RewriteEngine On
# Alfresco Explorer
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
# Alfresco Share
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share
</VirtualHost>
Edit tomcat/conf/server.xml to enable the AJP connector. Setting tomcatAuthentication="false" makes Tomcat trust the remote user name supplied by the proxy, so the AJP connector must be reachable only from Apache on the same host (bind it with address="127.0.0.1" and never expose port 8009 beyond localhost).
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
SSL Certificate
Create a self-signed SSL certificate:
openssl genrsa -des3 -out server.key 2048 (generate the private key)
openssl req -new -key server.key -out server.csr (create the certificate signing request, CSR)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt (sign your CSR; the -out option writes the certificate to server.crt instead of stdout)
cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
(remove the passphrase from your private key so that Apache does not prompt for a password when the Apache service is restarted)
Edit the Apache configuration (httpd.conf) to include the information for your SSL certificate. The SSLCertificateChainFile and SSLCACertificateFile directives may be needed with certificates obtained from a commercial certificate authority such as DigiCert.
<VirtualHost _default_:443>
DocumentRoot '/your_apache_path/htdocs'
ServerName <yourdomainname.com>
UseCanonicalName On
ErrorLog '/your_apache_path/logs/error_log'
TransferLog '/your_apache_path/logs/access_log'
SSLEngine on
SSLCipherSuite HIGH
SSLCertificateFile '/your_apache_path/conf/yourdomainname.crt'
SSLCertificateKeyFile '/your_apache_path/conf/yourdomainname.key'
ProxyRequests Off
RewriteEngine On
# Alfresco Explorer
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
# Share
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share
</VirtualHost>
Shibboleth Authentication
After you have installed Shibboleth, make a copy of shibboleth2.xml before you make the following edits, in case you need to revert to a clean copy.
<RequestMapper type='Native'>
<RequestMap applicationId='default'>
<!-- The example requires a session for documents in /secure on the containing host with http and https on the default ports. -->
<!-- Note that the name and port in the <Host> elements MUST match Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element below. -->
<Host name='yourdomainname.com'>
<Path name='/' authType='shibboleth' requireSession='true'/>
</Host>
</RequestMap>
</RequestMapper>
<ApplicationDefaults id='default' policyId='default'
entityID='https://yourdomainname.com/'
homeURL='https://yourdomainname.com/'
REMOTE_USER='your_persistent_id'
signing='false' encryption='false'
>
In attribute-map.xml, ensure that the attribute you named in REMOTE_USER (your_persistent_id) is mapped, so that it is released by Shibboleth upon successful authentication.
Then hook Shibboleth up to Apache by editing the Apache configuration file (httpd.conf).
LoadModule mod_shib /shibb_path/mod_shib_22.so
<VirtualHost _default_:443>
DocumentRoot '/your_apache_path/htdocs'
ServerName <yourdomainname.com>
UseCanonicalName On
ErrorLog '/your_apache_path/logs/error_log'
TransferLog '/your_apache_path/logs/access_log'
SSLEngine on
SSLCipherSuite HIGH
SSLCertificateFile '/your_apache_path/conf/yourdomainname.crt'
SSLCertificateKeyFile '/your_apache_path/conf/yourdomainname.key'
SSLCertificateChainFile '/your_apache_path/conf/DigiCertCA.crt'
SSLCACertificateFile '/your_apache_path/conf/DigiCertCA.crt'
ProxyRequests Off
<Location />
AuthType shibboleth
ShibRequireSession On
require valid-user
</Location>
# Alfresco Explorer
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
# Share
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share
</VirtualHost>
Alfresco External Authentication
To enable external authentication, include the following in tomcat/shared/classes/alfresco-global.properties. Leaving external.authentication.proxyUserName empty tells the external subsystem to take the user name from the remote user of the request (which the AJP connector passes through), rather than from a header sent by a trusted proxy user.
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
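The setup above only works safely if every link in the chain is configured consistently: Apache must protect the whole site with Shibboleth and proxy only to a local AJP port, Tomcat must accept the proxied remote user only from loopback, and Alfresco must have the external subsystem in its chain with an empty proxyUserName. The following audit script is an added example (not part of this page or of Alfresco) that checks those three files; the sample inputs are constructed from the snippets on this page.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs mirroring the page's snippets (not real deployment files).
SERVER_XML = """<Server><Service>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
</Service></Server>"""
GLOBAL_PROPERTIES = """authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
"""
HTTPD_CONF = """<VirtualHost _default_:443>
<Location />
AuthType shibboleth
ShibRequireSession On
require valid-user
</Location>
ProxyPass /share ajp://127.0.0.1:8009/share
</VirtualHost>"""
LOOPBACK = ("127.0.0.1", "::1", "[::1]", "localhost")

def audit_ajp_connector(server_xml):
    """Flag AJP connectors that trust the proxy's REMOTE_USER but accept non-local connections."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        trusts_proxy = conn.get("tomcatAuthentication", "true").lower() == "false"
        if trusts_proxy and conn.get("address", "") not in LOOPBACK:
            findings.append("AJP connector on port %s trusts REMOTE_USER but is not bound to loopback" % conn.get("port"))
    return findings

def audit_alfresco_properties(text):
    """Check that the external subsystem is in the chain and reads the user from the AJP request."""
    props = dict((k.strip(), v.strip()) for k, v in
                 (line.split("=", 1) for line in text.splitlines() if "=" in line))
    findings = []
    if ":external" not in props.get("authentication.chain", ""):
        findings.append("authentication.chain does not include the external subsystem")
    if props.get("external.authentication.proxyUserName") != "":
        findings.append("proxyUserName is not empty: the user would come from a header, not from the AJP remote user")
    return findings

def audit_httpd_conf(text):
    """Check that the whole site is behind Shibboleth and proxied only to a local AJP port."""
    findings = []
    if not re.search(r"<Location />.*?AuthType\s+shibboleth.*?require\s+valid-user.*?</Location>", text, re.S | re.I):
        findings.append("no Shibboleth-protected <Location /> with 'require valid-user'")
    for host in re.findall(r"ProxyPass\s+\S+\s+ajp://([^:/\s]+)", text):
        if host not in LOOPBACK:
            findings.append("ProxyPass forwards to a non-local AJP host: %s" % host)
    return findings
```

Run against the page's own connector line, the script reports that the AJP connector is not bound to loopback, which is exactly the gap a practitioner should close before going live.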
Alfresco Share SSO
Here comes the trickiest part of getting the Share application to work with Shibboleth. Since Share is a separate web application from the main Alfresco Explorer/repository WAR file and has no knowledge of the user authenticated to Alfresco Explorer, we need to enable SSO authentication via share-config-custom.xml. Share makes web service calls over HTTP(S) to obtain information about the authenticated user from the configured Alfresco repository.
As explained in http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/tasks/share-change-port.html, uncomment both sections in tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.
Start Apache, Shibboleth, and Alfresco and hope for the best. You might also need to reboot.
Diagnostic
Once Shibboleth is working properly, there are two ways to view Shibboleth attributes.
1) Download snoop.jsp (provide link to file to be downloaded) and place it in tomcat/alfresco/, and download HTMLfilter.class (provide link to file to be downloaded) and put it under tomcat/webapps/alfresco/WEB-INF/classes/util/. Once you have done this, you can view the Shibboleth attributes via:
https://yourdomainname/alfresco/snoop.jsp
2) You can also view the Shibboleth status and session attributes via the following URLs:
http://yourdomainname/Shibboleth.sso/Status
http://yourdomainname/Shibboleth.sso/Session
Note that the Status handler is restricted by an acl to localhost in the default shibboleth2.xml, so it is normally only reachable from the server itself.