11-23-2021 04:16 AM
Hi,
GOAL OF MY QUESTION:
I want to set up an SSO mechanism with my Alfresco configuration.
I'm using the LDAP protocol for synchronization and authentication.
The thing is that I don't have the right, for the moment, to modify the server's configuration, so I can only modify Alfresco's files.
I want to know if my alfresco-global.properties and share-config-custom.xml files are correct regarding the configuration of SSO with LDAP.
INFOS ABOUT MY SETUP:
Aside from the following errors, which indicate that I don't have a certain .p12 file in Alfresco:
2021-11-17 10:41:51,665 WARN [extensions.config.RemoteConfigElement] [http-nio-8080-exec-1] No SSL Truststore was configured.
2021-11-17 10:41:51,665 WARN [extensions.config.RemoteConfigElement] [http-nio-8080-exec-1] Custom SSL socket factory was not configured, as there was no Keystore or Truststore.
2021-11-17 10:41:04,254 ERROR [extensions.config.RemoteConfigElement] [localhost-startStop-1] java.io.FileNotFoundException: alfresco/web-extension/alfresco-system.p12 (No such file or directory)
The strategy of connection is the first scenario (as described in this doc).
That is the direct approach for wiring Alfresco Share. Synchronisation and authentication with the LDAP subsystem alone work correctly.
But when I use the external subsystem I can't get an automatic login for a user already authenticated on their Windows session, let's say.
Program versions:
WHAT I TRIED:
- Delete all traces of Kerberos in the share-config-custom.xml file, but no progress.
- In the <config evaluator="string-compare" condition="Remote"> section of the share-config-custom.xml file, comment out the parts
where the Alfresco Cookie connector is mentioned and all other endpoints except the alfresco endpoint, but no progress made here.
- Change the LDAP sync to false and see what happens.
- In share-config-custom.xml file tried to delete the <ssl-config> part but SSO still doesn't work.
- In share-config-custom.xml file tried to add the endpoint alfresco-noauth but still doesn't work.
- In the server.xml file in the /opt/tomcat/conf folder, I tried to add the tomcatAuthentication="false" option to
<Connector port="8009" protocol="AJP/1.3" connectionTimeout="10000" keepAliveTimeout="10000"/>
but SSO still doesn't work.
- I tried things from that site.
- I am aware of this post.
But I want to know if everything concerning Alfresco is OK before modifying the CAS server and the apache server.
RESOURCES:
I trimmed a lot of comments in those files to stay within the 20,000 character limit.
Here is my alfresco-global.properties file:
#############################################################
################ Alfresco 6.2 Properties ####################
#############################################################

# location of the alf_data folder (it's the relational database of Alfresco)
dir.root=/GAT

# keystore location
dir.keystore=/opt/alfresco/alf_data/keystore

#-------------------------------#
# Database connection properties#
#-------------------------------#
db.name=XXXXXXXX
db.username=XXXXXX
db.password=XXXXXX
db.host=XXXXXXXXX
db.port=XXXXXXXXX

#------------------#
# ORACLE connection#
#------------------#
db.driver=oracle.jdbc.OracleDriver
db.url=XXXXXXX

#-------------------------------------------------------------#
# URL Generation Parameters                                   #
#-------------------------------------------------------------#
# The ${localname} token is replaced by the local server name
alfresco.context=alfresco
alfresco.host=XXXXXXX
alfresco.port=XXXXXXX
alfresco.protocol=https

#-----------------#
# Share Parameters#
#-----------------#
share.context=share
share.host=XXXXX
share.port=XXXX
share.protocol=https
system.serverMode=TEST

#----------------#
# Solr Parameters#
#----------------#
index.subsystem.name=solr6
solr.secureComms=none
solr.port=XXXXXX
alfresco-pdf-renderer.root=/opt/alfresco/alfresco-pdf-renderer
alfresco-pdf-renderer.exe=${alfresco-pdf-renderer.root}/alfresco-pdf-renderer

#-----------------------#
# Cluster Configuration #
#-----------------------#
alfresco.cluster.enabled=true
# port dedicated to hazelcast test
alfresco.hazelcast.port=XXXXXXXXXX
alfresco.hazelcast.password=XXXXXXXXXX
# force the network interface to use to contact the other members of the cluster
alfresco.cluster.interface=XXXXXXXXXX
#alfresco.hazelcast.max.no.heartbeat.seconds=30

#------------------------#
# Grand Angle Parameters #
#------------------------#
atolcd.gda.exportXml.version=7.0P1

# Enable auth popup (for CMIS), disable this option when using ADF
alfresco.restApi.basicAuthScheme=true
heartbeat.enabled=false

#--------------#
# CSRF filters #
#--------------#
csrf.filter.enabled=false
csrf.filter.referer=XXXXXXXXXXXXX
csrf.filter.referer.always=false
csrf.filter.origin=XXXXXXXXXXXXXXXXX
csrf.filter.origin.always=false

#-----------------------#
# Authentication Chain  #
#-----------------------#
# Chain of subsystems used in this order: external (the CAS), ldap-ad (LDAP protocol) and alfrescoNtlm (the default)
authentication.chain=authCAS:external,protocolLDAP:ldap-ad,alfrescoNtlm1:alfrescoNtlm

#--------------------#
# External Subsystem #
#--------------------#
# true to activate external, false to deactivate
external.authentication.enabled=true
external.authentication.proxyUserName=
# Add all admins that must have access to the SSO
external.authentication.defaultAdministratorUserNames=admin
# Name of the HTTP header that carries the name of a proxied user. Default is X-Alfresco-Remote-User
external.authentication.proxyHeader=X-Alfresco-Remote-User

#----------------#
# LDAP Subsystem #
#----------------#
##### Authentication properties #####
# Activate LDAP for authentication
ldap.authentication.active=true
ldap.authentication.userNameFormat=XXXXXXXXXXXXXXx
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=XXXXXXXXXXXXXXX
ldap.authentication.java.naming.security.authentication=simple
# Escape commas in the user ID
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
# Default administrator user name
ldap.authentication.defaultAdministratorUserNames=admin

##### Synchronization properties #####
# True to use synchronization, false for the LDAP protocol to be used only for authentication
ldap.synchronization.active=true
# LDAP admin user's credentials: #
ldap.synchronization.java.naming.security.principal=XXXXXXXXXX
ldap.synchronization.java.naming.security.credentials=XXXXXXXXXXX
# Last update time of a group or user
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
# Default home folder for people created using LDAP import.
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# LDAP Groups properties: #
ldap.synchronization.groupQuery=(objectclass\=group)
# The Distinguished Name (DN, it could be the name of a user) of the Organizational Unit (OU) below which security groups can be found
ldap.synchronization.groupSearchBase=XXXXXXXXXXXXXXXX
ldap.synchronization.groupType=group
# Attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member
# Attribute on LDAP group objects to map to group name
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group))

# LDAP Users properties: #
# The DN of the OU below which user accounts can be found
ldap.synchronization.userSearchBase=XXXXXXXXXXXXXXXXX
# Person type in LDAP
ldap.synchronization.personType=user
# Attributes on LDAP user objects
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
# User query options
ldap.synchronization.personQuery=XXXXXXXXXXXXXX
ldap.synchronization.personDifferentialQuery=XXXXXXXXXXXXXX
Here is my share-config-custom.xml file:
<alfresco-config>
   <!-- Global config section -->
   <config replace="true">
      <flags>
         <client-debug>false</client-debug>
         <client-debug-autologging>false</client-debug-autologging>
      </flags>
   </config>

   <config evaluator="string-compare" condition="WebFramework">
      <web-framework>
         <autowire>
            <mode>production</mode>
         </autowire>
         <module-deployment>
            <mode>manual</mode>
            <enable-auto-deploy-modules>true</enable-auto-deploy-modules>
         </module-deployment>
      </web-framework>
   </config>

   <!-- Disable the CSRF Token Filter -->
   <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
      <filter/>
   </config>

   <config evaluator="string-compare" condition="Replication">
      <share-urls>
      </share-urls>
   </config>

   <!-- Document Library config section -->
   <config evaluator="string-compare" condition="DocumentLibrary" replace="true">
      <tree>
         <evaluate-child-folders>false</evaluate-child-folders>
         <maximum-folder-count>1000</maximum-folder-count>
         <timeout>7000</timeout>
      </tree>
      <aspects>
         <!-- Aspects that a user can see -->
         <visible>
            <aspect name="cm:generalclassifiable" />
            <aspect name="cm:complianceable" />
            <aspect name="cm:dublincore" />
            <aspect name="cm:effectivity" />
            <aspect name="cm:summarizable" />
            <aspect name="cm:versionable" />
            <aspect name="cm:templatable" />
            <aspect name="cm:emailed" />
            <aspect name="emailserver:aliasable" />
            <aspect name="cm:taggable" />
            <aspect name="app:inlineeditable" />
            <aspect name="cm:geographic" />
            <aspect name="exif:exif" />
            <aspect name="audio:audio" />
            <aspect name="cm:indexControl" />
            <aspect name="dp:restrictable" />
            <aspect name="smf:customConfigSmartFolder" />
            <aspect name="smf:systemConfigSmartFolder" />
         </visible>
         <!-- Aspects that a user can add. Same as "visible" if left empty -->
         <addable>
         </addable>
         <!-- Aspects that a user can remove. Same as "visible" if left empty -->
         <removeable>
         </removeable>
      </aspects>
      <types>
         <type name="cm:content">
            <subtype name="smf:smartFolderTemplate" />
         </type>
         <type name="cm:folder">
         </type>
         <type name="trx:transferTarget">
            <subtype name="trx:fileTransferTarget" />
         </type>
      </types>
      <repository-url>http://localhost:8080/alfresco</repository-url>
      <google-docs>
         <enabled>false</enabled>
         <creatable-types>
            <creatable type="doc">application/vnd.openxmlformats-officedocument.wordprocessingml.document</creatable>
            <creatable type="xls">application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</creatable>
            <creatable type="ppt">application/vnd.ms-powerpoint</creatable>
         </creatable-types>
      </google-docs>
      <!-- File upload configuration -->
      <file-upload>
         <adobe-flash-enabled>true</adobe-flash-enabled>
      </file-upload>
   </config>

   <!-- Custom DocLibActions config section -->
   <config evaluator="string-compare" condition="DocLibActions">
      <actionGroups>
         <actionGroup id="document-browse">
         </actionGroup>
      </actionGroups>
   </config>

   <!-- Global folder picker config section -->
   <config evaluator="string-compare" condition="GlobalFolder">
      <siteTree>
         <container type="cm:folder">
            <!-- Use a specific label for this container type in the tree -->
            <rootLabel>location.path.documents</rootLabel>
            <!-- Use a specific uri to retrieve the child nodes for this container type in the tree -->
            <uri>slingshot/doclib/treenode/site/{site}/{container}{path}?children={evaluateChildFoldersSite}&amp;max={maximumFolderCountSite}</uri>
         </container>
      </siteTree>
   </config>

   <!-- Repository Library config section -->
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <root-node>alfresco://company/home</root-node>
      <tree>
         <evaluate-child-folders>false</evaluate-child-folders>
         <maximum-folder-count>500</maximum-folder-count>
      </tree>
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>
         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication. This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
   </config>

   <config evaluator="string-compare" condition="Users" replace="true">
      <users>
         <!-- minimum length for username and password -->
         <username-min-length>2</username-min-length>
         <password-min-length>3</password-min-length>
         <show-authorization-status>true</show-authorization-status>
      </users>
      <!-- This enables/disables the Add External Users Panel on the Add Users page. -->
      <enable-external-users-panel>false</enable-external-users-panel>
   </config>

   <!-- CAS and SSO part -->
   <!-- See if we need to use cookie session based endpoint
        location of the file: /opt/alfresco/shared/classes/alfresco/web-extension -->
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <ssl-config>
            <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
            <keystore-type>pkcs12</keystore-type>
            <keystore-password>alfresco-system</keystore-password>
            <!--
            <truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
            <truststore-type>JCEKS</truststore-type>
            <truststore-password>password</truststore-password>
            -->
            <verify-hostname>true</verify-hostname>
         </ssl-config>
         <!--
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         -->
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader>
         </connector>
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://XXXXXXXXXXX:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         <!--
         <endpoint>
            <id>alfresco-feed</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://XXXXXXXXXXXXX:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication. This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://XXXXXXXXXXXX:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         -->
      </remote>
   </config>
</alfresco-config>
Thanks for your help.
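As an added example (not the poster's files and not Alfresco's own tooling), a small Python check that cross-reads the two files the way a reviewer would before touching the CAS or Apache side: it confirms the external subsystem is in the chain and enabled, that the Share connector's userHeader matches the repository's proxyHeader, and that the alfresco endpoint carries external-auth. It also flags an empty external.authentication.proxyUserName, because the repository then trusts that header on every request and must only be reachable through the SSO proxy. The embedded samples are constructed to mirror the post's settings, with a placeholder host.

```python
import xml.etree.ElementTree as ET
# Constructed samples mirroring the post's settings (placeholder host).
PROPS = """
authentication.chain=authCAS:external,protocolLDAP:ldap-ad,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
"""
SHARE_XML = """<alfresco-config>
 <config evaluator="string-compare" condition="Remote"><remote>
  <connector><id>alfrescoHeader</id><userHeader>X-Alfresco-Remote-User</userHeader></connector>
  <endpoint><id>alfresco</id><connector-id>alfrescoHeader</connector-id>
   <endpoint-url>http://repo.example:8080/alfresco/wcs</endpoint-url>
   <external-auth>true</external-auth></endpoint>
 </remote></config></alfresco-config>"""

def parse_props(text):
    """Minimal key=value parser for alfresco-global.properties (no continuation lines)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out

def check_sso(props_text, share_xml):
    """Return a list of findings; an empty list means the two files agree."""
    p = parse_props(props_text)
    findings = []
    if ":external" not in p.get("authentication.chain", ""):
        findings.append("ERROR authentication.chain has no external subsystem")
    if p.get("external.authentication.enabled") != "true":
        findings.append("ERROR external.authentication.enabled is not true")
    if p.get("external.authentication.proxyUserName", "") == "":
        # Empty proxyUserName: the header is trusted on every request, so the
        # repository port must be reachable only through the SSO proxy.
        findings.append("WARN proxyUserName empty: restrict direct access to the repository")
    root = ET.fromstring(share_xml)
    headers = {c.findtext("id"): c.findtext("userHeader") for c in root.iter("connector")}
    for ep in root.iter("endpoint"):
        if ep.findtext("id") != "alfresco":
            continue
        if ep.findtext("external-auth") != "true":
            findings.append("ERROR endpoint 'alfresco' lacks <external-auth>true</external-auth>")
        hdr = headers.get(ep.findtext("connector-id"))
        if hdr != p.get("external.authentication.proxyHeader"):
            findings.append(f"ERROR Share userHeader {hdr!r} != repository proxyHeader")
    return findings
```

Run it against the real files by reading them into the two arguments; the sample input above yields only the proxyUserName warning.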
11-26-2021 08:59 AM
Hi,
I have done some more investigation on implementing SSO with our CAS server in Alfresco.
It seems that the CAS protocol V3 and higher is no longer compatible with Alfresco (correct me if I'm wrong). The usage of subsystems like external seems to be obsolete now. I have heard about the Identity Services using OAuth2 or OpenID Connect. Does anyone have a tutorial that I could use to implement SSO with my CAS server on Alfresco with those programs (OAuth2, OpenID Connect)? Nothing seems to show up in the docs, or at least not enough for me to understand what I'm supposed to do.
Thanks