Alfresco integration with azure AD for user/group sync

Not applicable

Hello everyone,

We need to integrate Alfresco with Azure AD for user/group synchronization and authentication. Just wondering if anyone has had a similar requirement and whether it was possible to do so. Basically I am trying to find answers for:

1) If it is possible to sync users and groups from Azure AD to Alfresco similar to what is possible with on-premise AD.

2) If it is possible to configure Azure AD authentication with Alfresco.

There is not much I can find on the internet about this. I came across the following URL:

https://azuremarketplace.microsoft.com/en-in/marketplace/apps/aad.alfresco?tab=Overview

"GET IT NOW" button takes me to page:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on 

As Alfresco supports SAML it may be possible to configure SAML-based SSO with Azure AD, but I am not able to find any documentation specific to Alfresco.

Best regards,

Rajesh

1 ACCEPTED ANSWER

afaust
Legendary Innovator

You can use Azure AD just like an on-prem AD. The only thing you'd need to do is enable LDAPS access to your Azure AD, which is not enabled by default. Check the appropriate Azure docs for enabling LDAPS.

With Alfresco Enterprise you can set up SAML authentication with Azure AD easily. I have this running at a local customer who uses Azure AD to handle external users. Note that even without SAML as SSO, you can already authenticate against Azure once you have configured the LDAP-AD integration.

10 REPLIES

Not applicable

Thanks a lot Axel. Now that we have confirmation that it is possible, we will figure out the next steps.

Not applicable

Hello Axel,

We are finally able to configure user and group sync from Azure AD. We are also able to set up SAML authentication against an Azure AD enterprise application.

But we are having slight trouble when a user tries to log out. We have configured the IdP service URLs as follows in the Alfresco Admin Console page:

  • IdP Authentication Request Service URL (SingleSignOnService Location from Azure AD metadata file)
  • IdP Single Logout Request Service URL (SingleLogoutService Location from Azure AD metadata file)
  • IdP Single Logout Response Service URL (SingleLogoutService Location from Azure AD metadata file)

We have an identical URL for all three fields in the metadata file. After logout it redirects the user to

And after clicking the "Back to My Dashboard" button it takes the user to the user dashboard page without any login.

I am not sure if we are missing some configuration here, but it seems logout is not really happening. Also, can we somehow avoid the Share error page?

Best regards,

Rajesh

afaust
Legendary Innovator

I remember hitting a similar error when we set this up at a customer, and it turned out we just had a configuration error in Azure config + Alfresco SAML config. Unfortunately I can't remember specifically what our mistake was, but you should check again if all the SAML login / logout URLs have been configured correctly both in Azure and Alfresco.

Not applicable

Thanks a lot Axel. After checking carefully we found the following in share.log:

2019-03-05 13:59:00,062 ERROR [org.alfresco.web.site] [http-apr-8080-exec-3] javax.servlet.ServletException: SAML LogoutResponse must be submitted using POST

It is a rather obvious exception: after a successful logout, Azure AD sends the logout response to the Share logout URL, but it should have been done using the POST binding. Unfortunately I am not able to figure out any way in Azure AD to specify the POST binding. Just hoping this gives you some hint to remember how you overcame this issue 🙂
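
Added example (not code from this thread, from Alfresco or from Microsoft) covering both the three IdP endpoint URLs listed in the earlier post and the share.log exception above. It parses a constructed IdP metadata document to list which Binding each SingleSignOnService/SingleLogoutService entry declares (the Location can be identical for all three while the bindings differ), encodes a LogoutResponse the way the HTTP-Redirect and HTTP-POST bindings each carry it, and models an SP logout endpoint that, like Share in the log line, only accepts the POST form. The tenant ID, the `share.example.com` Destination path, the LogoutResponse and the metadata's Binding values are all constructed placeholders and assumptions; compare the bindings with the SingleLogoutService element in your own tenant's metadata file.

```python
"""Constructed example: which binding an IdP declares for logout, and what an SP
that insists on HTTP-POST does with a LogoutResponse that arrives by HTTP-Redirect."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata in the shape of an Azure AD export (placeholder tenant ID,
# all three endpoints at the same Location, as in the thread). The Binding values are
# an assumption: compare them with your own tenant's metadata file.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed, unsigned LogoutResponse; the Destination host and path are placeholders.
LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2019-03-05T13:59:00Z" InResponseTo="_req1"
    Destination="https://share.example.com/share/page/saml-logoutresponse">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""


def idp_endpoints(metadata_xml):
    """Map (service, binding) -> Location for every SSO/SLO endpoint in the metadata."""
    root = ET.fromstring(metadata_xml)
    return {(svc, el.get("Binding")): el.get("Location")
            for svc in ("SingleSignOnService", "SingleLogoutService")
            for el in root.iterfind(f".//md:{svc}", NS)}


def slo_post_supported(metadata_xml):
    """True only if the IdP declares a SingleLogoutService with the HTTP-POST binding."""
    return ("SingleLogoutService", POST) in idp_endpoints(metadata_xml)


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded in the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return "?" + urlencode({"SAMLResponse": base64.b64encode(deflated).decode()})


def encode_post(xml_text):
    """HTTP-POST binding: plain base64 in a form field of an auto-submitting HTML form."""
    return {"SAMLResponse": base64.b64encode(xml_text.encode()).decode()}


def receive_logout_response(method, query="", form=None, require_post=True):
    """Model of an SP logout-response endpoint. Returns (binding, StatusCode value),
    or raises ValueError for a GET when only the POST binding is accepted."""
    if method == "POST":
        xml_text = base64.b64decode(form["SAMLResponse"]).decode()
        binding = POST
    elif method == "GET":
        if require_post:
            raise ValueError("SAML LogoutResponse must be submitted using POST")
        raw = parse_qs(query.lstrip("?"))["SAMLResponse"][0]
        xml_text = zlib.decompress(base64.b64decode(raw), -15).decode()
        binding = REDIRECT
    else:
        raise ValueError(f"unsupported method {method}")
    root = ET.fromstring(xml_text)
    return binding, root.find("samlp:Status/samlp:StatusCode", NS).get("Value")


def simulate_idp_logout(metadata_xml, xml_text):
    """The IdP answers with whichever SLO binding its metadata declares; return what the
    POST-only SP makes of it: (binding, status) on success, ("rejected", reason) otherwise."""
    if slo_post_supported(metadata_xml):
        return receive_logout_response("POST", form=encode_post(xml_text))
    try:
        return receive_logout_response("GET", query=encode_redirect(xml_text))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for (svc, binding), loc in idp_endpoints(IDP_METADATA).items():
        print(f"{svc:20} {binding.rsplit(':', 1)[1]:14} {loc}")
    print(simulate_idp_logout(IDP_METADATA, LOGOUT_RESPONSE))
```

The check this makes concrete: the Alfresco fields only take a Location, so pasting the same URL into all three does not influence which binding the IdP uses for its LogoutResponse; that is fixed by the Binding attribute on the SingleLogoutService element in the IdP metadata, and if the IdP declares only HTTP-Redirect there, a POST-only SP endpoint will reject every logout response exactly as in the log line. Two things the model leaves out that a real SP must do: verify the signature (for Redirect it covers the query string, for POST the XML document), and invalidate its own session before, not after, it evaluates the IdP's response. A dashboard that stays reachable after the error page is what you would expect when the local session is only dropped once the LogoutResponse has been accepted.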

sunnyoswal
Champ on-the-rise

Rajesh Jha, we are blocked with the same issue you summarized. Were you able to fix the issue?

Not applicable

Unfortunately not. We still have the issue with logout.

sunnyoswal
Champ on-the-rise

Oh. If you don't mind answering, could you tell me whether you still went with the Azure AD SSO flow implementation, and what workarounds you have in place for this logout issue?

Hi, we are looking into this method now for SAML SSO with Azure AD and MFA. Wondering if any of the previous commenters from 2019 ever solved the problem with the logout issue. Thank you!