
How to make SSO work?

janmussche
Champ on-the-rise

Hi all,

 

I've been working on setting up Alfresco for the last 3 weeks and although the program itself works fine, I cannot get SSO to work. The situation is like this:

We have a Windows AD where everyone in our company is situated.

I have installed the Community Edition onto an Ubuntu 16.04 server in a virtual machine, using this installation file: alfresco-community-installer-201707-linux-x64.bin.

I can log in as administrator on the webpage and do all necessary things. Login with my own credentials, located in the AD, works. In other words the credentials stored in the AD are used. There are no local users in Alfresco.

 

What we want is an SSO where everyone logged in to his computer with the AD credentials automatically will be logged in to the webpage without having to type his name and password again. We don't want to see the Alfresco login page.

 

As I wrote I have been working on this for several weeks already, reading a 1001 webpages, both the Alfresco documentation pages as well as foreign pages where people write they managed to do this. Everywhere the info is different and whatever I try, it doesn't work.

 

Can somebody here please explain in a step-by-step way what I need to do after having installed Alfresco to make SSO work? Don't point me to webpages for info please, I have seen too many of those already, just tell me here:

step 1:   this

step 2:    that

and so on.

I know I am asking a lot but after working all these weeks and still not having success I need help.

 

What do I need to do, both in Alfresco and in the AD to make it work? Please help.

 

Thank you for your understanding and help.

 

Jan.

13 REPLIES

To configure SSO (which is the way of avoiding the login screen) you need to use Kerberos. This is the right approach.

Configuring Kerberos is well documented and available as part of the Alfresco official documentation: Configuring Kerberos | Alfresco Documentation  

Hyland Developer Evangelist

Now I am lost:

Martin writes:

You say you can login with the AD credentials - so SSO is working. You also want  "auto login" on share?

You write:

To configure SSO (which is the way of avoiding the login screen)

What does SSO mean? When it is configured in the right way do I still get the login screen or not? That is what I want, or better it is what the users want.

mehe
Elite Collaborator

SSO means you have to log in at a single point and have, in the best case, only one source for your credentials. The source is your AD.

Now you imported all your users to alfresco with the ldap sync - your users are known to alfresco now. 

In your authentication chain you have configured alfrescoNTLM, which allows you to login with local alfresco users like admin or guest and ldap-ad which hands over the authentication for all users that are no alfresco internal users to your AD.

That's why you are able to login with your AD users (looks like you are using ldap authentication now).

But like Angel said, you don't have a mechanism that allows to automatically login or enables Alfresco to know that you are already authorized. You need either "NTLM" which enables your Browser to "login" (sends ntlm credentials) to share or Kerberos, that is handling authorization via tickets.

Using NTLM you would have to use (I think) also passthru1:passthru in the authentication chain and ntlm.authentication.sso.enabled=true and tell Alfresco which server to use for passthru: passthru.authentication.servers=YOUR_AD_SERVER

Also tell your client OS that it is OK to use NTLMv1. In Windows:

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa] "LmCompatibilityLevel"=dword:00000001

If using Firefox as browser you also have to use about:config and set
network.automatic-ntlm-auth.trusted-uris=YOUR_ALFRESCO_SERVER_HTTP

for NTLM and 

network.negotiate-auth.trusted-uris=YOUR_ALFRESCO_SERVER_HTTP

for Kerberos.

For Kerberos, you have to prepare your AD and Alfresco using the vast information under the link Angel provided (Configuring Kerberos | Alfresco Documentation) which shows the needed steps:

Enabling Kerberos authentication

Use this information to enable and configure Kerberos authentication in Alfresco Community Edition 5.2.

You don't have kerberos in your authentication chain - seems that you haven't used the docs...

AND: you'd have to configure share-config-custom.xml (see the comments in this file, search for kerberos)

If you configure your Alfresco SSO with NTLM or Kerberos (which is recommended) and your clients, you won't have to login manually to share - you will be authorized automatically.
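
As an added example (not part of any reply in this thread and not Alfresco tooling), this Python check reads the text of alfresco-global.properties and reports whether the `authentication.chain` contains a member that can do browser SSO as the reply above describes: kerberos, or passthru with NTLM SSO switched on. The function names and the sample property text are constructed for illustration.

```python
# Added example: audit alfresco-global.properties text for browser SSO capability.
SSO_FLAGS = {            # chain member type -> property that switches its SSO on
    "kerberos": "kerberos.authentication.sso.enabled",
    "passthru": "ntlm.authentication.sso.enabled",
}

def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#'/'!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_sso(text):
    """Return (sso_mechanisms, findings) for the configured authentication chain."""
    props = parse_properties(text)
    chain = []
    for member in props.get("authentication.chain", "").split(","):
        if ":" in member:
            name, kind = member.strip().split(":", 1)
            chain.append((name, kind))
    mechanisms, findings = [], []
    for name, kind in chain:
        flag = SSO_FLAGS.get(kind)
        if flag is None:
            continue  # alfrescoNtlm, ldap-ad: treated here as password login only
        if props.get(flag, "false").lower() == "true":
            mechanisms.append(kind)
        else:
            findings.append(f"{name}: {flag} is not true, so no SSO from this member")
    if "ntlm.authentication.sso.enable" in props:
        findings.append("ntlm.authentication.sso.enable is misspelled (use ...sso.enabled)")
    if "passthru" in mechanisms:
        findings.append("NTLM SSO requires clients to allow NTLMv1; prefer kerberos")
    if not mechanisms:
        findings.append("no SSO-capable member enabled: users will see the login page")
    return mechanisms, findings

# Constructed samples (not from the thread): the LDAP-only state described in the
# question, and a chain with Kerberos placed first.
LDAP_ONLY = "authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad\n"
KERBEROS = ("authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad\n"
            "kerberos.authentication.sso.enabled=true\n")

if __name__ == "__main__":
    for label, sample in (("ldap only", LDAP_ONLY), ("kerberos", KERBEROS)):
        print(label, audit_sso(sample))
```
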

Veriago
Champ in-the-making

In addition, I can say that when using such technology (Active Directory and SSO) you can additionally secure the authorization system through ADFS SSO, which in turn makes it possible to set an additional password which is generated using one-time security tokens. With this method, ADFS authentication acts as a guarantor of 2FA protection.