cancel
Showing results for 
Search instead for 
Did you mean: 

How to set up Share with Identity Services?

ukdavo
Champ in-the-making
Champ in-the-making

I understand that Share 6.2 features integration with Identity Service. The documentation seems to be a bit light on this. Has anyone got this to work?

I've been able to get APS to work with Identity Service (using OpenLDAP). This seems to be fairly straightforward.

I believe that I should be able to use the SAML connector to connect to Identity Service. Does anyone have an example of the required configuration (saml.properties, Identity Service config, etc)?

One last thing. Am I right in thinking that even if I get authentication working, I'd still have to create the users within ACS using LDAP sync if users are based in an LDAP directory or using a custom solution if users are based on a non-LDAP based provider (e.g. AWS Cognito)?

Cheers

Mark

7 REPLIES 7

afaust
Legendary Innovator
Legendary Innovator

AFAIK Alfresco Share does NOT support Alfresco Identity Service in 6.2 - at least not out-of-the-box. Only the Alfresco Repository (ACS) supports Identity Service. That's the reason I have started writing my own support via my alfresco-keycloak addon.

As for still requiring an LDAP directory: I am working on the next version of my Keycloak integration which will be able to map users from authentication requests and sync users / groups directly from Keycloak without requiring an extra setup for LDAP (assuming all users / groups are known to Keycloak in advance).

You can integrate Alfresco with Identity Service / SAML without having LDAP synchronisation. This works just fine and users would be created ad-hoc - the only downside would be that those users would not have any details, e.g. email, first and last names, set as properties.

ukdavo
Champ in-the-making
Champ in-the-making

Thanks Axel.

The info at https://docs.alfresco.com/sso/topics/saml.html seems to suggest that you can authenticate Share users via SAML against an identity provider. As Keycloak/IDS supports SAML, could we not use that as the identity provider?

Many thanks

Mark

afaust
Legendary Innovator
Legendary Innovator

Due to issues with the notifications sent out by this platform, I often get reply notices where I cannot access a link to go back to the thread in question. Though it is already half a year later, I still want to reply to this as I see this SAML question pop up regularly. The SAML module for Alfresco is an Enterprise only module, not available for Alfresco Community, and it constitutes quite a quirky (and aggressive) workaround for not having native support for Identity Services in Share. Having worked with the SAML module at one Enterprise customer, I would caution against its use - at least we had to do a couple of fixes / patches to make it work in our scenario which required a combination of SAML and Kerberos for authentication of disparate user groups, which it does not support out-of-the-box.

EddieMay
World-Class Innovator
World-Class Innovator

Hi @afaust,

Hopefully this has now been fixed - this reply should be a good test Smiley Happy 

Digital Community Manager, Alfresco Software.
Problem solved? Click Accept as Solution!

afaust
Legendary Innovator
Legendary Innovator

@EddieMay indeed - compared to a notice I got just last week, this is now workable...

unibravo
Confirmed Champ
Confirmed Champ

alfresco-global.properties

authentication.chain=identity-service-1:identity-service,alfrescoNtlm-1:alfrescoNtlm
identity-service.auth-server-url=http://acs.alf.com/auth
identity-service.enable-basic-auth=true
identity-service.realm=alfresco
identity-service.resource=alfresco

aims.enabled=true
aims.realm=alfresco
aims.resource=alfresco
aims.authServerUrl=http://acs.alf.com/auth
aims.publicClient=true
aims.sslRequired=external
aims.autodetectBearerOnly=
aims.alwaysRefreshToken=
aims.principalAttribute=sub
aims.enableBasicAuth=
aims.secret=
 
csrf.filter.referer=http://acs.alf.com
csrf.filter.origin=http://acs.alf.com/*

share-config-custom.xml

<!-- AIMS -->

<config evaluator="string-compare" condition="AIMS">
<enabled>true</enabled>
<realm>alfresco</realm>
<resource>alfresco</resource>
<authServerUrl>http://acs.alf.com/auth</authServerUrl>
<sslRequired>none</sslRequired>
<publicClient>true</publicClient>
<autodetectBearerOnly>true</autodetectBearerOnly>
<alwaysRefreshToken>true</alwaysRefreshToken>
<principalAttribute>email</principalAttribute>
<enableBasicAuth>true</enableBasicAuth>
</config>