01-19-2020 05:07 AM
I understand that Share 6.2 features integration with Identity Service. The documentation seems to be a bit light on this. Has anyone got this to work?
I've been able to get APS to work with Identity Service (using OpenLDAP). This seems to be fairly straightforward.
I believe that I should be able to use the SAML connector to connect to Identity Service. Does anyone have an example of the required configuration (saml.properties, Identity Service config, etc)?
One last thing. Am I right in thinking that even if I get authentication working, I'd still have to create the users within ACS using LDAP sync if users are based in an LDAP directory or using a custom solution if users are based on a non-LDAP based provider (e.g. AWS Cognito)?
Cheers
Mark
01-20-2020 04:08 AM
AFAIK Alfresco Share does NOT support Alfresco Identity Service in 6.2 - at least not out-of-the-box. Only the Alfresco Repository (ACS) supports Identity Service. That's the reason I have started writing my own support via my alfresco-keycloak addon.
As for still requiring an LDAP directory: I am working on the next version of my Keycloak integration which will be able to map users from authentication requests and sync users / groups directly from Keycloak without requiring an extra setup for LDAP (assuming all users / groups are known to Keycloak in advance).
You can integrate Alfresco with Identity Service / SAML without having LDAP synchronisation. This works just fine and users would be created ad-hoc - the only downside would be that those users would not have any details, e.g. email, first and last names, set as properties.
01-27-2020 07:08 AM
Thanks Axel.
The info at https://docs.alfresco.com/sso/topics/saml.html seems to suggest that you can authenticate Share users via SAML against an identity provider. As Keycloak/IDS supports SAML, could we not use that as the identity provider?
Many thanks
Mark
07-20-2020 06:08 AM
Due to issues with the notifications sent out by this platform, I often get reply notices where I cannot access a link to go back to the thread in question. Though it is already half a year later, I still want to reply to this as I see this SAML question pop up regularly. The SAML module for Alfresco is an Enterprise only module, not available for Alfresco Community, and it constitutes quite a quirky (and aggressive) workaround for not having native support for Identity Services in Share. Having worked with the SAML module at one Enterprise customer, I would caution against its use - at least we had to do a couple of fixes / patches to make it work in our scenario which required a combination of SAML and Kerberos for authentication of disparate user groups, which it does not support out-of-the-box.
07-20-2020 07:16 AM
Hi @afaust,
Hopefully this has now been fixed - this reply should be a good test
07-20-2020 07:24 AM
@EddieMay indeed - compared to a notice I got just last week, this is now workable...
05-28-2024 02:23 PM
alfresco-global.properties
05-28-2024 05:52 PM
share-config-custom.xml
<!-- AIMS -->
<config evaluator="string-compare" condition="AIMS">
<enabled>true</enabled>
<realm>alfresco</realm>
<resource>alfresco</resource>
<authServerUrl>http://acs.alf.com/auth</authServerUrl>
<sslRequired>none</sslRequired>
<publicClient>true</publicClient>
<autodetectBearerOnly>true</autodetectBearerOnly>
<alwaysRefreshToken>true</alwaysRefreshToken>
<principalAttribute>email</principalAttribute>
<enableBasicAuth>true</enableBasicAuth>
</config>
Explore our Alfresco products with the links below. Use labels to filter content by product module.