How to synchronize Alfresco users with KeyCloak? (share, not APS)

3kwagner
Champ in-the-making

Hello,

I am using Alfresco 6.1 with Share in Docker containers and want to manage users in KeyCloak only. I have already managed to create users in KeyCloak and log in with these credentials in Share. Here is my docker-compose.yml:

version: "3.7"

services:
    alfresco:
        image: alfresco/alfresco-content-repository-community:6.1.2-ga
        environment:
            JAVA_OPTS : "
                -Ddb.driver=org.postgresql.Driver
                -Ddb.username=alfresco
                -Ddb.password=alfresco
                -Ddb.url=jdbc:postgresql://postgres:5432/alfresco
                -Dsolr.host=solr6
                -Dsolr.port=8983
                -Dsolr.secureComms=none
                -Dsolr.base.url=/solr
                -Dindex.subsystem.name=solr6
                -Dshare.host=localhost
                -Dalfresco.port=8082
                -Daos.baseUrlOverwrite=http://localhost:8082/alfresco/aos
                -Dmessaging.broker.url=\"failover:(nio://activemq:61616)?timeout=3000&jms.useCompression=true\"
                -Ddeployment.method=DOCKER_COMPOSE
                -Dcsrf.filter.enabled=false
                -Xms1g -Xmx1g
                -Dauthentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm
                -Didentity-service.enable-basic-auth=true
                -Didentity-service.authentication.validation.failure.silent=false
                -Didentity-service.auth-server-url=https://mydomainforkeycloak/auth
                -Didentity-service.realm=alfresco
                -Didentity-service.resource=activiti
                -Didentity-service.public-client=true
                -Didentity-service.ssl-required=none
                "
        ports:
            - 8080 #Browser port
        restart: always

    share:
        image: alfresco/alfresco-share:6.1.0
        environment:
            - REPO_HOST=alfresco
            - REPO_PORT=8080
            - "CATALINA_OPTS= -Xms500m -Xmx500m"
        ports:
            - 8080
        restart: always
        links:
           - "alfresco:alfresco"

After login a new user is created in Alfresco, but only with its username. No email or other information is being synchronized. Furthermore, when I delete a user in KeyCloak it still exists in Alfresco.

How can I configure Alfresco to do a full sync with KeyCloak? Thank you!

1 ACCEPTED ANSWER

heiko_robert
Star Collaborator

Interesting. There seems to be no documentation about it, and I'm afraid there isn't anything like that yet; you have to use the LDAP sync and wire that up with Keycloak. It looks like with Alfresco 7 and up we need 26 containers and 12 admins to cover all the required components and knowledge to maintain that ...

If I remember right, Alfresco isn't sure about keeping users/groups/permissions in Alfresco.


2 REPLIES


afaust
Legendary Innovator

Heiko is right - there is no sync (yet) with Keycloak, and going forward, Alfresco may add something in their Alfresco Identity Service component to deal with this, albeit in a potentially non-Keycloak-standard kind of way. I have recently set up a 6.0 system with Keycloak to integrate an Azure Domain Services directory, and this included configuring the identity-service subsystem for auth and the ldap-ad subsystem for synchronization (Keycloak itself was syncing users via LDAP from Azure).

Also, Share currently does not specifically support Keycloak and SSO via OpenID Connect. Alfresco has publicly stated during the last DevCon that they are interested in adding this, and I have also been in contact with a product manager about this, but so far, nothing has materialised apart from some internal mails like "hey, Axel is interested in working with us on this, please keep him informed" (without any actual follow up / synch up).

I am considering using the existing identity-service subsystem implementation to create a minor fork as a "keycloak" subsystem which would include user/group synch using the Keycloak Rest API, since my client is considering future deployment scenarios where we might not actually have an LDAP-enabled central directory.
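For readers who want to try the split Axel describes (Keycloak for authentication, the ldap-ad subsystem for synchronization only, both pointing at the same directory), here is an alfresco-global.properties fragment. This is an added example, not configuration from this thread, from Alfresco's documentation or from any of the posters; the Keycloak host, client id, LDAP host, bind DN and search bases are placeholders that you replace with your own. Every key here is a standard repository property and can equally be passed as a -D flag in JAVA_OPTS, the way the question's docker-compose.yml does it.

```properties
# Added example (not from this thread): Keycloak authenticates, ldap-ad only syncs.
# Host names, DNs and client id are placeholders; values marked CHANGE_ME are not real.

# Order matters: Keycloak first, LDAP-AD only for sync, alfrescoNtlm keeps the local admin usable.
authentication.chain=identity-service1:identity-service,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

### identity-service (Keycloak): authentication only ###
identity-service.auth-server-url=https://keycloak.example.internal/auth
identity-service.realm=alfresco
identity-service.resource=alfresco-repo
identity-service.public-client=true
identity-service.enable-basic-auth=true
# "none" (as in the question) is only for a local test; require TLS for requests from outside
identity-service.ssl-required=external

### ldap-ad: synchronization only, never authentication ###
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=ldaps://ad.example.internal:636
ldap.synchronization.java.naming.security.authentication=simple
# read-only service account; inject the password with -D from a secret, do not commit it
ldap.synchronization.java.naming.security.principal=CN=alfresco-sync,OU=Service Accounts,DC=example,DC=internal
ldap.synchronization.java.naming.security.credentials=CHANGE_ME_READ_ONLY_BIND_PASSWORD
ldap.synchronization.userSearchBase=OU=Users,DC=example,DC=internal
ldap.synchronization.groupSearchBase=OU=Groups,DC=example,DC=internal
# the id attribute must be the one Keycloak maps to the username (usually sAMAccountName for AD),
# otherwise the synced person and the identity that logs in are two different Alfresco users
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.groupIdAttributeName=cn

### synchronization behaviour ###
synchronization.syncOnStartup=true
# full scheduled sync (not differential) so that removals in the directory are applied
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 0 * * * ?
synchronization.allowDeletions=true
# do not create an Alfresco person on first login that the sync has never seen
synchronization.autoCreatePeopleOnLogin=false
```

Two things to check after the first full sync: the person created for your test user should now carry the mail, givenName and sn attributes and belong to the ldap1 zone, and a user removed from the directory should disappear after the next scheduled run. Deletions only apply to users the sync itself imported into that zone; an account that Alfresco auto-created on a Keycloak login before the sync existed is not touched, so enable the sync before the first logins or clean those accounts up by hand. This covers the repository only; as Axel notes, it does not give Share an OpenID Connect login.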