Alfresco integration with azure AD for user/group sync

Anonymous
Former Member

Alfresco integration with azure AD for user/group sync

Hello everyone,

We need to integrate Alfresco with Azure AD for user/group synchronization and authentication. Just wondering if anyone has had a similar requirement and whether it was possible to do so. Basically I am trying to find answers to:

1) If it is possible to sync users and groups from Azure AD to Alfresco, similar to what is possible with on-premise AD.

2) If it is possible to configure Azure AD authentication with Alfresco.

There is not much I can find on the internet about this. I came across the following URL:

https://azuremarketplace.microsoft.com/en-in/marketplace/apps/aad.alfresco?tab=Overview

"GET IT NOW" button takes me to page:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on 

As Alfresco supports SAML, it may be possible to configure SAML-based SSO with Azure AD, but I am not able to find any documentation specific to Alfresco.

Best regards,

Rajesh

1 Solution

Accepted Solutions
afaust
Master

Re: Alfresco integration with azure AD for user/group sync

You can use Azure AD just like an on-prem AD. The only thing you'd need to do is enable LDAPS access to your Azure AD, which is not enabled by default. Check the appropriate Azure docs for enabling LDAPS.

With Alfresco Enterprise you can set up SAML authentication with Azure AD easily. I have this running at a local customer who uses Azure AD to handle external users. Note that even without SAML as SSO, you can already authenticate against Azure once you have configured the LDAP-AD integration.

9 Replies
Anonymous
Former Member

Re: Alfresco integration with azure AD for user/group sync

Thanks a lot Axel. Now that we have confirmation that it is possible, we will figure out the next steps.

Anonymous
Former Member

Re: Alfresco integration with azure AD for user/group sync

Hello Axel,

We are finally able to configure user and group sync from Azure AD. We are also able to set up SAML authentication against an Azure AD enterprise application.

But we are having slight trouble when a user tries to log out. We have configured the IdP service URLs as follows in the Alfresco Admin Console page:

  • IdP Authentication Request Service URL (SingleSignOnService Location from Azure AD metadata file)
  • IdP Single Logout Request Service URL (SingleLogoutService Location from Azure AD metadata file)
  • IdP Single Logout Response Service URL (SingleLogoutService Location from Azure AD metadata file)

We have the identical URL for all three fields in the metadata file. After logout it redirects the user to

And after clicking the "Back to My Dashboard" button it takes the user to the user dashboard page without any login.

I am not sure if we are missing some configuration here, but it seems logout is not really happening. Also, can we somehow avoid the Share error page?

Best regards,

Rajesh

afaust
Master

Re: Alfresco integration with azure AD for user/group sync

I remember hitting a similar error when we set this up at a customer, and it turned out we just had a configuration error in the Azure config + Alfresco SAML config. Unfortunately I can't remember specifically what our mistake was, but you should check again that all the SAML login/logout URLs have been configured correctly, both in Azure and in Alfresco.

Anonymous
Former Member

Re: Alfresco integration with azure AD for user/group sync

Thanks a lot Axel. After checking carefully we found the following in share.log:

2019-03-05 13:59:00,062 ERROR [org.alfresco.web.site] [http-apr-8080-exec-3] javax.servlet.ServletException: SAML LogoutResponse must be submitted using POST

It is a rather obvious exception: after a successful logout Azure AD sends the logout response to the Share logout URL, but it should have been sent using the POST binding. Unfortunately I am not able to figure out any way in Azure AD to specify the POST binding. Just hoping this gives you some hint to remember how you overcame this issue :-)
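
A quick way to see which bindings an IdP metadata file actually advertises for the SingleLogoutService endpoint that gets pasted into those three Admin Console fields, so the binding mismatch behind that share.log error is visible before going live. This is an added example, not code from this thread, from Alfresco or from Azure; the metadata below is a constructed sample with placeholder URLs, not real Azure AD output.

```python
"""Inspect SAML 2.0 IdP metadata for the SSO/SLO bindings it advertises and
flag an SLO endpoint that cannot satisfy an SP which only accepts HTTP-POST
for the LogoutResponse (the condition behind the share.log error above)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample (not real tenant metadata): SSO offers both bindings,
# SLO offers only HTTP-Redirect, and all three Locations are the same URL.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.example.test/TENANT-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/TENANT-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/TENANT-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.test/TENANT-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def idp_endpoints(metadata_xml):
    """Return {service: [(binding, location), ...]} for the IdP role."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    endpoints = {}
    for svc in ("SingleSignOnService", "SingleLogoutService"):
        endpoints[svc] = [(e.get("Binding"), e.get("Location"))
                          for e in idp.findall("md:" + svc, NS)]
    return endpoints


def logout_binding_findings(metadata_xml, sp_accepts=HTTP_POST):
    """Problems an SP that only accepts `sp_accepts` for SLO would hit."""
    slo = idp_endpoints(metadata_xml)["SingleLogoutService"]
    if not slo:
        return ["IdP advertises no SingleLogoutService; single logout cannot work"]
    bindings = sorted(b for b, _ in slo)
    if sp_accepts not in bindings:
        return ["IdP SLO bindings %s do not include %s expected by the SP"
                % (bindings, sp_accepts)]
    return []


if __name__ == "__main__":
    for line in logout_binding_findings(SAMPLE_METADATA):
        print("WARNING:", line)
```

Run it against the real federation metadata XML instead of the constructed sample; an empty result means the IdP offers the binding the SP insists on for the LogoutResponse.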

sunnyoswal
Active Member

Re: Alfresco integration with azure AD for user/group sync

Rajesh Jha, we are blocked with the same issue you summarized. Were you able to fix the issue?

sunnyoswal
Active Member

Re: Alfresco integration with azure AD for user/group sync

Hi Axel. We are also facing the exact same issue and are blocked. Is the fix you made documented anywhere by now?

Anonymous
Former Member

Re: Alfresco integration with azure AD for user/group sync

Unfortunately not. We still have the issue with logout.

sunnyoswal
Active Member

Re: Alfresco integration with azure AD for user/group sync

Oh. If you don't mind answering, could you tell me whether you still went with the Azure AD SSO flow implementation, and what workarounds you have in place for this logout issue?