I've been working in setting up Alfresco for the last 3 weeks and although the program itself works fine, I can not get SSO to work. The situation is like this:
We have a Windows AD where everyone in our company is situated.
I have installed the Community Edition onto a Ubuntu 16.04 server in a virtual machine, using this installation file: alfresco-community-installer-201707-linux-x64.bin.
I can login as administrator on the webpage and do all necessary things. Login with my own credentials, located in the AD work. In other words the credentials stored in the AD are used. There are no local users in Alfresco.
What we want is an SSO where everyone logged in to his computer with the AD credentials automatically will be logged in to the webpage without having to type his name and password again. We don't want to see the Alfresco login page.
As I wrote I have been working on this for several weeks already, reading a 1001 webpages, both the Alfresco documentation pages as well as foreign pages where people write they managed to do this. Everywhere the info is different and whatever I try, it doesn't work.
Can somebody here please explain in a step-by-step way what I need to do after having installed Alfresco to make SSO work? Don't point me to webpages for info please, I have seen too many of those already, just tell me here:
step 1: this
step 2: that
and so on.
I know I am asking alot but after working all these weeks and still not having success I need help.
What do I need to do, both in Alfresco and in the AD to make it work? Please help.
Thank you for your understanding and help.
I've followed several times in the past the official guide and it works properly: Configuring Kerberos | Alfresco Documentation
I don't know what additional information is required for Kerberos SSO configuration...
Thank you for your answer but as I wrote it is not the answer I was hoping for. I did read all the Alfreso documentation, followed it to the letter and still it doesn't work so I was hoping somebody could tell me step-by-step what he did to make it work. I must be missing something and until I know what that is it will never work.
IMO there is no other documentation that would help you. Probably you have to test every component to verify if it is working properly: Active Directory authentication, Kerberos configuration in AD, Kerberos client in Alfresco server, client configuration for SSO...
Thanks again for your answer. I literally read a 1001 pages in the documentation and still I can not get SSO to work.
Could you please explain what it is you did to make it work, the settings you made (without private info of course), the extras you installed. Did you make all the settings in the alfresco-global.properties file or did you also use other properties files (saw in some documentation it is also possible to use others for special purposes).
I sure can use all the help there is cause, as I wrote in the first post, I am busy for 3 weeks already and still it doesn't work.
I can log-in using the LDAP credentials, so the connections to the AD server exist, but the idea is to make it automatically without the need to log-in again when opening the website.
I can attach a sample configuration in Docker.
The only thing missed is AD configuration and also you have to re-generate keytabs and so with your server names and domain names.
could we have a little more context for your question? You say you can login with the AD credentials - so SSO is working. You also want "auto login" on share?
What technology should be used? Kerberos, NTLM or some kind of CAS (I would use Kerberos, like Angel proposed above, NTLMv1 will be dropped by Windows). LDAP alone is not sufficient to get auto-login working with standard-AD.
Can you provide what you have configured? You need to modify at least alfresco-global.properties and share-config-custom.xml.
Do you use the alfresco CIFS server?
Kerberos is bound to the same/shared "time"-source to avoid deviations - Is your Unix server using the AD as timeserver or the same one as the AD?
I use alfresco community 201707 on ubuntu 16.04 LTS in a few installations with AD but they are still using NTLMv1... have to change that...
Wow, you ask alot of questions. But that's a good thing.
I have to explain something first: I was under the impression that SSO means logging in without a login screen, automatically using your Windows credentials with which you logged in to the active directory. Turns out I am wrong and it means logging in by typing name and password which are then authenticated by the ones stored in AD.
What I want is this:
user opens the webpage and instead of seeing the login page he(she) sees his(her) dashboard. Login happened in the background by using the users credentials he (she) used when logging in to the AD already. It means you only login once to your computer, actually to the domain, and that's it. No more having to type name and password.
I have this in the alfresco-gloal.properties file:
### Ntlm ###
### LDAP ###
I did not change the share-config-custom.xml file and I don't have separate files and folders for each type of authentication.
Logging in by typing my domain name and password works, so there is no need for an internal database with users and passwords. I just like to see it a bit more automated (without having to type the credentials).
Is that possible? And if so, how do I do that?
Thank you for all your help.
You are not including Kerberos (SSO) configuration... Did you read the tutorials and the Docker I gave you?
I absolutely know nothing about Docker. Looked at your files but they mean nothing to me.
I have the Alfresco authentication part working so I was not going to change that, although I have been looking at the kerberos way of doing things. Found it complicated to say the least.
I was hoping to find a way to get rid of the login screen but when that does not work then the users just have to login manually. Will get some comment but that's okay.
Thanks for your help.
Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.