How to make SSO work?

cancel
Showing results for 
Search instead for 
Did you mean: 
angelborroy
Alfresco Employee

Re: How to make SSO work?

To configure SSO (which is the way of avoiding the login screen) you need to use Kerberos. This is the right approach.

Configuring Kerberos is well documented and available as part of the Alfresco official documentation: Configuring Kerberos | Alfresco Documentation  

Software Engineer in Alfresco Search Team.
janmussche
Active Member

Re: How to make SSO work?

Now I am lost:

Martin writes:

You say you can login with the AD credentials - so SSO is working. You also want  "auto login" on share?

You write:

To configure SSO (which is the way of avoiding the login screen)

What does SSO mean? When it is configured in the right way do I still get the login screen or not? That is what I want, or better it is what the users want.

mehe
Senior Member II

Re: How to make SSO work?

SSO means, you have to login at a single point and having, in the best case, only one source for your credentials. The source is your AD.

Now you imported all your users to alfresco with the ldap sync - your users are known to alfresco now. 

In your authentication chain you have configured alfrescoNTLM, which allows you to login with local alfresco users like admin or guest and

ldap-ad which hands over the authentication for all users that are no alfresco internal users to your AD.

That's why you are able to login with your AD users (looks like you are using ldap authentication now).

But like Angel said, you don't have a mechanism that allows to automatically login or enables Alfresco to know that you are already authorized. You need either "NTLM" which enables your Browser to "login" (sends ntlm credentials) to share or Kerberos, that is handling authorization via tickets.

Using NTLM you would have to use (I think) also passthru1Smiley Tongueassthru in the authentication chain and ntlm.authentication.sso.enable=true and tell Alfresco which server to use for passthru: passthru.authentication.servers=YOUR_AD_SERVER

Also tell your client OS that it is ok use NTLMv1. in Windows:

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa] "LmCompatibilityLevel"=dword:00000001

If using Firefox as browser you also have to use about:config and set
network.automatic-ntlm-auth.trusted-uris=YOUR_ALFRESCO_SERVER_HTTP

for NTLM and 

network.negotiate-auth.trusted-uris=YOUR_ALFRESCO_SERVER_HTTP

for Kerberos.

For Kerberos, you have to prepare your AD and Alfresco using the vast Informations under the link Angel provided (Configuring Kerberos | Alfresco Documentation ) which shows the needed steps:

Enabling Kerberos authentication

Use this information to enable and configure Kerberos authentication in Alfresco Community Edition 5.2.

You don't have kerberos in your authentication chain - seems that you haven't used the docs...

AND: you'd have to configure share-config-custom.xml (see the comments in this file, search for kerberos)

If you configure your Alfresco SSO with NTLM or Kerberos (which is recommended) and your clients, you won't have to login manually to share - you will be authorized automatically.

Veriago
Member II

Re: How to make SSO work?

In addition I can say that when using such technology Active Directory and SSO you can additionally secure the authorization system through adfs sso which in turn makes it possible to set an additional password which is generated using one time security tokens.With this method, adfs authentication acts as a guarantor of 2FA protection.