I understand that Share 6.2 features integration with Identity Service. The documentation seems to be a bit light on this. Has anyone got this to work?
I've been able to get APS to work with Identity Service (using OpenLDAP). This seems to be fairly straightforward.
I believe that I should be able to use the SAML connector to connect to Identity Service. Does anyone have an example of the required configuration (saml.properties, Identity Service config, etc)?
One last thing. Am I right in thinking that even if I get authentication working, I'd still have to create the users within ACS using LDAP sync if users are based in an LDAP directory or using a custom solution if users are based on a non-LDAP based provider (e.g. AWS Cognito)?
AFAIK Alfresco Share does NOT support Alfresco Identity Service in 6.2 - at least not out-of-the-box. Only the Alfresco Repository (ACS) supports Identity Service. That's the reason I have started writing my own support via my alfresco-keycloak addon.
As for still requiring an LDAP directory: I am working on the next version of my Keycloak integration which will be able to map users from authentication requests and sync users / groups directly from Keycloak without requiring an extra setup for LDAP (assuming all users / groups are known to Keycloak in advance).
You can integrate Alfresco with Identity Service / SAML without having LDAP synchronisation. This works just fine and users would be created ad-hoc - the only downside would be that those users would not have any details, e.g. email, first and last names, set as properties.
The info at https://docs.alfresco.com/sso/topics/saml.html seems to suggest that you can authenticate Share users via SAML against an identity provider. As Keycloak/IDS supports SAML, could we not use that as the identity provider?