Hi all!

I looking for stable configuration of ECM and I need advise of community aspesialy about authentication.

Targets:

1. Alfresco 6.x version, docker-compose or Kubernates doployment
2. Services: Share, WebDav, MS Office (Share Point protocol), Mobile App
3. MS AD users and groups sync
4. SSL for everyone (intranet and external users).
5. SSO for intranet users for all desktop services.
6. Two factor authentication (2FA) for external access for all desktop services.
7. It's good to have load balansing (in the future).
8. No CIFS, No Google, No IMAP

I made docker-comopse deployment: SSL ngenx revers proxy, kerberos authentication (MS Active Directory sync and auth), onlyoffice integration. Now I'm working on an SSO and have more questions than answers.

I have to chouse:

1. replace ngenx to apache reverse proxy? Ngenx seems to be more perspective to the future kubernates and load balansing. But apache more documented to Afresco. Wich one is better for combining intranet SSO and external 2FA.
2. external or kerberos realm authentication? Kerberos works in intranet, but we need SSO today and 2FA tomorow.  Do I need to immediately switch to external CAS authentication?

I would appreciate any comments or advices.