WARNING: this kind of setup is not officially supported by Alfresco
The objective of this document is to provide instructions on how to enable the Alfresco Share Application to work with Shibboleth as the authentication subsystem. These instructions have been tested on Alfresco Community versions 3.4.d and 4.0.b.
General Environment Setup Relevant to User Authentication
Apache sits in front, accepting incoming web requests and forwarding them to Tomcat. A web client connects over HTTPS to https://yourdomainname/; mod_proxy (mod_proxy_ajp) forwards the request over the AJP protocol to the Tomcat application server that hosts Alfresco and Share, which listens on port 8009 on localhost. Because Apache (and, once it is in place, the Shibboleth module inside it) is what establishes the user's identity, Tomcat must only ever see requests that arrive through this proxy: the AJP connector has to stay bound to 127.0.0.1 and port 8009 must not be reachable from any other host, otherwise a client could talk to Tomcat directly and bypass the authentication layer entirely.
We start with a virtual host on port 80 and work our way up to SSL later. In the httpd.conf excerpt below Apache acts as the front desk: it accepts the request and hands it to Tomcat with the ProxyPass and ProxyPassReverse directives. Note that on port 80 everything, including the session cookie, travels in clear text, so this configuration is only a stepping stone towards the SSL virtual host.
<VirtualHost *:80>
    DocumentRoot '/home/alfresco/apps/httpd-2.2.17/htdocs'
    ServerName <yourdomainname.com>
    UseCanonicalName On
    ErrorLog '/home/alfresco/apps/httpd-2.2.17/logs/error_log'
    TransferLog '/home/alfresco/apps/httpd-2.2.17/logs/access_log'
    ProxyRequests Off
    RewriteEngine On

    # Alfresco Explorer
    ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
    ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
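The whole scheme relies on port 8009 being reachable only from Apache. The following check is an added example, not part of the original page or of Alfresco: it audits a Tomcat server.xml for an AJP connector that is not pinned to the loopback address. The two server.xml fragments inside it are constructed for the demonstration, and the script assumes each <Connector .../> sits on a single line, as in the stock server.xml (commented-out connectors are not handled).

```shell
#!/bin/sh
# Added example, not part of the original page: audit Tomcat's server.xml
# for an AJP connector that is not pinned to the loopback address.
# Assumption: each <Connector .../> is written on one line, as in the
# stock server.xml; commented-out connectors are not handled.
set -eu

# ajp_connectors FILE -> prints every <Connector ...> line that speaks AJP/1.3
ajp_connectors() {
    grep -E '<Connector[^>]*protocol="AJP/1\.3"' "$1" || true
}

# ajp_exposed FILE -> exit 0 (true) if some AJP connector lacks a loopback
# bind address, i.e. it would accept connections from other hosts and let
# them bypass Apache (and therefore Shibboleth) entirely.
ajp_exposed() {
    ajp_connectors "$1" \
        | grep -Ev 'address="(127\.0\.0\.1|::1|localhost)"' \
        | grep -q .
}

# Constructed server.xml fragment (not a real file): the stock connector,
# which binds to all interfaces.
weak_server_xml() {
    cat <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
}

# Constructed server.xml fragment (not a real file): both connectors pinned
# to 127.0.0.1, so only the local Apache can reach Tomcat.
fixed_server_xml() {
    cat <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>
EOF
}

# check_file FILE -> prints a verdict and returns 1 when the connector is exposed
check_file() {
    if ajp_exposed "$1"; then
        echo "EXPOSED: AJP connector in $1 is not bound to loopback:"
        ajp_connectors "$1"
        return 1
    fi
    echo "ok: AJP connector(s) in $1 bound to loopback"
}

# Stand-alone demo: run the check over both constructed fragments.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    weak_server_xml  > "$tmp/weak.xml"
    fixed_server_xml > "$tmp/fixed.xml"
    check_file "$tmp/weak.xml" || true
    check_file "$tmp/fixed.xml"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see both verdicts, or call `check_file /path/to/tomcat/conf/server.xml` against the real file. Newer Tomcat releases (9.0.31, 8.5.51 and 7.0.100 onwards) go further: the AJP connector defaults to the loopback address and refuses connections that do not present a shared secret (secretRequired), which the Apache side supplies with the `secret=` parameter on ProxyPass in httpd 2.4.42 and later.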
openssl genrsa -des3 -out server.key 2048                                      (generate the private key, passphrase-protected)
openssl req -new -key server.key -out server.csr                                (create the certificate signing request, CSR)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt  (self-sign the CSR; without -out the certificate is only written to stdout)
cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key                               (remove the passphrase from the private key so Apache does not prompt for it on restart)
The unencrypted server.key is now the only thing protecting your TLS sessions: keep it owned by root with mode 0600, outside the DocumentRoot, and delete or lock down server.key.secure as well. A self-signed certificate is fine for testing but browsers will warn about it; for production use a certificate from a CA, as discussed below.
Edit the Apache configuration (httpd.conf) to reference your certificate and key. With a certificate obtained from a commercial CA such as DigiCert you will usually also need the SSLCertificateChainFile directive for the intermediate certificates (on httpd 2.4.8 and later the chain can simply be appended to the SSLCertificateFile) and possibly SSLCACertificateFile. Two further points on the SSL section below: the bare SSLCipherSuite HIGH alias still admits anonymous Diffie-Hellman suites (no server authentication at all) on older OpenSSL builds, so use at least HIGH:!aNULL:!MD5, and add SSLProtocol all -SSLv2 -SSLv3 so that neither SSLv2 nor SSLv3 can be negotiated.
<VirtualHost _default_:443>
    DocumentRoot '/your_apache_path/htdocs'
    ServerName <yourdomainname.com>
    UseCanonicalName On
    ErrorLog '/your_apache_path/logs/error_log'
    TransferLog '/your_apache_path/logs/access_log'
    SSLEngine on
    SSLCipherSuite HIGH
    SSLCertificateFile '/your_apache_path/conf/yourdomainname.crt'
    SSLCertificateKeyFile '/your_apache_path/conf/yourdomainname.key'
    ProxyRequests Off
    RewriteEngine On

    # Alfresco Explorer
    ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
    ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
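The certificate steps above, collapsed into one script, as an added example that is not part of the original page. It assumes a POSIX shell and OpenSSL 1.0 or later and uses `openssl req -x509 -nodes` to produce the same end result as the step-by-step version (an unencrypted key plus a self-signed certificate) without ever writing the intermediate passphrase-protected copy; it also checks that the key and certificate actually belong together and that the key ends up unreadable to other users. The output file names and the CN are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: generate a self-signed
# key/certificate pair for the Apache SSL virtual host and verify it.
# Assumes OpenSSL 1.0 or later; file names and CN are illustrative.
set -eu

# make_selfsigned_cert DIR CN DAYS
#   writes DIR/server.key (unencrypted, mode 0600) and DIR/server.crt
#   (mode 0644). Runs in a subshell so the umask change stays local.
make_selfsigned_cert() (
    dir=$1; cn=$2; days=$3
    umask 077   # files are created unreadable to others from the start
    # -nodes: no DES passphrase, so Apache can restart unattended.
    # This replaces genrsa + req + x509 -req + rsa (passphrase removal).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -subj "/CN=$cn" 2>/dev/null
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
)

# key_matches_cert KEY CRT -> exit 0 if the public key in CRT belongs to KEY
# (catches the classic mistake of pointing SSLCertificateKeyFile at an old key)
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# cert_subject CRT -> prints the subject so you can eyeball the CN
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# cert_fingerprint CRT -> SHA-256 fingerprint to compare against the browser warning
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Stand-alone demo: build a throwaway pair in a temp dir and report on it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_selfsigned_cert "$tmp" "yourdomainname.com" 365
    cert_subject "$tmp/server.crt"
    cert_fingerprint "$tmp/server.crt"
    if key_matches_cert "$tmp/server.key" "$tmp/server.crt"; then
        echo "key and certificate match"
    else
        echo "key and certificate DO NOT match" >&2
    fi
    rm -rf "$tmp"
fi
```

For the real deployment call `make_selfsigned_cert /your_apache_path/conf yourdomainname.com 365` and point SSLCertificateFile and SSLCertificateKeyFile at the resulting server.crt and server.key; run `key_matches_cert` on the two paths from httpd.conf before restarting Apache.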
From the RequestMapper section of the Shibboleth SP configuration (shibboleth2.xml); the second comment states the constraint that bites most often, namely that the <Host> name and port must match Apache's ServerName and port or the SP will not protect the requests you expect:
<!-- The example requires a session for documents in /secure on the containing host with http and https on the default ports. -->
<!-- Note that the name and port in the <Host> elements MUST match Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element below. -->
Here comes the trickiest part in getting the Share application to work with Shibboleth. Share is a separate web application from the main Alfresco Explorer/repository WAR and has no knowledge of the user that was authenticated to Alfresco Explorer, so SSO has to be enabled for it in share-config-custom.xml. Share then makes web-script calls over HTTP(S) to the configured Alfresco repository to find out who the authenticated user is. Keep in mind what this trust relationship implies in any header-based SSO setup of this kind: the repository accepts the identity that the front end asserts, so the URL Share uses to reach the repository, and the repository's own HTTP ports, must not be reachable by end users except through Apache and Shibboleth; otherwise anyone able to hit them directly could assert an arbitrary identity.
Start Apache, Shibboleth, and Alfresco and hope for the best. You might also need to reboot.
Once Shibboleth is working properly, there are two ways to view Shibboleth attributes.
1) Download snoop.jsp (provide link to file to be downloaded) and place it in tomcat/alfresco/, and download HTMLfilter.class (provide link to file to be downloaded) and put it under tomcat/webapps/alfresco/WEB-INF/classes/util/. HTMLfilter, as its name suggests, HTML-escapes the values before snoop.jsp prints them; a page that reflects raw request headers and attributes is otherwise an easy cross-site scripting target. Treat snoop.jsp as a debugging aid only: it shows every header and attribute of the request, including the Shibboleth identity attributes, to whoever can load it, so remove it as soon as the setup works. Once you have done this, you can access the Shibboleth attributes via: