Alfresco configuration for SSO: are my alfresco files correct?

cancel
Showing results for 
Search instead for 
Did you mean: 
Romanesco
Customer

Alfresco configuration for SSO: are my alfresco files correct?

Hi,

GOAL OF MY QUESTION:
I want to setup an SSO mechanism with my Alfresco configuration.
I'm using the LDAP protocol for synchronization and authentication.
The thing is that I don't have the right, for the moment, to modify the server's configuration, so I can only modify alfresco's files.
I want to know if my alfresco-global.properties and share-config-custom.xml files are correct regarding the configuration of an SSO with LDAP.

INFOS ABOUT MY SETUP:
Aside from the following errors that indicates that I don't have a certain .p12 file in Alfresco:

2021-11-17 10:41:51,665 WARN [extensions.config.RemoteConfigElement] [http-nio-8080-exec-1] No SSL Truststore was configured.
2021-11-17 10:41:51,665 WARN [extensions.config.RemoteConfigElement] [http-nio-8080-exec-1] Custom SSL socket factory was not configured, as there was no Keystore or Truststore.
2021-11-17 10:41:04,254 ERROR [extensions.config.RemoteConfigElement] [localhost-startStop-1] java.io.FileNotFoundException: alfresco/web-extension/alfresco-system.p12 (No such file or directory)

The strategy of connection is the first scenario (as described in this doc).
That is the direct approach for wiring Alfresco Share. The synchronisation and authentication the LDAP subsystem alone works correctly.
But when I use the external subsystem I can't have an automatic login for user already authenticated on its Windows session let's say.

Programs's version:

  • RedHat version: Red Hat Enterprise Linux Server release 7.9 (Maipo)
  • Alfresco Share v6.2.1 (Aikau 1.0.101.19, Spring Surf 6.2.1, Spring WebScripts 7.14, Freemarker 2.3.28, Rhino 1.7.11, Yui 2.9.0-alfresco-20141223)
  • Alfresco Enterprise v6.2.1 schema 13001
  • CAS version: seems to be 5.1 (I don't have direct access to the CAS server so I don't know it's exact version)
  • Tomcat version: Apache Tomcat/8.5.43

WHAT I TRIED:
- Delete all traces of kerberos in the share-config-custom.xml file but no progress.
- In the <config evaluator="string-compare" condition="Remote"> section, comment parts of the share-config-custom.xml file
where the Alfresco Cookie connector is mentioned and all other endpoints except the alfresco endpoint but no progress made here.
- Change the LDAP sync to false and see what happens.
- In share-config-custom.xml file tried to delete the <ssl-config> part but SSO still doesn't work.
- In share-config-custom.xml file tried to add the endpoint alfresco-noauth but still doesn't work.
- In server.xml file on the /opt/tomcat/conf folder, I tried to add in 

<Connector port="8009" protocol="AJP/1.3" connectionTimeout="10000" keepAliveTimeout="10000"/>

the tomcatAuthentication="false" option but SSO still doesn't work.

- I tried things in that site
- I am aware of this post.
But I want to know if everything concerning Alfresco is OK before modifying the CAS server and the apache server.

RESOURCES:

I trimmed a lot of comments in those files to be in the 20 000 characters limit.
Here is my alfresco-global.properties file:

#############################################################
################ Alfresco 6.2 Properties ####################
#############################################################

# location of the alf_data folder (it's the relational database of Alfresco)
dir.root=/GAT
# keystore location
dir.keystore=/opt/alfresco/alf_data/keystore

#-------------------------------#
# Database connection properties#
#-------------------------------#
db.name=XXXXXXXX
db.username=XXXXXX
db.password=XXXXXX
db.host=XXXXXXXXX
db.port=XXXXXXXXX


#------------------#
# ORACLE connection#
#------------------#
db.driver=oracle.jdbc.OracleDriver
db.url=XXXXXXX

#-------------------------------------------------------------#
# URL Generation Parameters                                   # 
#-------------------------------------------------------------#
# The ${localname} token is replaced by the local server name
alfresco.context=alfresco
alfresco.host=XXXXXXX
alfresco.port=XXXXXXX
alfresco.protocol=https


#-----------------#
# Share Parameters#
#-----------------#
share.context=share
share.host=XXXXX
share.port=XXXX
share.protocol=https

system.serverMode=TEST

#----------------#
# Solr Parameters#
#----------------#
index.subsystem.name=solr6
solr.secureComms=none
solr.port=XXXXXX

alfresco-pdf-renderer.root=/opt/alfresco/alfresco-pdf-renderer
alfresco-pdf-renderer.exe=${alfresco-pdf-renderer.root}/alfresco-pdf-renderer

#-----------------------#
# Cluster Configuration #
#-----------------------#
alfresco.cluster.enabled=true
#port dédié à hazelcast test
alfresco.hazelcast.port=XXXXXXXXXX
alfresco.hazelcast.password=XXXXXXXXXX
# force l'interface réseau à utiliser pour contacter les autres membres du cluster
alfresco.cluster.interface=XXXXXXXXXX
#alfresco.hazelcast.max.no.heartbeat.seconds=30

#------------------------#
# Grand Angle Parameters #
#------------------------#
atolcd.gda.exportXml.version=7.0P1

# Enable auth popup (for CMIS), disable this option when using ADF
alfresco.restApi.basicAuthScheme=true

heartbeat.enabled=false


#--------------#
# CSRF filters #
#--------------#
csrf.filter.enabled=false
csrf.filter.referer=XXXXXXXXXXXXX
csrf.filter.referer.always=false
csrf.filter.origin=XXXXXXXXXXXXXXXXX
csrf.filter.origin.always=false

#-----------------------#
# Authentification Chain#
#-----------------------#

# Chain of subsystems used in this order: external (the CAS), ldap-ad (LDAP protocol) and alfrescoNtlm (the default)
authentication.chain=authCAS:external,protocolLDAP:ldap-ad,alfrescoNtlm1:alfrescoNtlm

#--------------------#
# External Subsystem #
#--------------------#
# true to activate external, false to deactivate 
external.authentication.enabled=true 
external.authentication.proxyUserName=
# Add all admins that must have access to the SSO
external.authentication.defaultAdministratorUserNames=admin
# Name of the HTTP header that carries the name of a proxied user. Default is X-Alfresco-Remote-User
external.authentication.proxyHeader=X-Alfresco-Remote-User

#----------------#
# LDAP Subsystem #
#----------------#

##### Authentication properties #####

# Activate LDAP for authentication
ldap.authentication.active=true
ldap.authentication.userNameFormat=XXXXXXXXXXXXXXx
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=XXXXXXXXXXXXXXX
ldap.authentication.java.naming.security.authentication=simple
# Escape commas in the user ID
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
# Default administrator user name
ldap.authentication.defaultAdministratorUserNames=admin

##### Syncronization properties #####

# True to use synchronization, false for the LDAP protocol to be used only for authentication
ldap.synchronization.active=true

# LDAP admin user's credentials: #
ldap.synchronization.java.naming.security.principal=XXXXXXXXXX
ldap.synchronization.java.naming.security.credentials=XXXXXXXXXXX

# Last update time of a group or user
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
# Default home folder for people created using LDAP import.
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# LDAP Groups properties: #
ldap.synchronization.groupQuery=(objectclass\=group)
# The Distinguished Name (DN, it could be the name of a user)  of the Organizational Unit (OU) below which security groups can be found
ldap.synchronization.groupSearchBase=XXXXXXXXXXXXXXXX
ldap.synchronization.groupType=group
# Attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member
# Attribute on LDAP group objects to map to group name
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group))

# LDAP Users properties: #
# The DN of the OU below which user accounts can be found
ldap.synchronization.userSearchBase=XXXXXXXXXXXXXXXXX
# Person type in LDAP
ldap.synchronization.personType=user
# Attributes on LDAP users objects
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
# Users queries's options
ldap.synchronization.personQuery=XXXXXXXXXXXXXX
ldap.synchronization.personDifferentialQuery=XXXXXXXXXXXXXX

Here is my share-config-custom.xml file:

<alfresco-config>

   <!-- Global config section -->
   <config replace="true">
      <flags>
         <client-debug>false</client-debug>
         <client-debug-autologging>false</client-debug-autologging>
      </flags>
   </config>
   
   <config evaluator="string-compare" condition="WebFramework">
      <web-framework>
         <autowire>
            <mode>production</mode>
         </autowire>
         <module-deployment>
            <mode>manual</mode>
            <enable-auto-deploy-modules>true</enable-auto-deploy-modules>
         </module-deployment>
      </web-framework>
   </config>

   <!-- Disable the CSRF Token Filter -->
   <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
      <filter/>
   </config>

   <config evaluator="string-compare" condition="Replication">
      <share-urls>

      </share-urls>
   </config>

   <!-- Document Library config section -->
   <config evaluator="string-compare" condition="DocumentLibrary" replace="true">

      <tree>
         <evaluate-child-folders>false</evaluate-child-folders>
         <maximum-folder-count>1000</maximum-folder-count>
         <timeout>7000</timeout>
      </tree>

      <aspects>
         <!-- Aspects that a user can see -->
         <visible>
            <aspect name="cm:generalclassifiable" />
            <aspect name="cm:complianceable" />
            <aspect name="cm:dublincore" />
            <aspect name="cm:effectivity" />
            <aspect name="cm:summarizable" />
            <aspect name="cm:versionable" />
            <aspect name="cm:templatable" />
            <aspect name="cm:emailed" />
            <aspect name="emailserver:aliasable" />
            <aspect name="cm:taggable" />
            <aspect name="app:inlineeditable" />
            <aspect name="cm:geographic" />
            <aspect name="exif:exif" />
            <aspect name="audio:audio" />
            <aspect name="cm:indexControl" />
            <aspect name="dp:restrictable" />
            <aspect name="smf:customConfigSmartFolder" />
            <aspect name="smf:systemConfigSmartFolder" />
         </visible>

         <!-- Aspects that a user can add. Same as "visible" if left empty -->
         <addable>
         </addable>

         <!-- Aspects that a user can remove. Same as "visible" if left empty -->
         <removeable>
         </removeable>
      </aspects>

      <types>
         <type name="cm:content">
            <subtype name="smf:smartFolderTemplate" />
         </type>

          <type name="cm:folder">
         </type>

         <type name="trx:transferTarget">
            <subtype name="trx:fileTransferTarget" />
         </type>
      </types>

      <repository-url>http://localhost:8080/alfresco</repository-url>

      <google-docs>
         <enabled>false</enabled>
         <creatable-types>
            <creatable type="doc">application/vnd.openxmlformats-officedocument.wordprocessingml.document</creatable>
            <creatable type="xls">application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</creatable>
            <creatable type="ppt">application/vnd.ms-powerpoint</creatable>
         </creatable-types>
      </google-docs>

      <!--
         File upload configuration
      -->
      <file-upload>

         <adobe-flash-enabled>true</adobe-flash-enabled>
      </file-upload>
   </config>


   <!-- Custom DocLibActions config section -->
   <config evaluator="string-compare" condition="DocLibActions">
      <actionGroups>
         <actionGroup id="document-browse">

        
         </actionGroup>
      </actionGroups>
   </config>

   <!-- Global folder picker config section -->
   <config evaluator="string-compare" condition="GlobalFolder">
      <siteTree>
         <container type="cm:folder">
            <!-- Use a specific label for this container type in the tree -->
            <rootLabel>location.path.documents</rootLabel>
            <!-- Use a specific uri to retreive the child nodes for this container type in the tree -->
            <uri>slingshot/doclib/treenode/site/{site}/{container}{path}?children={evaluateChildFoldersSite}&amp;max={maximumFolderCountSite}</uri>
         </container>
      </siteTree>
   </config>

   <!-- Repository Library config section -->
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">

      <root-node>alfresco://company/home</root-node>

      <tree>

         <evaluate-child-folders>false</evaluate-child-folders>

         <maximum-folder-count>500</maximum-folder-count>
      </tree>

      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
         
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication.
                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
   </config>

   <config evaluator="string-compare" condition="Users" replace="true">
      <users>
         <!-- minimum length for username and password -->
         <username-min-length>2</username-min-length>
         <password-min-length>3</password-min-length>
         <show-authorization-status>true</show-authorization-status>
      </users>
      <!-- This enables/disables the Add External Users Panel on the Add Users page. -->
      <enable-external-users-panel>false</enable-external-users-panel>
   </config>
   
   <!-- CAS and SSO part -->
   <!-- See if we need to use cookie session based endpoint
	location of the file: /opt/alfresco/shared/classes/alfresco/web-extension
   -->
	
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <ssl-config>
            <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
            <keystore-type>pkcs12</keystore-type>
            <keystore-password>alfresco-system</keystore-password>
			<!--
            <truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
            <truststore-type>JCEKS</truststore-type>
            <truststore-password>password</truststore-password>
			-->
            <verify-hostname>true</verify-hostname>
         </ssl-config>
		<!--
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         -->
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://XXXXXXXXXXX:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         <!--
         <endpoint>
            <id>alfresco-feed</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description> 
            <connector-id>alfrescoHeader</connector-id> 
            <endpoint-url>http://XXXXXXXXXXXXX:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication.
                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://XXXXXXXXXXXX:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
		 -->
      </remote>
   </config>

</alfresco-config>

Thanks for your help.

1 Reply
Romanesco
Customer

Re: Alfresco configuration for SSO: are my alfresco files correct?

Hi,

I have done some more investigation on implementing SSO with our CAS server in Alfresco.

It seems that the CAS protocol V3 and higher is no more compatible with Alfresco (correct me if I'm wrong). The usage of subsystems like external seems to be obsolete now. I have heard about the Identity Services using OAuth2 or OpenID Connect. Have anyone a tutorial that I could use to implement SSO with my CAS server on Alfresco with those programs (OAuth2, OpenID Connect)? Nothing seems to show up in the docs or at least not enough so that I understand what I'm supposed to do.

Thanks