In our project, we have successfully implemented SAML (Security Assertion Markup Language) 2.0 with our Alfresco Content Service v5.2.0. We use AD (Active Directory) to sync users and groups into the Alfresco system.
We chose to do the configuration by adding a subsystem (SAML) under ../tomcat/shared/classes/alfresco/extension/subsystems/SAML.
There are several reasons we decided to use properties files rather than the JMX console.
First of all, it is easier to transfer configurations between environments (development, test, production) by using properties files.
The reason for choosing a subsystem instead of alfresco-global.properties is that we need different settings for Share, the REST API and AOS. For the REST API we want saml.sp.isEnforced=false, but for the others saml.sp.isEnforced=true.
Configuration files and settings
Generate the certificate, or ask your organization to provide the signed JKS keystore used to validate the assertions. Add the attributes below to the alfresco-global.properties file:
Update the test-saml.keystore-passwords.properties file to look like:
Note: use keytool to convert the PFX certificate to a JKS keystore if your organization does not provide a JKS; in our case we did this.
Create a subsystems/SAML directory in the extension directory if it does not exist.
The subsystems/SAML directory will hold the configurations for the repository and Share applications.
The share folder will store the configuration file for Share, saml-custom-share-sp.properties.
The repository folder will have two subfolders, aos and rest-api. The aos folder will store the configuration file for AOS, saml-custom-aos-sp.properties, and the rest-api folder will store the configuration file for the REST API, saml-custom-rest-api-sp.properties.
Update and provide the SAML configuration for the Share, repository and AOS properties files as below.
Update the custom-share-config file to implement SAML on Share:
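The following script is an added example (not code from the original post or from Alfresco) covering the two steps above: it creates the subsystems/SAML layout with one properties file per context, writing saml.sp.isEnforced=false for the REST API and true for Share and AOS, and it wraps the keytool PKCS#12-to-JKS conversion mentioned in the note. The extension directory, keystore paths, the store password and the presence of saml.sp.isEnabled alongside saml.sp.isEnforced are assumptions; the remaining keys your IdP requires must still be added to each file.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the SAML subsystem
# layout described above and converts a .pfx keystore to JKS with keytool.
# All paths, aliases and passwords used here are assumptions.
set -eu

# Write a minimal service-provider properties file.
# $1 = destination file, $2 = value for saml.sp.isEnforced (true/false)
write_sp_props() {
  printf 'saml.sp.isEnabled=true\nsaml.sp.isEnforced=%s\n' "$2" > "$1"
  chmod 640 "$1"   # keep SP settings readable only by the tomcat user/group
}

# Create extension/subsystems/SAML with the per-context folders.
# $1 = the alfresco "extension" directory (assumed path)
make_saml_layout() {
  base="$1/subsystems/SAML"
  mkdir -p "$base/share" "$base/repository/aos" "$base/repository/rest-api"
  # Share and AOS enforce SAML; the REST API keeps SAML enabled but not enforced,
  # exactly the split the post uses to keep API clients working.
  write_sp_props "$base/share/saml-custom-share-sp.properties" true
  write_sp_props "$base/repository/aos/saml-custom-aos-sp.properties" true
  write_sp_props "$base/repository/rest-api/saml-custom-rest-api-sp.properties" false
}

# Print the saml.sp.isEnforced value found in a properties file.
enforced_in() {
  sed -n 's/^saml\.sp\.isEnforced=//p' "$1"
}

# Convert a PKCS#12 (.pfx) keystore to JKS for Alfresco.
# $1 = source .pfx, $2 = destination .jks, $3 = store password
# Returns 0 on success, 2 if keytool is not on PATH.
pfx_to_jks() {
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$3"
  chmod 600 "$2"   # the keystore holds the SP private key; restrict it
}
```

Typical use is `make_saml_layout /opt/alfresco/tomcat/shared/classes/alfresco/extension` followed by `pfx_to_jks org-signed.pfx test-saml.keystore 'store-password'`; the password is passed on the command line only for brevity, so prefer a password file or a prompt in production.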
To connect to backend API’s using SAML-based authentication, you do “the SAML-dance”.
We have encountered some problems after deploying SAML-based authentication.
One problem is with View In Browser when using Internet Explorer. If you are in the Document Library and try to do View In Browser on a Microsoft Office file, the Office program will show you a login dialog. If you click Cancel twice, the document opens just fine. This is a known issue.
When integrating with Alfresco, you will notice that if you try to reach a repository API through share/proxy you will not be authenticated by SAML. We have a lot of users who create links to documents from our intranet by taking the download URL from Alfresco Share (the URL includes share/proxy). These links no longer work if the user does not already have a session in the browser. We have created a custom Share API that authenticates the user with SAML and redirects to the original URL.