In our project, we have successfully implemented SAML (Security Assertion Markup Language) 2.0 with our Alfresco Content Services v5.2.0. We use AD (Active Directory) to sync users and groups into Alfresco.
We chose to do the configuration by adding a subsystem (SAML) under ../tomcat/shared/classes/alfresco/extension/subsystems/SAML.
There are several reasons we decided to use properties files rather than the JMX console.
First of all, it is easier to transfer configurations between environments (development, test, production) by using properties files.
The reason for choosing a subsystem instead of alfresco-global.properties is that we need different settings for Share, the REST API and AOS. For the REST API we want saml.sp.isEnforced=false, but for the others saml.sp.isEnforced=true.
Configuration files and settings
Generate the certificate, or ask your organization to provide the signed JKS keystore used for validation. Add the attributes below to the alfresco-global.properties file:
Update the test-saml.keystore-passwords.properties file to look like:
Note: use keytool to convert a PFX (PKCS#12) keystore to a JKS keystore if your organization does not provide JKS; in our case we had to do this.
Create the subsystems/SAML directory in the extension directory if it does not exist yet.
The subsystems/SAML directory holds the configurations for the repository and the Share application.
The share folder stores the configuration file for Share, saml-custom-share-sp.properties.
The repository folder has two subfolders, aos and rest-api. The aos folder stores the configuration file for AOS, saml-custom-aos-sp.properties, and the rest-api folder stores the configuration file for the REST API, saml-custom-rest-api-sp.properties.
Update and provide the SAML configuration for the Share, repository and AOS properties as below.
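The directory layout above, together with the per-application enforcement setting from the introduction, as an added example (this script is not part of the original post or of Alfresco): it creates the subsystems/SAML tree under an extension directory, writes the three service-provider properties files with only the saml.sp.isEnforced key (the other keys the post refers to are not shown on the page, so the file contents here are a minimal assumption), and wraps the keytool conversion mentioned in the note. The function names, the SAML_LAYOUT_DEMO variable and the password handling are assumptions.

```shell
#!/bin/sh
# Added example: lay out the SAML subsystem directory described in the post.
# Paths and file names follow the post; the file contents are a minimal
# assumption (only saml.sp.isEnforced is mentioned on the page).

# create_saml_layout BASE_DIR
# BASE_DIR stands for ../tomcat/shared/classes/alfresco/extension
create_saml_layout() {
  base="$1/subsystems/SAML"
  mkdir -p "$base/share" "$base/repository/aos" "$base/repository/rest-api"
  # Share and AOS enforce SAML; the REST API does not.
  printf 'saml.sp.isEnforced=true\n'  > "$base/share/saml-custom-share-sp.properties"
  printf 'saml.sp.isEnforced=true\n'  > "$base/repository/aos/saml-custom-aos-sp.properties"
  printf 'saml.sp.isEnforced=false\n' > "$base/repository/rest-api/saml-custom-rest-api-sp.properties"
}

# enforced_setting FILE
# Prints the value of saml.sp.isEnforced in FILE (empty if the key is absent),
# handy for checking which applications actually enforce SAML after a deploy.
enforced_setting() {
  sed -n 's/^saml\.sp\.isEnforced=//p' "$1"
}

# convert_pfx_to_jks IN.pfx OUT.jks PASSWORD
# The keytool import from the note above; requires a JDK on the PATH.
# The same password is used for source and destination stores (assumption).
convert_pfx_to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -destkeystore "$2" -deststoretype JKS \
    -srcstorepass "$3" -deststorepass "$3"
}

# Stand-alone usage: build the layout in a scratch directory and list it.
if [ "${SAML_LAYOUT_DEMO:-}" = "1" ]; then
  demo="$(mktemp -d)"
  create_saml_layout "$demo"
  find "$demo" -type f
fi
```

Run it with SAML_LAYOUT_DEMO=1 to see the generated tree; in a real deployment point create_saml_layout at the extension directory and then merge the remaining SAML keys into the three properties files.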
Update the custom-share-config file to implement SAML on Share:
To connect to the backend APIs using SAML-based authentication, you have to do "the SAML dance".
We have encountered some problems after deploying SAML-based authentication.
One problem is with View In Browser when using Internet Explorer. If you are in the Document Library and use View In Browser on a Microsoft Office file, the Office program shows a login dialog. If you click Cancel twice, the document opens just fine. This is a known issue.
When integrating with Alfresco, you will notice that if you connect to a repository API through share/proxy you will not be authenticated by SAML. We have a lot of users who create links to documents from our intranet by taking the download URL from Alfresco Share (the URL includes share/proxy). These links no longer work if the user does not already have a session in the browser. We have created a custom Share API that authenticates the user with SAML and redirects to the original URL.
When we introduced network configuration using Ansible and AWX at a customer, we gradually extended the configuration scope. Over time, more and more configuration was added to the configuration pool, and this led to longer and longer run times for the playbooks.
While job execution became really simple by using AWX instead of the plain Ansible CLI, the time to finish ate heavily into that benefit.