<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:alfresco</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,applications,alfresco" />
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="alfresco.html" />
<link rel="contents" href="alfresco.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO={"id":"documentation:2.0:applications:alfresco","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#http_headers">HTTP headers</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#alfresco1">Alfresco</a></div></li>
<li class="level2"><div class="li"><a href="#llng">LL::NG</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#headers">Headers</a></div></li>
<li class="level3"><div class="li"><a href="#rules">Rules</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#saml2">SAML2</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#alfresco2">Alfresco</a></div></li>
<li class="level2"><div class="li"><a href="#llng1">LL::NG</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="alfresco">Alfresco</h1>
<div class="level1">
<p>
<img src="alfresco_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Alfresco" [1-71] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://www.alfresco.com/" class="urlextern" title="https://www.alfresco.com/" rel="nofollow">Alfresco</a> is an ECM/BPM (enterprise content management and business process management) platform.
</p>
<p>
Since the 4.0 release, it offers an easy way to configure <abbr title="Single Sign On">SSO</abbr> thanks to authentication subsystems.
</p>
<p>
Authentication against <abbr title="LemonLDAP::NG">LL::NG</abbr> can be done through:
</p>
<ul>
<li class="level1"><div class="li">HTTP headers (<abbr title="LemonLDAP::NG">LL::NG</abbr> Handler)</div>
</li>
<li class="level1"><div class="li"><abbr title="Security Assertion Markup Language">SAML</abbr> 2 (<abbr title="LemonLDAP::NG">LL::NG</abbr> as SAML2 IDP)</div>
</li>
</ul>
<div class="notetip">Alfresco now recommends the SAML2 method.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [72-430] -->
<h2 class="sectionedit3" id="http_headers">HTTP headers</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "HTTP headers" [431-456] -->
<h3 class="sectionedit4" id="alfresco1">Alfresco</h3>
<div class="level3">
<div class="notetip">The official documentation can be found here: <a href="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" class="urlextern" title="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" rel="nofollow">http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html</a>
</div>
<p>
You need to find the following files in your Alfresco installation:
</p>
<ul>
<li class="level1"><div class="li"><code>alfresco-global.properties</code> (ex: <code>tomcat/shared/classes/alfresco-global.properties</code>)</div>
</li>
<li class="level1"><div class="li"><code>share-config-custom.xml</code> (ex: <code>tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml</code>)</div>
</li>
</ul>
<p>
The first configures <abbr title="Single Sign On">SSO</abbr> for the alfresco webapp, the second for the share webapp.
</p>
<p>
First edit <code>alfresco-global.properties</code> and add the following:
</p>
<pre class="code file java">### SSO ###
authentication.chain=external1:external
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=
external.authentication.proxyUserName=
external.authentication.proxyHeader=Auth-User
external.authentication.userIdPattern=</pre>
<p>
Then edit <code>share-config-custom.xml</code> and uncomment the last part. In the <code>&lt;endpoint&gt;</code>, change the <code>&lt;connector-id&gt;</code> value to <code>alfrescoHeader</code>, and in that connector change the <code>&lt;userHeader&gt;</code> value to <code>Auth-User</code>:
</p>
<pre class="code file xml">&lt;config evaluator="string-compare" condition="Remote"&gt;
   &lt;remote&gt;
      &lt;keystore&gt;
         &lt;path&gt;alfresco/web-extension/alfresco-system.p12&lt;/path&gt;
         &lt;type&gt;pkcs12&lt;/type&gt;
         &lt;password&gt;alfresco-system&lt;/password&gt;
      &lt;/keystore&gt;
      &lt;connector&gt;
         &lt;id&gt;alfrescoCookie&lt;/id&gt;
         &lt;name&gt;Alfresco Connector&lt;/name&gt;
         &lt;description&gt;Connects to an Alfresco instance using cookie-based authentication&lt;/description&gt;
         &lt;class&gt;org.alfresco.web.site.servlet.SlingshotAlfrescoConnector&lt;/class&gt;
      &lt;/connector&gt;
      &lt;connector&gt;
         &lt;id&gt;alfrescoHeader&lt;/id&gt;
         &lt;name&gt;Alfresco Connector&lt;/name&gt;
         &lt;description&gt;Connects to an Alfresco instance using header and cookie-based authentication&lt;/description&gt;
         &lt;class&gt;org.alfresco.web.site.servlet.SlingshotAlfrescoConnector&lt;/class&gt;
         &lt;userHeader&gt;Auth-User&lt;/userHeader&gt;
      &lt;/connector&gt;
      &lt;endpoint&gt;
         &lt;id&gt;alfresco&lt;/id&gt;
         &lt;name&gt;Alfresco - user access&lt;/name&gt;
         &lt;description&gt;Access to Alfresco Repository WebScripts that require user authentication&lt;/description&gt;
         &lt;connector-id&gt;alfrescoHeader&lt;/connector-id&gt;
         &lt;endpoint-url&gt;http://localhost:8080/alfresco/wcs&lt;/endpoint-url&gt;
         &lt;identity&gt;user&lt;/identity&gt;
         &lt;external-auth&gt;true&lt;/external-auth&gt;
      &lt;/endpoint&gt;
   &lt;/remote&gt;
&lt;/config&gt;</pre>
<p>
Restart Tomcat to apply the changes.
</p>
<div class="notewarning">Alfresco now logs in whichever user the <code>Auth-User</code> header names, with no further check: any request that reaches the Alfresco webapp directly with that header set is accepted. You must therefore restrict access to Alfresco so that only the <abbr title="LemonLDAP::NG">LL::NG</abbr> Handler can reach it (for example by network filtering in front of Tomcat).
</div>
</div>
<!-- EDIT4 SECTION "Alfresco" [457-3157] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">
</div>
<h4 id="headers">Headers</h4>
<div class="level4">
<p>
Just set the <code>Auth-User</code> header to the attribute that carries the user login, for example <code>$uid</code>.
</p>
</div>
<h4 id="rules">Rules</h4>
<div class="level4">
<p>
Set the default rule to what you need.
</p>
<p>
Other rules:
</p>
<ul>
<li class="level1"><div class="li">Unprotect access to some resources: <code>^/share/res =&gt; unprotect</code></div>
</li>
<li class="level1"><div class="li">Catch logout: <code>^/share/page/dologout =&gt; logout_app_sso</code></div>
</li>
</ul>
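<p>
The following Python script models the two mechanisms this page relies on: the rules above (evaluated, in this model, in order with first match winning and the default rule applying otherwise) and the <code>Auth-User</code> header that the warning in the Alfresco section says must only ever originate from the <abbr title="LemonLDAP::NG">LL::NG</abbr> Handler. It is an added example, not code from LemonLDAP::NG or Alfresco; the handler network range, the user names and the evaluation order are assumptions constructed for the illustration. It shows that an unprotected path receives no <code>Auth-User</code> header, that a header supplied by the browser is discarded before the handler sets its own, and that a request reaching the Alfresco webapp from outside the handler's network must be refused whatever header it carries.
</p>

```python
"""Simplified model of the LL::NG Handler in front of Alfresco.

Added example, not code from LemonLDAP::NG or Alfresco. Models the rule
evaluation ("unprotect", "logout_app_sso", default rule) and the Auth-User
header the handler sets, plus the trust boundary the page's warning asks
for: a client-supplied Auth-User never survives, and the Alfresco side only
trusts requests coming from the handler's network. The evaluation order,
the network range and all user names are constructed assumptions.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Mapping, Optional, Tuple

PROXY_HEADER = "Auth-User"  # external.authentication.proxyHeader on the page

# Rules from the page. Model: evaluated in this order, first match wins.
RULES = [
    (re.compile(r"^/share/res"), "unprotect"),
    (re.compile(r"^/share/page/dologout"), "logout_app_sso"),
]
DEFAULT_RULE = "accept"  # "Set the default rule to what you need"

# Constructed: the only network allowed to reach the Alfresco Tomcat.
HANDLER_NETWORKS = [ip_network("10.0.0.0/24")]


def evaluate_rule(path: str) -> str:
    """Return the rule that applies to a request path."""
    for pattern, rule in RULES:
        if pattern.search(path):
            return rule
    return DEFAULT_RULE


def handler_forward(path: str, client_headers: Mapping[str, str],
                    session_user: Optional[str]) -> Tuple[str, dict]:
    """Decide on a request and build the headers forwarded to Alfresco.

    Returns (decision, forwarded_headers); decision is 'unprotect',
    'accept', 'logout_app_sso' or 'redirect_to_portal'. Whatever the
    decision, a client-supplied proxy header is removed (case-insensitively)
    before the handler adds its own value from the SSO session.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != PROXY_HEADER.lower()}
    rule = evaluate_rule(path)
    if rule == "unprotect":
        return "unprotect", forwarded           # no session needed, no Auth-User set
    if session_user is None:
        return "redirect_to_portal", forwarded  # not authenticated: sent to the portal
    forwarded[PROXY_HEADER] = session_user      # the only place Auth-User is ever set
    return rule, forwarded


def alfresco_accepts(remote_addr: str, headers: Mapping[str, str]) -> Optional[str]:
    """Model of the restriction the warning requires on the Alfresco side.

    Alfresco trusts Auth-User blindly, so the only protection is that the
    request comes from the handler. Returns the user Alfresco would log in,
    or None when the request must be refused.
    """
    if not any(ip_address(remote_addr) in net for net in HANDLER_NETWORKS):
        return None  # direct access to Tomcat, bypassing the handler
    return headers.get(PROXY_HEADER) or None


if __name__ == "__main__":
    # A browser trying to set Auth-User itself gets the header overwritten.
    decision, hdrs = handler_forward("/share/page/user/jdoe/dashboard",
                                     {"auth-user": "admin"}, "jdoe")
    print(decision, hdrs)                                          # accept {'Auth-User': 'jdoe'}
    print(alfresco_accepts("10.0.0.5", hdrs))                      # jdoe
    print(alfresco_accepts("203.0.113.9", {"Auth-User": "admin"}))  # None
```

<p>
In a real deployment the <code>alfresco_accepts</code> check is not application code but a network restriction: a firewall rule or a Tomcat <code>RemoteAddrValve</code> that only admits the Handler's addresses. The model also makes the side effect of <code>unprotect</code> visible: resources matched by <code>^/share/res</code> are served without any <code>Auth-User</code>, which is what you want for static files and nothing else.
</p>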
</div>
<!-- EDIT5 SECTION "LL::NG" [3158-3497] -->
<h2 class="sectionedit6" id="saml2">SAML2</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "SAML2" [3498-3517] -->
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
<div class="level3">
<p>
Install the <abbr title="Security Assertion Markup Language">SAML</abbr> Alfresco module packages:
</p>
<pre class="code">cp alfresco-saml-repo-1.0.1.amp &lt;ALFRESCO_HOME&gt;/amps
cp alfresco-saml-share-1.0.1.amp &lt;ALFRESCO_HOME&gt;/amps_share
./bin/apply_amp.sh</pre>
<p>
Generate the <abbr title="Security Assertion Markup Language">SAML</abbr> key pair and certificate:
</p>
<pre class="code">keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS</pre>
<p>
Move the keystore into <code>alf_data/keystore</code> and declare it in <code>alfresco-global.properties</code>:
</p>
<pre class="code">mv my-saml.keystore alf_data/keystore
cat &lt;&lt; EOT &gt; alf_data/keystore/my-saml.keystore-metadata.properties
aliases=my-saml-key
keystore.password=change-me
my-saml-key.password=change-me
EOT
cat &lt;&lt; EOT &gt;&gt; tomcat/shared/classes/alfresco-global.properties
saml.keystore.location=\${dir.keystore}/my-saml.keystore
saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
EOT</pre>
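<p>
The keystore wiring above is easy to get subtly wrong: the alias in the metadata file must match the one given to <code>keytool</code>, every alias needs a password entry, and the <code>change-me</code> passwords are placeholders that must not survive into production. The following Python checker, an added example rather than Alfresco code, parses the two property fragments the page has you write (constructed copies are embedded, with an assumed <code>dir.keystore</code> value), resolves <code>${dir.keystore}</code> and reports those problems.
</p>

```python
"""Consistency check for the SAML keystore declaration above.

Added example, not Alfresco code. Parses the metadata properties file and
the alfresco-global.properties additions, resolves ${dir.keystore}, and
checks that every alias has a password, the keystore password is present,
and no password is still the page's 'change-me' placeholder. The
dir.keystore value below is an assumption.
"""
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value, '#'/'!' comments, blank lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(value: str, props: Dict[str, str]) -> str:
    """Expand ${name} references against the given properties (one level)."""
    out = value
    for key, val in props.items():
        out = out.replace("${%s}" % key, val)
    return out


def check_saml_keystore(global_props: str, metadata_props: str,
                        placeholder: str = "change-me") -> List[str]:
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings: List[str] = []
    g = parse_properties(global_props)
    m = parse_properties(metadata_props)

    # Both locations must be declared and must resolve to concrete paths.
    for key in ("saml.keystore.location", "saml.keystore.keyMetaData.location"):
        if key not in g:
            findings.append("missing %s in alfresco-global.properties" % key)
        elif "${" in resolve(g[key], g):
            findings.append("%s has an unresolved placeholder: %s" % (key, g[key]))

    # The metadata file must name the aliases and give a password for each.
    aliases = [a for a in m.get("aliases", "").split(",") if a]
    if not aliases:
        findings.append("metadata file lists no aliases")
    if "keystore.password" not in m:
        findings.append("metadata file has no keystore.password")
    elif m["keystore.password"] == placeholder:
        findings.append("keystore.password is still the placeholder")
    for alias in aliases:
        pw = m.get(alias + ".password")
        if pw is None:
            findings.append("no password for alias %s" % alias)
        elif pw == placeholder:
            findings.append("password for alias %s is still the placeholder" % alias)
    return findings


# Constructed copies of the two fragments from the page; dir.keystore is assumed.
GLOBAL_PROPS = """\
dir.keystore=/opt/alfresco/alf_data/keystore
saml.keystore.location=${dir.keystore}/my-saml.keystore
saml.keystore.keyMetaData.location=${dir.keystore}/my-saml.keystore-metadata.properties
"""

METADATA_PROPS = """\
aliases=my-saml-key
keystore.password=change-me
my-saml-key.password=change-me
"""

if __name__ == "__main__":
    for finding in check_saml_keystore(GLOBAL_PROPS, METADATA_PROPS):
        print("-", finding)
```

<p>
Run against the page's fragments as written, the checker reports both placeholder passwords; once they are replaced it returns no findings. The same two files are what Alfresco reads at start-up, so a mismatch between <code>aliases</code> and the <code>keytool -alias</code> value shows up here rather than as an opaque start-up failure.
</p>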
<p>
Then edit <code>share-config-custom.xml</code>:
</p>
<pre class="code file xml">...
&lt;config evaluator="string-compare" condition="CSRFPolicy" replace="true"&gt;
   &lt;!--
    If using https make a CSRFPolicy with replace="true" and override the properties section.
    Note, localhost is there to allow local checks to succeed.
    I.e.
    &lt;properties&gt;
       &lt;token&gt;Alfresco-CSRFToken&lt;/token&gt;
       &lt;referer&gt;https://your-domain.com/.*|http://localhost:8080/.*&lt;/referer&gt;
       &lt;origin&gt;https://your-domain.com|http://localhost:8080&lt;/origin&gt;
    &lt;/properties&gt;
   --&gt;
   &lt;filter&gt;
      &lt;!-- SAML SPECIFIC CONFIG - START --&gt;
      &lt;!--
       Since we have added the CSRF filter with filter-mapping of "/*" we will catch all public GET to avoid them
       having to pass through the remaining rules.
      --&gt;
      &lt;rule&gt;
         &lt;request&gt;
            &lt;method&gt;GET&lt;/method&gt;
            &lt;path&gt;/res/.*&lt;/path&gt;
         &lt;/request&gt;
      &lt;/rule&gt;
      &lt;!-- Incoming posts from IDPs do not require a token --&gt;
      &lt;rule&gt;
         &lt;request&gt;
            &lt;method&gt;POST&lt;/method&gt;
            &lt;path&gt;/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest&lt;/path&gt;
         &lt;/request&gt;
      &lt;/rule&gt;
      &lt;!-- SAML SPECIFIC CONFIG - STOP --&gt;
      &lt;!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml --&gt;
      &lt;!--
       Certain webscripts shall not be allowed to be accessed directly form the browser.
       Make sure to throw an error if they are used.
      --&gt;
      &lt;rule&gt;
         &lt;request&gt;
            &lt;path&gt;/proxy/alfresco/remoteadm/.*&lt;/path&gt;
         &lt;/request&gt;
         &lt;action name="throwError"&gt;
            &lt;param name="message"&gt;It is not allowed to access this url from your browser&lt;/param&gt;
         &lt;/action&gt;
      &lt;/rule&gt;
      &lt;!--
       Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.
       TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.
      --&gt;
      &lt;rule&gt;
         &lt;request&gt;
            &lt;method&gt;POST&lt;/method&gt;
            &lt;path&gt;/proxy/alfresco/api/publishing/channels/.+&lt;/path&gt;
         &lt;/request&gt;
         &lt;action name="assertReferer"&gt;
            &lt;param name="referer"&gt;{referer}&lt;/param&gt;
         &lt;/action&gt;
         &lt;action name="assertOrigin"&gt;
            &lt;param name="origin"&gt;{origin}&lt;/param&gt;
         &lt;/action&gt;
      &lt;/rule&gt;
      &lt;!--
       Certain Surf POST requests from the WebScript console must be allowed to pass without a token since
       the Surf WebScript console code can't be dependent on a Share specific filter.
      --&gt;
      &lt;rule&gt;
         &lt;request&gt;
            &lt;method&gt;POST&lt;/method&gt;
            &lt;path&gt;/page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console&lt;/path&gt;
         &lt;/request&gt;
         &lt;action name="assertReferer"&gt;
            &lt;param name="referer"&gt;{referer}&lt;/param&gt;
         &lt;/action&gt;
         &lt;action name="assertOrigin"&gt;
            &lt;param name="origin"&gt;{origin}&lt;/param&gt;
         &lt;/action&gt;
      &lt;/rule&gt;
      &lt;!-- Certain Share POST requests does NOT require a token --&gt;
      &lt;rule&gt;
         &lt;request&gt;
            &lt;method&gt;POST&lt;/method&gt;
            &lt;path&gt;/page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow&lt;/path&gt;
         &lt;/request&gt;
         &lt;action name="assertReferer"&gt;
            &lt;param name="referer"&gt;{referer}&lt;/param&gt;
         &lt;/action&gt;
         &lt;action name="assertOrigin"&gt;
            &lt;param name="origin"&gt;{origin}&lt;/param&gt;
         &lt;/action&gt;
      &lt;/rule&gt;
      &lt;!-- Assert logout is done from a valid domain, if so clear the token when logging out --&gt;
      &lt;rule&gt;
         &lt;request&gt;
            &lt;method&gt;POST&lt;/method&gt;
            &lt;path&gt;/page/dologout(\?.+)?&lt;/path&gt;
         &lt;/request&gt;
         &lt;action name="assertReferer"&gt;
            &lt;param name="referer"&gt;{referer}&lt;/param&gt;
         &lt;/action&gt;
         &lt;action name="assertOrigin"&gt;
            &lt;param name="origin"&gt;{origin}&lt;/param&gt;
         &lt;/action&gt;
         &lt;action name="clearToken"&gt;
            &lt;param name="session"&gt;{token}&lt;/param&gt;
            &lt;param name="cookie"&gt;{token}&lt;/param&gt;
         &lt;/action&gt;
      &lt;/rule&gt;
      &lt;!-- Make sure the first token is generated --&gt;
      &lt;rule&gt;
         &lt;request&gt;
< span class = "sc3" > < span class = "re1" > < session< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < attribute< / span > < span class = "re0" > name< / span > =< span class = "st0" > " _alf_USER_ID" < / span > < span class = "re2" > > < / span > < / span > .+< span class = "sc3" > < span class = "re1" > < /attribute< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < attribute< / span > < span class = "re0" > name< / span > =< span class = "st0" > " {token}" < / span > < span class = "re2" > /> < / span > < / span >
< span class = "sc-1" > < !-- empty attribute element indicates null, meaning the token has not yet been set --> < / span >
< span class = "sc3" > < span class = "re1" > < /session< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /request< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < action< / span > < span class = "re0" > name< / span > =< span class = "st0" > " generateToken" < / span > < span class = "re2" > > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " session" < / span > < span class = "re2" > > < / span > < / span > {token}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " cookie" < / span > < span class = "re2" > > < / span > < / span > {token}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /action< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /rule< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc-1" > < !-- Refresh token on new " page" visit when a user is logged in --> < / span >
< span class = "sc3" > < span class = "re1" > < rule< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < request< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < method< span class = "re2" > > < / span > < / span > < / span > GET< span class = "sc3" > < span class = "re1" > < /method< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < path< span class = "re2" > > < / span > < / span > < / span > /page/.*< span class = "sc3" > < span class = "re1" > < /path< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < session< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < attribute< / span > < span class = "re0" > name< / span > =< span class = "st0" > " _alf_USER_ID" < / span > < span class = "re2" > > < / span > < / span > .+< span class = "sc3" > < span class = "re1" > < /attribute< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < attribute< / span > < span class = "re0" > name< / span > =< span class = "st0" > " {token}" < / span > < span class = "re2" > > < / span > < / span > .+< span class = "sc3" > < span class = "re1" > < /attribute< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /session< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /request< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < action< / span > < span class = "re0" > name< / span > =< span class = "st0" > " generateToken" < / span > < span class = "re2" > > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " session" < / span > < span class = "re2" > > < / span > < / span > {token}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " cookie" < / span > < span class = "re2" > > < / span > < / span > {token}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /action< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /rule< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc-1" > < !--< / span >
< span class = "sc-1" > Verify multipart requests from logged in users contain the token as a parameter< / span >
< span class = "sc-1" > and also correct referer & origin header if available< / span >
< span class = "sc-1" > --> < / span >
< span class = "sc3" > < span class = "re1" > < rule< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < request< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < method< span class = "re2" > > < / span > < / span > < / span > POST< span class = "sc3" > < span class = "re1" > < /method< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < header< / span > < span class = "re0" > name< / span > =< span class = "st0" > " Content-Type" < / span > < span class = "re2" > > < / span > < / span > multipart/.+< span class = "sc3" > < span class = "re1" > < /header< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < session< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < attribute< / span > < span class = "re0" > name< / span > =< span class = "st0" > " _alf_USER_ID" < / span > < span class = "re2" > > < / span > < / span > .+< span class = "sc3" > < span class = "re1" > < /attribute< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /session< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /request< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < action< / span > < span class = "re0" > name< / span > =< span class = "st0" > " assertToken" < / span > < span class = "re2" > > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " session" < / span > < span class = "re2" > > < / span > < / span > {token}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " parameter" < / span > < span class = "re2" > > < / span > < / span > {token}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /action< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < action< / span > < span class = "re0" > name< / span > =< span class = "st0" > " assertReferer" < / span > < span class = "re2" > > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " referer" < / span > < span class = "re2" > > < / span > < / span > {referer}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /action< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < action< / span > < span class = "re0" > name< / span > =< span class = "st0" > " assertOrigin" < / span > < span class = "re2" > > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " origin" < / span > < span class = "re2" > > < / span > < / span > {origin}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /action< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /rule< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc-1" > < !--< / span >
< span class = "sc-1" > Verify that all remaining state changing requests from logged in users' requests contains a token in the< / span >
< span class = "sc-1" > header and correct referer & origin headers if available. We " catch" all content types since just setting it to< / span >
< span class = "sc-1" > " application/json.*" since a webscript that doesn't require a json request body otherwise would be< / span >
< span class = "sc-1" > successfully executed using i.e." text/plain" .< / span >
< span class = "sc-1" > --> < / span >
< span class = "sc3" > < span class = "re1" > < rule< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < request< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < method< span class = "re2" > > < / span > < / span > < / span > POST|PUT|DELETE< span class = "sc3" > < span class = "re1" > < /method< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < session< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < attribute< / span > < span class = "re0" > name< / span > =< span class = "st0" > " _alf_USER_ID" < / span > < span class = "re2" > > < / span > < / span > .+< span class = "sc3" > < span class = "re1" > < /attribute< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /session< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /request< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < action< / span > < span class = "re0" > name< / span > =< span class = "st0" > " assertToken" < / span > < span class = "re2" > > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " session" < / span > < span class = "re2" > > < / span > < / span > {token}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " header" < / span > < span class = "re2" > > < / span > < / span > {token}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /action< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < action< / span > < span class = "re0" > name< / span > =< span class = "st0" > " assertReferer" < / span > < span class = "re2" > > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " referer" < / span > < span class = "re2" > > < / span > < / span > {referer}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /action< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < action< / span > < span class = "re0" > name< / span > =< span class = "st0" > " assertOrigin" < / span > < span class = "re2" > > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < param< / span > < span class = "re0" > name< / span > =< span class = "st0" > " origin" < / span > < span class = "re2" > > < / span > < / span > {origin}< span class = "sc3" > < span class = "re1" > < /param< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /action< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /rule< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /filter< span class = "re2" > > < / span > < / span > < / span >
< span class = "sc3" > < span class = "re1" > < /config< span class = "re2" > > < / span > < / span > < / span >
...< / pre >
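< p >
The rule set above is easier to reason about when its matching and action semantics are spelled out. The following Python model is an added example written for this page; it is not Alfresco's own CSRFFilter code nor part of LemonLDAP::NG. It re-implements the &lt;request&gt; conditions (method, path, header and session attribute regexes) and the assertToken, assertReferer, assertOrigin, generateToken and clearToken actions, then traces constructed requests from one logged-in session through the rules in the order they appear in the configuration. Assumptions made by the model and not stated on this page: the first matching rule is the only one applied, the {token} placeholder is the name " Alfresco-CSRFToken" (an illustrative value), and {origin}/{referer} are a regex built from the entity id " http://alfresco.myecm.org:8080" shown in the Alfresco settings below. All request values are made up.
< / p >

```python
import re
import secrets
from dataclasses import dataclass, field

TOKEN = "Alfresco-CSRFToken"  # stands in for {token}; illustrative name, not taken from this page
ORIGIN_RE = r"http://alfresco\.myecm\.org:8080(/.*)?"  # {origin}/{referer}, built from the entity id

class CsrfError(Exception):
    """Raised when an assert* action rejects the request."""

@dataclass
class Request:
    method: str
    path: str                                    # path plus query string
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # server-side session attributes

def assert_header(req, name, pattern):
    """assertReferer/assertOrigin: a present header must match; an absent one is not checked."""
    value = req.headers.get(name)
    if value is not None and not re.fullmatch(pattern, value):
        raise CsrfError(f"{name} header {value!r} not allowed")

def assert_token(req, session_key, parameter=None, header=None):
    """assertToken: the session value must equal what the client echoed back (param or header)."""
    expected = req.session.get(session_key)
    sent = req.params.get(parameter) if parameter else req.headers.get(header)
    if expected is None or sent is None or not secrets.compare_digest(expected, sent):
        raise CsrfError("missing or mismatching CSRF token")

def generate_token(req, session_key, cookie):
    """generateToken: fresh random value in the session, exposed in a cookie for the page's JS."""
    req.session[session_key] = req.cookies[cookie] = secrets.token_urlsafe(32)

def clear_token(req, session_key, cookie):
    req.session.pop(session_key, None)
    req.cookies.pop(cookie, None)

LOGGED_IN = {"_alf_USER_ID": ".+"}
RULES = [  # same order as the <rule> elements in the configuration
    {"method": "POST", "path": r"/page/dologout(\?.+)?",  # logout only from a valid domain
     "actions": [lambda r: assert_header(r, "Referer", ORIGIN_RE),
                 lambda r: assert_header(r, "Origin", ORIGIN_RE),
                 lambda r: clear_token(r, TOKEN, TOKEN)]},
    {"session": {**LOGGED_IN, TOKEN: None},  # first token: attribute still unset
     "actions": [lambda r: generate_token(r, TOKEN, TOKEN)]},
    {"method": "GET", "path": r"/page/.*", "session": {**LOGGED_IN, TOKEN: ".+"},  # refresh
     "actions": [lambda r: generate_token(r, TOKEN, TOKEN)]},
    {"method": "POST", "headers": {"Content-Type": r"multipart/.+"}, "session": LOGGED_IN,
     "actions": [lambda r: assert_token(r, TOKEN, parameter=TOKEN),  # uploads: token as parameter
                 lambda r: assert_header(r, "Referer", ORIGIN_RE),
                 lambda r: assert_header(r, "Origin", ORIGIN_RE)]},
    {"method": "POST|PUT|DELETE", "session": LOGGED_IN,
     "actions": [lambda r: assert_token(r, TOKEN, header=TOKEN),  # everything else: token as header
                 lambda r: assert_header(r, "Referer", ORIGIN_RE),
                 lambda r: assert_header(r, "Origin", ORIGIN_RE)]},
]

def _ok(pattern, value):
    """A None pattern (an empty <attribute/> in the XML) means the attribute must be unset."""
    return value is None if pattern is None else bool(value is not None and re.fullmatch(pattern, value))

def matches(rule, req):
    return (_ok(rule.get("method", ".*"), req.method)
            and _ok(rule.get("path", ".*"), req.path)
            and all(_ok(p, req.headers.get(n)) for n, p in rule.get("headers", {}).items())
            and all(_ok(p, req.session.get(n)) for n, p in rule.get("session", {}).items()))

def evaluate(req):
    """Run the actions of the first matching rule (first-match is this model's assumption)."""
    for rule in RULES:
        if matches(rule, req):
            try:
                for action in rule["actions"]:
                    action(req)
            except CsrfError as e:
                return f"rejected: {e}"
            break
    return "allowed"

def demo():
    """Constructed requests from one logged-in session (all values are made up)."""
    session, here = {"_alf_USER_ID": "alice"}, "http://alfresco.myecm.org:8080"
    first = Request("GET", "/page/user/alice/dashboard", session=session)
    out = {"first_get": evaluate(first)}
    tok = first.cookies[TOKEN]  # generateToken put it in the session and the cookie
    out["xhr_with_header"] = evaluate(Request("POST", "/proxy/alfresco/api/node", session=session,
                                              headers={TOKEN: tok, "Origin": here}))
    out["forged_post"] = evaluate(Request("POST", "/proxy/alfresco/api/node", session=session,
                                          cookies={TOKEN: tok}, headers={"Origin": "http://evil.test"}))
    out["upload_with_param"] = evaluate(Request("POST", "/proxy/alfresco/api/upload", session=session,
        params={TOKEN: tok}, headers={"Content-Type": "multipart/form-data; boundary=x"}))
    out["logout_bad_referer"] = evaluate(Request("POST", "/page/dologout", session=session,
                                                 headers={"Referer": "http://evil.test/"}))
    out["token_kept"] = session.get(TOKEN) == tok  # refused logout never reached clearToken
    return out
```

< p >
The "forged_post" case is the one the filter exists for: a cross-site form submission carries the session cookie and the token cookie automatically, but cannot set the custom request header, and assertToken compares the header (or multipart parameter) against the server-side session, never against the cookie. The model also makes visible that requests without a _alf_USER_ID attribute match no rule and pass untouched, and that rule order matters under first-match: the multipart rule must precede the generic POST|PUT|DELETE rule or uploads would be checked for a header they do not carry.
< / p >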
< p >
Configure the < abbr title = "Security Assertion Markup Language" > SAML< / abbr > service provider using the Alfresco admin console (/alfresco/s/enterprise/admin/admin-saml).
< / p >
< p >
Set the following parameters:
< / p >
< ul >
< li class = "level1" > < div class = "li" > Enable < abbr title = "Security Assertion Markup Language" > SAML< / abbr > Authentication (< abbr title = "Single Sign On" > SSO< / abbr > ): on< / div >
< / li >
< li class = "level1" > < div class = "li" > Authentication service < abbr title = "Uniform Resource Locator" > URL< / abbr > : < a href = "https://auth.example.com/saml/singleSignOn" class = "urlextern" title = "https://auth.example.com/saml/singleSignOn" rel = "nofollow" > https://auth.example.com/saml/singleSignOn< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > Single Logout < abbr title = "Uniform Resource Locator" > URL< / abbr > : < a href = "https://auth.example.com/saml/singleLogout" class = "urlextern" title = "https://auth.example.com/saml/singleLogout" rel = "nofollow" > https://auth.example.com/saml/singleLogout< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > Single logout return < abbr title = "Uniform Resource Locator" > URL< / abbr > : < a href = "https://auth.example.com/saml/singleLogoutReturn" class = "urlextern" title = "https://auth.example.com/saml/singleLogoutReturn" rel = "nofollow" > https://auth.example.com/saml/singleLogoutReturn< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > Entity identification: < a href = "http://alfresco.myecm.org:8080/share" class = "urlextern" title = "http://alfresco.myecm.org:8080/share" rel = "nofollow" > http://alfresco.myecm.org:8080/share< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > User ID mapping: Subject/NameID< / div >
< / li >
< / ul >
< p >
To finish with Alfresco configuration, tick the “Enable < abbr title = "Security Assertion Markup Language" > SAML< / abbr > authentication (< abbr title = "Single Sign On" > SSO< / abbr > )” box.
< / p >
< / div >
< h3 class = "sectionedit8" id = "llng1" > LL::NG< / h3 >
< div class = "level3" >
< p >
Configure the < abbr title = "Security Assertion Markup Language" > SAML< / abbr > service and set a certificate as the signature public key in the metadata.
< / p >
< p >
Export the Alfresco < abbr title = "Security Assertion Markup Language" > SAML< / abbr > metadata from the admin console and import it into < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > .
< / p >
< p >
In the authentication response options, set:
< / p >
< ul >
< li class = "level1" > < div class = "li" > Default NameID Format: Unspecified< / div >
< / li >
< li class = "level1" > < div class = "li" > Force NameID session key: uid< / div >
< / li >
< / ul >
< p >
You can also define these exported attributes:
< / p >
< ul >
< li class = "level1" > < div class = "li" > GivenName< / div >
< / li >
< li class = "level1" > < div class = "li" > Surname< / div >
< / li >
< li class = "level1" > < div class = "li" > Email< / div >
< / li >
< / ul >
< / div >
< h2 class = "sectionedit9" id = "other_resources" > Other resources< / h2 >
< div class = "level2" >
< ul >
< li class = "level1" > < div class = "li" > < a href = "https://www.youtube.com/watch?v=5tS0XrC_-rw" class = "urlextern" title = "https://www.youtube.com/watch?v=5tS0XrC_-rw" rel = "nofollow" > DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi Belmekki< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > < a href = "https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" class = "urlextern" title = "https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" rel = "nofollow" > Setting up Alfresco SAML authentication with LemonLDAP::NG< / a > < / div >
< / li >
< / ul >
< / div >
< / div >
< / body >
< / html >