Alfresco is an ECM/BPM software.

Since the 4.0 release, it offers an easy way to configure SSO thanks to authentication subsystems.

Authentication against LL::NG can be done through SAML2 (the method Alfresco now recommends) or through HTTP headers.


The official documentation can be found here:

You need to find the following files in your Alfresco installation:

The first one allows you to configure SSO for the alfresco webapp, the other one for the share webapp.

Edit the first one and add the following:

   ### SSO ###

Then edit share-config-custom.xml and uncomment the last part. In the <endpoint>, change the <connector-id> value to alfrescoHeader and change the <userHeader> value to Auth-User:

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
         </connector>
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <userHeader>Auth-User</userHeader>
         </connector>
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
         </endpoint>
      </remote>
   </config>

You need to restart Tomcat to apply the changes.

Now you can log in with a simple HTTP header. Because Alfresco trusts whatever arrives in that header, you need to restrict access to Alfresco so that only LL::NG can reach it.



Just set the Auth-User header with the attribute that carries the user login, for example $uid.
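The following is an added illustration (not LL::NG or Alfresco code) of why Alfresco must be reachable only through LL::NG once it trusts the Auth-User header. The session table, cookie name and backend are constructed stand-ins; the handler shows the two things a front end must do before forwarding: refuse requests without a valid session, and replace every client-supplied copy of the headers it owns (in any case variant) with values taken from the session, here Auth-User from $uid.

```python
# Added illustration, not LL::NG or Alfresco code: why Alfresco must be reachable
# only through the LL::NG handler once it trusts the Auth-User header.

# Constructed stand-in for the LL::NG session store: cookie value -> user attributes.
SESSIONS = {
    "sess-1234": {"uid": "jdoe", "mail": "jdoe@example.com"},
}

# Exported headers as configured in the LL::NG virtual host: header name -> attribute.
HEADER_MAP = {"Auth-User": "$uid"}


def _lower(headers):
    """Normalise header names: HTTP header names are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def _cookies(header_value):
    """Minimal Cookie header parser (constructed for this example)."""
    out = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def alfresco_backend(headers):
    """Stand-in for Alfresco with external authentication enabled and the proxy
    header set to Auth-User: the value of that header is trusted as the user."""
    user = _lower(headers).get("auth-user")
    if not user:
        return {"status": 401, "user": None}
    return {"status": 200, "user": user}


def unprotected_proxy(headers):
    """Direct access, or a proxy that forwards client headers untouched:
    the client picks its own identity."""
    return alfresco_backend(headers)


def llng_handler(headers, header_map=HEADER_MAP):
    """What a handler in front of Alfresco must do: reject requests without a
    valid session, drop every inbound copy of the headers it owns (whatever the
    letter case), then set them from session attributes before forwarding."""
    session_id = _cookies(_lower(headers).get("cookie", "")).get("lemonldap")
    session = SESSIONS.get(session_id)
    if session is None:
        # Unauthenticated: redirect to the portal, nothing reaches Alfresco.
        return {"status": 302, "user": None}
    owned = {h.lower() for h in header_map}
    forwarded = {k: v for k, v in headers.items() if k.lower() not in owned}
    for header, attr in header_map.items():
        forwarded[header] = session[attr.lstrip("$")]
    return alfresco_backend(forwarded)


if __name__ == "__main__":
    spoof = {"AUTH-USER": "admin"}
    print("direct access:", unprotected_proxy(spoof))
    print("via handler, no session:", llng_handler(spoof))
    print("via handler, with session:", llng_handler({**spoof, "Cookie": "lemonldap=sess-1234"}))
```

Run directly, the script shows the unprotected path logging the caller in as whatever it asked for, while the handler path either redirects or overwrites the header with the session's uid. The case-insensitive comparison matters: a filter that only removes the exact spelling Auth-User would still forward AUTH-USER.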


Set the default rule to what you need.

Other rules:



Install the Alfresco SAML module packages:

   cp alfresco-saml-repo-1.0.1.amp <ALFRESCO_HOME>/amps
   cp alfresco-saml-share-1.0.1.amp <ALFRESCO_HOME>/amps_share

Generate the SAML key pair and certificate:

   keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS

Export the keystore:

   mv my-saml.keystore alf_data/keystore
   cat <<EOT > alf_data/keystore/
   cat <<EOT >> tomcat/shared/classes/


Then edit share-config-custom.xml:

        <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
            <!--
             If using https make a CSRFPolicy with replace="true" and override the properties section.
             Note, localhost is there to allow local checks to succeed.
            -->
                <!-- SAML SPECIFIC CONFIG -  START -->
                <!--
                 Since we have added the CSRF filter with filter-mapping of "/*" we will catch all public GET to avoid them
                 having to pass through the remaining rules.
                -->
                <!-- Incoming posts from IDPs do not require a token -->
                <!-- SAML SPECIFIC CONFIG -  STOP -->
                <!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml -->
                <!--
                 Certain webscripts shall not be allowed to be accessed directly from the browser.
                 Make sure to throw an error if they are used.
                -->
                    <action name="throwError">
                        <param name="message">It is not allowed to access this url from your browser</param>
                    </action>
                <!--
                 Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.
                 TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.
                -->
                    <action name="assertReferer">
                        <param name="referer">{referer}</param>
                    </action>
                    <action name="assertOrigin">
                        <param name="origin">{origin}</param>
                    </action>
                <!--
                 Certain Surf POST requests from the WebScript console must be allowed to pass without a token since
                 the Surf WebScript console code can't be dependent on a Share specific filter.
                -->
                    <action name="assertReferer">
                        <param name="referer">{referer}</param>
                    </action>
                    <action name="assertOrigin">
                        <param name="origin">{origin}</param>
                    </action>
                <!-- Certain Share POST requests do NOT require a token -->
                    <action name="assertReferer">
                        <param name="referer">{referer}</param>
                    </action>
                    <action name="assertOrigin">
                        <param name="origin">{origin}</param>
                    </action>
                <!-- Assert logout is done from a valid domain, if so clear the token when logging out -->
                    <action name="assertReferer">
                        <param name="referer">{referer}</param>
                    </action>
                    <action name="assertOrigin">
                        <param name="origin">{origin}</param>
                    </action>
                    <action name="clearToken">
                        <param name="session">{token}</param>
                        <param name="cookie">{token}</param>
                    </action>
                <!-- Make sure the first token is generated -->
                            <attribute name="_alf_USER_ID">.+</attribute>
                            <attribute name="{token}"/>
                            <!-- empty attribute element indicates null, meaning the token has not yet been set -->
                    <action name="generateToken">
                        <param name="session">{token}</param>
                        <param name="cookie">{token}</param>
                    </action>
                <!-- Refresh token on new "page" visit when a user is logged in -->
                            <attribute name="_alf_USER_ID">.+</attribute>
                            <attribute name="{token}">.+</attribute>
                    <action name="generateToken">
                        <param name="session">{token}</param>
                        <param name="cookie">{token}</param>
                    </action>
                <!--
                 Verify multipart requests from logged in users contain the token as a parameter
                 and also correct referer & origin header if available
                -->
                        <header name="Content-Type">multipart/.+</header>
                            <attribute name="_alf_USER_ID">.+</attribute>
                    <action name="assertToken">
                        <param name="session">{token}</param>
                        <param name="parameter">{token}</param>
                    </action>
                    <action name="assertReferer">
                        <param name="referer">{referer}</param>
                    </action>
                    <action name="assertOrigin">
                        <param name="origin">{origin}</param>
                    </action>
                <!--
                 Verify that all remaining state changing requests from logged in users' requests contain a token in the
                 header and correct referer & origin headers if available. We "catch" all content types instead of just setting it to
                 "application/json.*", since a webscript that doesn't require a json request body would otherwise be
                 successfully executed using e.g. "text/plain".
                -->
                            <attribute name="_alf_USER_ID">.+</attribute>
                    <action name="assertToken">
                        <param name="session">{token}</param>
                        <param name="header">{token}</param>
                    </action>
                    <action name="assertReferer">
                        <param name="referer">{referer}</param>
                    </action>
                    <action name="assertOrigin">
                        <param name="origin">{origin}</param>
                    </action>
        </config>

Configure SAML service provider using the Alfresco admin console (/alfresco/s/enterprise/admin/admin-saml).

Set the following parameters:

To finish with Alfresco configuration, tick the “Enable SAML authentication (SSO)” box.


In LL::NG, configure the SAML service and set a certificate as the signature public key in the metadata.

Export the Alfresco SAML metadata from the admin console and import it into LL::NG.
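Before importing the exported Service Provider metadata into LL::NG, it is worth checking what it declares and that the signing certificate in it is the one created with keytool above. The following is an added example, not LL::NG or Alfresco code: it parses SP metadata with the standard library and compares its signing certificate with a PEM export of the keystore certificate (as produced by `keytool -exportcert -rfc`). The metadata document, entityID, ACS location and certificate bodies below are constructed placeholders, not real Alfresco values or a real X.509 certificate.

```python
# Added example, not LL::NG or Alfresco code: inspect exported SP metadata and
# confirm its signing certificate matches the keystore certificate.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata; entityID, Location and the certificate body are
# placeholders (the "certificate" is just base64 of the text "placeholder-cert").
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="alfresco-sp-PLACEHOLDER">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        cGxhY2Vob2xkZXIt
        Y2VydA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://alfresco.example.com/alfresco/saml-acs-PLACEHOLDER" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed PEM standing in for `keytool -exportcert -rfc -alias my-saml-key ...` output.
KEYSTORE_CERT_PEM = """-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItY2VydA==
-----END CERTIFICATE-----
"""


def pem_to_der(pem):
    """Strip the PEM armour and decode the base64 body to DER bytes."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der):
    """SHA-256 fingerprint of DER bytes, as hex, for comparing certificates by eye."""
    return hashlib.sha256(der).hexdigest()


def parse_sp_metadata(xml_text):
    """Return the entityID, assertion consumer endpoints, signing flags and
    signing certificates (as DER bytes) declared in SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    acs = [
        {"binding": a.get("Binding"), "location": a.get("Location"), "index": a.get("index")}
        for a in sp.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": acs,
        "signing_certs": certs,
    }


def signing_cert_matches(metadata, keystore_pem):
    """True when the keystore certificate is among the metadata's signing certificates."""
    return pem_to_der(keystore_pem) in metadata["signing_certs"]


if __name__ == "__main__":
    md = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID:", md["entity_id"])
    for a in md["acs"]:
        print("ACS:", a["binding"], a["location"])
    for der in md["signing_certs"]:
        print("signing cert sha256:", fingerprint(der))
    print("keystore cert matches metadata:", signing_cert_matches(md, KEYSTORE_CERT_PEM))
```

A mismatch here means LL::NG would validate Alfresco's signed requests against the wrong key; the fingerprint printed for the metadata certificate should be the same one keytool reports for the my-saml-key alias.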

In the authentication response option, set:

And you can define these exported attributes:

