Alfresco is ECM/BPM software.
Since the 4.0 release, it offers an easy way to configure SSO thanks to its authentication subsystems.
You need to find the following files in your Alfresco installation:

- alfresco-global.properties (ex: tomcat/shared/classes/alfresco-global.properties)
- share-config-custom.xml (ex: tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml)

The first allows you to configure SSO for the alfresco webapp, the other for the share webapp.
First, edit alfresco-global.properties and add the following:

### SSO ###
authentication.chain=external1:external
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=
external.authentication.proxyUserName=
external.authentication.proxyHeader=Auth-User
external.authentication.userIdPattern=
Then edit share-config-custom.xml and uncomment the last part. In the <endpoint>, change the <connector-id> value to alfrescoHeader, and in the alfrescoHeader <connector>, set the <userHeader> value to Auth-User:

<config evaluator="string-compare" condition="Remote">
  <remote>
    <keystore>
      <path>alfresco/web-extension/alfresco-system.p12</path>
      <type>pkcs12</type>
      <password>alfresco-system</password>
    </keystore>
    <connector>
      <id>alfrescoCookie</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
    </connector>
    <connector>
      <id>alfrescoHeader</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      <userHeader>Auth-User</userHeader>
    </connector>
    <endpoint>
      <id>alfresco</id>
      <name>Alfresco - user access</name>
      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
      <connector-id>alfrescoHeader</connector-id>
      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
    </endpoint>
  </remote>
</config>
You need to restart Tomcat to apply changes.
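The two files above must agree on the header name: the repository (external.authentication.proxyHeader) and Share (the <userHeader> of the connector the alfresco endpoint points to) both have to use Auth-User, and the endpoint must keep <external-auth>true</external-auth>. The following script is an added example, not code from the original page or from Alfresco; it parses both files and reports any disagreement, and it also flags the empty external.authentication.proxyUserName, because with that value the repository trusts the header on every request it receives, so the alfresco webapp must only be reachable through the SSO proxy. The sample documents are constructed inline from the values shown on this page.

```python
"""Consistency check for Alfresco header-based SSO settings (added example).

Parses the SSO lines of alfresco-global.properties and the Remote block of
share-config-custom.xml, then checks that the repository and Share webapps
agree on the login header. Sample inputs are constructed so it runs offline.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the SSO lines added to alfresco-global.properties.
GLOBAL_PROPERTIES = """\
### SSO ###
authentication.chain=external1:external
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=
external.authentication.proxyUserName=
external.authentication.proxyHeader=Auth-User
external.authentication.userIdPattern=
"""

# Constructed sample: the part of share-config-custom.xml the check needs.
SHARE_CONFIG = """\
<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <connector>
        <id>alfrescoHeader</id>
        <userHeader>Auth-User</userHeader>
      </connector>
      <endpoint>
        <id>alfresco</id>
        <connector-id>alfrescoHeader</connector-id>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>
</alfresco-config>
"""


def parse_properties(text):
    """Parse Java .properties text (key=value lines, '#' or '!' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_sso_config(properties_text, share_xml_text):
    """Return (level, message) findings; no 'ERROR' entry means the files agree."""
    findings = []
    props = parse_properties(properties_text)
    # authentication.chain is a comma-separated list of id:type entries.
    chain_types = [e.partition(":")[2] for e in props.get("authentication.chain", "").split(",")]
    if "external" not in chain_types:
        findings.append(("ERROR", "authentication.chain contains no 'external' subsystem"))
    if props.get("external.authentication.enabled") != "true":
        findings.append(("ERROR", "external.authentication.enabled is not 'true'"))
    repo_header = props.get("external.authentication.proxyHeader", "")
    if not repo_header:
        findings.append(("ERROR", "external.authentication.proxyHeader is empty"))
    # Empty proxyUserName: the repository trusts the header on every request,
    # so direct access to the alfresco webapp must be limited to the SSO proxy.
    if not props.get("external.authentication.proxyUserName"):
        findings.append(("WARN", "external.authentication.proxyUserName is empty: only the "
                                 "SSO proxy may be allowed to reach the alfresco webapp"))
    root = ET.fromstring(share_xml_text)
    remote = next((c.find("remote") for c in root.iter("config")
                   if c.get("condition") == "Remote"), None)
    if remote is None:
        findings.append(("ERROR", "no <config condition=\"Remote\"> block with a <remote> element"))
        return findings
    connectors = {c.findtext("id"): c for c in remote.findall("connector")}
    endpoint = next((e for e in remote.findall("endpoint") if e.findtext("id") == "alfresco"), None)
    if endpoint is None:
        findings.append(("ERROR", "no <endpoint> with id 'alfresco'"))
        return findings
    if endpoint.findtext("external-auth") != "true":
        findings.append(("ERROR", "endpoint 'alfresco' does not set <external-auth>true</external-auth>"))
    connector_id = endpoint.findtext("connector-id")
    connector = connectors.get(connector_id)
    if connector is None:
        findings.append(("ERROR", "endpoint 'alfresco' references unknown connector '%s'" % connector_id))
        return findings
    share_header = connector.findtext("userHeader")
    if not share_header:
        findings.append(("ERROR", "connector '%s' has no <userHeader>" % connector_id))
    elif share_header.lower() != repo_header.lower():  # header names are case-insensitive
        findings.append(("ERROR", "header mismatch: Share sends '%s' but the repository expects '%s'"
                         % (share_header, repo_header)))
    return findings


if __name__ == "__main__":
    for level, message in check_sso_config(GLOBAL_PROPERTIES, SHARE_CONFIG):
        print("%s: %s" % (level, message))
```

Run it against the real files by reading them into the two arguments; with the values from this page it reports no error and one warning about the empty proxy user name.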
On the SSO side, just set the Auth-User header to the attribute that carries the user login, for example $uid.
You can intercept the logout with this rule: ^/share/page/dologout ⇒ logout_app_sso