573 lines
46 KiB
HTML
573 lines
46 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" dir="ltr">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:applications:alfresco</title>
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="index,follow"/>
|
|
<meta name="keywords" content="documentation,2.0,applications,alfresco"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="alfresco.html"/>
|
|
<link rel="contents" href="alfresco.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
|
|
<!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else -->
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
<!-- //endif -->
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:alfresco","namespace":"documentation:2.0:applications"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
|
|
<!-- //endif -->
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
|
|
<!-- //endif -->
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container">
|
|
<!-- TOC START -->
|
|
<div id="dw__toc">
|
|
<h3 class="toggle">Table of Contents</h3>
|
|
<div>
|
|
|
|
<ul class="toc">
|
|
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#http_headers">HTTP headers</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#alfresco1">Alfresco</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#llng">LL::NG</a></div>
|
|
<ul class="toc">
|
|
<li class="level3"><div class="li"><a href="#headers">Headers</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#rules">Rules</a></div></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#saml2">SAML2</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#alfresco2">Alfresco</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#llng1">LL::NG</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- TOC END -->
|
|
|
|
<h1 class="sectionedit1" id="alfresco">Alfresco</h1>
|
|
<div class="level1">
|
|
|
|
<p>
|
|
<img src="alfresco_logo.png" class="mediacenter" alt="" />
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT1 SECTION "Alfresco" [1-71] -->
|
|
<h2 class="sectionedit2" id="presentation">Presentation</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
<a href="https://www.alfresco.com/" class="urlextern" title="https://www.alfresco.com/" rel="nofollow">Alfresco</a> is an ECM/BPM software.
|
|
</p>
|
|
|
|
<p>
|
|
Since 4.0 release, it offers an easy way to configure <abbr title="Single Sign On">SSO</abbr> thanks to authentication subsystems.
|
|
</p>
|
|
|
|
<p>
|
|
Authentication against <abbr title="LemonLDAP::NG">LL::NG</abbr> can be done trough:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> HTTP headers (<abbr title="LemonLDAP::NG">LL::NG</abbr> Handler)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr> 2 (<abbr title="LemonLDAP::NG">LL::NG</abbr> as SAML2 IDP)</div>
|
|
</li>
|
|
</ul>
|
|
<div class="notetip">Alfresco now recommends SAML2 method
|
|
</div>
|
|
</div>
|
|
<!-- EDIT2 SECTION "Presentation" [72-430] -->
|
|
<h2 class="sectionedit3" id="http_headers">HTTP headers</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT3 SECTION "HTTP headers" [431-456] -->
|
|
<h3 class="sectionedit4" id="alfresco1">Alfresco</h3>
|
|
<div class="level3">
|
|
<div class="notetip">The official documentation can be found here: <a href="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" class="urlextern" title="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" rel="nofollow">http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html</a>
|
|
</div>
|
|
<p>
|
|
You need to find the following files in your Alfresco installation:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <code>alfresco-global.properties</code> (ex: <code>tomcat/shared/classes/alfresco-global.properties</code>)</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <code>share-config-custom.xml</code> (ex: <code>tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml</code>)</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
The first will allow to configure <abbr title="Single Sign On">SSO</abbr> for the alfresco webapp, and the other for the share webapp.
|
|
</p>
|
|
|
|
<p>
|
|
Edit first <code>alfresco-global.properties</code> and add the following:
|
|
</p>
|
|
<pre class="code file java">### SSO ###
|
|
authentication.<span class="me1">chain</span><span class="sy0">=</span>external1<span class="sy0">:</span>external
|
|
external.<span class="me1">authentication</span>.<span class="me1">enabled</span><span class="sy0">=</span><span class="kw2">true</span>
|
|
external.<span class="me1">authentication</span>.<span class="me1">defaultAdministratorUserNames</span><span class="sy0">=</span>
|
|
external.<span class="me1">authentication</span>.<span class="me1">proxyUserName</span><span class="sy0">=</span>
|
|
external.<span class="me1">authentication</span>.<span class="me1">proxyHeader</span><span class="sy0">=</span>Auth<span class="sy0">-</span>User
|
|
external.<span class="me1">authentication</span>.<span class="me1">userIdPattern</span><span class="sy0">=</span></pre>
|
|
|
|
<p>
|
|
Edit then <code>share-config-custom.xml</code> and uncomment the last part. In the <code><endpoint></code>, change <code><connector-id></code> value to <code>alfrescoHeader</code> and change the <code><userHeader></code> value to <code>Auth-User</code>:
|
|
</p>
|
|
<pre class="code file xml"> <span class="sc3"><span class="re1"><config</span> <span class="re0">evaluator</span>=<span class="st0">"string-compare"</span> <span class="re0">condition</span>=<span class="st0">"Remote"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><remote<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><keystore<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>alfresco/web-extension/alfresco-system.p12<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><type<span class="re2">></span></span></span>pkcs12<span class="sc3"><span class="re1"></type<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><password<span class="re2">></span></span></span>alfresco-system<span class="sc3"><span class="re1"></password<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></keystore<span class="re2">></span></span></span>
|
|
|
|
<span class="sc3"><span class="re1"><connector<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><id<span class="re2">></span></span></span>alfrescoCookie<span class="sc3"><span class="re1"></id<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><name<span class="re2">></span></span></span>Alfresco Connector<span class="sc3"><span class="re1"></name<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><description<span class="re2">></span></span></span>Connects to an Alfresco instance using cookie-based authentication<span class="sc3"><span class="re1"></description<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><class<span class="re2">></span></span></span>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector<span class="sc3"><span class="re1"></class<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></connector<span class="re2">></span></span></span>
|
|
|
|
<span class="sc3"><span class="re1"><connector<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><id<span class="re2">></span></span></span>alfrescoHeader<span class="sc3"><span class="re1"></id<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><name<span class="re2">></span></span></span>Alfresco Connector<span class="sc3"><span class="re1"></name<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><description<span class="re2">></span></span></span>Connects to an Alfresco instance using header and cookie-based authentication<span class="sc3"><span class="re1"></description<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><class<span class="re2">></span></span></span>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector<span class="sc3"><span class="re1"></class<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><userHeader<span class="re2">></span></span></span>Auth-User<span class="sc3"><span class="re1"></userHeader<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></connector<span class="re2">></span></span></span>
|
|
|
|
<span class="sc3"><span class="re1"><endpoint<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><id<span class="re2">></span></span></span>alfresco<span class="sc3"><span class="re1"></id<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><name<span class="re2">></span></span></span>Alfresco - user access<span class="sc3"><span class="re1"></name<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><description<span class="re2">></span></span></span>Access to Alfresco Repository WebScripts that require user authentication<span class="sc3"><span class="re1"></description<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><connector-id<span class="re2">></span></span></span>alfrescoHeader<span class="sc3"><span class="re1"></connector-id<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><endpoint-url<span class="re2">></span></span></span>http://localhost:8080/alfresco/wcs<span class="sc3"><span class="re1"></endpoint-url<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><identity<span class="re2">></span></span></span>user<span class="sc3"><span class="re1"></identity<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><external-auth<span class="re2">></span></span></span>true<span class="sc3"><span class="re1"></external-auth<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></endpoint<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></remote<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></config<span class="re2">></span></span></span></pre>
|
|
|
|
<p>
|
|
You need to restart Tomcat to apply changes.
|
|
</p>
|
|
<div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT4 SECTION "Alfresco" [457-3153] -->
|
|
<h3 class="sectionedit5" id="llng">LL::NG</h3>
|
|
<div class="level3">
|
|
|
|
</div>
|
|
|
|
<h4 id="headers">Headers</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
Just set the <code>Auth-User</code> header with the attribute that carries the user login, for example <code>$uid</code>.
|
|
</p>
|
|
|
|
</div>
|
|
|
|
<h4 id="rules">Rules</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
Set the default rule to what you need.
|
|
</p>
|
|
|
|
<p>
|
|
Other rules:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Unprotect access to some resources: <code>^/share/res ⇒ unprotect</code></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Catch logout: <code>^/share/page/dologout ⇒ logout_app_sso</code></div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT5 SECTION "LL::NG" [3154-3493] -->
|
|
<h2 class="sectionedit6" id="saml2">SAML2</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT6 SECTION "SAML2" [3494-3513] -->
|
|
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Install <abbr title="Security Assertion Markup Language">SAML</abbr> Alfresco module package:
|
|
</p>
|
|
<pre class="code">cp alfresco-saml-repo-1.0.1.amp <ALFRESCO_HOME>/amps
|
|
cp alfresco-saml-share-1.0.1.amp <ALFRESCO_HOME>/amps_share
|
|
./bin/apply_amp.sh</pre>
|
|
|
|
<p>
|
|
Generate <abbr title="Security Assertion Markup Language">SAML</abbr> certificate:
|
|
</p>
|
|
<pre class="code">keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS</pre>
|
|
|
|
<p>
|
|
Export the keystore:
|
|
</p>
|
|
<pre class="code">mv my-saml.keystore alf_data/keystore
|
|
cat <<EOT > alf_data/keystore/my-saml.keystore-metadata.properties
|
|
aliases=my-saml-key
|
|
keystore.password=change-me
|
|
my-saml-key.password=change-me
|
|
EOT
|
|
cat <<EOT >> tomcat/shared/classes/alfresco-global.properties
|
|
|
|
saml.keystore.location=\${dir.keystore}/my-saml.keystore
|
|
saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
|
|
EOT</pre>
|
|
|
|
<p>
|
|
Edit then <code>share-config-custom.xml</code>:
|
|
</p>
|
|
<pre class="code file xml"> ...
|
|
<span class="sc3"><span class="re1"><config</span> <span class="re0">evaluator</span>=<span class="st0">"string-compare"</span> <span class="re0">condition</span>=<span class="st0">"CSRFPolicy"</span> <span class="re0">replace</span>=<span class="st0">"true"</span><span class="re2">></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!--</span>
|
|
<span class="sc-1"> If using https make a CSRFPolicy with replace="true" and override the properties section.</span>
|
|
<span class="sc-1"> Note, localhost is there to allow local checks to succeed.</span>
|
|
|
|
|
|
|
|
<span class="sc-1"> I.e.</span>
|
|
<span class="sc-1"> <properties></span>
|
|
<span class="sc-1"> <token>Alfresco-CSRFToken</token></span>
|
|
<span class="sc-1"> <referer>https://your-domain.com/.*|http://localhost:8080/.*</referer></span>
|
|
<span class="sc-1"> <origin>https://your-domain.com|http://localhost:8080</origin></span>
|
|
<span class="sc-1"> </properties></span>
|
|
<span class="sc-1"> --></span>
|
|
|
|
|
|
|
|
<span class="sc3"><span class="re1"><filter<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!-- SAML SPECIFIC CONFIG - START --></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!--</span>
|
|
<span class="sc-1"> Since we have added the CSRF filter with filter-mapping of "/*" we will catch all public GET's to avoid them</span>
|
|
<span class="sc-1"> having to pass through the remaining rules.</span>
|
|
<span class="sc-1"> --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>GET<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>/res/.*<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!-- Incoming posts from IDPs do not require a token --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>POST<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!-- SAML SPECIFIC CONFIG - STOP --></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml --></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!--</span>
|
|
<span class="sc-1"> Certain webscripts shall not be allowed to be accessed directly form the browser.</span>
|
|
<span class="sc-1"> Make sure to throw an error if they are used.</span>
|
|
<span class="sc-1"> --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>/proxy/alfresco/remoteadm/.*<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"throwError"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"message"</span><span class="re2">></span></span>It is not allowed to access this url from your browser<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!--</span>
|
|
<span class="sc-1"> Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.</span>
|
|
<span class="sc-1"> TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.</span>
|
|
<span class="sc-1"> --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>POST<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>/proxy/alfresco/api/publishing/channels/.+<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertReferer"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"referer"</span><span class="re2">></span></span>{referer}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertOrigin"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"origin"</span><span class="re2">></span></span>{origin}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!--</span>
|
|
<span class="sc-1"> Certain Surf POST requests from the WebScript console must be allowed to pass without a token since</span>
|
|
<span class="sc-1"> the Surf WebScript console code can't be dependent on a Share specific filter.</span>
|
|
<span class="sc-1"> --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>POST<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>/page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertReferer"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"referer"</span><span class="re2">></span></span>{referer}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertOrigin"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"origin"</span><span class="re2">></span></span>{origin}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!-- Certain Share POST requests does NOT require a token --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>POST<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>/page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertReferer"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"referer"</span><span class="re2">></span></span>{referer}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertOrigin"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"origin"</span><span class="re2">></span></span>{origin}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!-- Assert logout is done from a valid domain, if so clear the token when logging out --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>POST<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>/page/dologout(\?.+)?<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertReferer"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"referer"</span><span class="re2">></span></span>{referer}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertOrigin"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"origin"</span><span class="re2">></span></span>{origin}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"clearToken"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"session"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"cookie"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!-- Make sure the first token is generated --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><session<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><attribute</span> <span class="re0">name</span>=<span class="st0">"_alf_USER_ID"</span><span class="re2">></span></span>.+<span class="sc3"><span class="re1"></attribute<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><attribute</span> <span class="re0">name</span>=<span class="st0">"{token}"</span><span class="re2">/></span></span>
|
|
<span class="sc-1"><!-- empty attribute element indicates null, meaning the token has not yet been set --></span>
|
|
<span class="sc3"><span class="re1"></session<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"generateToken"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"session"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"cookie"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!-- Refresh token on new "page" visit when a user is logged in --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>GET<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><path<span class="re2">></span></span></span>/page/.*<span class="sc3"><span class="re1"></path<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><session<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><attribute</span> <span class="re0">name</span>=<span class="st0">"_alf_USER_ID"</span><span class="re2">></span></span>.+<span class="sc3"><span class="re1"></attribute<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><attribute</span> <span class="re0">name</span>=<span class="st0">"{token}"</span><span class="re2">></span></span>.+<span class="sc3"><span class="re1"></attribute<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></session<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"generateToken"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"session"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"cookie"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!--</span>
|
|
<span class="sc-1"> Verify multipart requests from logged in users contain the token as a parameter</span>
|
|
<span class="sc-1"> and also correct referer & origin header if available</span>
|
|
<span class="sc-1"> --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>POST<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><header</span> <span class="re0">name</span>=<span class="st0">"Content-Type"</span><span class="re2">></span></span>multipart/.+<span class="sc3"><span class="re1"></header<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><session<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><attribute</span> <span class="re0">name</span>=<span class="st0">"_alf_USER_ID"</span><span class="re2">></span></span>.+<span class="sc3"><span class="re1"></attribute<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></session<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertToken"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"session"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"parameter"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertReferer"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"referer"</span><span class="re2">></span></span>{referer}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertOrigin"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"origin"</span><span class="re2">></span></span>{origin}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
|
|
|
|
|
|
<span class="sc-1"><!--</span>
|
|
<span class="sc-1"> Verify that all remaining state changing requests from logged in users' requests contains a token in the</span>
|
|
<span class="sc-1"> header and correct referer & origin headers if available. We "catch" all content types since just setting it to</span>
|
|
<span class="sc-1"> "application/json.*" since a webscript that doesn't require a json request body otherwise would be</span>
|
|
<span class="sc-1"> successfully executed using i.e."text/plain".</span>
|
|
<span class="sc-1"> --></span>
|
|
<span class="sc3"><span class="re1"><rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><method<span class="re2">></span></span></span>POST|PUT|DELETE<span class="sc3"><span class="re1"></method<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><session<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><attribute</span> <span class="re0">name</span>=<span class="st0">"_alf_USER_ID"</span><span class="re2">></span></span>.+<span class="sc3"><span class="re1"></attribute<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></session<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></request<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertToken"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"session"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"header"</span><span class="re2">></span></span>{token}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertReferer"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"referer"</span><span class="re2">></span></span>{referer}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"><action</span> <span class="re0">name</span>=<span class="st0">"assertOrigin"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><param</span> <span class="re0">name</span>=<span class="st0">"origin"</span><span class="re2">></span></span>{origin}<span class="sc3"><span class="re1"></param<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></action<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></rule<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></filter<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></config<span class="re2">></span></span></span>
|
|
...</pre>
|
|
|
|
<p>
|
|
Configure <abbr title="Security Assertion Markup Language">SAML</abbr> service provider using the Alfresco admin console (/alfresco/s/enterprise/admin/admin-saml).
|
|
</p>
|
|
|
|
<p>
|
|
Set the following parameters:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Enable <abbr title="Security Assertion Markup Language">SAML</abbr> Authentication (<abbr title="Single Sign On">SSO</abbr>): on</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Authentication service <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleSignOn" class="urlextern" title="https://auth.example.com/saml/singleSignOn" rel="nofollow">https://auth.example.com/saml/singleSignOn</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Single Logout <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleLogout" class="urlextern" title="https://auth.example.com/saml/singleLogout" rel="nofollow">https://auth.example.com/saml/singleLogout</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Single logout return <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleLogoutReturn" class="urlextern" title="https://auth.example.com/saml/singleLogoutReturn" rel="nofollow">https://auth.example.com/saml/singleLogoutReturn</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Entity identification: <a href="http://alfresco.myecm.org:8080/share" class="urlextern" title="http://alfresco.myecm.org:8080/share" rel="nofollow">http://alfresco.myecm.org:8080/share</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> User ID mapping: Subject/NameID</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
To finish with Alfresco configuration, tick the “Enable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (<abbr title="Single Sign On">SSO</abbr>)” box.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT7 SECTION "Alfresco" [3514-14172] -->
|
|
<h3 class="sectionedit8" id="llng1">LL::NG</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Configure <abbr title="Security Assertion Markup Language">SAML</abbr> service and set a certificate as signature public key in metadata.
|
|
</p>
|
|
|
|
<p>
|
|
Export Alfresco <abbr title="Security Assertion Markup Language">SAML</abbr> Metadata from admin console and import them in <abbr title="LemonLDAP::NG">LL::NG</abbr>.
|
|
</p>
|
|
|
|
<p>
|
|
In the authentication response option, set:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Default NameID Format: Unspecified</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Force NameID session key: uid</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
And you can define these exported attributes:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> GivenName</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Surname</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Email</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT8 SECTION "LL::NG" [14173-14551] -->
|
|
<h2 class="sectionedit9" id="other_resources">Other resources</h2>
|
|
<div class="level2">
|
|
<ul>
|
|
<li class="level1"><div class="li"> <a href="https://www.youtube.com/watch?v=5tS0XrC_-rw" class="urlextern" title="https://www.youtube.com/watch?v=5tS0XrC_-rw" rel="nofollow">DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi Belmekki</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <a href="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" class="urlextern" title="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" rel="nofollow">Setting up Alfresco SAML authentication with LemonLDAP::NG</a></div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT9 SECTION "Other resources" [14552-] --></div>
|
|
</body>
|
|
</html>
|