dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2f81f4b3b5
lemonldap-ng/doc/pages/documentation/current/applications/alfresco.html
Clément OUDOT 2f81f4b3b5 Update documentation
2019-02-12 17:32:02 +01:00

573 lines
46 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:alfresco</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,alfresco"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="alfresco.html"/>
<link rel="contents" href="alfresco.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:alfresco","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#http_headers">HTTP headers</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#alfresco1">Alfresco</a></div></li>
<li class="level2"><div class="li"><a href="#llng">LL::NG</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#headers">Headers</a></div></li>
<li class="level3"><div class="li"><a href="#rules">Rules</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#saml2">SAML2</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#alfresco2">Alfresco</a></div></li>
<li class="level2"><div class="li"><a href="#llng1">LL::NG</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="alfresco">Alfresco</h1>
<div class="level1">
<p>
<img src="alfresco_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Alfresco" [1-71] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://www.alfresco.com/" class="urlextern" title="https://www.alfresco.com/" rel="nofollow">Alfresco</a> is an ECM/BPM software.
</p>
<p>
Since 4.0 release, it offers an easy way to configure <abbr title="Single Sign On">SSO</abbr> thanks to authentication subsystems.
</p>
<p>
Authentication against <abbr title="LemonLDAP::NG">LL::NG</abbr> can be done trough:
</p>
<ul>
<li class="level1"><div class="li"> HTTP headers (<abbr title="LemonLDAP::NG">LL::NG</abbr> Handler)</div>
</li>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr> 2 (<abbr title="LemonLDAP::NG">LL::NG</abbr> as SAML2 IDP)</div>
</li>
</ul>
<div class="notetip">Alfresco now recommends SAML2 method
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [72-430] -->
<h2 class="sectionedit3" id="http_headers">HTTP headers</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "HTTP headers" [431-456] -->
<h3 class="sectionedit4" id="alfresco1">Alfresco</h3>
<div class="level3">
<div class="notetip">The official documentation can be found here: <a href="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" class="urlextern" title="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" rel="nofollow">http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html</a>
</div>
<p>
You need to find the following files in your Alfresco installation:
</p>
<ul>
<li class="level1"><div class="li"> <code>alfresco-global.properties</code> (ex: <code>tomcat/shared/classes/alfresco-global.properties</code>)</div>
</li>
<li class="level1"><div class="li"> <code>share-config-custom.xml</code> (ex: <code>tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml</code>)</div>
</li>
</ul>
<p>
The first will allow one to configure <abbr title="Single Sign On">SSO</abbr> for the alfresco webapp, and the other for the share webapp.
</p>
<p>
Edit first <code>alfresco-global.properties</code> and add the following:
</p>
<pre class="code file java">### SSO ###
authentication.<span class="me1">chain</span><span class="sy0">=</span>external1<span class="sy0">:</span>external
external.<span class="me1">authentication</span>.<span class="me1">enabled</span><span class="sy0">=</span><span class="kw2">true</span>
external.<span class="me1">authentication</span>.<span class="me1">defaultAdministratorUserNames</span><span class="sy0">=</span>
external.<span class="me1">authentication</span>.<span class="me1">proxyUserName</span><span class="sy0">=</span>
external.<span class="me1">authentication</span>.<span class="me1">proxyHeader</span><span class="sy0">=</span>Auth<span class="sy0">-</span>User
external.<span class="me1">authentication</span>.<span class="me1">userIdPattern</span><span class="sy0">=</span></pre>
<p>
Edit then <code>share-config-custom.xml</code> and uncomment the last part. In the <code>&lt;endpoint&gt;</code>, change <code>&lt;connector-id&gt;</code> value to <code>alfrescoHeader</code> and change the <code>&lt;userHeader&gt;</code> value to <code>Auth-User</code>:
</p>
<pre class="code file xml"> <span class="sc3"><span class="re1">&lt;config</span> <span class="re0">evaluator</span>=<span class="st0">&quot;string-compare&quot;</span> <span class="re0">condition</span>=<span class="st0">&quot;Remote&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;remote<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;keystore<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>alfresco/web-extension/alfresco-system.p12<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;type<span class="re2">&gt;</span></span></span>pkcs12<span class="sc3"><span class="re1">&lt;/type<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;password<span class="re2">&gt;</span></span></span>alfresco-system<span class="sc3"><span class="re1">&lt;/password<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/keystore<span class="re2">&gt;</span></span></span>
&nbsp;
<span class="sc3"><span class="re1">&lt;connector<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;id<span class="re2">&gt;</span></span></span>alfrescoCookie<span class="sc3"><span class="re1">&lt;/id<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco Connector<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Connects to an Alfresco instance using cookie-based authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;class<span class="re2">&gt;</span></span></span>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector<span class="sc3"><span class="re1">&lt;/class<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/connector<span class="re2">&gt;</span></span></span>
&nbsp;
<span class="sc3"><span class="re1">&lt;connector<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/id<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco Connector<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Connects to an Alfresco instance using header and cookie-based authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;class<span class="re2">&gt;</span></span></span>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector<span class="sc3"><span class="re1">&lt;/class<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;userHeader<span class="re2">&gt;</span></span></span>Auth-User<span class="sc3"><span class="re1">&lt;/userHeader<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/connector<span class="re2">&gt;</span></span></span>
&nbsp;
<span class="sc3"><span class="re1">&lt;endpoint<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;id<span class="re2">&gt;</span></span></span>alfresco<span class="sc3"><span class="re1">&lt;/id<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco - user access<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Access to Alfresco Repository WebScripts that require user authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;connector-id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/connector-id<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/wcs<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;identity<span class="re2">&gt;</span></span></span>user<span class="sc3"><span class="re1">&lt;/identity<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;external-auth<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/external-auth<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/endpoint<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/remote<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/config<span class="re2">&gt;</span></span></span></pre>
<p>
You need to restart Tomcat to apply changes.
</p>
<div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<!-- EDIT4 SECTION "Alfresco" [457-3157] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">
</div>
<h4 id="headers">Headers</h4>
<div class="level4">
<p>
Just set the <code>Auth-User</code> header with the attribute that carries the user login, for example <code>$uid</code>.
</p>
</div>
<h4 id="rules">Rules</h4>
<div class="level4">
<p>
Set the default rule to what you need.
</p>
<p>
Other rules:
</p>
<ul>
<li class="level1"><div class="li"> Unprotect access to some resources: <code>^/share/res =&gt; unprotect</code></div>
</li>
<li class="level1"><div class="li"> Catch logout: <code>^/share/page/dologout =&gt; logout_app_sso</code></div>
</li>
</ul>
</div>
<!-- EDIT5 SECTION "LL::NG" [3158-3497] -->
<h2 class="sectionedit6" id="saml2">SAML2</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "SAML2" [3498-3517] -->
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
<div class="level3">
<p>
Install <abbr title="Security Assertion Markup Language">SAML</abbr> Alfresco module package:
</p>
<pre class="code">cp alfresco-saml-repo-1.0.1.amp &lt;ALFRESCO_HOME&gt;/amps
cp alfresco-saml-share-1.0.1.amp &lt;ALFRESCO_HOME&gt;/amps_share
./bin/apply_amp.sh</pre>
<p>
Generate <abbr title="Security Assertion Markup Language">SAML</abbr> certificate:
</p>
<pre class="code">keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS</pre>
<p>
Export the keystore:
</p>
<pre class="code">mv my-saml.keystore alf_data/keystore
cat &lt;&lt;EOT &gt; alf_data/keystore/my-saml.keystore-metadata.properties
aliases=my-saml-key
keystore.password=change-me
my-saml-key.password=change-me
EOT
cat &lt;&lt;EOT &gt;&gt; tomcat/shared/classes/alfresco-global.properties
saml.keystore.location=\${dir.keystore}/my-saml.keystore
saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
EOT</pre>
<p>
Edit then <code>share-config-custom.xml</code>:
</p>
<pre class="code file xml"> ...
<span class="sc3"><span class="re1">&lt;config</span> <span class="re0">evaluator</span>=<span class="st0">&quot;string-compare&quot;</span> <span class="re0">condition</span>=<span class="st0">&quot;CSRFPolicy&quot;</span> <span class="re0">replace</span>=<span class="st0">&quot;true&quot;</span><span class="re2">&gt;</span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> If using https make a CSRFPolicy with replace=&quot;true&quot; and override the properties section.</span>
<span class="sc-1"> Note, localhost is there to allow local checks to succeed.</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1"> I.e.</span>
<span class="sc-1"> &lt;properties&gt;</span>
<span class="sc-1"> &lt;token&gt;Alfresco-CSRFToken&lt;/token&gt;</span>
<span class="sc-1"> &lt;referer&gt;https://your-domain.com/.*|http://localhost:8080/.*&lt;/referer&gt;</span>
<span class="sc-1"> &lt;origin&gt;https://your-domain.com|http://localhost:8080&lt;/origin&gt;</span>
<span class="sc-1"> &lt;/properties&gt;</span>
<span class="sc-1"> --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc3"><span class="re1">&lt;filter<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- SAML SPECIFIC CONFIG - START --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Since we have added the CSRF filter with filter-mapping of &quot;/*&quot; we will catch all public GET to avoid them</span>
<span class="sc-1"> having to pass through the remaining rules.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>GET<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/res/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Incoming posts from IDPs do not require a token --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- SAML SPECIFIC CONFIG - STOP --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Certain webscripts shall not be allowed to be accessed directly form the browser.</span>
<span class="sc-1"> Make sure to throw an error if they are used.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/proxy/alfresco/remoteadm/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;throwError&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;message&quot;</span><span class="re2">&gt;</span></span>It is not allowed to access this url from your browser<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.</span>
<span class="sc-1"> TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/proxy/alfresco/api/publishing/channels/.+<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Certain Surf POST requests from the WebScript console must be allowed to pass without a token since</span>
<span class="sc-1"> the Surf WebScript console code can't be dependent on a Share specific filter.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Certain Share POST requests does NOT require a token --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Assert logout is done from a valid domain, if so clear the token when logging out --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/dologout(\?.+)?<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;clearToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Make sure the first token is generated --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;{token}&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc-1">&lt;!-- empty attribute element indicates null, meaning the token has not yet been set --&gt;</span>
<span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;generateToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Refresh token on new &quot;page&quot; visit when a user is logged in --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>GET<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;{token}&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;generateToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Verify multipart requests from logged in users contain the token as a parameter</span>
<span class="sc-1"> and also correct referer &amp; origin header if available</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;header</span> <span class="re0">name</span>=<span class="st0">&quot;Content-Type&quot;</span><span class="re2">&gt;</span></span>multipart/.+<span class="sc3"><span class="re1">&lt;/header<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;parameter&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Verify that all remaining state changing requests from logged in users' requests contains a token in the</span>
<span class="sc-1"> header and correct referer &amp; origin headers if available. We &quot;catch&quot; all content types since just setting it to</span>
<span class="sc-1"> &quot;application/json.*&quot; since a webscript that doesn't require a json request body otherwise would be</span>
<span class="sc-1"> successfully executed using i.e.&quot;text/plain&quot;.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST|PUT|DELETE<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;header&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/filter<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/config<span class="re2">&gt;</span></span></span>
...</pre>
<p>
Configure <abbr title="Security Assertion Markup Language">SAML</abbr> service provider using the Alfresco admin console (/alfresco/s/enterprise/admin/admin-saml).
</p>
<p>
Set the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> Enable <abbr title="Security Assertion Markup Language">SAML</abbr> Authentication (<abbr title="Single Sign On">SSO</abbr>): on</div>
</li>
<li class="level1"><div class="li"> Authentication service <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleSignOn" class="urlextern" title="https://auth.example.com/saml/singleSignOn" rel="nofollow">https://auth.example.com/saml/singleSignOn</a></div>
</li>
<li class="level1"><div class="li"> Single Logout <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleLogout" class="urlextern" title="https://auth.example.com/saml/singleLogout" rel="nofollow">https://auth.example.com/saml/singleLogout</a></div>
</li>
<li class="level1"><div class="li"> Single logout return <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleLogoutReturn" class="urlextern" title="https://auth.example.com/saml/singleLogoutReturn" rel="nofollow">https://auth.example.com/saml/singleLogoutReturn</a></div>
</li>
<li class="level1"><div class="li"> Entity identification: <a href="http://alfresco.myecm.org:8080/share" class="urlextern" title="http://alfresco.myecm.org:8080/share" rel="nofollow">http://alfresco.myecm.org:8080/share</a></div>
</li>
<li class="level1"><div class="li"> User ID mapping: Subject/NameID</div>
</li>
</ul>
<p>
To finish with Alfresco configuration, tick the “Enable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (<abbr title="Single Sign On">SSO</abbr>)” box.
</p>
</div>
<!-- EDIT7 SECTION "Alfresco" [3518-14174] -->
<h3 class="sectionedit8" id="llng1">LL::NG</h3>
<div class="level3">
<p>
Configure <abbr title="Security Assertion Markup Language">SAML</abbr> service and set a certificate as signature public key in metadata.
</p>
<p>
Export Alfresco <abbr title="Security Assertion Markup Language">SAML</abbr> Metadata from admin console and import them in <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
<p>
In the authentication response option, set:
</p>
<ul>
<li class="level1"><div class="li"> Default NameID Format: Unspecified</div>
</li>
<li class="level1"><div class="li"> Force NameID session key: uid</div>
</li>
</ul>
<p>
And you can define these exported attributes:
</p>
<ul>
<li class="level1"><div class="li"> GivenName</div>
</li>
<li class="level1"><div class="li"> Surname</div>
</li>
<li class="level1"><div class="li"> Email</div>
</li>
</ul>
</div>
<!-- EDIT8 SECTION "LL::NG" [14175-14553] -->
<h2 class="sectionedit9" id="other_resources">Other resources</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <a href="https://www.youtube.com/watch?v=5tS0XrC_-rw" class="urlextern" title="https://www.youtube.com/watch?v=5tS0XrC_-rw" rel="nofollow">DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi Belmekki</a></div>
</li>
<li class="level1"><div class="li"> <a href="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" class="urlextern" title="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" rel="nofollow">Setting up Alfresco SAML authentication with LemonLDAP::NG</a></div>
</li>
</ul>
</div>
<!-- EDIT9 SECTION "Other resources" [14554-] --></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink