alfresco.html 46 KB
Newer Older
Clément OUDOT's avatar
Clément OUDOT committed
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:applications:alfresco</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,alfresco"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="alfresco.html"/>
<link rel="contents" href="alfresco.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:alfresco","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#http_headers">HTTP headers</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#alfresco1">Alfresco</a></div></li>
<li class="level2"><div class="li"><a href="#llng">LL::NG</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#headers">Headers</a></div></li>
<li class="level3"><div class="li"><a href="#rules">Rules</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#saml2">SAML2</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#alfresco2">Alfresco</a></div></li>
<li class="level2"><div class="li"><a href="#llng1">LL::NG</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="alfresco">Alfresco</h1>
<div class="level1">

<p>
<img src="alfresco_logo.png" class="mediacenter" alt="" />
</p>

</div>
<!-- EDIT1 SECTION "Alfresco" [1-71] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
<a href="https://www.alfresco.com/" class="urlextern" title="https://www.alfresco.com/"  rel="nofollow">Alfresco</a> is ECM/BPM software.
</p>

<p>
Since release 4.0, it has offered an easy way to configure <abbr title="Single Sign On">SSO</abbr> through its authentication subsystems.
</p>

<p>
Authentication against <abbr title="LemonLDAP::NG">LL::NG</abbr> can be done through:
</p>
<ul>
<li class="level1"><div class="li"> HTTP headers (<abbr title="LemonLDAP::NG">LL::NG</abbr> Handler)</div>
</li>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr> 2 (<abbr title="LemonLDAP::NG">LL::NG</abbr> as SAML2 IDP)</div>
</li>
</ul>
<div class="notetip">Alfresco now recommends the SAML2 method.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [72-430] -->
<h2 class="sectionedit3" id="http_headers">HTTP headers</h2>
<div class="level2">

</div>
<!-- EDIT3 SECTION "HTTP headers" [431-456] -->
<h3 class="sectionedit4" id="alfresco1">Alfresco</h3>
<div class="level3">
<div class="notetip">The official documentation can be found here: <a href="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" class="urlextern" title="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html"  rel="nofollow">http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html</a>
</div>
<p>
You need to find the following files in your Alfresco installation:
</p>
<ul>
<li class="level1"><div class="li"> <code>alfresco-global.properties</code> (ex: <code>tomcat/shared/classes/alfresco-global.properties</code>)</div>
</li>
<li class="level1"><div class="li"> <code>share-config-custom.xml</code> (ex: <code>tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml</code>)</div>
</li>
</ul>

<p>
The first configures <abbr title="Single Sign On">SSO</abbr> for the alfresco webapp, the second for the share webapp.
</p>

<p>
First, edit <code>alfresco-global.properties</code> and add the following:
</p>
<pre class="code file java">### SSO ###
authentication.<span class="me1">chain</span><span class="sy0">=</span>external1<span class="sy0">:</span>external
external.<span class="me1">authentication</span>.<span class="me1">enabled</span><span class="sy0">=</span><span class="kw2">true</span>
external.<span class="me1">authentication</span>.<span class="me1">defaultAdministratorUserNames</span><span class="sy0">=</span>
external.<span class="me1">authentication</span>.<span class="me1">proxyUserName</span><span class="sy0">=</span>
external.<span class="me1">authentication</span>.<span class="me1">proxyHeader</span><span class="sy0">=</span>Auth<span class="sy0">-</span>User
external.<span class="me1">authentication</span>.<span class="me1">userIdPattern</span><span class="sy0">=</span></pre>

<p>
Then edit <code>share-config-custom.xml</code> and uncomment the last part. In the <code>&lt;endpoint&gt;</code>, change the <code>&lt;connector-id&gt;</code> value to <code>alfrescoHeader</code> and the <code>&lt;userHeader&gt;</code> value to <code>Auth-User</code>:
</p>
<pre class="code file xml">   <span class="sc3"><span class="re1">&lt;config</span> <span class="re0">evaluator</span>=<span class="st0">&quot;string-compare&quot;</span> <span class="re0">condition</span>=<span class="st0">&quot;Remote&quot;</span><span class="re2">&gt;</span></span>
      <span class="sc3"><span class="re1">&lt;remote<span class="re2">&gt;</span></span></span>
          <span class="sc3"><span class="re1">&lt;keystore<span class="re2">&gt;</span></span></span>
             <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>alfresco/web-extension/alfresco-system.p12<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
             <span class="sc3"><span class="re1">&lt;type<span class="re2">&gt;</span></span></span>pkcs12<span class="sc3"><span class="re1">&lt;/type<span class="re2">&gt;</span></span></span>
             <span class="sc3"><span class="re1">&lt;password<span class="re2">&gt;</span></span></span>alfresco-system<span class="sc3"><span class="re1">&lt;/password<span class="re2">&gt;</span></span></span>
         <span class="sc3"><span class="re1">&lt;/keystore<span class="re2">&gt;</span></span></span>
&nbsp;
         <span class="sc3"><span class="re1">&lt;connector<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;id<span class="re2">&gt;</span></span></span>alfrescoCookie<span class="sc3"><span class="re1">&lt;/id<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco Connector<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Connects to an Alfresco instance using cookie-based authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;class<span class="re2">&gt;</span></span></span>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector<span class="sc3"><span class="re1">&lt;/class<span class="re2">&gt;</span></span></span>
         <span class="sc3"><span class="re1">&lt;/connector<span class="re2">&gt;</span></span></span>
&nbsp;
         <span class="sc3"><span class="re1">&lt;connector<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/id<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco Connector<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Connects to an Alfresco instance using header and cookie-based authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;class<span class="re2">&gt;</span></span></span>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector<span class="sc3"><span class="re1">&lt;/class<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;userHeader<span class="re2">&gt;</span></span></span>Auth-User<span class="sc3"><span class="re1">&lt;/userHeader<span class="re2">&gt;</span></span></span>
         <span class="sc3"><span class="re1">&lt;/connector<span class="re2">&gt;</span></span></span>
&nbsp;
         <span class="sc3"><span class="re1">&lt;endpoint<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;id<span class="re2">&gt;</span></span></span>alfresco<span class="sc3"><span class="re1">&lt;/id<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco - user access<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Access to Alfresco Repository WebScripts that require user authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;connector-id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/connector-id<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/wcs<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;identity<span class="re2">&gt;</span></span></span>user<span class="sc3"><span class="re1">&lt;/identity<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;external-auth<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/external-auth<span class="re2">&gt;</span></span></span>
         <span class="sc3"><span class="re1">&lt;/endpoint<span class="re2">&gt;</span></span></span>
      <span class="sc3"><span class="re1">&lt;/remote<span class="re2">&gt;</span></span></span>
   <span class="sc3"><span class="re1">&lt;/config<span class="re2">&gt;</span></span></span></pre>

<p>
You need to restart Tomcat to apply changes.
</p>
<div class="notewarning">Alfresco now trusts the <code>Auth-User</code> HTTP header alone to log a user in, so anyone who can send requests straight to Alfresco could set that header themselves. You must restrict access to Alfresco so that requests only reach it through the <abbr title="LemonLDAP::NG">LL::NG</abbr> Handler.
</div>
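<p>
The repository and Share must agree on the header name: <code>external.authentication.proxyHeader</code> in <code>alfresco-global.properties</code> and <code>&lt;userHeader&gt;</code> of the connector used by the <code>alfresco</code> endpoint in <code>share-config-custom.xml</code>. The following check is an added example, not code from the page, Alfresco or LL::NG; the two sample files are constructed inline from the snippets above.
</p>

```python
"""Cross-check header-based SSO settings between alfresco-global.properties
and share-config-custom.xml (added example; sample inputs are constructed)."""
import xml.etree.ElementTree as ET

# Constructed from the alfresco-global.properties snippet on this page.
GLOBAL_PROPERTIES = """\
### SSO ###
authentication.chain=external1:external
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=
external.authentication.proxyUserName=
external.authentication.proxyHeader=Auth-User
external.authentication.userIdPattern=
"""

# Constructed, reduced to the elements the check needs from the Share snippet.
SHARE_CONFIG = """\
<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <connector>
        <id>alfrescoHeader</id>
        <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
        <userHeader>Auth-User</userHeader>
      </connector>
      <endpoint>
        <id>alfresco</id>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>
</alfresco-config>
"""


def load_properties(text):
    """Parse Java .properties lines (key=value, '#'/'!' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_sso_config(properties_text, share_xml_text):
    """Return a list of problems; an empty list means both files are consistent."""
    problems = []
    props = load_properties(properties_text)

    # authentication.chain is a comma-separated list of id:type members.
    chain = props.get("authentication.chain", "")
    if not any(m.split(":")[-1] == "external" for m in chain.split(",")):
        problems.append("authentication.chain has no 'external' subsystem")
    if props.get("external.authentication.enabled", "").lower() != "true":
        problems.append("external.authentication.enabled is not true")
    proxy_header = props.get("external.authentication.proxyHeader", "")
    if not proxy_header:
        problems.append("external.authentication.proxyHeader is empty")

    root = ET.fromstring(share_xml_text)
    remote = root.find("./config[@condition='Remote']/remote")
    if remote is None:
        problems.append("no <config condition=\"Remote\"> section in Share config")
        return problems
    connectors = {c.findtext("id"): c for c in remote.findall("connector")}
    endpoint = next((e for e in remote.findall("endpoint")
                     if e.findtext("id") == "alfresco"), None)
    if endpoint is None:
        problems.append("no <endpoint> with id 'alfresco'")
        return problems
    connector = connectors.get(endpoint.findtext("connector-id"))
    if connector is None:
        problems.append("endpoint 'alfresco' references an unknown connector")
        return problems

    # The header Share forwards must be the one the repository trusts.
    user_header = connector.findtext("userHeader")
    if user_header != proxy_header:
        problems.append(f"header mismatch: Share sends {user_header!r}, "
                        f"repository expects {proxy_header!r}")
    if endpoint.findtext("external-auth") != "true":
        problems.append("endpoint 'alfresco' lacks <external-auth>true</external-auth>")
    return problems
```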
</div>
<!-- EDIT4 SECTION "Alfresco" [457-3153] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">

</div>

<h4 id="headers">Headers</h4>
<div class="level4">

<p>
Set the <code>Auth-User</code> header to the attribute that carries the user login, for example <code>$uid</code>.
</p>

</div>

<h4 id="rules">Rules</h4>
<div class="level4">

<p>
Set the default rule to what you need.
</p>

<p>
Other rules:
</p>
<ul>
<li class="level1"><div class="li"> Unprotect access to some resources: <code>^/share/res ⇒ unprotect</code></div>
</li>
<li class="level1"><div class="li"> Catch logout: <code>^/share/page/dologout ⇒ logout_app_sso</code></div>
</li>
</ul>
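<p>
To see how the header export and the rules above combine for requests to the Share virtual host, here is a simulation of a handler in front of Share. It is an added example, not LL::NG code: rule order, a default rule of <code>accept</code> and the assumption that <code>unprotect</code> still exports headers when a session exists are choices of this simulation.
</p>

```python
"""Simulation (added example, not LL::NG code) of how a handler applies the
Alfresco Share rules and the Auth-User header export from this page."""
import re

# Rules from this page, evaluated in order; the first matching regex wins.
RULES = [
    (r"^/share/res", "unprotect"),
    (r"^/share/page/dologout", "logout_app_sso"),
]
DEFAULT_RULE = "accept"          # "Set the default rule to what you need"

# Header export from this page: Auth-User <= $uid
EXPORTED_HEADERS = {"Auth-User": "uid"}


def evaluate(path, session, client_headers):
    """Return (decision, upstream_headers).

    decision: "allow", "redirect_portal", "forbidden" or "logout_app_sso".
    session: dict of SSO session attributes, or None when the user has none.
    client_headers: headers as sent by the browser.
    """
    rule = next((action for pattern, action in RULES if re.search(pattern, path)),
                DEFAULT_RULE)

    # Never forward a browser-supplied Auth-User: Alfresco trusts this header
    # completely (see the warning above), so only the handler may set it.
    protected = {h.lower() for h in EXPORTED_HEADERS}
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() not in protected}

    # Assumption of this simulation: headers are exported whenever a session
    # exists, including on unprotected resources.
    if session is not None:
        for header, attribute in EXPORTED_HEADERS.items():
            upstream[header] = session[attribute]

    if rule == "unprotect":
        return "allow", upstream
    if session is None:
        return "redirect_portal", upstream      # send the user to the portal
    if rule == "deny":
        return "forbidden", upstream
    if rule == "logout_app_sso":
        return "logout_app_sso", upstream       # close app session, then SSO
    return "allow", upstream                    # "accept": any authenticated user
```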

</div>
<!-- EDIT5 SECTION "LL::NG" [3154-3493] -->
<h2 class="sectionedit6" id="saml2">SAML2</h2>
<div class="level2">

</div>
<!-- EDIT6 SECTION "SAML2" [3494-3513] -->
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
<div class="level3">

<p>
Install <abbr title="Security Assertion Markup Language">SAML</abbr> Alfresco module package:
</p>
<pre class="code">cp alfresco-saml-repo-1.0.1.amp &lt;ALFRESCO_HOME&gt;/amps
cp alfresco-saml-share-1.0.1.amp &lt;ALFRESCO_HOME&gt;/amps_share
./bin/apply_amp.sh</pre>

<p>
Generate <abbr title="Security Assertion Markup Language">SAML</abbr> certificate:
</p>
<pre class="code">keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS</pre>

<p>
Export the keystore:
</p>
<pre class="code">mv my-saml.keystore alf_data/keystore
cat &lt;&lt;EOT &gt; alf_data/keystore/my-saml.keystore-metadata.properties
aliases=my-saml-key
keystore.password=change-me
my-saml-key.password=change-me
EOT
cat &lt;&lt;EOT &gt;&gt; tomcat/shared/classes/alfresco-global.properties

saml.keystore.location=\${dir.keystore}/my-saml.keystore
saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
EOT</pre>

<p>
Then edit <code>share-config-custom.xml</code>:
</p>
<pre class="code file xml">    ...
        <span class="sc3"><span class="re1">&lt;config</span> <span class="re0">evaluator</span>=<span class="st0">&quot;string-compare&quot;</span> <span class="re0">condition</span>=<span class="st0">&quot;CSRFPolicy&quot;</span> <span class="re0">replace</span>=<span class="st0">&quot;true&quot;</span><span class="re2">&gt;</span></span>
&nbsp;
&nbsp;
&nbsp;
        <span class="sc-1">&lt;!--</span>
<span class="sc-1">            If using https make a CSRFPolicy with replace=&quot;true&quot; and override the properties section.</span>
<span class="sc-1">            Note, localhost is there to allow local checks to succeed.</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">            I.e.</span>
<span class="sc-1">            &lt;properties&gt;</span>
<span class="sc-1">                &lt;token&gt;Alfresco-CSRFToken&lt;/token&gt;</span>
<span class="sc-1">                &lt;referer&gt;https://your-domain.com/.*|http://localhost:8080/.*&lt;/referer&gt;</span>
<span class="sc-1">                &lt;origin&gt;https://your-domain.com|http://localhost:8080&lt;/origin&gt;</span>
<span class="sc-1">            &lt;/properties&gt;</span>
<span class="sc-1">        --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
            <span class="sc3"><span class="re1">&lt;filter<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!-- SAML SPECIFIC CONFIG -  START --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!--</span>
<span class="sc-1">                 Since we have added the CSRF filter with filter-mapping of &quot;/*&quot; we will catch all public GET's to avoid them</span>
<span class="sc-1">                 having to pass through the remaining rules.</span>
<span class="sc-1">                 --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>GET<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/res/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!-- Incoming posts from IDPs do not require a token --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!-- SAML SPECIFIC CONFIG -  STOP --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!--</span>
<span class="sc-1">                 Certain webscripts shall not be allowed to be accessed directly from the browser.</span>
<span class="sc-1">                 Make sure to throw an error if they are used.</span>
<span class="sc-1">                 --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/proxy/alfresco/remoteadm/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;throwError&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;message&quot;</span><span class="re2">&gt;</span></span>It is not allowed to access this url from your browser<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!--</span>
<span class="sc-1">                 Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.</span>
<span class="sc-1">                 TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.</span>
<span class="sc-1">                 --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/proxy/alfresco/api/publishing/channels/.+<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!--</span>
<span class="sc-1">                 Certain Surf POST requests from the WebScript console must be allowed to pass without a token since</span>
<span class="sc-1">                 the Surf WebScript console code can't be dependent on a Share specific filter.</span>
<span class="sc-1">                 --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!-- Certain Share POST requests does NOT require a token --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!-- Assert logout is done from a valid domain, if so clear the token when logging out --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/dologout(\?.+)?<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;clearToken&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!-- Make sure the first token is generated --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
                            <span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
                            <span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;{token}&quot;</span><span class="re2">/&gt;</span></span>
                            <span class="sc-1">&lt;!-- empty attribute element indicates null, meaning the token has not yet been set --&gt;</span>
                        <span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;generateToken&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!-- Refresh token on new &quot;page&quot; visit when a user is logged in --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>GET<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
                            <span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
                            <span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;{token}&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;generateToken&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!--</span>
<span class="sc-1">                 Verify multipart requests from logged in users contain the token as a parameter</span>
<span class="sc-1">                 and also correct referer &amp; origin header if available</span>
<span class="sc-1">                 --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;header</span> <span class="re0">name</span>=<span class="st0">&quot;Content-Type&quot;</span><span class="re2">&gt;</span></span>multipart/.+<span class="sc3"><span class="re1">&lt;/header<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
                            <span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertToken&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;parameter&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
                <span class="sc-1">&lt;!--</span>
<span class="sc-1">                 Verify that all remaining state changing requests from logged in users' requests contains a token in the</span>
<span class="sc-1">                 header and correct referer &amp; origin headers if available. We &quot;catch&quot; all content types since just setting it to</span>
<span class="sc-1">                 &quot;application/json.*&quot; since a webscript that doesn't require a json request body otherwise would be</span>
<span class="sc-1">                 successfully executed using i.e.&quot;text/plain&quot;.</span>
<span class="sc-1">                 --&gt;</span>
                <span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST|PUT|DELETE<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
                            <span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertToken&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;header&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
                        <span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
                    <span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
                <span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
            <span class="sc3"><span class="re1">&lt;/filter<span class="re2">&gt;</span></span></span>
        <span class="sc3"><span class="re1">&lt;/config<span class="re2">&gt;</span></span></span>
    ...</pre>
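<p>
The rules above are easier to reason about when run against concrete requests. The following Python model is an added example, not Alfresco code and not part of this page: it mirrors the semantics the configuration comments describe (rules tried in order with the first match winning, referer and origin asserted only when the header is present, the token carried as a form parameter for multipart uploads and as a header for every other state-changing request). The concrete values of the <code>{token}</code>, <code>{referer}</code> and <code>{origin}</code> placeholders, the request paths and the session contents are assumptions of the model.
</p>

```python
import re
import secrets
from dataclasses import dataclass, field

# Added example, not Alfresco's CSRFFilter: a model of the CSRFPolicy rules
# shown above. Assumptions: rules are tried in order and the first match wins;
# referer/origin are only asserted when the header is present ("if available").
# The values of the {token}, {referer} and {origin} placeholders are assumed.
TOKEN = "Alfresco-CSRFToken"
REFERER_RE = r"http://alfresco\.myecm\.org:8080/.*"
ORIGIN_RE = r"http://alfresco\.myecm\.org:8080"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)    # form parameters
    cookies: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)   # server-side HTTP session


def _logged_in(req):
    return bool(req.session.get("_alf_USER_ID"))


def _assert_token(req, where):
    """assertToken: the client must echo the session token back, either in a
    request header or, for multipart uploads, as a form parameter."""
    expected = req.session.get(TOKEN)
    supplied = (req.headers if where == "header" else req.params).get(TOKEN)
    if not expected or not supplied:
        return False
    return secrets.compare_digest(expected, supplied)


def _assert_header(req, name, pattern):
    """assertReferer / assertOrigin: pass when the header is absent, otherwise
    the value has to match the configured pattern."""
    value = req.headers.get(name)
    return value is None or re.fullmatch(pattern, value) is not None


def _issue_token(req):
    """generateToken: a fresh random token stored in the session and in a
    cookie that Share's own JavaScript reads to fill the request header."""
    token = secrets.token_urlsafe(32)
    req.session[TOKEN] = token
    req.cookies[TOKEN] = token
    return token


def evaluate(req):
    """Run the request through the rules; return (rule name, allowed)."""
    if req.method == "POST" and re.fullmatch(r"/page/dologout(\?.+)?", req.path):
        ok = (_assert_header(req, "Referer", REFERER_RE)
              and _assert_header(req, "Origin", ORIGIN_RE))
        if ok:                                   # clearToken
            req.session.pop(TOKEN, None)
            req.cookies.pop(TOKEN, None)
        return "logout", ok
    if _logged_in(req) and req.session.get(TOKEN) is None:
        _issue_token(req)
        return "generateToken", True
    if req.method == "GET" and re.fullmatch(r"/page/.*", req.path) and _logged_in(req):
        _issue_token(req)
        return "refreshToken", True
    content_type = req.headers.get("Content-Type", "")
    if req.method == "POST" and _logged_in(req) and re.fullmatch(r"multipart/.+", content_type):
        ok = (_assert_token(req, "parameter")
              and _assert_header(req, "Referer", REFERER_RE)
              and _assert_header(req, "Origin", ORIGIN_RE))
        return "multipart", ok
    if req.method in ("POST", "PUT", "DELETE") and _logged_in(req):
        ok = (_assert_token(req, "header")
              and _assert_header(req, "Referer", REFERER_RE)
              and _assert_header(req, "Origin", ORIGIN_RE))
        return "stateChange", ok
    return "noRule", True


def demo():
    """Constructed traffic for one logged-in session: a forged cross-site POST,
    a legitimate XHR carrying the token header, and an upload that lacks the
    token parameter."""
    session = {"_alf_USER_ID": "jdoe"}
    evaluate(Request("GET", "/page/user/jdoe/dashboard", session=session))
    token = session[TOKEN]
    forged = Request("POST", "/proxy/alfresco/api/sites", session=session,
                     headers={"Content-Type": "application/x-www-form-urlencoded",
                              "Origin": "https://attacker.example"})
    legit = Request("POST", "/proxy/alfresco/api/sites", session=session,
                    headers={"Content-Type": "application/json", TOKEN: token,
                             "Origin": "http://alfresco.myecm.org:8080"})
    upload = Request("POST", "/proxy/alfresco/api/upload", session=session,
                     headers={"Content-Type": "multipart/form-data; boundary=abc"})
    return {"forged": evaluate(forged), "legit": evaluate(legit),
            "upload_without_token": evaluate(upload)}


if __name__ == "__main__":
    for name, (rule, allowed) in demo().items():
        print(f"{name:>22}: rule={rule} allowed={allowed}")
```

<p>
The forged POST is rejected for two independent reasons: the browser sends the session cookie but not the custom token header, and its <code>Origin</code> does not match the configured pattern. The token cookie is what makes the header possible for the legitimate client, and a page on another origin cannot read it, which is why the cookie copy is not a weakness here.
</p>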

<p>
Configure the <abbr title="Security Assertion Markup Language">SAML</abbr> service provider in the Alfresco admin console (/alfresco/s/enterprise/admin/admin-saml).
</p>

<p>
Set the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> Enable <abbr title="Security Assertion Markup Language">SAML</abbr> Authentication (<abbr title="Single Sign On">SSO</abbr>): on</div>
</li>
<li class="level1"><div class="li"> Authentication service <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleSignOn" class="urlextern" title="https://auth.example.com/saml/singleSignOn"  rel="nofollow">https://auth.example.com/saml/singleSignOn</a></div>
</li>
<li class="level1"><div class="li"> Single Logout <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleLogout" class="urlextern" title="https://auth.example.com/saml/singleLogout"  rel="nofollow">https://auth.example.com/saml/singleLogout</a></div>
</li>
<li class="level1"><div class="li"> Single logout return <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleLogoutReturn" class="urlextern" title="https://auth.example.com/saml/singleLogoutReturn"  rel="nofollow">https://auth.example.com/saml/singleLogoutReturn</a></div>
</li>
<li class="level1"><div class="li"> Entity identification: <a href="http://alfresco.myecm.org:8080/share" class="urlextern" title="http://alfresco.myecm.org:8080/share"  rel="nofollow">http://alfresco.myecm.org:8080/share</a></div>
</li>
<li class="level1"><div class="li"> User ID mapping: Subject/NameID</div>
</li>
</ul>

<p>
To finish the Alfresco configuration, make sure the “Enable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (<abbr title="Single Sign On">SSO</abbr>)” box is ticked and save the settings.
</p>

</div>
<!-- EDIT7 SECTION "Alfresco" [3514-14172] -->
<h3 class="sectionedit8" id="llng1">LL::NG</h3>
<div class="level3">

<p>
Configure the <abbr title="Security Assertion Markup Language">SAML</abbr> service and set an X.509 certificate (not a bare public key) as the signature public key published in the <abbr title="LemonLDAP::NG">LL::NG</abbr> metadata, so that Alfresco can verify the signatures on <abbr title="LemonLDAP::NG">LL::NG</abbr> responses.
</p>

<p>
Export the Alfresco <abbr title="Security Assertion Markup Language">SAML</abbr> metadata from the admin console and import it into <abbr title="LemonLDAP::NG">LL::NG</abbr> as a new <abbr title="Security Assertion Markup Language">SAML</abbr> service provider.
</p>

<p>
In the service provider's authentication response options, set:
</p>
<ul>
<li class="level1"><div class="li"> Default NameID Format: Unspecified</div>
</li>
<li class="level1"><div class="li"> Force NameID session key: uid</div>
</li>
</ul>

<p>
You can also export these attributes to Alfresco:
</p>
<ul>
<li class="level1"><div class="li"> GivenName</div>
</li>
<li class="level1"><div class="li"> Surname</div>
</li>
<li class="level1"><div class="li"> Email</div>
</li>
</ul>
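<p>
Before importing the exported metadata, it is worth checking that it matches what was entered in the Alfresco admin console above. The following Python script is an added example, not part of this page or of <abbr title="LemonLDAP::NG">LL::NG</abbr>: it parses service provider metadata and reports the things that commonly break the integration, an entityID that differs from the “Entity identification” value, a missing signing certificate, and endpoints that are not served over HTTPS (the example on this page uses plain HTTP on port 8080, which is fine for a lab but not for a production <abbr title="Security Assertion Markup Language">SAML</abbr> deployment). The sample metadata is constructed; its endpoint paths and certificate are placeholders, not real Alfresco values.
</p>

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for the metadata exported from the Alfresco admin
# console (added example). The entityID is the one configured on this page;
# the endpoint paths and the certificate are placeholders.
PLACEHOLDER_CERT = base64.b64encode(b"not a real X.509 certificate").decode()
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://alfresco.myecm.org:8080/share">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://alfresco.myecm.org:8080/share/page/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://alfresco.myecm.org:8080/share/page/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Pull out the fields the IdP relies on when it registers the SP."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    certs = [c.text.strip() for c in sp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": certs,
        "nameid_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:AssertionConsumerService", NS)],
        "slo": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:SingleLogoutService", NS)],
    }


def check_sp_metadata(meta, expected_entity_id):
    """Return findings to resolve before importing; an empty list means go."""
    findings = []
    if meta["entity_id"] != expected_entity_id:
        findings.append(f"entityID {meta['entity_id']!r} differs from the admin-console "
                        f"Entity identification {expected_entity_id!r}")
    if not meta["signing_certs"]:
        findings.append("no signing certificate: signed requests from the SP "
                        "could not be verified")
    for cert in meta["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            findings.append("signing certificate is not valid base64")
    if not meta["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is not true")
    # Only flag the NameID format when the SP advertises formats at all.
    if meta["nameid_formats"] and NAMEID_UNSPECIFIED not in meta["nameid_formats"]:
        findings.append("SP does not list the unspecified NameID format the IdP will send")
    if not any(binding == HTTP_POST for binding, _ in meta["acs"]):
        findings.append("no HTTP-POST AssertionConsumerService")
    for _, url in meta["acs"] + meta["slo"]:
        if urlsplit(url).scheme != "https":
            findings.append(f"non-TLS endpoint {url}: assertions and logout messages "
                            "would travel over plain HTTP")
    return findings


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    for finding in check_sp_metadata(meta, "http://alfresco.myecm.org:8080/share"):
        print("WARN", finding)
```

<p>
Run against the constructed sample, the only findings are the two plain-HTTP endpoints; change the expected entityID and the mismatch is reported too, which is the usual cause of an IdP rejecting the AuthnRequest as coming from an unknown issuer.
</p>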

</div>
<!-- EDIT8 SECTION "LL::NG" [14173-14551] -->
<h2 class="sectionedit9" id="other_resources">Other resources</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <a href="https://www.youtube.com/watch?v=5tS0XrC_-rw" class="urlextern" title="https://www.youtube.com/watch?v=5tS0XrC_-rw"  rel="nofollow">DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi Belmekki</a></div>
</li>
<li class="level1"><div class="li"> <a href="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" class="urlextern" title="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng"  rel="nofollow">Setting up Alfresco SAML authentication with LemonLDAP::NG</a></div>
</li>
</ul>

</div>
<!-- EDIT9 SECTION "Other resources" [14552-] --></div>
</body>
</html>