Some background

While at work a requirement came up to integrate a third party's Shibboleth server with Alfresco. I'm not normally the first person to start customising Alfresco, but I was quite lucky that a partner had provided some notes and there was an abundance of people at work who were interested enough to help me out. The Alfresco wiki is pretty good for this and can be found here.

Now there are a few "gotchas" that are worth bringing up, and things I learnt…

  1. When modifying share-config-custom.xml, ensure no AMPs are also applying it. I noticed that even when I copied the changes from the AMP into share-config-custom.xml, having both didn't work very well, but consolidating to one place did.
  2. No one ever told me where to find share-config-custom.xml, so I just made one with my changes in; that was wrong. You should find it at webapps/share/WEB-INF/classes/alfresco/web-extension/share-config-custom.xml.
  3. There are some useful tools out there. I was originally trying to do header-based auth, but this is not recommended and with the correct configuration it is not needed; either way, I was using Firefox with the Modify Headers and Live HTTP Headers plugins.
  4. At the bottom of the Alfresco wiki there are some Shibboleth paths which will confirm the details are being sent over.

On with the “fun”

Apache

First things first, you need to get hold of mod_shib. I was lucky enough to be granted access to a remote yum repo where the packages had already been built; if you're not so lucky, see this.

To add the module to Apache you'll need to add a LoadModule line to your mods-enabled (or wherever you keep your modules):

LoadModule mod_shib /usr/lib64/httpd/modules/mod_shib_22.so

Once that is in place you only need to add a couple of lines to the Apache site config to make it work, i.e.

<Proxy balancer://Alfproxy>
    BalancerMember ajp://localhost:8009
</Proxy>
ProxyPass /share balancer://Alfproxy/share stickysession=JSESSIONID|jsessionid
ProxyPassReverse /share balancer://Alfproxy/share
ProxyPass /alfresco balancer://Alfproxy/alfresco stickysession=JSESSIONID|jsessionid
ProxyPassReverse /alfresco balancer://Alfproxy/alfresco
<Location />
    AuthType Shibboleth
    ShibRequireSession On
    require valid-user
</Location>

Note that the config of the proxy is important, but yours does not necessarily need to be a balancer with a single member; this was just because we have a template that accepts multiple hosts and this keeps the configuration more consistent. Other than that, that's it for Apache. Now Shibboleth. Good luck.

Shibboleth

I don't have much to say here. I was lucky enough to be provided with a shibboleth2.xml and an attribute-map.xml; I just had to add my own details in, meaning the correct IdP, the paths to the SSL certificates, and ensuring that REMOTE_USER is set correctly, i.e.

<ApplicationDefaults entityID="https://idp.server.com/shibboleth"
                     REMOTE_USER="persistent-id">

This is picked up by Share / Alfresco to use, and it will only work if you're using AJP to proxy…

Also, with Shibboleth it's worth ensuring it is set to start on boot (check with chkconfig --list).
This is all I have to say on Shibboleth; I suggest you read other places if you think it's not working. Getting it to redirect to an IdP was not too bad as long as the file is set up appropriately, and there are a few sites out there that help, including TestShib and the Shibboleth wiki.

Tomcat

This is important… on your Connector line in /etc/tomcat6/server.xml for port 8009 (or wherever AJP is) you will need to add this:

tomcatAuthentication="false" 

This is it for Tomcat; ignore it at your peril.

Alfresco global properties

Just use this, don't question it. *NB* See the comments below: this is a bad idea if your /alfresco is exposed on the internet. This config is only going to work safely if users come in through Share only and access to /alfresco is blocked.

authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
# This header can be changed but should match the configuration in 
# share-config-custom.xml
external.authentication.proxyUserName=

You can do all sorts of funky stuff with LDAP and mapping attributes but then you’d have to set up LDAP.
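As an added check covering the Tomcat and global-properties sections above (my own example, not code from the post or from Alfresco), the script below parses a server.xml and an alfresco-global.properties, confirms the AJP connector carries tomcatAuthentication="false" and that the external subsystem is enabled and in the chain, and flags a blank proxyUserName so the "block /alfresco" condition is not forgotten. Both inputs are constructed samples embedded inline; point the functions at real file contents to use it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the Tomcat connectors from server.xml (not a real file).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false"/>
</Service></Server>"""

# Constructed sample of the alfresco-global.properties lines from the post.
GLOBAL_PROPS = """authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
# This header can be changed but should match share-config-custom.xml
external.authentication.proxyUserName=
"""

def parse_properties(text):
    """Minimal Java-properties parser: key=value, '#'/'!' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_ajp(server_xml, ajp_port="8009"):
    """Findings about the connector Apache proxies to; an empty list is good."""
    root = ET.fromstring(server_xml)
    conns = [c for c in root.iter("Connector") if c.get("port") == ajp_port]
    if not conns:
        return [f"no Connector on port {ajp_port}"]
    conn, findings = conns[0], []
    if not conn.get("protocol", "").startswith("AJP"):
        findings.append(f"port {ajp_port} is not AJP, so REMOTE_USER is not forwarded")
    # Tomcat defaults tomcatAuthentication to true, which discards REMOTE_USER.
    if conn.get("tomcatAuthentication", "true").lower() != "false":
        findings.append('tomcatAuthentication="false" missing on the AJP connector')
    return findings

def lint_external_auth(props_text):
    p, findings = parse_properties(props_text), []
    if not re.search(r"(^|,)\w+:external(,|$)", p.get("authentication.chain", "")):
        findings.append("authentication.chain has no external subsystem")
    if p.get("external.authentication.enabled", "").lower() != "true":
        findings.append("external.authentication.enabled is not true")
    if p.get("external.authentication.proxyUserName") == "":
        # Blank means the remote-user header is trusted from every client.
        findings.append("proxyUserName is blank: /alfresco must be reachable only via the Shibboleth proxy")
    return findings
```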

share-config-custom.xml

You can read the Alfresco wiki for more information, but this will work…

<alfresco-config>

  <!-- example port config used to access remote Alfresco server (default is 8080) -->
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
         
         <endpoint>
            <id>activiti-admin</id>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user authentication</description>
            <connector-id>activiti-admin-connector</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
   </config>

   <!-- 
        Overriding endpoints to reference an Alfresco server with external SSO enabled
        NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
              sessions" feature of your load balancer must be used.
        NOTE: If the Alfresco server location is not localhost:8080 then also combine changes from the
              "example port config" section above.
        *Optional* keystore contains SSL client certificate + trusted CAs.
        Used to authenticate Share to an external SSO system such as CAS.
        Remove the keystore section if not required, i.e. for NTLM.
        
        NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"
        
        NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set
              the userHeader to the name of the HTTP header that the external SSO
              uses to provide the authenticated user name.
   -->
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
         
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader> <!-- pointless setting it to X-Alfresco-Remote-User as this header is always sent -->
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
   
</alfresco-config>

By this point, if everything has gone well and httpd, shibd and Tomcat have all been restarted, you should be able to log in!

When logins don’t work…

If you aren't getting redirected to the IdP to put in credentials, then your Shibboleth configuration is probably wrong. Sometimes this is caused by the IdP not having your SP's metadata or the relevant details (you can fetch it from https://myserver/Shibboleth.sso/Metadata); it's worth reading it and making sure the links to your servers are https and that there are SSL certificates embedded in it.
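The two metadata checks just described, as an added example (my own code, not a Shibboleth tool): it walks the SP metadata, reports any endpoint Location that is not https, and reports if no X509Certificate is embedded. METADATA is a constructed, heavily trimmed sample with a placeholder certificate and one deliberately plain-http endpoint.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the Artifact endpoint is still plain http, and the
# KeyDescriptor holds a placeholder string rather than a real certificate.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://myserver/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myserver/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://myserver/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    # Every element carrying a Location (ACS, SLO, ...) must be served over https,
    # otherwise the IdP will post assertions to a plain-http URL.
    for el in root.iter():
        loc = el.get("Location")
        if loc and not loc.lower().startswith("https://"):
            problems.append(f"{el.tag.split('}')[-1]} uses non-https Location {loc}")
    certs = [c.text for c in root.iterfind(".//ds:X509Certificate", NS) if c.text and c.text.strip()]
    if not certs:
        problems.append("no X509Certificate embedded; the IdP cannot verify or encrypt for this SP")
    return problems
```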

If you get redirected to the Share login page and no further, then your Share configuration or Apache could be wrong; there are a few things to do to test this.
  1. Take Apache out of the equation: reconfigure share-config-custom.xml to use "alfrescoHeader" as the connector-id of the endpoint, then using Modify Headers in Firefox and Live HTTP Headers you should be able to simply set "X-Alfresco-Remote-User" to, say, me.test@example.com and reload the Share login. This should work; if it doesn't, then the Share configuration may be wrong.
  2. Go to /alfresco. For me the /alfresco login worked right away with no special configuration outside of the global properties (note guest login is disabled in my set-up…). If this isn't working, Share never will; if this works with Apache, you know all is well and it's just Share.

You may want to try a few special paths such as https://myserver/Shibboleth.sso/Session and https://myserver/Shibboleth.sso/Status (I had to modify shibboleth2.xml to add an acl to grant access to this; you may need to too…). They can at least tell you if attributes are being seen by mod_shib, i.e. the data's there and it just needs to be made use of.

Hopefully this will prove helpful… I can't recommend the wiki enough; it's got everything you need on it except a share-config-custom.xml (like the one above…).

2 Comments

  1. > Just use this, Don’t question it.
    > external.authentication.proxyUserName=

    Perhaps not the greatest advice, given that this configuration is insecure, and only intended to be used when something else is restricting access to the repository at the network level…

    • Hi Graham,

      Thanks for pointing that out. I thought I had put in the post that in this example access is only available to /share and only on port 80, so there's no re-directs or access to /alfresco at all. On a side note, setting it blank is bad, but setting it to anything else is also bad: it does not validate the cookie in any way, so if you set it to X-Alf_Auth and someone had that cookie generated it would just use it without question. So really the whole process is bad. However, in this example using that external.authentication.proxyUserName is fine as it is secured by access being blocked to it. There isn't really any other way to make it secure without running LDAP or something on the Alfresco node and syncing Shibboleth with that.

      Matt
