alfresco-keycloak
Repository IdP authentication
Hi Axel,
I have installed your modules in the Repo and they work great: role mapping, user sync and authentication with a Keycloak user that is authenticated by Keycloak itself. But using the IdP or LDAP password isn't possible.
In our situation I need this for Authenticating against a SAML IdP with MFA.
I thought and hoped this would be possible, but I keep on getting the old login box and am not referred to the IdP. If I get a token through Share or the App I can also successfully log in to the Repository, but that is not always the case. We would like to set up AOS with the Keycloak broker and IdP.
How can I configure this, or is this not possible?
I followed the simple configuration documentation and configured the following in the JAVA_OPTS: -Dauthentication.chain=alfrescoNtlm1:alfrescoNtlm,keycloak1:keycloak -Dkeycloak.authentication.enabled=true -Dkeycloak.authentication.sso.enabled=true -Dkeycloak.authentication.handlePublicApi=false -Dkeycloak.authentication.allowTicketLogons=true -Dkeycloak.authentication.allowHttpBasicLogon=false -Dkeycloak.authentication.allowUserNamePasswordLogin=true -Dkeycloak.authentication.mapAuthorities=true -Dkeycloak.authentication.mapPersonPropertiesOnLogin=true -Dkeycloak.enable-basic-auth=true -Dkeycloak.authentication.defaultAdministratorUserNames='admin' -Dkeycloak.authentication.validation.failure.silent=false -Dkeycloak.adapter.realm=alfresco -Dkeycloak.adapter.resource=alfresco -Dkeycloak.adapter.credentials.secret=f580d6c7-d465-403d-8209-6b061fad4d8a -Dkeycloak.adapter.auth-server-url=https://my-alfresco-base-url/auth -Dkeycloak.adapter.verify-token-audience=true -Dkeycloak.synchronization.enabled=true
I hope you can point me in the right direction on this.
Regards,
Dick
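The JAVA_OPTS pasted above are a flat list of -D system properties, which makes it easy to misread the authentication chain or overlook what is being exposed on the command line. The following is an added example, not code from the alfresco-keycloak project or from either participant: it parses such a string into properties, splits the authentication.chain into (id, type) pairs, and reports a few review findings (chain order, a client secret passed as a command-line argument). The sample string is constructed from the post with the secret replaced by a placeholder; the property names are only those that appear above, and the findings are generic configuration-hygiene observations rather than statements about the module's internals.

```python
import shlex

# Constructed sample, based on the JAVA_OPTS in the post above; the client
# secret is replaced with an obvious placeholder.
SAMPLE_JAVA_OPTS = (
    "-Dauthentication.chain=alfrescoNtlm1:alfrescoNtlm,keycloak1:keycloak "
    "-Dkeycloak.authentication.enabled=true "
    "-Dkeycloak.authentication.sso.enabled=true "
    "-Dkeycloak.authentication.allowHttpBasicLogon=false "
    "-Dkeycloak.authentication.allowUserNamePasswordLogin=true "
    "-Dkeycloak.authentication.defaultAdministratorUserNames='admin' "
    "-Dkeycloak.adapter.realm=alfresco "
    "-Dkeycloak.adapter.resource=alfresco "
    "-Dkeycloak.adapter.credentials.secret=PLACEHOLDER-CLIENT-SECRET "
    "-Dkeycloak.adapter.auth-server-url=https://my-alfresco-base-url/auth "
    "-Dkeycloak.adapter.verify-token-audience=true"
)


def parse_java_opts(opts: str) -> dict:
    """Return the -D system properties in a JAVA_OPTS string as a dict.

    shlex handles the shell quoting seen in the post (e.g. 'admin'), and
    options that are not -D properties (like -Xmx) are ignored.
    """
    props = {}
    for token in shlex.split(opts):
        if token.startswith("-D"):
            key, _, value = token[2:].partition("=")
            props[key] = value
    return props


def parse_auth_chain(chain: str) -> list:
    """Split 'id1:type1,id2:type2' into [(id1, type1), (id2, type2)]."""
    members = []
    for part in chain.split(","):
        part = part.strip()
        if not part:
            continue
        ident, _, subsystem_type = part.partition(":")
        members.append((ident, subsystem_type))
    return members


def review(props: dict) -> list:
    """Return human-readable findings about the parsed properties."""
    findings = []
    chain = parse_auth_chain(props.get("authentication.chain", ""))
    types = [t for _, t in chain]

    if "keycloak" not in types:
        findings.append("authentication.chain contains no keycloak subsystem")
    else:
        # The chain is ordered; record where keycloak sits relative to the
        # other members so the reader can check it against the module docs.
        findings.append(
            "keycloak subsystem is member %d of %d in authentication.chain"
            % (types.index("keycloak") + 1, len(types))
        )

    if "keycloak.adapter.credentials.secret" in props:
        # Anything in JAVA_OPTS is part of the JVM command line and is
        # visible to other local users via process listings.
        findings.append(
            "keycloak.adapter.credentials.secret is passed on the command line; "
            "prefer a properties file readable only by the service account"
        )

    if props.get("keycloak.authentication.allowHttpBasicLogon") == "true":
        findings.append("HTTP Basic logon is enabled; credentials travel with each request")

    if props.get("keycloak.adapter.verify-token-audience") != "true":
        findings.append("token audience verification is not enabled")

    return findings


if __name__ == "__main__":
    parsed = parse_java_opts(SAMPLE_JAVA_OPTS)
    for finding in review(parsed):
        print("-", finding)
```

Run it against your own JAVA_OPTS by replacing the constructed sample; the output is a short checklist rather than a verdict, since the meaning of each property is defined by the module, not by this script.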
The user federation / brokering with the SAML IdP / LDAP is a feature entirely handled within Keycloak itself. It would require looking at your Keycloak realm config for this feature to be able to - potentially - find something that is off. AOS unfortunately cannot work with Keycloak for automatic sign-on, as Office does not support OpenID Connect, only SAML, and my module does not (yet) support acting as a SAML client for Keycloak just for AOS. AOS would work with Keycloak for the HTTP Basic-based fallback authentication, which my module bridges to Keycloak.
Unfortunately, now Microsoft is starting to block basic authentication by default on Microsoft Office...
https://learn.microsoft.com/en-us/deployoffice/security/basic-authentication-prompts-blocked
So I think for the time being there's no way to use AOS on community versions without changing Microsoft Office configurations.
Since the time of writing, AOS added support for OpenID Connect with the default Identity Services subsystem, when redirected to Keycloak. I have yet to adapt the alfresco-keycloak module to act "in place of" the default Identity Service subsystem when it is used, as Alfresco has sort-of hard-coded the support to Identity Services currently.
Oh I see! Thank you very much for your feedback!
If you accept pull requests I will try to see if one of our developers can try to solve this.
I do generally accept pull requests when they comply with the general coding style / implementation approach present in the project, or suggest changes to help contributors get to that point.
Note that for this project, a relatively significant rework is "planned" (hopefully in the 2nd half of summer) to address the following:
- compatibility with ACS 7.4 (logging config only) and 23.x (here the updated Servlet API and my desire to remain compatible with older ACS versions introduces quite a challenge in supporting both old and new Servlet APIs) - the required work to update the alfresco-utility dependency is already ongoing
- support AOS in ACS 7.3+ (and check if support for earlier versions is possible by backporting)
- move from using the deprecated Keycloak Java adapter library JARs to any other library (evaluate possibility of standardising on the Spring JARs Alfresco uses in recent versions and providing optional AMP(s) with those libraries for older Alfresco versions)
That does not preclude accepting any pull requests for the current version of the project.