Alfresco Cloud


Configuring Alfresco Cloud with ADFS 3.0

Prerequisites:
You have a working domain on your Windows Server 2012 and have successfully installed ADFS.

For these instructions, I created:


alfresco.me as a domain
adfs.alfresco.me as a Federation Service Name

Before you proceed, make sure that ADFS installation and post configuration were successful
by accessing the following URLs:

ADFS metadata (there should be no errors):


https://<federation service name>/federationmetadata/2007-06/federationmetadata.xml

And the ADFS SSO page:


https://<federation service name>/adfs/ls/idpinitiatedsignon

For example, for my configuration I can access them on:


https://adfs.alfresco.me/federationmetadata/2007-06/federationmetadata.xml

https://adfs.alfresco.me/adfs/ls/idpinitiatedsignon

Step 1 – Configuring Alfresco Cloud
1.1 Log in as a Network Admin, navigate to Account Settings and enable SAML.

1.2 For the IdP AuthenticationRequest Service URL, type in the Location of the
SingleSignOnService element from the ADFS metadata (https://<federation service
name>/federationmetadata/2007-06/federationmetadata.xml).

Notice: Alfresco Cloud supports only the HTTP-POST binding, so copy the Location of the
HTTP-POST endpoint (the metadata also lists an HTTP-Redirect endpoint for the same service). E.g.

<SingleSignOnService Location="https://adfs.alfresco.me/adfs/ls/"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

1.3 For the IdP SingleLogoutRequest Service URL and the IdP SingleLogoutResponse
Service URL, type in the Location of the HTTP-POST SingleLogoutService element from the
ADFS metadata. ADFS publishes no separate ResponseLocation, so both fields get the same
URL. E.g.

<SingleLogoutService Location="https://adfs.alfresco.me/adfs/ls/"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

1.4 To upload the IdP certificate, first export the ADFS token-signing certificate by following the steps below:

1. Go to AD FS Management (Server Manager -> Tools) -> Service -> Certificates.
2. Under the Token-signing section, right-click the certificate and select View
Certificate...
3. On the Details tab, click Copy to File... and then Next.
4. Make sure DER encoded binary X.509 (.CER) is selected.

5. On the next screen, select where you want to save the file and give it a name. Then
Save -> Next -> Finish.

6. Now upload the exported certificate into Alfresco Cloud as the IdP certificate.

1.5 Now save the settings. While you are on the SAML settings page, also download the
Alfresco SAML metadata (SP metadata) and the Alfresco SAML certificate (SP public
certificate). Both are needed during the ADFS configuration in Steps 2 and 4.
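The following PowerShell script is an added example and is not part of the original guide. It pulls the three values Step 1 asks you to paste into Alfresco Cloud directly out of the ADFS federation metadata, checks the two prerequisite URLs, and exports the token-signing certificate as a DER .cer file, which is what step 1.4 does through the MMC. The federation service name and the output path are assumptions; run it from a machine that trusts the ADFS service-communication certificate.

```powershell
# Added example, not part of the original guide. Assumptions: the federation service
# name and the output path below.
$fsName = 'adfs.alfresco.me'                               # federation service name from the prerequisites
$outCer = Join-Path $env:TEMP 'adfs-token-signing.cer'     # assumed output path for the DER export

# The two URLs the prerequisites tell you to open; anything but HTTP 200 here means the
# ADFS post-install configuration is not finished.
$metaUrl  = "https://$fsName/federationmetadata/2007-06/federationmetadata.xml"
$ssoPage  = "https://$fsName/adfs/ls/idpinitiatedsignon"
$metaResp = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing
$pageResp = Invoke-WebRequest -Uri $ssoPage -UseBasicParsing
"metadata: HTTP $($metaResp.StatusCode); IdP-initiated sign-on page: HTTP $($pageResp.StatusCode)"

[xml]$md = $metaResp.Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

# Steps 1.2 and 1.3: Alfresco Cloud only speaks HTTP-POST, so select on the Binding attribute
# instead of taking the first element (the metadata also lists an HTTP-Redirect endpoint).
$sso = $md.SelectSingleNode("//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$post']", $ns)
$slo = $md.SelectSingleNode("//md:IDPSSODescriptor/md:SingleLogoutService[@Binding='$post']", $ns)
# ADFS publishes no separate ResponseLocation for logout, so both Alfresco fields get the same URL.
$sloResponse = if ($slo.ResponseLocation) { $slo.ResponseLocation } else { $slo.Location }

# Step 1.4: the signing KeyDescriptor carries the token-signing certificate as base64 DER.
$signingNodes = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$certs = foreach ($node in $signingNodes) {
    $der = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
}
$cert = @($certs)[0]
if (@($certs).Count -gt 1) {
    # Two signing certificates means a token-signing rollover is in progress. Upload the
    # primary one; on the ADFS server itself ADFS can tell you which that is.
    if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
        $primaryThumb = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Thumbprint
        $cert = @($certs) | Where-Object { $_.Thumbprint -eq $primaryThumb }
    } else {
        Write-Warning "Metadata lists $(@($certs).Count) signing certificates; check which one is primary in AD FS Management before uploading."
    }
}
[IO.File]::WriteAllBytes($outCer, $cert.RawData)   # RawData is the DER encoding, the same bytes the MMC export writes

# The values to paste into the Alfresco Cloud SAML settings page.
[pscustomobject]@{
    'IdP AuthenticationRequest Service URL' = $sso.Location
    'IdP SingleLogoutRequest Service URL'   = $slo.Location
    'IdP SingleLogoutResponse Service URL'  = $sloResponse
    'IdP certificate file (DER)'            = $outCer
    'Certificate thumbprint'                = $cert.Thumbprint
    'Certificate valid until'               = $cert.NotAfter
} | Format-List
```

Compare the printed thumbprint with the one shown under Service -> Certificates -> Token-signing in AD FS Management before uploading; if they differ, you exported the secondary certificate of a rollover and SAML responses will fail signature validation on the Alfresco side once the primary is in use.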

Step 2 - Adding a Relying Party Trust (RPT)
Select the Relying Party Trusts folder in AD FS Management (Server Manager -> Tools ->
AD FS Management -> expand Trust Relationships), right-click Relying Party Trusts and
select Add Relying Party Trust... This starts the configuration wizard for a new trust (click
Start).

2.1 In the Select Data Source screen, select the last option Enter data about the relying
party manually.

2.2 On the next screen, enter a Display name that you'll recognize in the future, and any notes
you may want to make.

2.3 On the next screen, select the AD FS profile radio button.

2.4 On the next screen, leave the default certificate settings.

2.5 On the next screen, check the box labelled Enable support for the SAML 2.0 WebSSO
protocol and type in the assertion consumer service URL, which you get from the
Alfresco Cloud metadata (look for the AssertionConsumerService element and copy its
Location value). E.g.

<md:AssertionConsumerService isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://localhost:8443/share/alfresco.me/saml/authnresponse"
index="0"/>

2.6 On the next screen, add a Relying party trust identifier. This must match the Entity
Identification (Issuer) value in the Alfresco Cloud Settings page.

2.7 On the next screen, select I do not want to configure multi-factor authentication
settings for this relying party trust at this time.

2.8 On the next screen, select the Permit all users to access this relying party.

2.9 Just click Next, as there is nothing to do in the Ready to Add Trust screen.

2.10 On the final screen, make sure the checkbox Open the Edit Claim Rules dialog for this
relying party trust when the wizard closes is checked and click Close, which opens the Edit
Claim Rules editor.

Step 3 - Creating Claim Rules
Once the relying party trust has been created, you can create the claim rules and then update
the relying party settings that the wizard does not set. By default the claim rules editor opens
as soon as the trust is created (if it does not, right-click the relying party trust you created in
Step 2 and select Edit Claim Rules...).

3.1 To create a new rule, click on Add Rule… then create a Send LDAP Attributes as Claims
rule.

3.2 On the next screen, enter a name for the rule (e.g. LDAP Attributes), and do the following:
1. Select Active Directory as the Attribute store.
2. From the LDAP Attribute column, select E-Mail Addresses.
3. For the Outgoing Claim Type, type Email.

Notice: "Email" is the attribute name Alfresco Cloud expects to find in the SAML response, so
it must be typed in exactly like that.

4. From the LDAP Attribute column, select User-Principal-Name.
5. For the Outgoing Claim Type, select Name ID.

Notice: The Name ID mapping is required to make ADFS include a SessionIndex in the
response; without a Name ID, ADFS omits the SessionIndex. Alfresco Single Logout needs the
SessionIndex: without it, Alfresco only logs you out locally and your ADFS session stays alive.

3.3 Click on OK to save the new rule.

3.4 Create another rule by clicking Add Rule…, this time select Transform an Incoming
Claim as the rule template.

3.5 On the next screen, enter a name for the rule (e.g. Email Transform), and do the following:
1. Select E-mail Address as the Incoming claim type.
2. For Outgoing claim type, select Name ID.
3. For Outgoing name ID format, select Email.
4. Select Pass through all claim values.

Finally, click OK to create the claim rule, and then OK again to close the claim rules editor.

Step 4 - Adjusting the relying party trust settings
You still need to adjust and add a few settings on your relying party trust. To access them,
go to AD FS Management (Server Manager -> Tools), under Trust Relationships right-click
the relying party trust you created in Step 2 and select Properties.

4.1 In the Advanced tab, switch the Secure hash algorithm from SHA-256 to SHA-1. This is the
algorithm ADFS uses to sign the SAML response for this trust only; SHA-1 is the weaker of the
two and is selected here for compatibility with Alfresco Cloud, so do not carry it over to other
relying party trusts.

4.2 In the Endpoints tab, click Add SAML... to add a new endpoint:

1. For the Endpoint type, select SAML Logout.


2. For the Binding, choose POST.
3. For the Trusted URL, enter the Alfresco Cloud logout service location, which you need
to get from the Alfresco Cloud metadata (in the metadata look for SingleLogoutService
element and copy the Location value)
4. For the Response URL, enter the Alfresco Cloud logout response service location (in
the metadata look for SingleLogoutService element and copy the ResponseLocation
value)

E.g.

<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://localhost:8443/share/alfresco.me/saml/logoutrequest"
ResponseLocation="https://localhost:8443/share/alfresco.me/saml/logoutresponse"/>

5. Click OK

4.3 Select the Signature tab and add the Alfresco certificate (the SP public certificate) you
downloaded from the Alfresco SAML Settings page in step 1.5. ADFS uses it to verify the
signature on the requests it receives from Alfresco Cloud.

Notice: If a warning about the certificate's key length appears, click Yes. ADFS shows it when
the key is shorter than it recommends; the key belongs to the Alfresco-issued certificate and
cannot be changed on the ADFS side.

4.4 Confirm your changes by clicking OK on the RPT properties. You should now have a
working RPT for Alfresco Cloud.
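As an added example, not part of the original guide, here is the same relying party trust built with the ADFS PowerShell cmdlets instead of the wizard. It covers Steps 2 to 4 in one go: it reads the entityID, assertion consumer service and logout endpoints from the SP metadata downloaded in step 1.5 (so nothing is retyped), writes the two claim rules of Step 3 in the claim-rule language the wizard generates behind the GUI, adds the SAML logout endpoint, sets SHA-1 and attaches the Alfresco signing certificate, and then reads the trust back to confirm. Run it on the ADFS server; the display name and the two file paths are assumptions.

```powershell
# Added example, not part of the original guide. Assumptions: display name and file paths.
Import-Module ADFS

$rpName     = 'Alfresco Cloud'                        # assumed display name (step 2.2)
$spMetadata = 'C:\alfresco\alfresco-sp-metadata.xml'  # assumed: SP metadata downloaded in step 1.5
$spCertFile = 'C:\alfresco\alfresco-sp.cer'           # assumed: SP public certificate from step 1.5

# Read the Alfresco (SP) metadata so the identifier and endpoints are copied, not retyped.
[xml]$md = Get-Content -Path $spMetadata -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

$entityId = $md.DocumentElement.GetAttribute('entityID')   # step 2.6: must equal the Issuer in Alfresco's settings
$acs = $md.SelectSingleNode("//md:SPSSODescriptor/md:AssertionConsumerService[@Binding='$post']", $ns)
$slo = $md.SelectSingleNode("//md:SPSSODescriptor/md:SingleLogoutService[@Binding='$post']", $ns)

$endpoints = @(
    # Step 2.5: SAML 2.0 WebSSO assertion consumer service, HTTP-POST binding
    New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri $acs.Location -Index 0 -IsDefault $true
    # Step 4.2: SAML logout endpoint with distinct trusted (request) and response URLs
    New-AdfsSamlEndpoint -Protocol SAMLLogout -Binding POST -Uri $slo.Location -ResponseUri $slo.ResponseLocation
)

# Steps 3.2 and 3.5 in the claim-rule language. The first rule issues the literal "Email"
# attribute Alfresco expects plus a Name ID from the UPN (needed for SessionIndex); the
# second fires on the standard E-mail Address claim type and turns it into an
# email-format Name ID, passing all values through.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 2.8: permit all users to access this relying party.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 4.3: the SP certificate ADFS uses to verify signed requests coming from Alfresco Cloud.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($spCertFile)

Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $entityId `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -RequestSigningCertificate $spCert `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'   # step 4.1; ADFS defaults to rsa-sha256

# Read the trust back and confirm the settings the wizard leaves unset were applied.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'Endpoints';          e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol)/$($_.Binding) $($_.Location)" } } },
        @{ n = 'RequestSigningCert'; e = { $_.RequestSigningCertificate.Thumbprint } } |
    Format-List
```

The read-back at the end is the check worth keeping even if you built the trust through the wizard: an Identifier that does not match the Issuer in Alfresco's settings, a missing SAMLLogout endpoint, or a SignatureAlgorithm still at rsa-sha256 are the three mismatches that produce a trust which looks complete in the console but fails at sign-in or logout.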

Step 5 – Testing your settings

5.1 First, create a user in Active Directory on the Windows Server.

5.2 Add an e-mail address for the created user (right-click the user, select Properties, and
enter an e-mail address whose domain matches both your Alfresco Cloud Network and your
Windows Server domain).

For example, I created a user with a username of user1 under the alfresco.me domain with an
email of user1@alfresco.me.

5.3 Go to https://<federation service name>/adfs/ls/idpinitiatedsignon

5.4 Select the RPT which you have created in step 2, and Sign in

5.5 After successful authentication, you should be redirected to Alfresco Cloud.

Step 6 – ADFS Logs

To view the ADFS logs, do the following:

1. Open the Event Viewer snap-in (on the Start screen, type Event Viewer).
2. In the console tree, expand Applications and Services Logs, expand AD FS, and then
click Admin.
3. In the Actions pane, click Filter Current Log... and, for Event level, verify that the
Warning, Information and Error check boxes are selected. Click OK.
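The following is an added example, not part of the original guide, covering the test in Step 5 and the log review in Step 6 from PowerShell: it creates the Active Directory test user with both the UPN (the Name ID source) and the mail attribute (the Email claim source) set, and, after you have signed in through the IdP-initiated page, pulls the recent AD FS/Admin events at the same three levels the Event Viewer filter selects. The user name and e-mail follow the guide's example; the OU path and the 15-minute window are assumptions. Run it on a server that has both the ActiveDirectory module and the AD FS event log (typically the ADFS server when it is also a domain member with RSAT installed).

```powershell
# Added example, not part of the original guide. Assumptions: OU path and time window.
Import-Module ActiveDirectory

$userName = 'user1'
$upn      = 'user1@alfresco.me'           # step 5.2: domain must match the Alfresco Cloud Network
$ouPath   = 'CN=Users,DC=alfresco,DC=me'  # assumed container for the test user

# Steps 5.1 and 5.2: the UPN feeds the Name ID claim, the mail attribute feeds the Email claim.
$password = Read-Host -Prompt "Password for $userName" -AsSecureString
New-ADUser -Name $userName -SamAccountName $userName -UserPrincipalName $upn `
    -EmailAddress $upn -Path $ouPath -AccountPassword $password -Enabled $true

# Now sign in at https://adfs.alfresco.me/adfs/ls/idpinitiatedsignon (steps 5.3 and 5.4), then run
# the part below to review what ADFS logged for that attempt.

# Step 6 equivalent: AD FS/Admin log, levels Error (2), Warning (3) and Information (4),
# restricted to the last 15 minutes so only the test sign-in shows up.
$since  = (Get-Date).AddMinutes(-15)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2, 3, 4; StartTime = $since } -ErrorAction SilentlyContinue

# One line per event: time, ID, level and the first line of the message.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Full text of the events that mention the relying party or the test user; these carry the
# reason when token issuance fails (wrong identifier, missing claim, signature problems).
$events |
    Where-Object { $_.Message -match 'Alfresco' -or $_.Message -match [regex]::Escape($upn) } |
    ForEach-Object { "`n[$($_.TimeCreated)] Event $($_.Id) ($($_.LevelDisplayName))`n$($_.Message)" }
```

If the list is empty after a failed sign-in, widen the window or drop the StartTime filter; if it is empty after a successful one, the Information level was not selected, which is exactly what the Event Viewer filter in Step 6 guards against.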

