Alfresco Cloud
Prerequisites:
You have a working domain on your Windows Server 2012 and have successfully installed ADFS.
Before you proceed, make sure that the ADFS installation and post-installation configuration were successful
by accessing the following URLs:
https://adfs.alfresco.me/adfs/ls/idpinitiatedsignon
Step 1 – Configuring Alfresco Cloud
1.1 Login as a Network Admin, navigate to Account Settings and enable SAML.
1.2 For the IdP AuthenticationRequest Service URL, type in the location of the SingleSignOnService element within the ADFS metadata (https://<federation service name>/federationmetadata/2007-06/federationmetadata.xml).
Notice: As we only support the HTTP-POST binding, you only need to copy the location of the HTTP-POST services. E.g.
<SingleSignOnService Location="https://adfs.alfresco.me/adfs/ls/"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
1.3 For the IdP SingleLogoutRequest Service URL and IdP SingleLogoutResponse Service URL, type in the location of the SingleLogoutService element within the ADFS metadata. E.g.
<SingleLogoutService Location="https://adfs.alfresco.me/adfs/ls/"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
1.4 To upload the IdP certificate, first export the ADFS certificate by following the steps below:
5. On the next screen, select where you want to save the file and give it a name. Then click Save, Next and Finish.
1.5 Now save the settings. Also, while you are on the SAML settings page, download the Alfresco SAML metadata (SP metadata) and the Alfresco SAML certificate (SP public certificate). These will be used during the ADFS configuration.
Step 2 - Adding a Relying Party Trust (RPT)
Select the Relying Party Trusts folder in AD FS Management (Server Manager -> Tools -> AD FS Management -> expand Trust Relationships), right-click Relying Party Trusts and select Add Relying Party Trust… This starts the configuration wizard for a new trust (click Start).
2.1 In the Select Data Source screen, select the last option Enter data about the relying
party manually.
2.2 On the next screen, enter a Display name that you'll recognize in the future, and any notes
you may want to make.
2.3 On the next screen, select the AD FS profile radio button.
2.4 On the next screen, leave the default certificate settings.
2.5 On the next screen, check the box labelled Enable support for the SAML 2.0 WebSSO protocol and type in the Assertion consumer service URL, which you need to get from the Alfresco Cloud metadata (in the metadata look for the AssertionConsumerService element and copy the Location value). E.g.
<md:AssertionConsumerService isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://localhost:8443/share/alfresco.me/saml/authnresponse"
index="0"/>
2.6 On the next screen, add a Relying party trust identifier. This must match the Entity
Identification (Issuer) value in the Alfresco Cloud Settings page.
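Steps 1.2, 1.3, 2.5 and 2.6 all come down to reading the right element out of a SAML 2.0 metadata file and copying its Location (or entityID) into the other side's settings page, with only the HTTP-POST endpoints being of interest. The following added example (not Alfresco's or Microsoft's code) does that extraction with Python's standard library so that the values can be checked rather than copied by hand. The two metadata documents are constructed samples that keep only the elements the guide mentions; real ADFS metadata also carries a signature, certificates and WS-Federation entries. The entityID values, the ADFS one in the usual http://<federation service name>/adfs/services/trust form and the SP one, are assumptions.

```python
"""Pull the HTTP-POST endpoints and the entityID out of SAML 2.0 metadata.

Added example; the sample metadata below is constructed and trimmed down
to the elements the guide refers to.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# The endpoint elements the guide asks you to copy by hand.
ENDPOINT_TAGS = (
    "SingleSignOnService",       # IdP metadata -> IdP AuthenticationRequest Service URL (1.2)
    "SingleLogoutService",       # IdP (1.3) and SP (4.2) logout endpoints
    "AssertionConsumerService",  # SP metadata -> ACS URL typed into the ADFS wizard (2.5)
)


def post_endpoints(metadata_xml):
    """Return {tag: [{Location, ResponseLocation, index, isDefault}, ...]}
    for every endpoint bound to HTTP-POST. HTTP-Redirect and other bindings
    are skipped because Alfresco Cloud only supports HTTP-POST."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for tag in ENDPOINT_TAGS:
        for el in root.iter("{%s}%s" % (MD_NS, tag)):
            if el.get("Binding") != POST_BINDING:
                continue
            found.setdefault(tag, []).append({
                "Location": el.get("Location"),
                "ResponseLocation": el.get("ResponseLocation"),
                "index": el.get("index"),
                "isDefault": el.get("isDefault") == "true",
            })
    return found


def entity_id(metadata_xml):
    """The entityID attribute of EntityDescriptor. For SP metadata this is
    the value the Relying party trust identifier must match (step 2.6)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    return root.get("entityID")


def default_acs(sp_metadata_xml):
    """Pick the ACS URL to give ADFS: the isDefault="true" HTTP-POST endpoint
    if one is marked, otherwise the only HTTP-POST one. Refuses to guess
    when several unmarked endpoints exist."""
    acs = post_endpoints(sp_metadata_xml).get("AssertionConsumerService", [])
    defaults = [e for e in acs if e["isDefault"]]
    if len(defaults) == 1:
        return defaults[0]["Location"]
    if len(acs) == 1:
        return acs[0]["Location"]
    raise ValueError("cannot pick an ACS URL from %d HTTP-POST endpoints" % len(acs))


# Constructed ADFS-style IdP metadata (default namespace, no prefix), with the
# HTTP-Redirect endpoints that must be ignored sitting next to the POST ones.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.alfresco.me/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.alfresco.me/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.alfresco.me/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.alfresco.me/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.alfresco.me/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed Alfresco-style SP metadata (md: prefix); the entityID is assumed.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://localhost:8443/share/alfresco.me/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:8443/share/alfresco.me/saml/logoutrequest"
        ResponseLocation="https://localhost:8443/share/alfresco.me/saml/logoutresponse"/>
    <md:AssertionConsumerService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:8443/share/alfresco.me/saml/authnresponse" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("IdP HTTP-POST endpoints:", post_endpoints(IDP_METADATA))
    print("RPT identifier must equal:", entity_id(SP_METADATA))
    print("ACS URL for the ADFS wizard:", default_acs(SP_METADATA))
```

Running it against the real files (replace the two constants with the downloaded metadata) gives the exact strings to paste into the Alfresco Cloud settings page and the ADFS wizard; the SingleLogoutService entry from the SP metadata also supplies the Location and ResponseLocation needed for the endpoint added in step 4.2.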
2.7 On the next screen, select I do not want to configure multi-factor authentication
settings for this relying party trust at this time.
2.8 On the next screen, select Permit all users to access this relying party.
2.9 Just click Next, as there is nothing to do in the Ready to Add Trust screen.
2.10 On the final screen, make sure the checkbox is checked and click Close to exit, which
opens the Edit Claim Rules editor.
Step 3 - Creating Claim Rules
Once the relying party trust has been created, you can create the claim rules and update the relying party settings that weren't set by the wizard. By default, the claim rule editor opens once you have created the trust (if the editor doesn't open, right-click the relying party name that you created in Step 2 and select Edit Claim Rules...).
3.1 To create a new rule, click on Add Rule… then create a Send LDAP Attributes as Claims
rule.
3.2 On the next screen, enter a name for the rule (E.g. LDAP Attributes), and do the following:
1. Select Active Directory for the Attribute store
2. From the LDAP Attribute column, select E-Mail Addresses
3. From the Outgoing Claim Type, type Email
Notice: "Email" is the attribute name that Alfresco Cloud expects to be present in a SAML response.
Notice: We must add the Name ID in order to make ADFS send the SessionIndex with the
response. Without the Name ID, ADFS does not include the SessionIndex within the response.
You need the SessionIndex in order to use Alfresco Single Logout, as without it, Alfresco only
logs you out locally.
3.4 Create another rule by clicking Add Rule…, this time select Transform an Incoming
Claim as the rule template.
3.5 On the next screen, enter a name for the rule (E.g. Email Transform), and do the following:
1. Select E-mail Address as the Incoming claim type.
2. For Outgoing claim type, select Name ID.
3. For Outgoing name ID format, select Email
4. Select Pass through all claim values
Finally, click OK to create the claim rule, and then OK again to finish off creating rules.
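The two claim rules above determine what ADFS puts in the SAML response, and the notices in step 3.2 explain why each matters: Alfresco Cloud maps the user from an attribute named "Email", and without the Name ID rule ADFS omits the SessionIndex, so single logout degrades to a local logout. The added example below (not Alfresco's code) is a checker for a SAML response captured from the browser, in the spirit of the testing in Step 5; it reports which of those pieces are missing. It parses the XML only: signature and timestamp validation are deliberately left out here and must be performed by the SP before anything in a response is trusted. The response XML, the ADFS issuer name and the user1@alfresco.me address are constructed samples.

```python
"""Check that an ADFS SAML Response carries what the Step 3 claim rules are
meant to produce: an "Email" attribute, an email-format NameID and a
SessionIndex (needed for single logout).

Added example; the responses below are constructed, unsigned samples.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_response(response_xml, expected_acs):
    """Return a list of problems; an empty list means every element the guide
    relies on is present. XML signature and validity-window checks are out of
    scope here and must be done by the SP before trusting any of this."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination is not the Alfresco ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion in response")
        return problems
    # Step 3.2: Alfresco Cloud looks for an attribute literally named "Email".
    email = assertion.find(
        "saml:AttributeStatement/saml:Attribute[@Name='Email']/saml:AttributeValue", NS)
    if email is None or not (email.text or "").strip():
        problems.append("no 'Email' attribute value: Alfresco cannot identify the user")
    # Step 3.5: the NameID rule. Without it ADFS also omits the SessionIndex.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not the email format")
    # SessionIndex is what a LogoutRequest uses to name the IdP session.
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None or not authn.get("SessionIndex"):
        problems.append("no SessionIndex: single logout would only be local")
    return problems


ACS_URL = "https://localhost:8443/share/alfresco.me/saml/authnresponse"

# Constructed sample of what ADFS posts once both claim rules are in place
# (issuer name and user address are assumptions).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2014-06-01T10:00:00Z" Destination="%s">
  <saml:Issuer>http://adfs.alfresco.me/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2014-06-01T10:00:00Z">
    <saml:Issuer>http://adfs.alfresco.me/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@alfresco.me</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>user1@alfresco.me</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthnStatement AuthnInstant="2014-06-01T10:00:00Z" SessionIndex="_assert1"/>
  </saml:Assertion>
</samlp:Response>""" % ACS_URL

# The same response with only the first rule configured: as the guide notes,
# no NameID means ADFS also leaves out the SessionIndex.
NO_NAMEID_RESPONSE = GOOD_RESPONSE.replace(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'user1@alfresco.me</saml:NameID>', ''
).replace(' SessionIndex="_assert1"', '')

if __name__ == "__main__":
    print("both rules:", check_response(GOOD_RESPONSE, ACS_URL) or "OK")
    print("LDAP rule only:", check_response(NO_NAMEID_RESPONSE, ACS_URL))
```

To use it on a real login, capture the base64 SAMLResponse form field posted to the authnresponse URL, decode it, and pass the XML to check_response together with the ACS URL from the Alfresco metadata; an empty list means the claim rules produce everything the guide requires.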
Step 4 - Adjusting the relying party trust settings
You still need to adjust or add a few settings on your relying party trust. To access these settings, go to AD FS Management (Server Manager -> Tools), under Trust Relationships right-click the relying party trust which you created in Step 2 and select Properties.
4.2 In the Endpoints tab, click Add SAML to add a new endpoint. Use the SingleLogoutService element from the Alfresco SP metadata, e.g.
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://localhost:8443/share/alfresco.me/saml/logoutrequest"
ResponseLocation="https://localhost:8443/share/alfresco.me/saml/logoutresponse"/>
5. Click OK
4.3 Select the Signature tab and add the Alfresco certificate which you downloaded from the Alfresco SAML Settings page in step 1.5.
Notice: If there is a warning about the length of the certificate's key, click Yes.
4.4 Confirm your changes by clicking OK on the RPT properties. You should now have a
working RPT for Alfresco Cloud.
Step 5 – Testing your settings
5.2 Add an email for the created user (Right click on the created user, select Properties, and
then add an email that matches your Alfresco Cloud Network and Windows server domain).
For example, I created a user with a username of user1 under the alfresco.me domain with an
email of [email protected]
5.4 Select the RPT which you created in Step 2, and click Sign in.
5.5 After successful authentication, you should be redirected to Alfresco Cloud.
Step 5 – ADFS Logs