On behalf of the team, I am pleased to announce that Alfresco Process Services 1.9 has been released and is available now. This release includes new features, improvements, and important bug fixes. Here are a few notable highlights:
New modern authentication option
Authentication plays an important role in improving user experiences and adhering to your organization’s security standards. Alfresco Process Services (APS) and other parts of Alfresco’s platform, including Alfresco’s Application Development Framework (ADF) and Alfresco Content Services (ACS), have extension points for customizing such authentication needs. Yet, until now, each platform component had its own authentication experience, including its own authentication extensibility model, implementation, and supported authentication standards.
Alfresco now introduces the new Alfresco Identity Service Architecture, an optional solution for customers requiring more advanced authentication services. This architecture features:
- Modern and unified open standards for authentication amongst APS, ADF, and ACS via OpenID Connect authentication.
- Alfresco Identity Service for brokering authentication to your Identity Provider (IdP) and authentication protocols such as SAML or OAuth2.
Conceptually, this new architecture looks like the following:
Practically, this functionality is available on a limited availability basis for APS 1.9 (and other compatible Alfresco releases), as the Alfresco Identity Service is not generally available at the time of this writing. Customers interested in the benefits of this new architecture can use Keycloak, an open source project freely available under an Apache 2 license, as a stand-in until the Alfresco Identity Service is available, as illustrated below:
Note that Alfresco or Partner assistance for configuring Keycloak in your environment is available as a separate service contract. This is only needed until the Alfresco Identity Service is generally available. Customers using the existing APS authentication mechanisms can continue doing so without change.
This new option:
- Simplifies interactions with your identity provider (IdP) by centralizing configuration across Alfresco components including integration across solutions using ADF, APS, and ACS. This includes all ADF-based applications such as the Content App and Process Workspace.
- Allows you to leverage a wide array of authentication protocols including SAML, OAuth 2.0, OpenID Connect, and Kerberos as well as user federation with common user databases such as LDAP and Active Directory.
- Lets customers configure OAuth2 and use the Activiti-Admin console by setting up a subset of local users in Keycloak for basic authentication. (Previously, the Activiti-Admin console could only be used if Activiti-App was configured for Basic Authentication, not for OAuth2 or Kerberos. This new architecture removes this restriction whilst adding more authentication protocols.)
A basic way to get going is to ensure that the configuration file activiti-identity-service.properties is in your classpath, usually in .../tomcat/webapps/activiti-app/WEB-INF/classes/META-INF/.
Make sure the “keycloak.enabled” property is set to true.
Then match the name in the properties file with your realm name.
Similarly, make sure the resource in your properties file matches your client.
And the valid URL needs to match your Activiti-App host name.
Lastly, ensure that your users exist in Keycloak (for authentication) and in APS (for authorization). Important: the email must match.
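A pre-flight check for the steps above, as an added example (not Alfresco's or Keycloak's own code): it compares the properties file with a Keycloak realm export and a list of APS user emails before you restart. Only keycloak.enabled is named on this page; keycloak.realm and keycloak.resource are assumed to be the standard Keycloak adapter keys, the export fields (realm, clients, clientId, redirectUris, users, email) are assumed to follow Keycloak's realm export format, and all sample values are constructed.

```python
from urllib.parse import urlsplit

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_config(props_text, realm_export, aps_emails, aps_host):
    """Return a list of mismatches between the APS properties and the realm."""
    props, problems = parse_properties(props_text), []
    if props.get("keycloak.enabled", "").lower() != "true":
        problems.append("keycloak.enabled is not true")
    if props.get("keycloak.realm") != realm_export.get("realm"):
        problems.append("realm name mismatch")
    client = next((c for c in realm_export.get("clients", [])
                   if c.get("clientId") == props.get("keycloak.resource")), None)
    if client is None:
        problems.append("resource does not match any client")
    else:
        # Host part of each valid redirect URI registered for the client.
        hosts = {urlsplit(u).hostname for u in client.get("redirectUris", [])}
        if aps_host.lower() not in hosts:
            problems.append("no valid redirect URI for host " + aps_host)
    # Users must exist on both sides; emails are compared exactly (conservative).
    kc = {u["email"] for u in realm_export.get("users", []) if u.get("email")}
    aps = set(aps_emails)
    problems += [f"{e}: in APS but not in Keycloak" for e in sorted(aps - kc)]
    problems += [f"{e}: in Keycloak but not in APS" for e in sorted(kc - aps)]
    return problems

# Constructed sample data (assumed key names, not from a real deployment).
SAMPLE_PROPS = "keycloak.enabled=true\nkeycloak.realm=alfresco\nkeycloak.resource=activiti\n"
SAMPLE_REALM = {
    "realm": "alfresco",
    "clients": [{"clientId": "activiti",
                 "redirectUris": ["http://aps.example.com:8080/activiti-app/*"]}],
    "users": [{"username": "alice", "email": "alice@example.com"},
              {"username": "bob", "email": "bob@example.com"}],
}
SAMPLE_APS_EMAILS = ["alice@example.com", "carol@example.com"]

if __name__ == "__main__":
    for p in check_config(SAMPLE_PROPS, SAMPLE_REALM, SAMPLE_APS_EMAILS, "aps.example.com"):
        print("MISMATCH:", p)
```

With the sample data the realm, client and redirect host line up, and the check reports only the two accounts that exist on one side but not the other.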
Once you restart Alfresco Process Services, the configuration will now redirect your authentication to the Alfresco Identity Service Architecture as in steps A, B, and C below:
While this is a simple example, additional configuration can be done for the following use cases:
- Configure the Alfresco Process Workspace to use the Alfresco Identity Service Architecture. This can also be done for your own ADF application. This is the preferred interface for end-user applications.
- Allow the Alfresco Identity Service Architecture to authenticate with your own IdP for SAML or OAuth2
- Automatically sync users to the Alfresco Identity Service / Keycloak (note: this is needed for authentication, and the traditional user sync of APS is still required for authorization)
- Configure the APS Admin Console (activiti-admin) to operate when the activiti-app is configured for a non-basic auth protocol (a feature not available prior to the Alfresco Identity Service Architecture)
Check Ciju Joseph's recent blog post about implementing strong two-factor hardware-based authentication. He used a smart card that supports Personal Identity Verification (PIV) authentication (FIPS 201, a US government standard).
Process Workspace released independently
The Process Workspace is a new ADF-based user interface for end users to view, act and collaborate on tasks and processes. From Alfresco Process Services 1.9, Process Workspace is no longer shipped with APS but packaged as a separate distribution, giving customers the flexibility to update their environment each time there is a new release. The release cadence will follow ADF releases to keep pace and sync with its innovation cycle. Process Workspace 1.2.0 (based on ADF 2.4.0) was released July 2nd. It includes:
- ADF 2.4 Upgrade
- configurable landing page
- UX Improvements
- source code and .war file
- bug fixes
Please check the following documentation for installation instructions: Installing Alfresco Process Services Workspace | Alfresco Documentation.
Dist folder (distribution) in Process Workspace package (.zip)
Advanced documentation generation
It is now possible to use advanced constructs to generate richer documents including information from multiple data sources such as external databases, REST endpoints, JSON objects, etc. The graphical user interface for the generate document task now includes 2 new properties:
- additional data source names, a comma-separated list of data sources the document will use as the source of the expressions.
- and additional data source expressions, a comma-separated list of expressions to be included in the document.
This makes it possible to collect data from multiple data sources, including external sources, to enrich the generated documents. As an example, here is how to collect data from process variables and two custom services. The example is a simple booking app (GitHub repo link) which allows a user to specify a city to visit and at the end generates a document confirming the booking. The document should contain information about the booking and some extra information such as the weather and recommended places to visit.
Weather and recommendations information are retrieved from custom services WeatherService and RecommendationService.
Multiple data sources can be specified in the additional data source expressions
Additional data source names (weather and recommendations) can then be used in the document template to display information.
The final generated document will look as follows.
New iOS mobile app version
A new version 1.1 of the Alfresco Process Service iOS app is available on the App Store. It adds offline capabilities and compatibility with iPhone X. Here are the detailed highlights for this update:
- Access your task lists, downloaded files, and forms without network connectivity
- Fill out task form and save progress for later even when you are offline
- iPhone X compatibility
- Date & time form field support
- Attachment thumbnail
- Additional enhancements and fixes
The updated app requires iOS 10 or higher and connects to Alfresco Process Services 1.7 or higher.
Sub-groups in task assignments
In Alfresco Process Services 1.9, if you select a candidate group or add a group of involved people for a user task, it now includes all the users who are part of any sub-groups under the selected parent group. As an example, if you have the following group hierarchy:
- TopGroup (user1)
  - SubGroupA (user2)
    - SubGroupA1 (user3)
If you select the group TopGroup as candidate group for the user task A, all 3 users (user1, user2 and user3) will see the task A in their task queue. The same behavior applies for involved groups on user tasks.