Alfresco With Shibboleth

Document created by resplin Employee on Jun 6, 2015

Obsolete page.

The official documentation is at: http://docs.alfresco.com



Objective    

WARNING: this kind of setup is not officially supported by Alfresco



The objective of this document is to provide instructions on how to enable the Alfresco Share Application to work with Shibboleth as the authentication subsystem.  These instructions have been tested on Alfresco Community versions 3.4.d and 4.0.b.

General Environment Setup Relevant to User Authentication

Apache sits in front, receives incoming web requests and forwards them to Tomcat. A web client connects over HTTPS to https://yourdomainname/; mod_proxy forwards the request over the AJP protocol to the internal Tomcat application server (which hosts the Alfresco Share application) listening on port 8009 on localhost.

Apache

We start with a virtual host running on port 80 and work our way up to SSL later. In the Apache configuration (httpd.conf) below, Apache acts as the receptionist: it intercepts web requests and forwards them to Tomcat with the ProxyPass and ProxyPassReverse directives.

<VirtualHost *:80>
DocumentRoot '/home/alfresco/apps/httpd-2.2.17/htdocs'
ServerName <yourdomainname.com>
UseCanonicalName On
ErrorLog '/home/alfresco/apps/httpd-2.2.17/logs/error_log'
TransferLog '/home/alfresco/apps/httpd-2.2.17/logs/access_log'

ProxyRequests Off
RewriteEngine On

# Alfresco Explorer
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco

# Alfresco Share
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share
</VirtualHost>

Edit tomcat/conf/server.xml to enable the AJP connector. tomcatAuthentication="false" makes Tomcat accept the REMOTE_USER that Apache passes over AJP, so bind the connector to the loopback address: otherwise any host that can reach port 8009 could present its own user name.

<!-- address="127.0.0.1" keeps the connector reachable from the local Apache only -->
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" tomcatAuthentication="false" />

SSL Certificate

Create a self-signed SSL certificate:

openssl genrsa -des3 -out server.key 2048                                        (generate the private key)
openssl req -new -key server.key -out server.csr                                 (create the certificate signing request, CSR)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt   (sign your CSR; without -out the certificate only goes to stdout)
cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
   (remove the passphrase from your private key so that Apache does not prompt for it when the service is restarted)
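The same certificate steps as a non-interactive script, added here as an example and not part of the original page: -subj replaces the prompts, the key is written without a passphrase from the start, and the key and certificate are checked against each other before Apache is pointed at them. The directory, common name and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): self-signed certificate for the Apache front end.
# Usage: make_selfsigned_cert DIR CN [DAYS]  -> DIR/server.key, DIR/server.csr, DIR/server.crt

# true if the RSA modulus in key $1 equals the one in certificate $2 (they belong together)
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)" ]
}

# prints the subject CN of certificate $1, to confirm it agrees with Apache's ServerName
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

make_selfsigned_cert() {
    dir=$1; cn=$2; days=${3:-365}
    # 1. private key, unencrypted (what the final "openssl rsa" step on the page achieves);
    #    protect it with file permissions instead of a passphrase
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    # 2. certificate signing request; -subj replaces the interactive prompts
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. sign the CSR with its own key; -out is required or the certificate is only printed
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # 4. refuse to hand Apache a key/certificate pair that does not match
    key_matches_cert "$dir/server.key" "$dir/server.crt"
}
```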


Edit the Apache configuration (httpd.conf) to reference your SSL certificate. The SSLCertificateChainFile and SSLCACertificateFile directives may be needed for certificates obtained from a commercial certificate authority such as DigiCert.

<VirtualHost _default_:443>
DocumentRoot '/your_apache_path/htdocs'
ServerName <yourdomainname.com>
UseCanonicalName On
ErrorLog '/your_apache_path/logs/error_log'
TransferLog '/your_apache_path/logs/access_log'
SSLEngine on
SSLCipherSuite HIGH
SSLCertificateFile '/your_apache_path/conf/yourdomainname.crt'
SSLCertificateKeyFile '/your_apache_path/conf/yourdomainname.key'

ProxyRequests Off
RewriteEngine On

# Alfresco Explorer
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco

# Share
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share

</VirtualHost>

Shibboleth Authentication

After you have installed Shibboleth, make a copy of shibboleth2.xml before making the following edits, so that you can revert to a clean copy if needed.

<RequestMapper type='Native'>
  <RequestMap applicationId='default'>

    <!-- The example requires a session for documents in /secure on the containing host with http and https on the default ports. -->
    <!-- Note that the name and port in the <Host> elements MUST match Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element below. -->

    <!-- No leading space inside the quotes: the name must match Apache's ServerName exactly. -->
    <Host name='yourdomainname.com'>
      <Path name='/' authType='shibboleth' requireSession='true'/>
    </Host>

  </RequestMap>
</RequestMapper>

<ApplicationDefaults id='default' policyId='default'
    entityID='https://yourdomainname.com/'
    homeURL='https://yourdomainname.com/'
    REMOTE_USER='your_persistent_id'
    signing='false' encryption='false'>
  <!-- the rest of the ApplicationDefaults element is unchanged and not shown here -->
</ApplicationDefaults>


In attribute-map.xml, make sure that the your_persistent_id attribute is among the attributes mapped from the IdP's assertion on successful authentication; otherwise REMOTE_USER stays empty and Alfresco sees no user.

Then we need to hook Shibboleth up to Apache by editing the Apache configuration file (httpd.conf).

LoadModule mod_shib /shibb_path/mod_shib_22.so

<VirtualHost _default_:443>
DocumentRoot '/your_apache_path/htdocs'
ServerName <yourdomainname.com>
UseCanonicalName On
ErrorLog '/your_apache_path/logs/error_log'
TransferLog '/your_apache_path/logs/access_log'
SSLEngine on
SSLCipherSuite HIGH
SSLCertificateFile '/your_apache_path/conf/yourdomainname.crt'
SSLCertificateKeyFile '/your_apache_path/conf/yourdomainname.key'
SSLCertificateChainFile '/your_apache_path/conf/DigiCertCA.crt'
SSLCACertificateFile '/your_apache_path/conf/DigiCertCA.crt'
ProxyRequests Off

# Every path on this virtual host (/alfresco and /share included) requires a Shibboleth session
<Location />
AuthType shibboleth
ShibRequireSession On
require valid-user
</Location>

# Alfresco Explorer
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco

# Share
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share

</VirtualHost>
  

Alfresco External Authentication

To enable external authentication, add the following to tomcat/shared/classes/alfresco-global.properties. With external.authentication.proxyUserName left empty, the repository trusts the user name carried in the external.authentication.proxyHeader header (X-Alfresco-Remote-User by default) on every request, so Tomcat must be reachable only through Apache and Share.

authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
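The trust chain built by the AJP connector above and by these two properties is easy to get subtly wrong, so here is an added audit script (not from the original page or from Alfresco) that reads server.xml and alfresco-global.properties and reports the settings that would let a request other than Apache's be believed. The function and helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit the REMOTE_USER trust chain of this setup.
# Usage: audit_external_auth tomcat/conf/server.xml tomcat/shared/classes/alfresco-global.properties
# Prints one FINDING line per problem and returns 1 if any were found, 0 otherwise.

# true if string $1 matches extended regex $2
has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# first <Connector ...> element speaking AJP/1.3 (the attribute quotes may be " or ')
ajp_connector_line() { grep -E '<Connector[^>]*protocol=.AJP/1\.3' "$1" | head -n 1; }

# value of property $2 in properties file $1 (empty if unset or set to nothing)
prop() { sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1; }

audit_external_auth() {
    findings=0
    conn=$(ajp_connector_line "$1")
    if [ -z "$conn" ]; then
        echo "FINDING: no AJP/1.3 connector in $1; Apache's ProxyPass to ajp://127.0.0.1:8009 cannot work"
        findings=$((findings + 1))
    elif ! has "$conn" 'tomcatAuthentication=.false'; then
        echo "FINDING: AJP connector lacks tomcatAuthentication=\"false\"; the user Apache sends is ignored"
        findings=$((findings + 1))
    elif ! has "$conn" 'address=.(127\.0\.0\.1|::1|localhost)'; then
        # Tomcat believes whatever REMOTE_USER arrives over AJP, so only the local Apache may reach it.
        echo "FINDING: AJP connector trusts REMOTE_USER but is not bound to the loopback address"
        findings=$((findings + 1))
    fi
    chain=$(prop "$2" 'authentication\.chain')
    case $chain in
        *:external*) ;;
        *) echo "FINDING: authentication.chain '$chain' contains no external subsystem"
           findings=$((findings + 1)) ;;
    esac
    if [ -z "$(prop "$2" 'external\.authentication\.proxyUserName')" ]; then
        # Empty proxy user: the repository accepts the user name in the proxy header
        # (X-Alfresco-Remote-User by default) on every request, so Tomcat must be
        # unreachable except through Apache and Share.
        echo "FINDING: external.authentication.proxyUserName is empty; every request reaching Tomcat is trusted"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Run against the files exactly as this page shows them, it reports the unbound connector and the empty proxy user; with address="127.0.0.1" on the connector and a proxy user set it is silent.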


Alfresco Share SSO

Here comes the trickiest part of getting the Share application to work with Shibboleth. Share is a separate web application from the main Alfresco Explorer/repository WAR file and has no knowledge of the user that was authenticated to Alfresco Explorer, so we need to enable SSO authentication via share-config-custom.xml. Share then makes web service calls over HTTP(S) to the configured Alfresco repository to obtain information about the authenticated user.

As explained in http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/tasks/share-change-port.html, uncomment both sections in tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.

Start Apache, Shibboleth, and Alfresco and hope for the best.  You might also need to reboot. 

Diagnostic

Once Shibboleth is working properly, there are two ways to view the Shibboleth attributes.

1)     Download snoop.jsp (provide link to file to be downloaded) and place it in tomcat/alfresco/, and download HTMLfilter.class (provide link to file to be downloaded) and put it under tomcat/webapps/alfresco/WEB-INF/classes/util/. You can then view the Shibboleth attributes at:

https://yourdomainname/alfresco/snoop.jsp

Remove snoop.jsp again once you are done diagnosing: it echoes the request headers and attributes of whoever calls it.

2)     You can also view the Shibboleth status and session attributes at the following URLs:

http://yourdomainname/Shibboleth.sso/Status
http://yourdomainname/Shibboleth.sso/Session

The Status handler is limited by the acl attribute of its <Handler> element in shibboleth2.xml (127.0.0.1 and ::1 by default), so call it from the server itself or widen that ACL deliberately.
