Azure Ad + SSO + MFA(2FA) with Alfresco

grathod
Member II

Azure Ad + SSO + MFA(2FA) with Alfresco

Hi Team,

The client is looking for a solution to use Azure AD (Active Directory) with SSO, plus MFA on top of it.

So Azure AD + SSO + MFA (2FA).

Does Alfresco support it?

1) Is all of the above possible with the latest Alfresco Enterprise 23.x version?

2) Can all of it be achieved OOB, or do new add-ons need to be purchased?

If available, is it available as a paid add-on from Hyland?

I found a link somewhere for something similar: https://www.miniorange.com/iam/integrations/alfresco-sso

But it seems to be a 3rd-party integration. Does Hyland have such a solution? If yes, please provide a reference.

 

Thanks

1 Reply
abhinavmishra14
Advanced

Re: Azure Ad + SSO + MFA(2FA) with Alfresco

Caution: the SAML module has been deprecated and it is recommended to use Keycloak if possible.

 

Here are some high-level steps for integrating Azure AD with Alfresco Share via the SAML module for Single Sign-On:

 

1 - First things first, you need to set up/register an enterprise app in Azure. Work with your Azure admin to do this step.

Refer to: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/view-applications-portal

     1.1 - Go to https://portal.azure.com/ and find the "Microsoft Entra ID" resource.

     1.2 - Go to the "Enterprise applications" tab and register your app. Provide the details as prompted. Make sure to choose "SAML" as the Single Sign-On method. This tutorial would be helpful (old, but still a good reference): https://www.youtube.com/watch?v=7SU5S0WtNNk

     1.3 - Open the registered app. Under the "Users and groups" menu, add all AD groups you want to allow users from. You can also configure MFA policies on selected AD groups as required. This can be done at group level under policies.

     1.4 - Go to the "SAML-based Sign-on" menu and configure the Alfresco URLs. Make sure the Identifier (Entity ID) is set to your respective environment endpoint, e.g.: http://<host>:<port>/share

     1.5 - The Reply URL (Assertion Consumer Service URL) should be like: http://<host>:<port>/share/page/saml-authnresponse

     1.6 - Provide the logout URI as per policy. It can be http://<host>:<port>/share as well.

     Alternatively you can make use of alfrescoSamlSpMetadata.xml, which can be downloaded from here: http://<host>:<port>/alfresco/s/saml/share/sp/metadata?a=true

     1.7 - Download the SP certificate; you will need to upload it. It can be downloaded at this URL: http://<host>:<port>/alfresco/s/saml/share/sp/pubcert?a=true

     1.8 - Configure all other inputs as presented. You can make use of the federation metadata URL to get the info about the SingleSignOnService URLs. This will be needed on the Alfresco admin page where you will configure the SAML module.

     1.9 - Download the Certificate (Raw); this will need to be uploaded on the Alfresco SAML module configuration page under the Alfresco admin app.

     1.10 - Note the login and logout URLs as populated. Alternatively you can get them from step 1.12 as mentioned above.

     1.11 - Save the changes.

2 - Go to http://<host>:<port>/alfresco/s/enterprise/admin/admin-saml to configure the SAML module.

  2.1 - Configure it for Share. You can do it for others as well if needed.

  2.2 - Enforce the SAML login as needed. If you enforce it, users won't see the login page and will be redirected to sign on via Azure automatically.

  2.3 - Give your app a name under the "Identity Provider (IdP) Description" field. This can be the same name you gave in Azure while setting up the SAML SSO app; it could be different as well. This is displayed on the Share login page if the policy is not enforced (step 2.2).

  2.4 - Provide the other values. The <Directory (tenant) ID> can be found under your registered app, or you can copy the same URLs noted as part of the setup above:

           

IdP Authentication Request Service URL:
https://login.microsoftonline.com/<Directory (tenant) ID>/saml2

IdP Single Logout Request Service URL:
https://login.microsoftonline.com/<Directory (tenant) ID>/saml2

IdP Single Logout Response Service URL:
https://login.microsoftonline.com/<Directory (tenant) ID>/saml2

Entity Identification (Issuer):
http://<host>:<port>/share

 2.5 - Save the changes. 

 

3 - Go to the Azure SAML SSO app; you can test the integration to see if everything is working correctly. Debug any issues as needed.
 

~Abhinav
(ACSCE, AWS SAA, Azure Admin)
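The procedure in the reply above works only when four values agree across the two consoles: the Identifier (Entity ID) and Reply URL typed into Azure must match what Alfresco's SP metadata (step 1.6) publishes, the IdP URLs typed into the Alfresco admin page (step 2.4) must match what Azure's federation metadata (step 1.8) publishes, and the Certificate (Raw) uploaded in step 1.9 must be the one Azure actually signs with. The script below is an added example, not code from the original post or from Alfresco/Hyland: it parses both metadata documents with Python's standard library and reports every disagreement, and it also flags any ACS, SSO or SLO endpoint that is not HTTPS, since the reply's placeholder URLs are http:// and a plaintext ACS would expose the signed assertion and the resulting Share session cookie on the wire. Everything in it is constructed for the example: the host names, the tenant ID, the certificate body and the two XML documents (shaped after the SAML 2.0 metadata schema, not copied from a real Alfresco or Azure export); the choice of the HTTP-Redirect binding entries is an assumption, since Azure lists Redirect and POST bindings at the same URL.

```python
"""Azure AD <-> Alfresco SAML settings checker (added example, not code from
the original post or from Alfresco/Hyland). Parses the SP metadata Alfresco
serves and the IdP federation metadata Azure publishes, compares them with
the values typed into the Azure app and the Alfresco SAML admin page, and
flags endpoints that are not HTTPS. All XML, hosts, the tenant ID and the
certificate below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TENANT = "11111111-2222-3333-4444-555555555555"  # made-up Directory (tenant) ID
IDP_URL = f"https://login.microsoftonline.com/{TENANT}/saml2"

# Constructed SP metadata, shaped like Alfresco's alfrescoSamlSpMetadata.xml (not a real export)
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="http://alfresco.example.local:8080/share">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST}" index="0"
        Location="http://alfresco.example.local:8080/share/page/saml-authnresponse"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata, shaped like Azure's federationmetadata.xml (not a real export)
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sts.windows.net/{TENANT}/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIC0FAKECERTBODY
      ABCDEF0123456789</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="{IDP_URL}"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{IDP_URL}"/>
    <md:SingleSignOnService Binding="{POST}" Location="{IDP_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed "Certificate (Raw)" as downloaded from Azure and uploaded into Alfresco (fake body)
UPLOADED_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIC0FAKECERTBODY\nABCDEF0123456789\n-----END CERTIFICATE-----\n"


def parse_sp(xml_text):
    """Entity ID and HTTP-POST Assertion Consumer Service URL of the SP."""
    root = ET.fromstring(xml_text)
    acs = root.find(f"md:SPSSODescriptor/md:AssertionConsumerService[@Binding='{POST}']", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location") if acs is not None else None}


def parse_idp(xml_text):
    """Entity ID, HTTP-Redirect SSO/SLO URLs and signing certificates of the IdP."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)

    def redirect_url(service):  # Azure lists Redirect and POST at the same URL; Redirect is used here
        el = idp.find(f"md:{service}[@Binding='{REDIRECT}']", NS)
        return el.get("Location") if el is not None else None

    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "sso_url": redirect_url("SingleSignOnService"),
            "slo_url": redirect_url("SingleLogoutService"),
            "signing_certs": ["".join(c.text.split()) for c in certs]}  # whitespace-normalised base64


def pem_body(pem):
    """Base64 body of a PEM certificate with header, footer and whitespace removed."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def check(sp, idp, azure, alfresco, uploaded_cert_pem=None):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    for label, configured, published in (
            ("Azure Identifier (Entity ID)", azure["identifier"], sp["entity_id"]),
            ("Azure Reply URL", azure["reply_url"], sp["acs_url"]),
            ("Alfresco IdP Authentication Request Service URL", alfresco["sso_url"], idp["sso_url"]),
            ("Alfresco IdP Single Logout Request Service URL", alfresco["slo_url"], idp["slo_url"])):
        if configured != published:
            findings.append(f"{label} is {configured!r} but the metadata says {published!r}")
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate")
    elif uploaded_cert_pem and pem_body(uploaded_cert_pem) not in idp["signing_certs"]:
        findings.append("certificate uploaded to Alfresco is not one of the IdP signing certificates")
    # Transport check: a plaintext endpoint exposes the signed assertion and the Share session cookie
    for label, url in (("SP ACS", sp["acs_url"]), ("IdP SSO", idp["sso_url"]), ("IdP SLO", idp["slo_url"])):
        if url and urlparse(url).scheme != "https":
            findings.append(f"{label} URL {url} is not https")
    return findings


def run_example():
    """Values as an admin would type them following the steps above; returns the findings."""
    sp, idp = parse_sp(SP_METADATA), parse_idp(IDP_METADATA)
    azure = {"identifier": "http://alfresco.example.local:8080/share",
             "reply_url": "http://alfresco.example.local:8080/share/page/saml-authnresponse"}
    alfresco = {"sso_url": IDP_URL, "slo_url": IDP_URL}
    return check(sp, idp, azure, alfresco, UPLOADED_CERT_PEM)


if __name__ == "__main__":
    for finding in run_example():
        print("FINDING:", finding)
```

Run as-is, the only finding is the http:// ACS endpoint inherited from the placeholder URLs; a trailing slash in the Reply URL, a tenant ID typo in the Alfresco IdP URLs, or a stale certificate each produce their own line. To check a live setup, feed `parse_sp` the document from the sp/metadata URL in step 1.6, feed `parse_idp` the federation metadata from step 1.8, and pass the PEM you uploaded in step 1.9.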