I haven't found any documentation about this so I thought I'd ask a question.
(I have all this working, I'm just trying to understand it all a bit better)
My aim is to have SSO set up and configured - share is relatively straightforward but I'm trying to understand the detail behind the platform/repo endpoints as the documentation doesn't really cover this.
I think the only URL I need to expose is: /alfresco/s/admin/admin-communitysummary (or /alfresco/s/enterprise/admin)
The information for configuring a proxy Configuring SSL for a production environment | Alfresco Documentation is pretty good here but I think the /alfresco mount point exposes rather more than is necessary these days
I think /alfresco would be better as:
JkMount /alfresco/s/admin alfresco-worker
JkMount /alfresco/s/admin/* alfresco-worker
JkMount /alfresco/admin/css/* alfresco-worker
(For enterprise add /service/enterprise/admin/* and /s/enterprise/admin/* ?)
(And if you're using the nice new ootb support tools extension
JkMount /alfresco/s/ootbee/* alfresco-worker
JkMount /alfresco/ootbee-support-tools/* alfresco-worker
The implication here is that these, or at least /alfresco/.../admin, are the endpoints that need to be covered by SSO at the alfresco level (have I missed anything?) + the ones for public API access if you want those
The authentication mappings in alfresco/WEB-INF/web.xml seem to have changed a fair bit recently
(a clue! - there is a CSRF token filter on /service/enterprise/admin/* and /s/enterprise/admin/*)
There appear to be authentication filters around /wcs and /wcservice, as well as /api, /webdav and /cmisatom
The documentation on configuration the SSO endpoint (incidentally the examples don't even all have the same number of endpoints listed...) Configuring Alfresco Share to use an external SSO | Alfresco Documentation (code doesn't match text...), Configuring the Share default port | Alfresco Documentation and Configuring the Share default port | Alfresco Documentation has for a long time said to use the wcs endpoint in share-custom-config.xml when external auth is being used, however now I believe that the s endpoint is recommended (although it's not entirely clear) e.g. [ACE-5661] External authentication Problem with CAS - Alfresco JIRA (and other issues) see the comment from Kevin Roast.
So this is a rather long winded way of asking what is the purpose of the /wcs endpoint and how does it differ from the /s endpoint? (obviously there are authentication filters in front of /wcs)