Open mnlservices opened 2 years ago
The user federation / brokering with the SAML IdP / LDAP is a feature entirely handled within Keycloak itself. It would require looking at your Keycloak realm config for this feature to be able to - potentially - find something that is off. AOS unfortunately cannot work with Keycloak for automatic sign-on, as Office does not support OpenID Connect, only SAML, and my module does not (yet) support acting as a SAML client for Keycloak just for AOS. AOS would work with Keycloak for the HTTP Basic-based fallback authentication, which my module bridges to Keycloak.
Unfortunately, now Microsoft is starting to block basic authentication by default on Microsoft Office...
https://learn.microsoft.com/en-us/deployoffice/security/basic-authentication-prompts-blocked
So I think for the time being there's no way to use AOS on community versions without changing Microsoft Office configurations.
Since the time of writing, AOS added support for OpenID Connect with the default Identity Services subsystem, when redirected to Keycloak. I have yet to adapt the alfresco-keycloak module to act "in place of" the default Identity Service subsystem when it is used, as Alfresco has sort of hard-coded the support to Identity Services currently.
Oh I see! Thank you very much for your feedback!
If you accept pull requests I will try to see if one of our developers can try to solve this.
I do generally accept pull requests when they comply with the general coding style / implementation approach present in the project, or suggest changes to help contributors get to that point.
Note that for this project, a relatively significant rework is "planned" (hopefully in the 2nd half of summer) to address the following:
That does not preclude accepting any pull requests for the current version of the project.
Hi Axel,
I have installed your modules in the Repo and they work great: role mapping, user sync and authentication with a Keycloak user that is authenticated with Keycloak itself. But using the IdP or LDAP password isn't possible.
In our situation I need this for Authenticating against a SAML IdP with MFA.
I thought and hoped this would be possible, but I keep on getting the old login box and am not referred to the IdP. If I get a token through Share or the App I can also successfully log in to the Repository, but that is not always the case. We would like to set up AOS with Keycloak broker and IdP.
How can I configure this, or is this not possible?
I followed the simple configuration documentation and configured the following in the JAVAOPTS: -Dauthentication.chain=alfrescoNtlm1:alfrescoNtlm,keycloak1:keycloak -Dkeycloak.authentication.enabled=true -Dkeycloak.authentication.sso.enabled=true -Dkeycloak.authentication.handlePublicApi=false -Dkeycloak.authentication.allowTicketLogons=true -Dkeycloak.authentication.allowHttpBasicLogon=false -Dkeycloak.authentication.allowUserNamePasswordLogin=true -Dkeycloak.authentication.mapAuthorities=true -Dkeycloak.authentication.mapPersonPropertiesOnLogin=true -Dkeycloak.enable-basic-auth=true -Dkeycloak.authentication.defaultAdministratorUserNames='admin' -Dkeycloak.authentication.validation.failure.silent=false -Dkeycloak.adapter.realm=alfresco -Dkeycloak.adapter.resource=alfresco -Dkeycloak.adapter.credentials.secret=f580d6c7-d465-403d-8209-6b061fad4d8a -Dkeycloak.adapter.auth-server-url=https://my-alfresco-base-url/auth -Dkeycloak.adapter.verify-token-audience=true -Dkeycloak.synchronization.enabled=true
I hope you can point me in the right direction on this.
Regards,
Dick