Acosix / alfresco-keycloak

Alfresco addon to provide Keycloak-related extensions / customisations for Repository and Share
Apache License 2.0

Repository IdP authentication #27

Open mnlservices opened 2 years ago

mnlservices commented 2 years ago

Hi Axel,

I have installed your modules in the Repo and they work great: role mapping, user sync and authentication with a Keycloak user that is authenticated by Keycloak itself. But using the IdP or LDAP password isn't possible.

In our situation I need this for Authenticating against a SAML IdP with MFA.

I thought and hoped this would be possible, but I keep on getting the old login box and am not referred to the IdP. If I get a token through Share or the App I can also successfully log in to the Repository, but that is not always the case. We would like to set up AOS with Keycloak broker and IdP.

How can I configure this, or is this not possible?

I followed the simple configuration documentation and configured the following in JAVA_OPTS:

-Dauthentication.chain=alfrescoNtlm1:alfrescoNtlm,keycloak1:keycloak
-Dkeycloak.authentication.enabled=true
-Dkeycloak.authentication.sso.enabled=true
-Dkeycloak.authentication.handlePublicApi=false
-Dkeycloak.authentication.allowTicketLogons=true
-Dkeycloak.authentication.allowHttpBasicLogon=false
-Dkeycloak.authentication.allowUserNamePasswordLogin=true
-Dkeycloak.authentication.mapAuthorities=true
-Dkeycloak.authentication.mapPersonPropertiesOnLogin=true
-Dkeycloak.enable-basic-auth=true
-Dkeycloak.authentication.defaultAdministratorUserNames='admin'
-Dkeycloak.authentication.validation.failure.silent=false
-Dkeycloak.adapter.realm=alfresco
-Dkeycloak.adapter.resource=alfresco
-Dkeycloak.adapter.credentials.secret=f580d6c7-d465-403d-8209-6b061fad4d8a
-Dkeycloak.adapter.auth-server-url=https://my-alfresco-base-url/auth
-Dkeycloak.adapter.verify-token-audience=true
-Dkeycloak.synchronization.enabled=true

I hope you can point me in the right direction on this.

Regards,

Dick

AFaust commented 2 years ago

The user federation / brokering with the SAML IdP / LDAP is a feature entirely handled within Keycloak itself. It would require looking at your Keycloak realm config for this feature to be able to - potentially - find something that is off. AOS unfortunately cannot work with Keycloak for automatic sign-on, as Office does not support OpenID Connect, only SAML, and my module does not (yet) support acting as a SAML client for Keycloak just for AOS. AOS would work with Keycloak for the HTTP Basic-based fallback authentication, which my module bridges to Keycloak.

iohann95 commented 1 month ago

Unfortunately, now Microsoft is starting to block basic authentication by default on Microsoft Office...

https://learn.microsoft.com/en-us/deployoffice/security/basic-authentication-prompts-blocked

So I think for the time being there's no way to use AOS on community versions without changing Microsoft Office configurations.

AFaust commented 1 month ago

Since the time of writing, AOS added support for OpenID Connect with the default Identity Services subsystem when redirected to Keycloak. I have yet to adapt the alfresco-keycloak module to act "in place of" the default Identity Service subsystem when it is used, as Alfresco has sort-of hard coded the support to Identity Services currently.

iohann95 commented 1 month ago

Oh I see! Thank you very much for your feedback!

If you accept pull requests I will try to see if one of our developers can try to solve this.

AFaust commented 1 month ago

I do generally accept pull requests when they comply with the general coding style / implementation approach present in the project, or suggest changes to help contributors get to that point.

Note that for this project, a relatively significant rework is "planned" (hopefully in the 2nd half of summer) to address the following:

That does not preclude accepting any pull requests for the current version of the project.