Alfresco Identity Service, based in Open Source Identity and Access Management Keycloak, is available for both Community and Enterprise ACS releases.
When using Alfresco Identity Service, different Alfresco Authentication Mechanims can be configured.
This project provides a sample Docker Compose template for Alfresco Community 7.4 with Alfresco Identity Service 2.0.0 and Keycloak 22.0. Note that deploying the product in production environments would require additional configuration.
Since EOL for Alfresco Identity Service has been announced, this project can be used to understand the transition from Alfresco Identity Service to Keycloak. Alfresco Identity Service 2.0.0 will be the latest release of this product. The recommendation is to switch to Keycloak eventually.
This project includes sample configuration to use Alfresco Identity Service 2.0.0 or Keyclock 22.0 with Alfresco 7.4.1. Both configurations are equivalent, so you can move from AIS 2.0 to Keycloak with minimal impact.
alfresco-community-aims
Alfresco Repository is configured to use Alfresco Identity Service 2.0.0 using the realm alfresco
authentication.chain=identity-service1:identity-service
identity-service.enable-basic-auth=true
identity-service.auth-server-url=http://${HOST_IP}:8999
identity-service.realm=alfresco
identity-service.resource=alfrescoAlfresco Identity Service 2.0.0 is configured with default credentials admin/admin importing a default Alfresco Realm and using plain HTTP.
alfresco-identity-service:
image: alfresco/alfresco-identity-service:2.0.0
environment:
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=admin
command: "
start --import-realm --hostname=$HOST_IP --hostname-port=8999 --http-enabled=true --hostname-strict-https=false
"
volumes:
- ./config/alfresco-realm.json:/opt/keycloak/data/import/alfresco-realm.jsonalfresco-community-keycloak
The only difference with the previous compose.yaml is that the Docker Image for the Identity Service is direclty the one provided by Keycloak.
alfresco-identity-service:
image: quay.io/keycloak/keycloak:22.0So, in this case, moving from Alfresco Identity Service to Keycloak is as simple as using a different Docker Image.
Depending on your configuration, additional steps may be required.
Both Docker Compose templates (alfresco-community-aims and alfresco-community-keycloak) include following files:
.
├── .env
├── config
│ ├── alfresco-realm.json
│ └── nginx.conf
└── compose.yamldocker-compose.yml is a regular ACS Docker Compose, including Alfresco Identity Service or Keycloak for Authenticationconfig/alfresco-realm.json includes a sample configuration for Alfresco Identity Service or Keycloak, despite you can create your own configuration using the Keycloak Admin Web Pageconfig/nginx.conf includes configuration for the NGINX Web Proxy.env includes Docker Image tag names and a HOST_IP variable (remember to add your local computer IP to this property before running the project)alfresco-community-keycloak-ui
The difference with the previous compose.yaml is that the UI applications (Share and ACA) are also configured to use Keycloak authentication.
Docker Compose template include following files:
.
├── .env
├── config
│ ├── alfresco-realm.json
│ └── nginx.conf
└── compose.yamldocker-compose.yml is a regular ACS Docker Compose, including Alfresco Identity Service or Keycloak for Authenticationconfig/alfresco-realm.json includes a sample configuration for Alfresco Identity Service or Keycloak, despite you can create your own configuration using the Keycloak Admin Web Pageconfig/nginx.conf includes configuration for the NGINX Web Proxy.env includes Docker Image tag names and a HOST_IP variable (remember to add your local computer IP to this property before running the project)Note that service urls are different from the previous ones, they are described in section "Service URLs for UIs"
In addition, from ACA 4.4.x, Keycloak urls are required to use HTTPs. This is why ACA 4.3.0 is used in the sample.
Note: Add your local computer IP to
.envvariable HOST_IP before running Docker Compose.
$ docker-compose up --build --force-recreateACA
Share
http://localhost:8080/alfresco
Alfresco Repository
Keycloak
Default configuration for Alfresco Identity Service or Keycloak
Users
Roles
Groups
http://localhost:8080/content-app/
ACA
Share
http://localhost:8080/alfresco
Alfresco Repository
Keycloak
Default configuration for Alfresco Identity Service or Keycloak
Users
Roles
Groups
Additional information on Alfresco Identity Service configuration is available in https://docs.alfresco.com/identity-service/latest/
For instance, following properties can be used from alfresco-global.properties
identity-service.authentication.enabled=
identity-service.enable-basic-auth=
identity-service.authentication.defaultAdministratorUserNames=
identity-service.authentication.validation.failure.silent=
identity-service.auth-server-url=
identity-service.realm=
identity-service.resource=
identity-service.public-client=
identity-service.ssl-required=
identity-service.enable-pkce=
identity-service.credentials.secret=
identity-service.credentials.provider=These are the properties available for Share Web App (share-config.properties):
aims.enabled=false
aims.realm=
aims.resource=
aims.authServerUrl=
aims.sslRequired=external
aims.publicClient=true
aims.autodetectBearerOnly=
aims.alwaysRefreshToken=
aims.principalAttribute=sub
aims.enableBasicAuth=
aims.secret=And for the Alfresco Content Application, use following environment variables:
APP_CONFIG_OAUTH2_HOST
APP_CONFIG_OAUTH2_CLIENTID
APP_CONFIG_OAUTH2_IMPLICIT_FLOW
APP_CONFIG_OAUTH2_SILENT_LOGIN
APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI
APP_CONFIG_OAUTH2_REDIRECT_LOGIN
APP_CONFIG_OAUTH2_REDIRECT_LOGOUT Tutorials on how to configure different Authetication Subsystems are available in:
If you want to discover some other features that can be used with Keycloak, check this Community project:
https://github.com/Acosix/alfresco-keycloak
Additional details are provided by @AFaust in TTL #133: https://www.alfresco.com/events/webinars/tech-talk-live-133