Identity Service configuration properties - Alfresco Content Services 23.4

Use this information to configure Content Services to authenticate using Identity Service. Content Services uses Spring Security components because the Keycloak Adapters have been deprecated; key features and behaviors of the Keycloak Adapter, such as the communication with the Identity Service, are preserved. For more information, see the Keycloak documentation on the deprecation of Keycloak adapters.

Starting with version 23.2, the ACS Repository has expanded its support to include any Identity Provider that is compliant with the OpenID Connect (OIDC) protocol.

Configure the following properties in the alfresco-global.properties file.

Identity Service authentication options:

Property Description
identity-service.authentication.enabled

Enable or disable authentication via the Identity Service.

The default value is true.

identity-service.authentication.validation.failure.silent

Sets whether token validation failure is silent.

The default value is true.

identity-service.authentication.defaultAdministratorUserNames

The default administrator user name.

The default value is admin.

identity-service.authentication.allowGuestLogin

Sets whether guest logins are allowed.

The default value is true.

identity-service.authentication.enable-username-password-authentication

Enable authentication with a username and password.

The default value is true.

Specifying the Identity Service (Keycloak) or other OIDC Identity Provider details:

Property Description
identity-service.realm

Name of the realm configured in the Identity Service or Keycloak. This is a Keycloak-specific property.

Note: This property must be empty for other OIDC Identity Providers.

The default value is alfresco.

identity-service.auth-server-url

Identity Provider Base URL.

The default value is http://localhost:8180/auth.

identity-service.issuer-url

Optional property

Validates the issuer URL from the OIDC discovery document matches the user-provided issuer URL.

If identity-service.auth-server-url is empty and only the issuer URL is provided, the issuer URL is used to retrieve the discovery document for additional configuration details.

identity-service.audience

Optional property

Specifies the intended audience for an access token.

identity-service.resource

The Client ID for the client created within your realm that points to Content Services.

The default value is alfresco.

identity-service.credentials.secret

The Client Secret for the client.

The default value is an empty string.

identity-service.principal-attribute

Specifies the claim, taken from the access token and the UserInfo endpoint, that is used to retrieve the username.

For consistency, that claim should be available in an access token and in the UserInfo endpoint response. If this attribute is missing in the access token, then the repository attempts to retrieve the missing information from the UserInfo endpoint, resulting in an additional API call.

The default value is preferred_username.

identity-service.client-id.validation.disabled

If set to true, the azp claim in the token is validated against the Client ID specified in the identity-service.resource property.

This ensures that the token was indeed issued for the configured client.

The default value is true.

identity-service.admin-console.redirect-path

Specifies the Admin Console path to which the authorization server redirects once authorization is completed.

The default value is:

  • /alfresco/s/enterprise/admin/admin-systemsummary (Enterprise Edition)

identity-service.signature-algorithms

Specifies acceptable signature algorithms.

The default value is RS256,PS256.

OpenID Connect Identity Provider configuration example:

  identity-service.auth-server-url=https://alfresco.auth0.com/
  identity-service.audience=http://localhost:3000
  identity-service.resource=${AUTH0_CLIENT_ID}
  identity-service.credentials.secret=${AUTH0_CLIENT_SECRET}
  identity-service.public-client=false
  identity-service.principal-attribute=nickname
  identity-service.client-id.validation.disabled=false
  identity-service.realm=

Note: Identity Providers with offline_access as a supported scope, such as Keycloak, require the admin users to be assigned the offline_access role. Otherwise, the Admin Console SSO will not function properly.

Specifying TLS/mTLS details:

Property Description
identity-service.allow-any-hostname

If TLS is used, this flag allows you to disable host name verification. This might be useful in a development environment.

The default value is false.

identity-service.disable-trust-manager

If TLS is used, this flag allows you to disable the certificate verification. This might be useful in a development environment.

The default value is false.

identity-service.truststore

If TLS is used, this property specifies the path to the truststore.

identity-service.truststore-password

Password for the truststore.

identity-service.client-keystore

Location for the keystore containing a client certificate in case of the mTLS setup.

identity-service.client-keystore-password

Password for the keystore.

identity-service.client-key-password

Password for the client key.

Specifying underlying HTTP client details:

Property Description
identity-service.connection-pool-size

The number of HTTP connections in the pool used to communicate with the Identity Service.

The default value is 20.

identity-service.client-connection-timeout

Timeout in milliseconds for connecting to the Identity Service.

The default value is 2000.

identity-service.client-socket-timeout

Timeout in milliseconds for reading responses from the Identity Service.

The default value is 2000.

Specifying provided JWKS Public Key:

Property Description
identity-service.realm-public-key

Allows you to specify the Realm public key.

The default value is empty, which means the Repository obtains the key directly from the Identity Service.

Configuring TTL for the cached JWKS Public Key obtained from the certs endpoint:

Property Description
identity-service.public-key-cache-ttl

The time in seconds between refreshes of the public keys from the JWKS endpoint.

The default value is 86400.

Respecting Keycloak's or OIDC Identity Provider's public client setting:

Property Description
identity-service.public-client

The Repository won't send credentials for the client to the Identity Service or OIDC Identity Provider if this is set to true.

The default value is true.
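The TLS/mTLS flags and the public-client setting above are the ones most easily left in a development state. The following added example (not Alfresco's code) reads an alfresco-global.properties file with a minimal java.util.Properties-style parser, applies the defaults stated on this page for any absent key, and reports the combinations that weaken transport or client security; the sample file is constructed for the demonstration.

```python
import re

# Defaults stated on the page; an absent key means the default applies.
DEFAULTS = {
    "identity-service.authentication.enabled": "true",
    "identity-service.auth-server-url": "http://localhost:8180/auth",
    "identity-service.credentials.secret": "",
    "identity-service.public-client": "true",
    "identity-service.allow-any-hostname": "false",
    "identity-service.disable-trust-manager": "false",
}

def parse_properties(text):
    """Minimal Java properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def lint_identity_service(text):
    """Return findings for settings that weaken TLS or client authentication."""
    p = parse_properties(text)
    get = lambda key: p.get(key, DEFAULTS.get(key, ""))
    findings = []
    if get("identity-service.authentication.enabled") != "true":
        return findings  # the remaining properties are not in effect
    url = get("identity-service.auth-server-url")
    if url.startswith("http://") and "localhost" not in url:
        findings.append("auth-server-url uses plain HTTP to a remote host")
    if get("identity-service.disable-trust-manager") == "true":
        findings.append("disable-trust-manager=true: IdP certificate is not verified")
    if get("identity-service.allow-any-hostname") == "true":
        findings.append("allow-any-hostname=true: host name verification is off")
    public = get("identity-service.public-client") == "true"
    if not public and not get("identity-service.credentials.secret"):
        findings.append("public-client=false but credentials.secret is empty")
    return findings

# Constructed sample: a development file with the relaxed TLS flags left on.
SAMPLE_DEV = """\
identity-service.auth-server-url=https://idp.example.test/auth
identity-service.public-client=false
identity-service.disable-trust-manager=true
identity-service.allow-any-hostname=true
"""
```

Run lint_identity_service on the file before promoting a configuration; an empty list means every checked property is at its stated default or a safe explicit value.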