Identity Service configuration properties - Alfresco Content Services 23.4 - 2025-11-03


Use this information to configure Content Services to authenticate using Identity Service. Content Services uses Spring Security components because the Keycloak Adapters have been deprecated. Key features and behaviors of the Keycloak Adapter, such as the communication with the Identity Service, are preserved. For more information, see the Deprecation of Keycloak adapters article in the Keycloak documentation: https://www.keycloak.org/.

Starting with version 23.2, the ACS Repository has expanded its support to include any Identity Provider that is compliant with the OpenID Connect (OIDC) protocol.

Configure the alfresco-global.properties file using the properties below.

Identity Service authentication options:

identity-service.authentication.enabled
    Enable or disable authentication via the Identity Service. The default value is true.

identity-service.authentication.validation.failure.silent
    Sets whether token validation failure is silent. The default value is true.

identity-service.authentication.defaultAdministratorUserNames
    The default administrator user name. The default value is admin.

identity-service.authentication.allowGuestLogin
    Sets whether guest logins are allowed. The default value is true.

identity-service.authentication.enable-username-password-authentication
    Enable username and password authentication. The default value is true.

Specifying the Identity Service (Keycloak) or other OIDC Identity Provider details:

identity-service.realm
    Name of the realm configured in the Identity Service or Keycloak. This is a Keycloak-specific property.
    Note: This property must be empty for other OIDC Identity Providers.
    The default value is alfresco.

identity-service.auth-server-url
    Identity Provider base URL. The default value is http://localhost:8180/auth.

identity-service.issuer-url
    Optional property. Validates that the issuer URL from the OIDC discovery document matches the user-provided issuer URL.
    If identity-service.auth-server-url is empty and only the issuer URL is provided, the issuer URL is used to retrieve the discovery document for additional configuration details.

identity-service.audience
    Optional property. Specifies the intended audience for an access token.

identity-service.resource
    The Client ID of the client created within your realm that points to Content Services. The default value is alfresco.

identity-service.credentials.secret
    The Client Secret for the client. The default value is an empty string.

identity-service.principal-attribute
    Specifies the attribute (claim) from the access token and the UserInfo endpoint that is used to retrieve the username.
    For consistency, that claim should be available both in the access token and in the UserInfo endpoint response. If the attribute is missing from the access token, the repository attempts to retrieve it from the UserInfo endpoint, resulting in an additional API call.
    The default value is preferred_username.

identity-service.client-id.validation.disabled
    If set to false, the azp claim in the token is validated against the Client ID specified in the identity-service.resource property. This ensures that the token was indeed issued for the configured client.
    The default value is true, so this check is not performed unless you set the property to false.

identity-service.admin-console.redirect-path
    Specifies the Admin Console path to which the authorization server redirects once authorization is completed.
    The default value is:
      • /alfresco/s/enterprise/admin/admin-systemsummary (Enterprise Edition)

identity-service.signature-algorithms
    Specifies the acceptable signature algorithms. The default value is RS256,PS256.

OpenID Connect Identity Provider configuration example:

identity-service.auth-server-url=https://alfresco.auth0.com/
identity-service.audience=http://localhost:3000
identity-service.resource=${AUTH0_CLIENT_ID}
identity-service.credentials.secret=${AUTH0_CLIENT_SECRET}
identity-service.public-client=false
identity-service.principal-attribute=nickname
identity-service.client-id.validation.disabled=false
identity-service.realm=

Note: Identity Providers with offline_access as a supported scope, such as Keycloak, require the admin users to be assigned the offline_access role. Otherwise, the Admin Console SSO will not function properly.
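The audience check, the azp check controlled by identity-service.client-id.validation.disabled, and the principal lookup with its UserInfo fallback, as an added illustration in Python (not Alfresco's code). It assumes the caller has already verified the token signature and that fetch_userinfo is a hypothetical callable returning the UserInfo response as a dict.

```python
# Added illustration (not Alfresco's code): audience/azp checks on an already signature-verified
# token, and principal lookup from identity-service.principal-attribute with UserInfo fallback.
from typing import Callable, Dict, Mapping

# Constructed settings using the alfresco-global.properties keys from this page.
SETTINGS: Dict[str, str] = {
    "identity-service.resource": "alfresco",
    "identity-service.audience": "http://localhost:3000",
    "identity-service.principal-attribute": "preferred_username",
    "identity-service.client-id.validation.disabled": "false",
}

class TokenRejected(Exception):
    """Raised when a claim check fails; the request is then treated as unauthenticated."""

def check_audience(claims: Mapping[str, object], settings: Mapping[str, str]) -> None:
    """If identity-service.audience is set, the token's aud (string or list) must contain it."""
    wanted = settings.get("identity-service.audience", "")
    if not wanted:
        return
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    if wanted not in aud_list:
        raise TokenRejected(f"aud {aud_list!r} does not include {wanted!r}")

def check_azp(claims: Mapping[str, object], settings: Mapping[str, str]) -> None:
    """azp must equal the configured Client ID; skipped when validation is disabled (the default)."""
    if settings.get("identity-service.client-id.validation.disabled", "true") == "true":
        return
    if claims.get("azp") != settings["identity-service.resource"]:
        raise TokenRejected(f"azp {claims.get('azp')!r} was not issued for this client")

def resolve_principal(claims: Mapping[str, object], settings: Mapping[str, str], fetch_userinfo: Callable[[], Mapping[str, object]]) -> str:
    """Username from the configured claim; if the token lacks it, one extra UserInfo call is made."""
    attr = settings.get("identity-service.principal-attribute", "preferred_username")
    value = claims.get(attr)
    if value is None:
        value = fetch_userinfo().get(attr)  # the additional API call the page mentions
    if not value:
        raise TokenRejected(f"claim {attr!r} found neither in the token nor in UserInfo")
    return str(value)

def authenticate(claims: Mapping[str, object], settings: Mapping[str, str], fetch_userinfo: Callable[[], Mapping[str, object]]) -> str:
    check_audience(claims, settings)
    check_azp(claims, settings)
    return resolve_principal(claims, settings, fetch_userinfo)

# Constructed sample: claims of a verified token without a username claim, and a stub UserInfo response.
SAMPLE_CLAIMS: Dict[str, object] = {"sub": "u-123", "azp": "alfresco", "aud": ["http://localhost:3000"]}
SAMPLE_USERINFO: Dict[str, object] = {"sub": "u-123", "preferred_username": "jdoe"}
```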

Specifying TLS/mTLS details:

identity-service.allow-any-hostname
    If TLS is used, this flag allows you to disable host name verification. This might be useful in a development environment. The default value is false.

identity-service.disable-trust-manager
    If TLS is used, this flag allows you to disable certificate verification. This might be useful in a development environment. The default value is false.

identity-service.truststore
    If TLS is used, this property specifies the path to the truststore.

identity-service.truststore-password
    Password for the truststore.

identity-service.client-keystore
    Location of the keystore containing the client certificate, for an mTLS setup.

identity-service.client-keystore-password
    Password for the keystore.

identity-service.client-key-password
    Password for the client key.

Specifying underlying HTTP client details:

identity-service.connection-pool-size
    The number of HTTP connections used to communicate with the Identity Service. The default value is 20.

identity-service.client-connection-timeout
    Timeout in milliseconds for connecting to the Identity Service. The default value is 2000.

identity-service.client-socket-timeout
    Timeout in milliseconds for reading responses from the Identity Service. The default value is 2000.

Specifying a provided JWKS public key:

identity-service.realm-public-key
    Allows you to specify the realm public key. The default value is empty, which means the Repository obtains the key directly from the Identity Service.

Configuring the TTL for the cached JWKS public key obtained from the certs endpoint:

identity-service.public-key-cache-ttl
    The time in seconds between refreshes of the public keys from the JWKS endpoint. The default value is 86400.

Respecting Keycloak's or the OIDC Identity Provider's public client setting:

identity-service.public-client
    If set to true, the Repository does not send client credentials to the Identity Service or OIDC Identity Provider. The default value is true.
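A pre-deployment check of the identity-service.* settings documented on this page, as an added example in Python (not Alfresco's code). It reads an alfresco-global.properties fragment, fills in the defaults the page lists, and reports the settings that switch off validation or transport checks; the sample properties are constructed from the page's OIDC example with the two development-only TLS flags left on.

```python
# Added example (not Alfresco's code): a pre-deployment lint of the identity-service.*
# keys documented on this page. Missing keys take the default values the page lists.
from typing import Dict, List

DEFAULTS: Dict[str, str] = {
    "identity-service.auth-server-url": "http://localhost:8180/auth",
    "identity-service.issuer-url": "",
    "identity-service.credentials.secret": "",
    "identity-service.public-client": "true",
    "identity-service.client-id.validation.disabled": "true",
    "identity-service.allow-any-hostname": "false",
    "identity-service.disable-trust-manager": "false",
}

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader (key=value, '#'/'!' comments) layered over DEFAULTS."""
    props = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint(props: Dict[str, str]) -> List[str]:
    """Return findings for settings that weaken token validation or transport security."""
    p = props
    findings: List[str] = []
    if p["identity-service.allow-any-hostname"] == "true":
        findings.append("allow-any-hostname=true: TLS host name verification is off (development only)")
    if p["identity-service.disable-trust-manager"] == "true":
        findings.append("disable-trust-manager=true: IdP certificate is not verified (development only)")
    if p["identity-service.client-id.validation.disabled"] == "true":
        findings.append("client-id.validation.disabled=true: azp is not checked against identity-service.resource")
    if p["identity-service.public-client"] == "false" and not p["identity-service.credentials.secret"]:
        findings.append("public-client=false but credentials.secret is empty: confidential client has no secret")
    if not p["identity-service.auth-server-url"] and not p["identity-service.issuer-url"]:
        findings.append("neither auth-server-url nor issuer-url is set: no OIDC discovery document can be fetched")
    return findings

# Constructed sample: the page's OIDC example with two development-only TLS flags left on.
SAMPLE_PROPERTIES = """
identity-service.auth-server-url=https://alfresco.auth0.com/
identity-service.audience=http://localhost:3000
identity-service.resource=${AUTH0_CLIENT_ID}
identity-service.credentials.secret=${AUTH0_CLIENT_SECRET}
identity-service.public-client=false
identity-service.principal-attribute=nickname
identity-service.client-id.validation.disabled=false
identity-service.realm=
identity-service.allow-any-hostname=true
identity-service.disable-trust-manager=true
"""
```

Running lint(parse_properties(SAMPLE_PROPERTIES)) reports the two TLS flags; a file containing only the page defaults reports that azp validation is disabled.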