Configure Alfresco Content Service properties - Alfresco Content Services 23.4

The properties listed here are only those that must be set in Alfresco Content Services (ACS) to enable SSO. They cover the authentication chain, synchronization with an LDAP directory and the location of a SAML keystore. The Alfresco Share configuration file also needs to be updated to enable SSO.

  1. Use the following configuration parameters either in an alfresco-global.properties file, via the repository config map in Kubernetes or as environment variables in a docker-compose file:

    | Property | Description |
    | --- | --- |
    | authentication.chain | The authentication chain needs to be set for Keycloak and LDAP synchronization, for example identity-service-1:identity-service,alfrescoNtlm-1:alfrescoNtlm,ldap-1:ldap. |
    | identity-service.auth-server-url | Keycloak's base URL, for example https://keycloak.example.com/auth. |
    | identity-service.enable-basic-auth | Sets whether basic authentication is also supported by Keycloak, for example true. |
    | identity-service.realm | The realm name configured in Keycloak for the Alfresco applications, for example alfresco. |
    | identity-service.resource | The Client ID set up in Keycloak for Alfresco Content Services. The client needs to exist underneath the realm set for identity-service.realm, for example alfresco. |
    | ldap.authentication.active | Sets whether LDAP authentication is enabled or not. This needs to be set to false to use SAML authentication via Keycloak, for example false. |
    | ldap.synchronization.active | Sets whether LDAP synchronization is enabled or not. This needs to be set to true to sync users with the repository, for example true. |
    | ldap.synchronization.java.naming.security.authentication | The mechanism to use to authenticate with the LDAP server, for example simple. |
    | ldap.synchronization.java.naming.security.principal | The user principal name (UPN) of the account used to retrieve account details for all users and groups, for example alfresco@domain.com. |
    | ldap.synchronization.java.naming.security.credentials | The password for the account set in ldap.synchronization.java.naming.security.principal, for example secret. |
    | ldap.* | There are several optional configuration and synchronization properties. |
    | csrf.filter.referer | The referer value of ACS to prevent Cross Site Request Forgery (CSRF), for example https://repo.example.com. |
    | csrf.filter.origin | The origin value of ACS to prevent Cross Site Request Forgery (CSRF), for example https://repo.example.com/*. |
  2. Update the share-config-custom.xml file located by default in $ALFRESCO_HOME/tomcat/shared/classes/alfresco/web-extension/. Set replace="true" on the CSRFPolicy config element, as in the following example:
      <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    
  3. Sign in to the administrator console of ACS as an administrator. The URL of the administrator console is https://repo.example.com:443/alfresco/service/enterprise/admin.
  4. Navigate to Directories > Directory Management and click Run Synchronize to perform a manual LDAP sync.
  5. Sign in to Share as an administrator. The URL for Share is https://share.example.com/share.
  6. Navigate to Admin Tools > Users to verify that all user accounts have been synchronized correctly.
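As an added check on steps 1 and 2 (example code written for this page, not part of the Alfresco documentation or product), the following Python script reads a constructed alfresco-global.properties and share-config-custom.xml and reports any setting that contradicts the recipe above: an authentication chain without an identity-service or ldap subsystem, ldap.authentication.active not set to false, ldap.synchronization.active not set to true, a Keycloak or CSRF value that is not an absolute https URL, or a CSRFPolicy config element without replace="true". The .properties reader is a minimal one written here, not Alfresco's loader; the hostnames, realm, principal and password in the samples are the placeholder values from the table.

```python
"""Check the SSO settings from the steps above (added example, not Alfresco's own code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample alfresco-global.properties; hosts, realm and password are placeholders.
SAMPLE_PROPERTIES = """\
authentication.chain=identity-service-1:identity-service,\\
                     alfrescoNtlm-1:alfrescoNtlm,ldap-1:ldap
identity-service.auth-server-url=https://keycloak.example.com/auth
identity-service.enable-basic-auth=true
identity-service.realm=alfresco
identity-service.resource=alfresco
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=alfresco@domain.com
ldap.synchronization.java.naming.security.credentials=secret
csrf.filter.referer=https://repo.example.com
csrf.filter.origin=https://repo.example.com/*
"""

# Constructed sample share-config-custom.xml; the policy's rule body is left out.
SAMPLE_SHARE_CONFIG = """\
<alfresco-config>
  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
  </config>
</alfresco-config>
"""

REQUIRED_KEYS = (
    "authentication.chain", "identity-service.auth-server-url",
    "identity-service.realm", "identity-service.resource",
    "ldap.authentication.active", "ldap.synchronization.active",
    "ldap.synchronization.java.naming.security.authentication",
    "ldap.synchronization.java.naming.security.principal",
    "ldap.synchronization.java.naming.security.credentials",
    "csrf.filter.referer", "csrf.filter.origin",
)


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comment
    lines and backslash line continuations. Escape sequences are not decoded."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # continuation: keep collecting
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props


def check_sso_properties(props):
    """Return a list of problems; an empty list means the recipe above is satisfied."""
    problems = [f"missing or empty: {k}" for k in REQUIRED_KEYS if not props.get(k)]
    # authentication.chain entries look like "<instance-name>:<subsystem-type>"
    subsystems = {e.partition(":")[2].strip()
                  for e in props.get("authentication.chain", "").split(",") if e.strip()}
    if "identity-service" not in subsystems:
        problems.append("authentication.chain has no identity-service subsystem")
    if "ldap" not in subsystems:
        problems.append("authentication.chain has no ldap subsystem (needed for synchronization)")
    if props.get("ldap.authentication.active", "").lower() != "false":
        problems.append("ldap.authentication.active must be false: Keycloak handles authentication")
    if props.get("ldap.synchronization.active", "").lower() != "true":
        problems.append("ldap.synchronization.active must be true to sync users and groups")
    for key in ("identity-service.auth-server-url", "csrf.filter.referer", "csrf.filter.origin"):
        url = urlparse(props.get(key, ""))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{key} should be an absolute https URL")
    return problems


def check_share_csrf_policy(xml_text):
    """Return problems with the CSRFPolicy <config> element of share-config-custom.xml."""
    root = ET.fromstring(xml_text)
    policies = [c for c in root.iter("config") if c.get("condition") == "CSRFPolicy"]
    if not policies:
        return ['no <config condition="CSRFPolicy"> element found']
    problems = []
    for cfg in policies:
        if cfg.get("evaluator") != "string-compare":
            problems.append('CSRFPolicy config should use evaluator="string-compare"')
        if cfg.get("replace") != "true":
            problems.append('CSRFPolicy config must set replace="true"')
    return problems


if __name__ == "__main__":
    report = {"alfresco-global.properties": check_sso_properties(parse_properties(SAMPLE_PROPERTIES)),
              "share-config-custom.xml": check_share_csrf_policy(SAMPLE_SHARE_CONFIG)}
    for label, problems in report.items():
        print(label + ":", "OK" if not problems else "\n  " + "\n  ".join(problems))
```

To run it against a real deployment, read the two files from disk and pass their contents to parse_properties and check_share_csrf_policy instead of the embedded samples; the Kubernetes config map and docker-compose environment variants from step 1 are not covered by this reader.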