Configure Alfresco Process Services - Alfresco Content Services 23.4

Alfresco Process Services (APS) has two sets of properties that need to be configured to set up SSO. One set synchronizes APS with an LDAP directory and the other set configures the connection with Keycloak.

  1. LDAP synchronization can be configured manually for WAR file deployments using the activiti-ldap.properties file, or by referencing an external file for Docker and Kubernetes deployments:
    | Property | Description |
    | --- | --- |
    | ldap.authentication.enabled | Sets whether LDAP authentication is enabled. This needs to be false as LDAP is only being used for user synchronization, for example false. |
    | ldap.authentication.java.naming.provider.url | The URL of the LDAP instance, for example ldaps://ldap.example.com:636. |
    | ldap.synchronization.java.naming.security.principal | The user used to access the LDAP directory to perform the synchronization, for example uid=admin,ou=system. |
    | ldap.synchronization.java.naming.security.credentials | The password for the user set in ldap.synchronization.java.naming.security.principal, for example secret. |
    | ldap.synchronization.full.enabled | Sets whether full LDAP synchronization is enabled or not, for example true. |
    | ldap.synchronization.full.cronExpression | The cron expression describing how often the full synchronization should run, for example 0 0 0 * * ?. |
    | ldap.synchronization.differential.enabled | Sets whether differential LDAP synchronization is enabled or not, for example true. |
    | ldap.synchronization.differential.cronExpression | The cron expression describing how often the differential synchronization should run, for example 0 0 */4 * * ?. |
    | ldap.synchronization.userSearchBase | The section of the LDAP directory to restrict user synchronization to, for example ou=users,dc=alfresco,dc=com. |
    | ldap.synchronization.groupSearchBase | The section of the LDAP directory to restrict group synchronization to, for example ou=groups,dc=alfresco,dc=com. |
  2. The connection with Keycloak can be configured manually for WAR file deployments using the activiti-identity-service.properties file, or by referencing an external file for Docker and Kubernetes deployments:
    | Property | Description |
    | --- | --- |
    | keycloak.enabled | Sets whether Process Services will use Keycloak to authenticate against, for example true. |
    | keycloak.realm | The realm name configured in Keycloak for the Alfresco applications, for example alfresco. |
    | keycloak.auth-server-url | Keycloak's base URL, for example https://keycloak.example.com/auth. |
    | keycloak.ssl-required | Sets whether SSL is mandatory for access or not, for example all. |
    | keycloak.resource | The Client ID set up in Keycloak for Process Services. The client needs to exist underneath the realm set for IDENTITY_SERVICE_REALM, for example alfresco. |
    | keycloak.principal-attribute | The attribute to identify users by for authentication. This needs to be set to email for Process Services, for example email. |
    | keycloak.public-client | The adapter will not send credentials for the client to Keycloak if this is set to true, for example true. |
    | keycloak.always-refresh-token | Sets whether a token should be refreshed for every request or not, for example true. |
    | keycloak.autodetect-bearer-only | This should be set to true to serve both a web application and web services, for example true. |
    | keycloak.token-store | Where the account information token should be stored, for example cookie. |
    | keycloak.enable-basic-auth | Sets whether basic authentication is also supported by Keycloak, for example true. |
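The following pre-deployment check is an added example, not part of the Alfresco documentation or product: it parses the two properties files and reports settings that conflict with the requirements in the tables above. The function names, the sample file contents, and the transport and placeholder-password checks are assumptions made for this example.

```python
from urllib.parse import urlparse

def parse_properties(text):
    """Parse simple key=value .properties text (no line continuations or ':' separators)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def audit(ldap_text, keycloak_text):
    """Return a list of findings; an empty list means every check passed."""
    ldap, kc = parse_properties(ldap_text), parse_properties(keycloak_text)
    findings = []
    def require(ok, message):
        if not ok:
            findings.append(message)
    # Requirements stated in the property tables above.
    require(ldap.get("ldap.authentication.enabled", "").lower() == "false",
            "ldap.authentication.enabled must be false (LDAP is used for synchronization only)")
    require(kc.get("keycloak.principal-attribute") == "email",
            "keycloak.principal-attribute must be email")
    # Hardening checks added for this example (assumptions, not product requirements).
    require(urlparse(ldap.get("ldap.authentication.java.naming.provider.url", "")).scheme == "ldaps",
            "LDAP URL should use ldaps:// so the bind password is not sent in cleartext")
    require(urlparse(kc.get("keycloak.auth-server-url", "")).scheme == "https",
            "keycloak.auth-server-url should use https://")
    require(kc.get("keycloak.ssl-required", "").lower() == "all",
            "keycloak.ssl-required should be all")
    require(ldap.get("ldap.synchronization.java.naming.security.credentials") not in (None, "", "secret"),
            "bind password is missing or still the documentation example value")
    return findings

# Constructed sample input, deliberately misconfigured.
BAD_LDAP = """\
ldap.authentication.enabled=true
ldap.authentication.java.naming.provider.url=ldap://ldap.example.com:389
ldap.synchronization.java.naming.security.credentials=secret
"""
BAD_KEYCLOAK = """\
keycloak.enabled=true
keycloak.auth-server-url=https://keycloak.example.com/auth
keycloak.ssl-required=none
keycloak.principal-attribute=username
"""
if __name__ == "__main__":
    print("\n".join(audit(BAD_LDAP, BAD_KEYCLOAK)))
```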