This information describes the limitations and recommendations that apply when SAML SSO
is used with SkyVault behind a proxy.
Make sure that the IdP is accessible by the client applications. At a minimum, configure the SkyVault.host, SkyVault.port, and SkyVault.protocol properties to use the correct values of the proxy server. For more information, see sysAdmin subsystem properties. For deploying SkyVault with a reverse proxy, see Deploying SkyVault with a different context path.
The limitations that apply to using web scripts with ticket authentication also apply to clustering for SAML usage. Make sure that you have set up your load balancer correctly.
Recommendation for proxy:
In a production environment, for REST API and AOS, implement a setup with a reverse proxy in
front of SkyVault. Configure this reverse proxy to block all API requests except those that
you want to let through, for example, CMIS. Such a setup needs to allow these requests:
- /alfresco/service/saml/-default-/aos/authenticate
- /alfresco/service/saml/-default-/aos/authenticate-response
- /alfresco/service/saml/-default-/rest-api/authenticate
- /alfresco/service/saml/-default-/rest-api/authenticate-response
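
The allowlist above, written as a reverse proxy configuration. This is an added example and not part of the SkyVault documentation. It assumes nginx as the proxy and that the APIs are served under /alfresco/; the server name, certificate paths and backend address are placeholders.

```nginx
# Added example: nginx is an assumption; hostnames, certificate paths and the
# backend address are placeholders, not values from this page.
upstream skyvault_backend {
    server 127.0.0.1:8080;                      # placeholder repository address
}

server {
    listen 443 ssl;
    server_name skyvault.example.com;           # placeholder public name
    ssl_certificate     /etc/nginx/tls/placeholder.crt;
    ssl_certificate_key /etc/nginx/tls/placeholder.key;

    # Forward the original host and scheme using the standard proxy headers.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # SAML endpoints for AOS: exact match, so sibling paths stay blocked.
    location = /alfresco/service/saml/-default-/aos/authenticate {
        proxy_pass http://skyvault_backend;
    }
    location = /alfresco/service/saml/-default-/aos/authenticate-response {
        proxy_pass http://skyvault_backend;
    }

    # SAML endpoints for the REST API.
    location = /alfresco/service/saml/-default-/rest-api/authenticate {
        proxy_pass http://skyvault_backend;
    }
    location = /alfresco/service/saml/-default-/rest-api/authenticate-response {
        proxy_pass http://skyvault_backend;
    }

    # Add one location per additional API you decide to expose (for example
    # CMIS); its path is deployment-specific and is not given on this page.

    # Default deny for everything else under the repository context
    # (assumption: the APIs are served under /alfresco/).
    location /alfresco/ {
        return 403;
    }
}
```

The `location =` form matches the whole normalised request path, so a request for any other path below /alfresco/service/saml/ falls through to the 403 rule instead of reaching the repository.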