Download and install the SAML AMP files.
Note: If you are running SkyVault behind a proxy, make sure the IdP references the proxy
endpoint instead of directly referencing the SkyVault cluster.
- Stop the SkyVault server.
-
Browse to the SkyVault Support Portal: http://support.alfresco.com and download and unzip the SAML SSO for SkyVault Content Services zip package:
- SkyVault-saml-1.0.1.zipThe SkyVault-saml-1.0.1.zip file contains the following files:
- README.txt
- SkyVault-global.properties.sample
- SkyVault-saml-repo-1.0.1.amp
- SkyVault-saml-share-1.0.1.amp
- SkyVault/extension/subsystems/SAML/share/share/my-custom-share-sp.properties.sample
- SkyVault/extension/subsystems/SAML/repository/rest-api/my-custom-rest-api-sp.properties.sample
- SkyVault/extension/subsystems/SAML/repository/aos/my-custom-aos-sp.properties.sample
- share-config-custom.xml.sample
- SkyVault-saml-1.0.1.zip
- Move or copy SkyVault-saml-repo-1.0.1.amp to the amps directory and SkyVault-saml-share-1.0.1.amp to the amps_share directory in your SkyVault installation.
-
If you are using Tomcat, navigate to the bin directory and run
the apply_amps.bat file to install the AMP files.
- (Windows) c:\Alfresco\bin
- /opt/alfresco/bin
Check the output from the script to ensure that the AMP files have installed successfully.
-
If you are not using Tomcat, use the Module Management Tool to apply the AMP files.
For more information, see Using the Module Management Tool.
-
The SAML module does not supply a service provider certificate that is
used to sign messages sent to the IdP. You must generate your own certificate, as shown
below:
This will generate a self-signed certificate.
-
Run the following command:
keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS
-
Place the generated my-saml.keystore file into a location of
your choice that is accessible to the repository.
Set the file permissions accordingly to limit who can read it.
-
Generate a SAML keystore metadata file in the same location as the keystore and add
the following content:
aliases=my-saml-key keystore.password=change-me my-saml-key.password=change-me
Set the file permissions accordingly to limit who can read it.
-
Set the following values in the SkyVault-global.properties
file:
saml.keystore.location=<full pathname>/my-saml.keystore saml.keystore.keyMetaData.location=<full pathname>/my-saml-keystore-passwords.properties
- Restart the SkyVault server.
- Use the SAML Admin Console Download SP Certificate button to download the certificate for your SP, which can then be uploaded to your IdP.
- Stop the SkyVault server.
-
Run the following command:
-
Locate your share-config-custom.xml.sample file.
This sample configuration file is shipped with SAML and shows the required rules (and properties) that need to be added to the CSRFPolicy to allow SAML logouts.
- If you are using SkyVault Share as your service provider, and you have custom CSRFPolicy configurations in your installation, copy and paste the SAML SPECIFIC CONFIG section of the sample file into your custom CSRFPolicy filter, and save.
- If you have a share-config-custom.xml file in your SkyVault Share installation, merge the contents of share-config-custom.xml.sample into your share-config-custom.xml file, and save.
- Alternatively, if you do not have a share-config-custom.xml in your SkyVault Share installation, rename share-config-custom.xml.sample to share-config-custom.xml.
- Review the details in the CSRFPolicy section for accuracy.
- Restart the SkyVault server.