You are here

SAML Single Sign-On (SSO) for SkyVault Content Services 1.0.1 » Configuring SAML SSO » Step 2. Configure SAML SSO in SkyVault » Configuring SAML SSO for Share

Configuring SAML SSO settings for Share using properties files

Administrators can enable and configure SAML SSO authentication for Share using the <classpathRoot>/alfresco-global.properties file and a combination of subsystem properties files. Use this as an alternative to configuring SAML SSO using the Admin Console.

The SAML module uses subsystems to control, configure, and extend the service providers that are supported, therefore it is recommended to use this approach when configuring the subsystems. The SAML subsystems can be configured like any other SkyVault subsystem. For more information, see Extension classpath.

Properties set in the SkyVault-global.properties file apply to the entire SAML module, including all the SAML subsystem instances, such as Share, REST API, and AOS.

To configure Share, create the properties file in the following folder structure:

<classpathRoot>/alfresco/extension/subsystems/SAML/share/share/my-custom-share-sp.properties

The default saml.properties file for Share type can be found in the <TOMCAT_HOME>/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/SAML/share directory. Use this file to copy the SAML settings into your <classpathRoot>/alfresco/extension/subsystems/SAML/share/share/my-custom-share-sp.properties file, as an alternative to setting these in the Admin Console.

Note: Changes to <classpathRoot>/alfresco-global.properties, are applicable in a single service provider scenario only.

If you use multiple service providers, use subsystem extensions for type and instance. For example, for the Share service provider, create a my-custom-share-sp.properties file with the following classpath:

<TOMCAT_HOME>/shared/classes/alfresco/extension/subsystems/SAML/share/share/my-custom-share-sp.properties
  1. Locate the <TOMCAT_HOME>/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/SAML/share/saml.properties file.

    These are the settings:

    #SAML key store configuration
saml.keystore.location=classpath:alfresco/keystore/saml.keystore
saml.keystore.keyMetaData.location=classpath:alfresco/keystore/saml-keystore-passwords.properties
saml.keystore.provider=
saml.keystore.type=JCEKS

# Time, in milliseconds, that message state is valid
# 300000 = 5 minutes
saml.message.state.duration.in.millis=300000
# Clock skew - the number of seconds before a lower time bound, or after an upper time bound, to consider still acceptable.     
saml.issueInstantRule.check.clock.skew.in.seconds=60
# Number of seconds after a message issue instant after which the message is considered expired  expires
saml.issueInstantRule.check.expiration.in.seconds=30

# will be appended to Share URL - eg. https://my.alfresco.com/share/{network} + spSsoURLSuffix => https://my.alfresco.com/share/{network}/saml/authnresponse
saml.share.spSsoURLSuffix=/saml-authnresponse
# will be appended to Share URL - eg. https://my.alfresco.com/share/{network} + spSloURLSuffix => https://my.alfresco.com/share/{network}/saml/logoutresponse
saml.share.spSloResponseURLSuffix=/saml-logoutresponse
# will be appended to Share URL - eg. https://my.alfresco.com/share/{network} + spSloURLSuffix => https://my.alfresco.com/share/{network}/saml/logoutrequest
saml.share.spSloRequestURLSuffix=/saml-logoutrequest

# It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself
saml.sp.idp.spIssuer.namePrefix=

# The SAML attribute (or 'Subject/NameID' for SAML subject NameID) to map to the SkyVault user's ID
saml.sp.user.mapping.id=Subject/NameID

# TODO will be used for user provisioning (SAML-175)
# The SAML attribute to map to the SkyVault user's email
saml.sp.user.mapping.email=Email

# The SAML attribute to map to the SkyVault user's first name
saml.sp.user.mapping.firstName=GivenName

# The SAML attribute to map to the SkyVault user's last name
saml.sp.user.mapping.lastName=Surname

# Whether or not SAML is enabled for the service provider
saml.sp.isEnabled=false

# Whether or not SAML login is enforced
saml.sp.isEnforced=true

# IdP description if you choose to enforce SAML login
saml.sp.idp.description=

# IdP URL to which the Authentication Request from SkyVault is posted for the service provider
saml.sp.idp.sso.request.url=

# IdP URL to which a logout *request* from SkyVault is posted when logging out from the service provider
saml.sp.idp.slo.request.url=

# IdP URL to which a logout *response* from SkyVault is posted when receiving a logout request from your IdP for the service provider
saml.sp.idp.slo.response.url=

# Path to the certificate used to validate the requests and responses from the IdP
saml.sp.idp.certificatePath=

# Entity identification (issuer) for the service provider.  Some IdPs may use this to determine which SP connection to use.
saml.sp.idp.spIssuer=
  2. To enable SAML, use these settings in your <classpathRoot>/alfresco/extension/subsystems/SAML/share/share/my-custom-share-sp.properties file: 

    saml.sp.isEnabled=true
saml.sp.isEnforced=false
saml.sp.idp.description=<Identity Provider>
    where:

    saml.sp.isEnabled specifies whether or not SAML is enabled for the service provider.

    saml.sp.isEnforced accepts a boolean value and specifies whether or not SAML login is enforced. If set to false, SAML login is not enforced.

    saml.sp.idp.description accepts a string value and specifies the IdP description at the login screen if you choose to not enforce SAML login.

  3. Set the Identity Provider (IdP) settings:

    • saml.sp.idp.sso.request.url: The address where the authentication request is sent. This redirects you to the identity provider login page.
    • saml.sp.idp.slo.request.url: The address where the logout request is sent when logging out of SkyVault. This logs you out of SkyVault and any other applications that use your SSO setup.
    • saml.sp.idp.slo.response.url: The address where the logout response is sent when the identity provider gets a logout request.
    • saml.sp.idp.spIssuer: Some IdPs use the issuer to determine which service provider connection to use.
    • saml.sp.user.mapping.id: The SAML attribute that maps to an SkyVault User ID. The SAML attribute is the Subject/NameID specified for the SAML subject NameID.
  4. Enter a path to the certificate: saml.sp.idp.certificatePath

    Note: If SAML is enabled, SkyVault always checks for a existing certificate.
  5. Review the other SAML settings in the saml.properties file to understand if they apply to your setup.
  6. Save and close all the properties files, and restart SkyVault to apply your changes.

You have configured the SAML settings for Share.

You can also configure your settings dynamically using JMX. Remote JMX connectivity is disabled by default in SkyVault. See Using a JMX client to change settings dynamically for more information about JMX.

Parent topic: Configuring SAML SSO for Share

© 2017 TBS-LLC. All Rights Reserved.