Technology Services Group

well documented.

Alfresco Office Services with Single Sign-On

We were recently involved with helping a new client install and configure Alfresco. Part of the configuration included integration with the client’s existing single sign-on software. This post will describe some of the hurdles and lessons learned with getting Alfresco Office Services (AOS) working in their environment.

Alfresco supports many authentication methods, including LDAP, NTLM, and Kerberos. These methods can be chained together to offer a variety of authentication options for the various components of Alfresco.

Often our clients want to integrate Alfresco with existing single sign-on (SSO) software that they already have in place. Alfresco and Share can handle this easily by configuring the external authentication subsystem. This subsystem allows authentication credentials to be securely passed to Alfresco via HTTP headers, which is standard for many web applications. Configuration instructions for Alfresco can be found here and additional instructions for Share can be found here.

External authentication worked great for the client until users tried to utilize the “Edit Online” feature in Alfresco Share. This feature is part of Alfresco Office Services (AOS), which can be optionally installed with repository. The problem was that when the “Edit Online” action was clicked, the Microsoft Office application opened as expected, but instead of opening the document for editing, it opened an HTML rendering of the client’s SSO login screen.

As it turns out, external authentication is NOT supported with AOS, but this information was inadvertently omitted from the Alfresco 5 documentation and has since been added back. You can see the documentation here.

To work around this limitation, the client decided to add an additional authentication method to the authentication chain to handle authentication for AOS. Because they’re already using LDAP for user and group synchronization, they chose to use LDAP authentication. The final step was to update the web server configuration (Apache HTTPD in this case) to exclude the AOS URL patterns from our SSO configuration. The AOS URL patterns can be found here.

After making these changes, when a user clicks Edit Online, they are prompted for their username and password, which is authenticated against LDAP. Unfortunately their SSO credentials cannot be used, but users can save their credentials so that they don’t have to reenter them every time they use the Edit Online feature. While a compromise was necessary, users are glad to be able to use the feature.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Tweets

Tech. Services Group
@tsgrp

RSS Blog

  • DynamoDB – Database model for Document Management November 16, 2018
    One of the ongoing myths about DynamoDB for Document Management we hear too often is “but isn’t that just for big data?”  This post will try to explain the benefits of DynamoDB’s big data capabilities and data model in a Document Management context compared to traditional database systems.  Examples will include how we are currently […]
  • DynamoDB and Hadoop / HBase – What are some of the differences? November 15, 2018
    As an Amazon Web Services Partner, TSG has begun developing out our document management solution for DynamoDB, we have been surprised with some of the implementation differences between DynamoDB and Hadoop / HBase.  This post will dive into the differences in building we have encountered some examples while building out our ECM/Content Process Services solution. Creating […]

Contact

22 West Washington St
5th Floor
Chicago, IL 60602
inquiry@tsgrp.com
312.372.7777

Join Us on Social

Read previous post:
Documentum or Alfresco – Bulk Upload and “Heads up” indexing

One of the most common issues we see at our clients is with the initial indexing of attributes for documents...

Close