Configuring Alfresco SAML SSO Module with Okta IdP

Alfresco recently released a new patch for their SAML Single Sign On solution module. This module allows Alfresco users to configure their Alfresco installation with their Single Sign On (SSO) Identity Provider. In this tutorial, I’ll explain the process of configuring Okta to be used with the module.

Note: This tutorial assumes you’ve followed the steps to install SAML SSO in Alfresco, via Alfresco’s official documentation.

Configuring Okta for Alfresco

Step one. From your Okta Admin Panel (In the Classic UI) go to the Applications tab, and click the button Add Application as shown below.

Next you’ll click the Create new App button shown below.

Then, in the Create a New Application Integration menu, make sure the Platform is Web and the Sign on method is SAML 2.0 as shown below.

The first menu is General Settings. This is where you can choose a name for your integration. In this case, we’ll just name it Alfresco Share SAML SSO. Optionally, you can upload a logo or adjust the application visibility. Click the Next button once everything is configured.

On the next menu we’ll get into the meat of the configuration. Here we will input all of the information necessary to link Okta to Alfresco for SSO and Single Log Out (SLO). Use the image below as a template for your own settings. Replace {host} and {port} with their appropriate values. The Name ID format should be Unspecified. The Application username should be an attribute that maps to your Alfresco users’ usernames (in this case, Okta Username).

Don’t forget to download the Okta Certificate. We’ll be using it later to configure Alfresco Share SAML SSO.

Under the basic settings there are some advanced settings we will need to modify. Shown below is what you’ll need to set in order for proper SSO and SLO configuration. In the current release you MUST configure for SLO in order for this to work. Don’t forget to upload the certificate you downloaded from the Admin Console during the installation process. Again, replace {host} and {port} with appropriate values for your Alfresco Installation.

On the following section you are given the option of mapping attributes. While it is not required, we recommend that you map basic attributes like first name, last name, and email address as shown below.

From there you’ll click the Next button and go to the third portion, where the questions asked do not affect your configuration. Once answered, click the Finish button to be redirected to your application’s page in the Sign On tab. You’ll then need to click on the View Setup Instructions button in order to complete configurations in Alfresco.

From the View Setup Instructions screen you will need the Identity Provider Single Sign-On URL and Identity Provider Single Logout URL. If you didn’t download the Okta certificate from before you will also want to click the Download button under the X.509 Certificate section. With that information we can move on to configuring Alfresco Share for SAML SSO.

Configuring Share for SAML SSO

For this process we will be acting upon the Alfresco Admin Console, where you downloaded your SP Certificate earlier. Below is a screenshot of the screen and some placeholder text we will elaborate on further down.

  • Enable SAML(SSO) Authentication: This option simply determines whether SAML is enabled. For the purposes of this tutorial, we have it checked.
  • Enforce SAML Login: If this box is checked, all logins are forced through SAML. For this tutorial we are leaving it unchecked, as that allows users to choose between logging in through SAML or through the normal Share login.
  • Identity Provider (IdP) Description: This is the name of the Identity provider, and will be the name that users will see available to them to click on in order to log in to Share.
  • IdP Authentication Request Service URL: This will be filled by the Identity Provider Single Sign-On URL collected earlier.
  • IdP Single Logout Request Service URL: This will be filled by the Identity Provider Single Logout URL collected earlier.
  • IdP Single Logout Response Service URL: This will be filled by the same URL from the IdP Single Logout Request Service URL.
  • Entity Identification (Issuer): This will match the Audience URI (SP Entity ID) from the Okta section.
  • User ID Mapping: This is the name of the Attribute that will map to an existing Alfresco User ID.
  • Upload IdP Certificate: This is where you will upload your Okta certificate, that you downloaded earlier.

It is important to note that the {host} you used throughout this tutorial must match the share.host property set in your alfresco-global.properties file, or you will receive an error.
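Because that host mismatch (and a typo in the copied URLs or Entity ID) only surfaces as a failed login, a small pre-flight check is worth running before testing. The script below is an added example written for this post, not part of Alfresco or the SAML module: it parses the share.host/share.port/share.protocol lines from alfresco-global.properties (share.port and share.protocol are standard Alfresco properties alongside share.host), compares them with the SP URLs you typed into Okta, and checks the two Share-side rules from the list above (SLO Response URL equals SLO Request URL, Issuer equals the Okta Audience URI). The property values and endpoint paths are constructed placeholders, since the screenshots with the real endpoints are not reproduced here.

```python
from urllib.parse import urlsplit

# Constructed sample of the relevant lines from alfresco-global.properties.
SAMPLE_PROPERTIES = """\
# Share front-end settings (constructed example values)
share.protocol=https
share.host=alfresco.example.com
share.port=443
"""

# SP URLs entered in Okta's SAML settings (paths are placeholders).
GOOD_SP_URLS = {
    "Single sign on URL": "https://alfresco.example.com/share/PLACEHOLDER_ACS_PATH",
    "Single logout URL": "https://alfresco.example.com/share/PLACEHOLDER_SLO_PATH",
}
# A common mistake: testing Okta against a local Share instead of share.host.
BAD_SP_URLS = {"Single sign on URL": "http://localhost:8080/share/PLACEHOLDER_ACS_PATH"}

# Values copied into the Share SAML admin page and from the Okta app.
GOOD_SHARE_SETTINGS = {
    "slo_request_url": "https://example.okta.com/app/PLACEHOLDER/slo/saml",
    "slo_response_url": "https://example.okta.com/app/PLACEHOLDER/slo/saml",
    "entity_id": "https://alfresco.example.com/share",
    "okta_audience_uri": "https://alfresco.example.com/share",
}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, comments/blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_saml_config(properties_text, sp_urls_in_okta, share_settings):
    """Return a list of mismatches; an empty list means every check passed."""
    props = parse_properties(properties_text)
    expected_host = props.get("share.host")
    default_port = "443" if props.get("share.protocol") == "https" else "80"
    expected_port = props.get("share.port", default_port)
    problems = []
    for label, url in sp_urls_in_okta.items():
        parts = urlsplit(url)
        port = str(parts.port or (443 if parts.scheme == "https" else 80))
        if parts.hostname != expected_host:
            problems.append(f"{label}: host {parts.hostname!r} != share.host {expected_host!r}")
        if port != expected_port:
            problems.append(f"{label}: port {port} != share.port {expected_port}")
    if share_settings["slo_request_url"] != share_settings["slo_response_url"]:
        problems.append("IdP Single Logout Response URL must equal the SLO Request URL")
    if share_settings["entity_id"] != share_settings["okta_audience_uri"]:
        problems.append("Entity Identification (Issuer) must match the Okta Audience URI")
    return problems
```

Run it with your own values substituted for the placeholders; anything it returns is a setting to fix before the first SSO attempt.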

Alfresco SAML SSO Okta

After that, users should be able to login using Okta as the Single Sign-On Solution. Happy Configuring!

 
