    Keith Bailey
    @mckeithyb-ssl
    @rgauss - It's as if the authentication filter gets loaded during startup, then disappears. Even with lots of debug, there's nothing in the logs. If I connect with share (so no bearer token) - it's fine.
    Ray Gauss II
    @rgauss

    Hmm, you should be seeing more debug logging.

    If you’re doing this from repo you should be able to curl against localhost to eliminate any ELB issues.

    I would also try a more generic endpoint like /api/-default-/public/alfresco/versions/1/people/-me-.

    How is the token being obtained in these tests?

    Keith Bailey
    @mckeithyb-ssl
    @rgauss - I login to digital-workspace, then grab the request from the trace in chrome developer tools
    @rgauss - It's as if it's not even hitting the authentication subsystem. So despite it showing the debug during startup, I don't see anything in the log unless I log in with normal basic auth through share.
    Keith Bailey
    @mckeithyb-ssl
    @rgauss .. And to answer your other question - that long loadbalancer hostname resolves to localhost (127.0.0.1) - if you use directly on the server now. But we see the same behaviour using localhost.
    Ray Gauss II
    @rgauss
    @mckeithyb-ssl What version of ACS?
    Keith Bailey
    @mckeithyb-ssl
    @rgauss - Hi Ray - 6.1.0 - I've just been chatting with your colleague @dbaker-alfresco about version numbers - we're going to upgrade the repo to 6.2.0 ASAP, and recheck.
    Keith Bailey
    @mckeithyb-ssl
    @rgauss @dbaker-alfresco - I am pleased to report it appears to be working fine in 6.2.0 - my theory is the issue was fixed in 6.1.1, and unfortunately we were on 6.1.0
    Ray Gauss II
    @rgauss
    @mckeithyb-ssl, good to hear! The SSO Guide you referenced above does state ACS 6.1.1, perhaps we should make that more prominent.
    Keith Bailey
    @mckeithyb-ssl
    @rgauss - I'm afraid the SSO guide didn't quite cater for our use-case, as we didn't need SAML. It wasn't clear from that doc whether it was going to work at all. The main ACS documentation doesn't relate to a specific point release, but the 6.1 docs mention OAUTH and IDS, so it seemed worth a go. Anyway, we have a way forward, and the customer has now successfully hooked up Keycloak with ForgeRock OpenAM as an identity provider - which seems to be working nicely. BTW - The support guys are now calling it AIMS? Is the IDS name now defunct?
    Ray Gauss II
    @rgauss

    The support guys are now calling it AIMS ? Is the IDS name now defunct ?

    The new official acronym is still under consideration :-)

    Ayman Harake
    @aymanthefirst

    Alfresco Identity Service 1.2.0 is now available at https://github.com/Alfresco/alfresco-identity-service/releases

    It has been upgraded to include Keycloak 8.0.1. See the release notes and documentation for more details:
    https://github.com/Alfresco/alfresco-identity-service/blob/master/CHANGELOG.md
    https://docs.alfresco.com/identity/concepts/identity-overview.html

    The image can be found on Docker Hub:
    https://hub.docker.com/r/alfresco/alfresco-identity-service

    Also, the helm chart alfresco-identity-service:2.0.0 was published to the Alfresco stable helm charts repository at https://kubernetes-charts.alfresco.com/stable which uses the new Docker Hub image.

    Daniel Gradecak
    @dgradecak
    @aymanthefirst are there any important changes (or any changes) on the ACS side for identity service authentication?
    beside the upgrade to the kc adapter
    Ayman Harake
    @aymanthefirst
    Hi @dgradecak, the main changes are the move to Keycloak 8.0.1 and our additional security fixes. As for the ACS side, there were a few issues that were fixed in order for SSO to work properly.
    Keith Bailey
    @mckeithyb-ssl
    All - does anyone know if the ACS office services integration supports IDS/Keycloak ? Our customer is running ACS 6.2 / IDS 1.1, but when they try to "open in office" from ADF, it seems to work with basic auth only (or at least, there is nothing to tell Office to contact the iDP). I am aware that it is unlikely that any mechanism exists to hand the session/credentials over to office, but if office was to present a token obtained by other means.....?
    Martin Muller
    @mmuller88
    @mckeithyb-ssl with the SAML extension it does
    Keith Bailey
    @mckeithyb-ssl
    @mmuller88 - thanks for that. Just trying to articulate what needs to happen... So as I understand it, the basic ACS platform supports OAUTH against IDS (see my conversations with Ray above), but there is no full support in AOS. By installing the SAML SSO amp, and configuring appropriately we should be ok. Users will authenticate with OAUTH in ADF, and when they come to open in office, presumably they will be asked to reauthenticate in Office with the same credentials, but using SAML against keycloak. Or will SSO work?
    @mmuller88 @rgauss - Are there any plans to merge the SAML support into the platform as has been done with OAUTH?
    Martin Muller
    @mmuller88
    But you got it
    SSO will work for Office only for the Edge Browser AFAIK
    @mckeithyb-ssl for other browsers you have to put the credentials again
    GabrielLuke
    @GabrielLuke19_twitter

    I am using Identity Service (Keycloak) for ACS and APS. But when I create the user from Keycloak it is not getting synced in APS, and in ACS it does not have the First Name and Last Name of the created user.
    Does anyone know how to resolve it?

    Identity Service is implemented on top of JBoss Keycloak, which is both an ID verification Provider (IdP) and a token issuer for OAuth 2 tokens. Keycloak deals with authentication, safety password storage, SSO, two factor authentication etc. Keycloak supports protocols such as OpenID Connect and SAML. Keycloak can store the user data in a variety of places, such as LDAP, Active Directory, and RDBMS.

    Eddie May
    @freshwebs_twitter
    Alfresco CEO, Jay Bhatt to provide an update on Alfresco’s recent developments in its online community. Make a beeline to registration: https://www.alfresco.com/events/webinars/jay-bhatt-alfresco-community-update
    Tahir Malik
    @shazada

    We're having an issue with the SAML Setup. Enterprise issue is made but maybe good to ask the community about it.
    Issue is with the issue timing between ADFS and IDS. So even when logged in successfully it gives a session expired/timed-out.
    After hitting F5/Refresh everything works.
    There is a setting, but not sure how to pass this through in Docker
    https://www.keycloak.org/docs/8.0/securing_apps/#_sp-idp-allowedclockskew
    Any tips? Or others who had the same issue?

    It's not a server/docker time issue, because switching to Open-ID works directly and without IDS and just the SSO SAML module of Alfresco it works as well.

    Didn't even know there was a Gitter for IDS :D
    Eddie May
    @freshwebs_twitter

    Alfresco Tech Talk Live - Igniting ACS – Alternative caching to scale your repository, Wednesday, July 8th, 2020, 10:00 AM EDT | 3:00 PM BST | 4:00 PM CEST, register at: https://www.alfresco.com/events/webinars/tech-talk-live-igniting-acs-alternative-caching-scale-your-repository

    VijayVelu-ClearCadence
    @VijayVelu-ClearCadence
    Hi- we have an APS(Alfresco Process Services) configured with IDS for authentication. Is there a config present on IDS to control the session inactivity logout? currently it seems to logout within 15 odd mins... any pointers would help- thank you...
    VijayVelu-ClearCadence
    @VijayVelu-ClearCadence
    correction- in the above scenario, ACS and APS configured with IDS-
    Martin Muller
    @mmuller88
    Are you using keycloak for handling the oauth stuff? I think there was a limitation from keycloak regarding that.
    VijayVelu-ClearCadence
    @VijayVelu-ClearCadence
    yes using IDS/keycloak for authentication- no SSO SAML, only auth-
    Martin Muller
    @mmuller88
    @VijayVelu-ClearCadence I’m pretty sure there was or is a limitation from keycloak regarding that. I recommend going to Alfresco Discord channel as there you most likely get an answer.
    VijayVelu-ClearCadence
    @VijayVelu-ClearCadence
    @mmuller88 Thank you- could you give me the link to the Alfresco discord channel please?
    Martin Muller
    @mmuller88
    @VijayVelu-ClearCadence sure :) https://discord.gg/tCXzQC
    VijayVelu-ClearCadence
    @VijayVelu-ClearCadence
    @mmuller88 Thank you...!
    VijayVelu-ClearCadence
    @VijayVelu-ClearCadence
    Hi - I have a query regarding password hashing config on Identity Service. If I had to use the password hashing algorithm PBKDF2 SHA-512, which is supported by Keycloak, where could I perform the config change? Would there be any custom development required for this?
    Džiugas Juozapaitis
    @dziugasj
    Hi, has anyone tried to configure SAML in Community Edition?
    And also, please provide a link to the Alfresco Discord channel, because the recent one has expired.
    Martin Muller
    @mmuller88
    Yeah I think they can help you there
    Marcodewame
    @Marcodewame
    Hello, could you give me a new link to the Alfresco discord server please ?
    Liam Smith
    @liams_smith_twitter
    Hi, I think you need identity verification services, if you need then shuftipro is the top best company that provides identity verification in just 60 sec.
    Resources:
    https://shuftipro.com/identity-verification
    Muhammed Eren Demir
    @mhmmderen3
    Hi, Can we connect Alfresco with multi realm and keycloak. For example, open tenant verify from the acme realm?
    Martin Muller
    @mmuller88
    @mhmmderen3 not really. You will run into the problem that yes, authentication to Keycloak will work but user provisioning will not. User provisioning just works with one LDAP AFAIK
    Zain ul Abideen
    @zain-abideen-87
    Hi, I'm trying identity service and for this purpose I used ACS trial username/pwd but when accessing quay for identity service container, it says access is not authorized
    can anyone share link to register for trial license of identity svc ?
    Riccardo Saponi
    @riccardosaponi
    Hi guys, I'm trying to set up SSO with Alfresco Identity Service and Alfresco Content Service (CE). Are these properties also available for Community Edition?

    identity-service.authentication.enabled=true
    identity-service.enable-basic-auth=true
    identity-service.authentication.defaultAdministratorUserNames=admin
    identity-service.authentication.validation.failure.silent=false

    identity-service.auth-server-url=http://xxx.elb.amazonaws.com:8090/auth

    identity-service.realm=alfresco
    identity-service.resource=alfresco
    identity-service.public-client=true
    identity-service.ssl-required=none

    Martin Muller
    @mmuller88
    better you try asking on Discord https://discord.gg/TNXxTyC6