Tuesday, 16 April 2019

IMP Links and SAML Configuration with Alfresco

https://stackoverflow.com/questions/13994840/what-is-the-difference-between-classpath-and-classpath-in-spring-xml

https://stackoverflow.com/questions/11182821/import-another-property-file-from-alfresco-global-properties#

http://javaworld-abhinav.blogspot.com/2015/08/creating-scheduled-job-in-alfresco.html

http://docs.alfresco.com/5.1/references/dev-extension-points-scheduled-jobs.html

https://blog.arvixe.com/create-scheduled-job-in-alfresco/

https://community.alfresco.com/thread/204472-not-able-to-disable-suggestion-in-alfresco

http://docs.alfresco.com/5.0/tasks/dev-extensions-share-tutorials-add-action-doclib.html

http://docs.alfresco.com/5.1/tasks/alfresco-sdk-upgrading-alfresco-version-SDK-211-501-or-502-to-503.html

https://www.calculatestuff.com/financial/compound-interest-calculator

https://issues.alfresco.com/jira/browse/ALF-21420

https://wiki.rivetlogic.com/display/RAAR/RAAr+Design

https://support.rackspace.com/how-to/generating-rsa-keys-with-ssh-puttygen/

https://stackoverflow.com/questions/25951602/adding-an-ssl-certificate-to-jre-in-order-to-access-https-sites

https://stackoverflow.com/questions/28318297/spring-boot-application-specific-external-properties

https://linuxacademy.com/blog/linux/changing-the-time-zone-in-linux-command-line/

https://docs.alfresco.com/rm/tasks/rm-upgrade-2308.html

http://docs.alfresco.com/5.2/tasks/dev-extensions-share-tutorials-override-login-page.html

http://quizbucket.org/aws-solutions-2411

https://blog.dbi-services.com/alfresco-some-useful-database-queries/

https://pgportal.gov.in/

https://community.alfresco.com/thread/200646-installing-alfresco-51

https://www.dineshonjava.com/configuring-step-in-spring-batch-2/

https://docs.spring.io/spring-batch/trunk/reference/html/configureStep.html

https://stackoverflow.com/questions/16956810/how-do-i-find-all-files-containing-specific-text-on-linux

https://community.alfresco.com/docs/DOC-4938-scheduled-actions

https://www.programcreek.com/java-api-examples/?api=org.alfresco.service.cmr.version.VersionType

http://blakesmith.me/2010/02/08/understanding-public-key-private-key-concepts.html

http://www.serveridol.com/2015/02/03/how-do-i-install-mod_jk-on-apache-2-4-webserver/

http://tomcat.apache.org/download-connectors.cgi

https://www.javatpoint.com/factory-method-design-pattern

https://www.javamadesoeasy.com/2016/05/how-to-add-image-as-watermark-in-pdf-in.html

https://dzone.com/articles/how-to-create-an-immutable-class-in-java

https://stackoverflow.com/questions/41120129/java-stack-and-heap-memory-management

https://dzone.com/articles/java-memory-management

https://stackoverflow.com/questions/28572700/i-am-trying-to-set-maxfilesize-but-it-is-not-honored

https://stackoverflow.com/questions/35748022/multipart-file-maximum-size-exception-spring-boot-embbeded-tomcat/35864430

https://stackoverflow.com/questions/2947683/httprequest-maximum-allowable-size-in-tomcat

https://www.codota.com/code/java/methods/org.apache.poi.ss.usermodel.Sheet/protectSheet

https://poi.apache.org/components/spreadsheet/quick-guide.html#Validation

https://coderanch.com/t/639389/open-source/Apache-POI-Date-Validation-Excel

http://poi.apache.org/components/spreadsheet/quick-guide.html#Data+Validations

http://apache-poi.1045710.n5.nabble.com/sample-code-to-read-excel-listbox-values-td2308018.html

https://stackoverflow.com/questions/46450291/apache-poi-constraint-on-text-length-to-be-8-or-10

https://stackoverflow.com/questions/7819163/maven-failed-to-retrieve-plugin-descriptor-error

http://niketa-alfresco3.blogspot.com/2016/04/create-alfresco-share-sites-through.html

https://stackoverflow.com/questions/17012308/move-cursor-to-end-of-file-in-vim

------------------------------------------------------------------------------------------------------

Overview

Alfresco hosted on AWS will be configured with SAML to provide Single Sign-On (SSO) for CUSTOMER_NAME employees.
The steps to configure Alfresco with CUSTOMER_NAME SAML differ from the usual SAML configuration done for other applications deployed in the cloud: Alfresco itself acts as the Service Provider (SP), so no separate SP such as Shibboleth needs to be installed on the Alfresco instance.
CUSTOMER_NAME uses PingFederate as the Identity Provider (IdP) for the SAML integration.

Prerequisite

Please make sure you have the following available before starting the SAML configuration:
  1. Alfresco SAML patch (amp files)
  2. Public certificate of the company SAML server (based on the environment being configured, stage or prod, get the public certificate of the relevant server)

Part 1: Submit application information on SAML portal

In order to enable an application with SAML, the first step is to register the application with the SAML portal. Follow the steps below:
  1. Open the '<CUSTOMER_NAME> Self Service SAML API' portal.
  2. The following information needs to be entered on the portal (Field Name, Description, Sample Value):
    Field Name: Entity ID
    Description: Entity ID. This is used by the IdP to identify the connection with the application.
    Please use the following standard as a guideline: “bu-appname-env”
    Where:
    • bu = Business unit abbreviation.
      For example, ‘og’ for Oil & gas or ‘pw’ for Power & Water
    • appname = the name of your application.
    • env = the type of environment your application instance is running in.
      For example, ‘stg’ for staging, ‘prd’ for production.
    Examples:
    • pw-distrib-web-stg
    • av-sptc-prd
    • og-dre-aex-bsr-qa
    Sample Value: di***-dev

    Field Name: App Name
    Description: Name of the application. Use RM in the name instead of Alfresco.
    Sample Value: *** Dev

    Field Name: ACS URL
    Description: Assertion Consumer Service URL. This is the Alfresco endpoint to which the IdP posts the SAML authentication response after the user has authenticated. The format of the URL must be: https://<host>/share/page/saml-authnresponse
    Sample Value: https://dev***/share/page/saml-authnresponse

    Field Name: Base URL
    Description: Base URL of Alfresco. This should be the URL which users will use to access Alfresco, not the AWS ELB URL. Make sure that there is no trailing / in the URL for this field, else form submission will fail.
    Sample Value: https://dev***

    Field Name: 3rd Party?
    Description: Is the application being configured non-CUSTOMER (not hosted in the CUSTOMER environment)?
    Sample Value: No

    Field Name: First Name
    Description: First name of the person submitting the request; use the application owner's first name.
    Sample Value: ***

    Field Name: Last Name
    Description: Last name of the person submitting the request; use the application owner's last name.
    Sample Value: ***

    Field Name: Email Address
    Description: Email id of the person submitting the request; use the application owner's email address.
    Sample Value: *****@companyname.com

    Field Name: Promise
    Description: Check that you promise that you've read the SAML information worksheet.
    Sample Value: Always (tick) (wink)
  3. Click on Submit. On successful submission, a message similar to the following will be displayed on the page:
  4. Save this page with the values for future reference.

Part 2: Configure Alfresco for SAML

Step 1: Create self-signed certificate

To enable SAML in Alfresco, one of the main requirements is a valid certificate for the Service Provider (SP). As Alfresco itself acts as the SP in this case, you need to generate a self-signed certificate and configure it in Alfresco. Unless a signing certificate for the SP is configured, Alfresco will not allow SAML login to be enabled.
Follow the steps below to create a self-signed certificate.
  1. Log on to the EC2 instance where Alfresco is installed (connect to the AWS Bastion node from the CUSTOMER network first).
  2. Move to Alfresco extension root and create directory named saml-keystore.
    cd /usr/share/tomcat/shared/classes/alfresco/
    sudo mkdir saml-keystore
  3. Run the following command from inside the saml-keystore directory (the keystore path configured in Step 2 points there) to generate the key pair and certificate.
    keytool -genkeypair -alias customer-alfresco-saml-key -keypass change-me -storepass change-me -keystore customer-alfresco-saml.keystore -storetype JCEKS

    Here change-me is the password; choose a complex password at least 6 characters long.

    Ex.:
    keytool -genkeypair -alias customer-alfresco-saml-key -keypass A***412 -storepass A***412 -keystore customer-alfresco-saml.keystore -storetype JCEKS
  4. Provide following information for the certificate when asked
    What is your first name and last name?
    *** ***
    What is the name of your organization Unit?
    ***
    What is the name of your organization?
    *** ***Company
    What is the name of your city or location?
    San ***
    What is the name of your state or province?
    California
    What is the two-letter country code for this unit?
    US
      
    Is CN=*** ***, OU=***, O=***, L=San ***, ST=California, C=US correct?
    [no]: yes
      
    A file named customer-alfresco-saml.keystore should now exist in the current directory.
  5. Create a file named customer-alfresco-saml-keystore-passwords.properties in the same directory with the following content:
    cat customer-alfresco-saml-keystore-passwords.properties
    aliases=customer-alfresco-saml-key
    keystore.password=A***12
    customer-alfresco-saml-key.password=A***2

    Here aliases is the value you provided with the -alias option while creating the certificate, and the two passwords are the -storepass and -keypass values (change-me above) you used to create it.
    Perform these changes on all the Alfresco instances.

Step 2: Prepare alfresco-global.properties

Add following properties at the end of alfresco-global.properties:
#SAML key store configuration
saml.keystore.location=classpath:alfresco/saml-keystore/customer-alfresco-saml.keystore
saml.keystore.keyMetaData.location=classpath:alfresco/saml-keystore/customer-alfresco-saml-keystore-passwords.properties
saml.keystore.provider=
saml.keystore.type=JCEKS
# The SAML attribute (or 'Subject/NameID' for SAML subject NameID) to map to the Alfresco user's ID
saml.sp.user.mapping.id=ssoid
# TODO will be used for user provisioning (SAML-175)
# The SAML attribute to map to the Alfresco user's email
saml.sp.user.mapping.email=mail
# The SAML attribute to map to the Alfresco user's first name
saml.sp.user.mapping.firstName=firstname
# The SAML attribute to map to the Alfresco user's last name
saml.sp.user.mapping.lastName=lastname
Perform these changes on all the Alfresco instances.
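As an added illustration (not Alfresco's own code), the following Python models how the saml.sp.user.mapping.* properties above are applied to an IdP assertion: it parses the mapping lines, picks the mapped attributes out of a constructed sample assertion, honours the 'Subject/NameID' special value, and fails when the IdP does not release the attribute mapped to the user ID. The attribute values, Issuer URL and assertion ID are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The mapping block from alfresco-global.properties (same keys and values as above).
GLOBAL_PROPERTIES = """
saml.sp.user.mapping.id=ssoid
saml.sp.user.mapping.email=mail
saml.sp.user.mapping.firstName=firstname
saml.sp.user.mapping.lastName=lastname
"""

# Constructed sample assertion (not a real PingFederate response): these attribute
# names are what the IdP must release for the mapping above to resolve every field.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0nstructed" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/fss/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.invalid</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="ssoid"><saml:AttributeValue>212345678</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_mapping(properties_text):
    """Return {field: samlAttributeName} from the saml.sp.user.mapping.* lines."""
    prefix = "saml.sp.user.mapping."
    mapping = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(prefix) and "=" in line:
            key, value = line[len(prefix):].split("=", 1)
            mapping[key.strip()] = value.strip()
    return mapping


def map_assertion_to_user(assertion_xml, mapping):
    """Resolve each mapped field from the assertion's attributes (or from Subject/NameID)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    user = {field: (name_id if src == "Subject/NameID" else attrs.get(src, ""))
            for field, src in mapping.items()}
    if not user.get("id"):
        # No resolvable user ID means Alfresco cannot match an account, so the SSO login fails.
        raise ValueError("assertion has no value for the mapped id attribute %r" % mapping.get("id"))
    return user
```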

Step 3: Prepare share-config-custom.xml

Add the following SAML specific rules at the top of the <filter> element of the CSRFPolicy configuration in share-config-custom.xml in the Share web extension root. Keep the remaining default CSRFPolicy rules below them: because the config uses replace="true", a filter that contained only these two rules would match nothing else, and the token checks for every other POST to Share would be lost.
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <!--
        If using https make a CSRFPolicy with replace="true" and override the properties section.
        Note, localhost is there to allow local checks to succeed.

        I.e.
        <properties>
            <token>Alfresco-CSRFToken</token>
        </properties>
    -->
    <filter>

        <!-- SAML SPECIFIC CONFIG - START -->

        <!--
         Since we have added the CSRF filter with filter-mapping of "/*" we will catch all public GET's to avoid them
         having to pass through the remaining rules.
        -->
        <rule>
            <request>
                <method>GET</method>
                <path>/res/.*</path>
            </request>
        </rule>

        <!-- Incoming posts from IDPs do not require a token -->
        <rule>
            <request>
                <method>POST</method>
                <path>/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest</path>
            </request>
        </rule>

        <!-- SAML SPECIFIC CONFIG - STOP -->

        <!-- The remaining default CSRFPolicy rules follow here -->
    </filter>
</config>
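To see why these rules must be followed by the default CSRF rules rather than stand alone, here is an added Python model (not Alfresco's filter code) of how the CSRFPolicy filter walks its ordered rules; it assumes, as a simplification of the real filter, that the first matching rule decides, a rule without actions allows the request, and a request that matches no rule passes through untouched. The request paths and tokens are constructed.

```python
import re

# The two SAML rules from the snippet above, as (method regex, path regex, actions).
SAML_RULES = [
    ("GET", r"/res/.*", []),
    ("POST", r"/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest", []),
]
# Stand-in for the trailing default rule that enforces the CSRF token on state-changing requests.
DEFAULT_TOKEN_RULE = ("POST|PUT|DELETE", r".*", ["assertToken"])


def evaluate(rules, method, path, header_token=None, session_token=None):
    """Return 'allow' or 'reject' for one request under an ordered rule list (simplified model)."""
    for method_re, path_re, actions in rules:
        if re.fullmatch(method_re, method) and re.fullmatch(path_re, path):
            for action in actions:
                if action == "assertToken" and (header_token is None or header_token != session_token):
                    return "reject"  # token header missing or does not match the session token
            return "allow"  # first matching rule decides; a rule without actions lets the request through
    return "allow"  # no rule matched, so the filter does not intervene


def compare_policies(method, path, header_token=None, session_token="s3ss10n"):
    """Outcome if the snippet stood alone vs. the SAML rules followed by the default token rule."""
    return {
        "saml_rules_only": evaluate(SAML_RULES, method, path, header_token, session_token),
        "saml_then_default": evaluate(SAML_RULES + [DEFAULT_TOKEN_RULE], method, path, header_token, session_token),
    }


if __name__ == "__main__":
    # Constructed Share path for an ordinary state-changing request (not an IdP callback).
    print(compare_policies("POST", "/page/saml-authnresponse"))
    print(compare_policies("POST", "/proxy/alfresco/api/people"))
    print(compare_policies("POST", "/proxy/alfresco/api/people", header_token="s3ss10n"))
```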

Step 4: Deploy SAML AMPs and related files

Connect to the AWS Bastion node from the CUSTOMER_NAME network and perform a manual deployment of the SAML AMPs on the AWS Alfresco instance.

Step 5: Add SAML Configurations

  1. Once the patch is successfully applied and Alfresco is up and running, log in to the Alfresco Admin page for SAML configuration:
       http://<host>:<port>/alfresco/s/enterprise/admin/admin-saml   Ex. https://dev.***/alfresco/s/enterprise/admin/admin-saml
  2. Go to Share tab.
  3. Verify that SAML Status is Enabled.


    If the SAML Status is Disabled, check the self-signed certificate configuration. Until Alfresco is able to load the self-signed certificate successfully, the status will remain Disabled.
  4. Provide values for the following fields (Field Name, Description, Value):
    Field Name: Enable SAML(SSO) Authentication
    Description: Enable SAML based SSO for browser login.
    Value: (tick)

    Field Name: Enforce SAML Login
    Description: Whether all browser logins must go through SAML only. If this is unchecked, the user will have the option to use the manual Alfresco login or SAML SSO.
    Value: (tick)

    Field Name: Identity Provider (IdP) Description:
    Description: Name of the Identity Provider.
    Value: CUSTOMERNAME Single Sign-On (SSO)

    Field Name: IdP Authentication Request Service URL:
    Description: The IdP URL to which Alfresco sends the SAML authentication request.
    Value: Stage: https://*****/fss/idp/SSO.saml2
           Prod: https://*****/fss/idp/SSO.saml2

    Field Name: Entity Identification (Issuer):
    Description: The entity identifier through which the IdP will recognize the SP. This is the value you provided in the Entity ID field while submitting the application details on the SAML self-service portal in Part 1.
    Value: di***dev

    Field Name: User ID Mapping:
    Description: The SAML attribute that maps to an Alfresco User ID.
    Value: ssoid

    Leave the rest of the fields empty.

    SLO Configurations

    SLO (Single Log Out) is used to invalidate the SAML session. In <customer_name>, the SSO session is destroyed when the user closes the browser. The same applies to Alfresco, so no SLO related configuration is needed.
  5. Click on Upload IdP Certificate and upload the related certificate provided by the CUSTOMER SSO team.
  6. Submit the form.
Do not configure SAML for the REST API. All the fields in that tab should be empty or unchecked.

Step 6: Test SAML based SSO Login

To test the SAML based SSO login:
  1. Create a user in Alfresco whose username is the actual CUSTOMERNAME SSO ID (the value the IdP sends in the ssoid attribute).
  2. Open Alfresco using the LB URL in an incognito window.
  3. You should be redirected to the IdP and signed in to Alfresco.