Tuesday, 15 December 2020

SSO configuration with Alfresco Identity Service 1.3 and ACS 6.2.2 (optionally with standalone keycloak)

Alfresco provides Identity Service for SSO. I have integrated Alfresco 6.2.2 with Identity Service 1.3 and it is working fine. If you would rather run standalone Keycloak on its own, it works with the same configuration.

I downloaded the zips of Keycloak 9.0.3 and Keycloak 11.0.0 (the version underlying Identity Service 1.3) and tested both, integrating each with Alfresco in turn; both work correctly.

The configuration in the Alfresco files stays the same in every case. Below are the alfresco-global.properties settings; Keycloak is assumed to be running on port 8081:

authentication.chain=identity-service-1:identity-service,alfrescoNtlm-1:alfrescoNtlm
identity-service.auth-server-url=http://localhost:8081/auth
identity-service.enable-basic-auth=true
identity-service.realm=sharerealm
identity-service.resource=alfresco
csrf.filter.referer=http://localhost:8080
csrf.filter.origin=http://localhost:8080/*

aims.enabled=true
aims.realm=sharerealm
aims.resource=alfresco
aims.authServerUrl=http://localhost:8081/auth
aims.publicClient=true

Entry in share-config-custom.xml file:

<!-- AIMS -->
<config evaluator="string-compare" condition="AIMS">
    <enabled>true</enabled>
    <realm>sharerealm</realm>
    <resource>alfresco</resource>
    <authServerUrl>http://localhost:8081/auth</authServerUrl>
    <sslRequired>none</sslRequired>
    <publicClient>true</publicClient>
    <autodetectBearerOnly>true</autodetectBearerOnly>
    <alwaysRefreshToken>true</alwaysRefreshToken>
    <principalAttribute>email</principalAttribute>
    <enableBasicAuth>true</enableBasicAuth>
</config>

If you are working with ADF or ADW (Alfresco Digital Workspace), the following entry goes in app.config.json:

  "$schema": "../node_modules/@alfresco/adf-core/app.config.schema.json",
  "ecmHost": "http://localhost:8080",
  "aosHost": "http://localhost:8080/alfresco/aos",
  "baseShareUrl": "http://localhost:8080/adw",
  "providers": "ECM",
  "authType": "OAUTH",
  "oauth2": {
    "host": "http://localhost:8081/auth/realms/sharerealm",
    "clientId": "alfresco",
    "scope": "openid",
    "secret": "",
    "implicitFlow": true,
    "silentLogin": true,
    "publicUrls": [
      "**/preview/s/*",
      "**/settings"
    ],
    "redirectSilentIframeUri": "http://localhost:8080/adw/assets/silent-refresh.html",
    "redirectUri": "/adw",
    "redirectUriLogout": "/adw/#/login"
  },
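The realm, client ('resource') and auth-server URL above must agree across alfresco-global.properties, share-config-custom.xml and app.config.json, and the ADF oauth2.host must be the realm issuer URL (authServerUrl + /realms/ + realm); a mismatch in any one of them is a common reason Share falls back to its own login page. The checker below is an added example written for this post, not Alfresco or Keycloak code; it runs against constructed excerpts of the three fragments shown here and flags disagreements, plus the sslRequired=none setting that is only appropriate for a local test setup.

```python
import json
import xml.etree.ElementTree as ET

# Constructed excerpts of the three fragments shown in this post (not complete files).
ALFRESCO_GLOBAL = """identity-service.auth-server-url=http://localhost:8081/auth
identity-service.realm=sharerealm
identity-service.resource=alfresco
aims.authServerUrl=http://localhost:8081/auth
aims.realm=sharerealm
aims.resource=alfresco"""
SHARE_CONFIG = """<config evaluator="string-compare" condition="AIMS"><realm>sharerealm</realm>
<resource>alfresco</resource><authServerUrl>http://localhost:8081/auth</authServerUrl>
<sslRequired>none</sslRequired></config>"""
ADF_CONFIG = """{"oauth2": {"host": "http://localhost:8081/auth/realms/sharerealm",
                            "clientId": "alfresco"}}"""


def load_properties(text):
    """Parse key=value lines of alfresco-global.properties; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_sso_config(props_text, share_xml, adf_json):
    """Return a list of findings; an empty list means the three files agree."""
    props = load_properties(props_text)
    share = ET.fromstring(share_xml)
    oauth = json.loads(adf_json)["oauth2"]
    findings = []
    # Repository (identity-service.*), Share (aims.*) and share-config-custom.xml must match.
    for key, aims_key, tag in (("realm", "aims.realm", "realm"),
                               ("resource", "aims.resource", "resource"),
                               ("auth-server-url", "aims.authServerUrl", "authServerUrl")):
        values = {props.get("identity-service." + key), props.get(aims_key), share.findtext(tag)}
        if len(values) != 1:
            findings.append("%s: %s" % (key, sorted(values, key=str)))
    # ADF's oauth2.host must be the realm issuer, <authServerUrl>/realms/<realm>.
    issuer = "%s/realms/%s" % (props.get("identity-service.auth-server-url", "").rstrip("/"),
                               props.get("identity-service.realm"))
    if oauth.get("host", "").rstrip("/") != issuer:
        findings.append("oauth2.host %r != issuer %r" % (oauth.get("host"), issuer))
    if oauth.get("clientId") != props.get("identity-service.resource"):
        findings.append("oauth2.clientId %r != identity-service.resource" % oauth.get("clientId"))
    if share.findtext("sslRequired") == "none":
        findings.append("sslRequired=none: plain-HTTP tokens are accepted (local testing only)")
    return findings
```

Point the three constants at your real files to run the same checks on a deployment.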

Keycloak / Identity Service Configuration:

1) Download keycloak-9.0.3.zip (or whichever version applies) and unzip it.
2) Go to keycloak-9.0.3\standalone\configuration and edit the standalone.xml file to change the port numbers (because Alfresco is already running on port 8080):
        <socket-binding name="ajp" port="${jboss.ajp.port:8010}"/>
        <socket-binding name="http" port="${jboss.http.port:8081}"/>
        <socket-binding name="https" port="${jboss.https.port:8444}"/>
3) Go to keycloak-9.0.3\bin and run the standalone.bat file. This starts the Keycloak server on the specified port, 8081.
4) Open the URL http://localhost:8081/ and click the 'Administration Console' link. The first time, it asks you to set up the admin user account; you can enter 'admin' and 'admin' as username and password.
5) Log in as the admin user.
6) Create a new realm 'sharerealm' by clicking the 'Add Realm' option at the top left.
7) The 'sharerealm' settings are as follows:
8) Now create a new client 'alfresco' using the 'Create' button (if the 'alfresco' client does not already exist):
9) Client 'alfresco' settings:
10) Click 'Save' to save the above configuration.
11) Click 'Users' in the left panel to open the 'Users' screen. Click 'Add User' to add a few users to the Keycloak server; these are the users that will authenticate and log in to Alfresco.
12) After entering the user details, click 'Save'.
13) Go to the Credentials tab of that user and set a temporary password for the user. Click 'Set Password':
14) This password is saved, and Keycloak asks the user to change it when they log in for the first time.
15) That's it. Configuration on the Keycloak side is done.

Whether you use Identity Service 1.3, standalone Keycloak 11.0.0 or standalone Keycloak 9.0.3, the same Keycloak configuration above works with Alfresco, with the Alfresco-side configuration kept exactly as shown.

5 comments:

  1. Hi, we use your config for Alfresco v7.1 and Alfresco Identity Service 1.6 (Keycloak OpenID), but we can't get SSO working. It's just like no Keycloak is configured: the Share page shows the login as if there is no SSO.

    Any suggestions?
    thanks,
    Stella

  2. Also, we are using Azure AD as IdP.

  3. Where do you define the IdP in Keycloak?
