Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Our you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2020-01-05 20:00:48 GMT <fwu2018> hello all

2020-01-05 20:01:00 GMT <fwu2018> Happy new year to everyone

2020-01-05 20:31:35 GMT <fwu2018> afaust, I saw your last message about keycloak integration. does it work with 5.2? And how it works - does it use that Microsoft approach with the need to use login pages from ADFS?

2020-01-05 20:49:27 GMT <AFaust> fwu2018: So Keycloak is not supported out-of-the-box with Alfresco 5.2 - I am currently building my own Keycloak module as an open source module, and that is aimed to be 5.x compatible

2020-01-05 20:50:48 GMT <AFaust> As with regards to the login page question - it depends on the specific Keycloak configuration you want to run with and the identity providers you integrate with. By default - with no external identity providers - Keycloak will use a regular login page, though it already supports setting up OTP authentication.

2020-01-05 20:52:16 GMT <AFaust> But you can integrate it with Kerberos controllers, SAML or OIDC identity providers, and then the user may not even see the login page, if you set it up for automated authentication using one of these providers - they may potentially see some redirect pages and/or consent / agreement pages depending on your setup.

2020-01-05 20:53:52 GMT <AFaust> So far I have only integrated it with Azure Domain Services for authentication myself in one customer environment, and there the user only gets to see the Azure account selection form, if they have not already been logged in with Azure.

2020-01-05 21:14:27 GMT <fwu2018> afaust, before trying keycloak Im trying to authenticate using ADFS services

2020-01-05 21:14:50 GMT <fwu2018> my goal is to avoid login pages

2020-01-05 21:15:04 GMT <fwu2018> of course I still need to make some modifications in Alfresco

2020-01-05 21:15:18 GMT <fwu2018> but just regarding the authentication im trying to avoid login pages.

2020-01-05 21:15:56 GMT <fwu2018> and here I have a doubt, maybe you can help me if you already used Azure

2020-01-05 21:17:10 GMT <fwu2018> My adfs login page is working. I only have the default active directory in the slection form

2020-01-05 21:17:19 GMT <fwu2018> so my goal is to make a direct post

2020-01-05 21:18:43 GMT <fwu2018> I can get a code, and then a token on the next call

2020-01-05 21:19:51 GMT <fwu2018> but the user/password is not validated against the active directory = the claim provider trust I have defined

2020-01-05 21:19:56 GMT <fwu2018> So basically, I have:

2020-01-05 21:20:08 GMT <fwu2018> a claim provider trust defined = active directory

2020-01-05 21:20:26 GMT <fwu2018> a relying party trust

2020-01-05 21:20:41 GMT <fwu2018> and an a application group for oauth

2020-01-05 21:21:01 GMT <fwu2018> but it seems there is no conenctiong between my oauth config and that party trust

2020-01-05 21:21:50 GMT <fwu2018> so when I try to get a code and a token, Im able to get it, but the user/password of active directory is not authenticated... basically it is not used

2020-01-05 21:22:06 GMT <fwu2018> and thus I can have a token without any user/password...argh

2020-01-05 21:22:19 GMT <fwu2018> Im using this post as an example in postman:

2020-01-05 21:24:29 GMT <fwu2018> https://medium.com/@anjola.awofisoye/how-to-setup-automated-token-retrieval-in-adfs-3-0-using-postman-8b66cb4c5d85

2020-01-05 21:24:30 GMT <alfbot> Title:How to setup automated token retrieval in ADFS 3.0 using Postman (at medium.com)

2020-01-05 21:24:44 GMT <fwu2018> Im sugin adfs 4.0 but it shouldnt make any difference

2020-01-05 21:26:15 GMT <fwu2018> So, in the authorize service, it is inrrelevant if I set a user and password. And I dont understand why.

2020-01-05 21:26:49 GMT <fwu2018> this should be a "simple" post to the login page, so that the user doesnt need to insert any data

2020-01-05 21:30:57 GMT <AFaust> I am not sure I follow all... Are you trying to authenticate a user in ADFS against an Azure domain instance or via Active Directory? Because you framed the start with "if you already used Azure", but then nothing in the subsequent messages referred to Azure at all...

2020-01-05 21:33:34 GMT <AFaust> Did you check the ID token / details in the token you get for what user this token is for? Is it always for the same user (not necessarily the user you specified) or are there actually differences between having user name specified and not having it?

2020-01-05 21:34:28 GMT <AFaust> I don't think that ADFS is comparable to Azure Domain Services at all, so I don't know how much my limited Azure knowledge might actually be relevant here

2020-01-05 21:36:22 GMT <fwu2018> well, I think adfs is implemented in azure, just that

2020-01-05 21:36:28 GMT <fwu2018> in my case, of course

2020-01-05 21:39:02 GMT <AFaust> Sure, but it is still a separate service from the raw / basic Azure Active Directory Domain Services (AADDS)

2020-01-05 21:42:54 GMT <AFaust> ADFS is the service that makes Azure Active Directory usable in the on-prem AD, whereas Azure Active Directory Domain Services are the management services for Azure Active Directory and provides endpoints for cloud + on-prem services only to that directory.

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco