Alfresco discussion and collaboration. Stick around a few hours after asking a question.
Official support for Enterprise subscribers: support.alfresco.com.
Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.
More information about the channel is in the wiki.
More help is available in this list of resources.
2020-01-05 20:00:48 GMT <fwu2018> hello all
2020-01-05 20:01:00 GMT <fwu2018> Happy new year to everyone
2020-01-05 20:31:35 GMT <fwu2018> afaust, I saw your last message about keycloak integration. does it work with 5.2? And how it works - does it use that Microsoft approach with the need to use login pages from ADFS?
2020-01-05 20:49:27 GMT <AFaust> fwu2018: So Keycloak is not supported out-of-the-box with Alfresco 5.2 - I am currently building my own Keycloak module as an open source module, and that is aimed to be 5.x compatible
2020-01-05 20:50:48 GMT <AFaust> As with regards to the login page question - it depends on the specific Keycloak configuration you want to run with and the identity providers you integrate with. By default - with no external identity providers - Keycloak will use a regular login page, though it already supports setting up OTP authentication.
2020-01-05 20:52:16 GMT <AFaust> But you can integrate it with Kerberos controllers, SAML or OIDC identity providers, and then the user may not even see the login page, if you set it up for automated authentication using one of these providers - they may potentially see some redirect pages and/or consent / agreement pages depending on your setup.
2020-01-05 20:53:52 GMT <AFaust> So far I have only integrated it with Azure Domain Services for authentication myself in one customer environment, and there the user only gets to see the Azure account selection form, if they have not already been logged in with Azure.
2020-01-05 21:14:27 GMT <fwu2018> afaust, before trying keycloak I'm trying to authenticate using ADFS services
2020-01-05 21:14:50 GMT <fwu2018> my goal is to avoid login pages
2020-01-05 21:15:04 GMT <fwu2018> of course I still need to make some modifications in Alfresco
2020-01-05 21:15:18 GMT <fwu2018> but just regarding the authentication I'm trying to avoid login pages.
2020-01-05 21:15:56 GMT <fwu2018> and here I have a doubt, maybe you can help me if you already used Azure
2020-01-05 21:17:10 GMT <fwu2018> My adfs login page is working. I only have the default active directory in the selection form
2020-01-05 21:17:19 GMT <fwu2018> so my goal is to make a direct post
2020-01-05 21:18:43 GMT <fwu2018> I can get a code, and then a token on the next call
2020-01-05 21:19:51 GMT <fwu2018> but the user/password is not validated against the active directory = the claim provider trust I have defined
2020-01-05 21:19:56 GMT <fwu2018> So basically, I have:
2020-01-05 21:20:08 GMT <fwu2018> a claim provider trust defined = active directory
2020-01-05 21:20:26 GMT <fwu2018> a relying party trust
2020-01-05 21:20:41 GMT <fwu2018> and an application group for oauth
2020-01-05 21:21:01 GMT <fwu2018> but it seems there is no connection between my oauth config and that party trust
2020-01-05 21:21:50 GMT <fwu2018> so when I try to get a code and a token, I'm able to get it, but the user/password of active directory is not authenticated... basically it is not used
2020-01-05 21:22:06 GMT <fwu2018> and thus I can have a token without any user/password...argh
2020-01-05 21:22:19 GMT <fwu2018> I'm using this post as an example in postman:
2020-01-05 21:24:29 GMT <fwu2018> https://firstname.lastname@example.org/how-to-setup-automated-token-retrieval-in-adfs-3-0-using-postman-8b66cb4c5d85
2020-01-05 21:24:30 GMT <alfbot> Title:How to setup automated token retrieval in ADFS 3.0 using Postman (at medium.com)
2020-01-05 21:24:44 GMT <fwu2018> I'm using adfs 4.0 but it shouldn't make any difference
2020-01-05 21:26:15 GMT <fwu2018> So, in the authorize service, it is irrelevant if I set a user and password. And I don't understand why.
2020-01-05 21:26:49 GMT <fwu2018> this should be a "simple" post to the login page, so that the user doesn't need to insert any data
2020-01-05 21:30:57 GMT <AFaust> I am not sure I follow all... Are you trying to authenticate a user in ADFS against an Azure domain instance or via Active Directory? Because you framed the start with "if you already used Azure", but then nothing in the subsequent messages referred to Azure at all...
2020-01-05 21:33:34 GMT <AFaust> Did you check the ID token / details in the token you get for what user this token is for? Is it always for the same user (not necessarily the user you specified) or are there actually differences between having user name specified and not having it?
2020-01-05 21:34:28 GMT <AFaust> I don't think that ADFS is comparable to Azure Domain Services at all, so I don't know how much my limited Azure knowledge might actually be relevant here
2020-01-05 21:36:22 GMT <fwu2018> well, I think adfs is implemented in azure, just that
2020-01-05 21:36:28 GMT <fwu2018> in my case, of course
2020-01-05 21:39:02 GMT <AFaust> Sure, but it is still a separate service from the raw / basic Azure Active Directory Domain Services (AADDS)
2020-01-05 21:42:54 GMT <AFaust> ADFS is the service that makes Azure Active Directory usable in the on-prem AD, whereas Azure Active Directory Domain Services are the management services for Azure Active Directory and provide endpoints for cloud + on-prem services only to that directory.
The other logs are at http://esplins.org/hash_alfresco