Alfresco Office Services with Single Sign-On

We were recently involved in helping a new client install and configure Alfresco. Part of the configuration included integrating with the client's existing single sign-on software. This post describes some of the hurdles and lessons learned in getting Alfresco Office Services (AOS) working in their environment.

Alfresco supports many authentication methods, including LDAP, NTLM, and Kerberos. These methods can be chained together, and the chain is tried in order, to offer a variety of authentication options for the various components of Alfresco.

Often our clients want to integrate Alfresco with single sign-on (SSO) software they already have in place. Alfresco and Share can handle this by way of the external authentication subsystem, which accepts an already-authenticated username from an HTTP header set by the SSO front end (typically a reverse proxy), a pattern common to many web applications. Because Alfresco trusts whatever arrives in that header, the setup is only as secure as the path to it: the repository must be reachable only through the proxy, and the proxy must strip any copy of the header sent by the client before adding its own. Configuration instructions for Alfresco can be found here and additional instructions for Share can be found here.

External authentication worked great for the client until users tried to use the "Edit Online" feature in Alfresco Share. This feature is part of Alfresco Office Services (AOS), which can be optionally installed with the repository. The problem was that when the "Edit Online" action was clicked, the Microsoft Office application opened as expected, but instead of opening the document for editing, it opened an HTML rendering of the client's SSO login screen. The cause is that Office makes its own HTTP requests, without the browser's SSO session, and expects an HTTP authentication challenge (a 401) rather than a form-based login page; when the SSO front end answered with its login page, Office simply treated that HTML as the document.

As it turns out, external authentication is NOT supported with AOS. This information was inadvertently omitted from the Alfresco 5 documentation and has since been added back; you can see the documentation here.

To work around this limitation, the client decided to add an additional authentication method to the authentication chain (the `authentication.chain` property in alfresco-global.properties) to handle authentication for AOS. Because they were already using LDAP for user and group synchronization, they chose LDAP authentication, which can answer the Basic authentication challenge that Office expects. The final step was to update the web server configuration (Apache HTTPD in this case) to exclude the AOS URL patterns from the SSO configuration, so that those requests reach Alfresco without an SSO redirect and without a forwarded user header. The AOS URL patterns can be found here.
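The resulting httpd layout, shown here as an added example rather than the client's actual configuration or Alfresco's own documentation. It assumes Alfresco listens on localhost:8080, uses `AuthType sso` as a placeholder for whatever the site's SSO module requires, forwards the user in the default `external.authentication.proxyHeader` name (`X-Alfresco-Remote-User`), and uses an AOS path list that is illustrative for a 5.x install; check it against the documented list for your version.

```apache
# Added example, not the client's configuration or Alfresco's own docs.
# Assumptions: Alfresco on localhost:8080; "AuthType sso" is a placeholder
# for the site's SSO module; the header name matches the default
# external.authentication.proxyHeader (X-Alfresco-Remote-User); the AOS
# path list is illustrative for a 5.x install, not taken from the docs.

ProxyPreserveHost On
ProxyPass        /alfresco      http://localhost:8080/alfresco
ProxyPassReverse /alfresco      http://localhost:8080/alfresco
ProxyPass        /share         http://localhost:8080/share
ProxyPassReverse /share         http://localhost:8080/share
ProxyPass        /_vti_bin      http://localhost:8080/_vti_bin
ProxyPassReverse /_vti_bin      http://localhost:8080/_vti_bin
ProxyPass        /_vti_inf.html http://localhost:8080/_vti_inf.html
ProxyPassReverse /_vti_inf.html http://localhost:8080/_vti_inf.html

# Strip any client-supplied copy of the trusted header on every request,
# before authentication runs. Alfresco's external subsystem accepts whatever
# arrives in this header, so only this proxy may ever set it (and port 8080
# on the Alfresco host must not be reachable from anywhere else).
RequestHeader unset X-Alfresco-Remote-User early

# Forward the authenticated principal, if any, to Alfresco. The LA-U
# look-ahead runs the authentication phase for the URI so REMOTE_USER is
# known at rewrite time. env=RU matters: on an unauthenticated request
# (the AOS paths below) RU is unset, and a bare %{RU}e would send "(null)".
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-Alfresco-Remote-User "%{RU}e" env=RU

# Default: everything under /alfresco and /share goes through SSO.
<LocationMatch "^/(alfresco|share)">
    AuthType sso
    Require valid-user
</LocationMatch>

# Exception: the AOS paths. Office does not carry the browser's SSO session
# and cannot complete an HTML login form; it expects a 401 challenge.
# Later sections override earlier ones, so this switches SSO off here and
# lets the request reach Alfresco with no credentials and no user header.
# Alfresco's chain then falls through to the ldap authenticator, which
# challenges for Basic authentication.
<LocationMatch "^/(alfresco/(aos|_vti_bin|_vti_inf\.html)|_vti_bin|_vti_inf\.html)">
    AuthType None
    Require all granted
</LocationMatch>

# The AOS paths now accept a password on every request (HTTP Basic), so
# this virtual host must be served over TLS only.
# Check from a shell with no cookies and no forwarded header:
#   curl -sI https://alfresco.example.com/alfresco/_vti_inf.html
# Expect "HTTP/1.1 401" plus a WWW-Authenticate: Basic header, not a 302
# to the SSO login page and not a 200 text/html.
```

The order of the two `LocationMatch` sections is what makes the exclusion work: httpd merges Location sections in configuration order, so the AOS section must come last to replace the `AuthType`/`Require` directives of the general one. The `RequestHeader unset ... early` line is the security-relevant piece; without it a client could put its own `X-Alfresco-Remote-User` on an AOS request, which is no longer protected by SSO, and Alfresco would accept that name as the authenticated user.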

After making these changes, when a user clicks Edit Online they are prompted for their username and password, which are authenticated against LDAP. Unfortunately their SSO credentials cannot be used, but users can save their credentials so that they don't have to re-enter them every time they use the Edit Online feature. Note that Office then sends those credentials with every AOS request, so the AOS endpoints must be served over TLS only. While a compromise was necessary, users are glad to be able to use the feature.