Authenticating users with SAML SSO for REST API

After configuring and enforcing SAML in Alfresco, you need to authenticate users for SAML SSO before they can access any SAML-protected sites through the REST API.
If you try to access a SAML-protected URL without authenticating the user, for example:
https://localhost:8443/alfresco/api/-default-/public/alfresco/versions/1/sites
you get a 401 Unauthorized response, as shown below:
{
    "status" :
  {
    "code" : 401,
    "name" : "Unauthorized",
    "description" : "The request requires HTTP authentication."
  }, 
  
  "message" : "02210007 Authentication failed for Web Script org\/alfresco\/api\/ResourceWebScript.get", 
  "exception" : "org.springframework.extensions.webscripts.WebScriptException - 02210007 Authentication failed for Web Script org\/alfresco\/api\/ResourceWebScript.get",
 
  "callstack" :
  [
          ""      ,"org.springframework.extensions.webscripts.WebScriptException: 02210007 Authentication failed for Web Script org\/alfresco\/api\/ResourceWebScript.get"
      ,"org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:404)"
      ,"org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:281)"
      ...
      ,"org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)"
      ,"java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)"
      ,"java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)"
      ,"java.lang.Thread.run(Thread.java:745)"
  ],
 
  "server" : "Enterprise v5.0.3 (r122151-b84) schema 8 040",
  "time" : "21 mars 2017 11:45:44"
}

In order to avoid this problem, you need to authenticate the users for SAML using the steps below:

  1. To authenticate the user, use the following URL:

    https://localhost:8443/alfresco/service/saml/-default-/rest-api/authenticate

    You will be redirected to your identity provider's login page.

  2. Specify the login credentials.

    A SAML ticket is provided in the form of a JSON response.

  3. Access the original site URL with the SAML ticket generated above.

    Append the SAML ticket to the site URL as the alf_ticket query parameter. In this case the site URL is https://localhost:8443/alfresco/api/-default-/public/alfresco/versions/1/sites. For example:

    https://localhost:8443/alfresco/api/-default-/public/alfresco/versions/1/sites?alf_ticket=TICKET_ed6db2aca17e94864799c9849780f66c0a738e9b

    The URL returns a REST response and the user is successfully authorized.

To log out of Alfresco using the REST API, use the following /logout-request URL:
https://localhost:8443/alfresco/service/saml/-default-/rest-api/logout-request?alf_ticket=TICKET_17196d7019fc1704ed29a270bf4f54598393abdc
Response:
{"entry":{}}

The SAML ticket is now invalid and the user can no longer access Alfresco. To access Alfresco again, repeat the steps above.
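Because the ticket travels in the query string, it appears wherever the full URL is recorded, so a client should build these URLs carefully, mask the ticket in anything it logs, and send the logout request when it is done. The following Python sketch of step 3 and the logout call is an added example, not code from the Alfresco documentation; the helper names and the assumed ticket format (TICKET_ followed by 40 hex characters, matching the two samples on this page) are assumptions.

```python
import json
import re
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE = "https://localhost:8443/alfresco"  # host used on this page
SITES = BASE + "/api/-default-/public/alfresco/versions/1/sites"
LOGOUT = BASE + "/service/saml/-default-/rest-api/logout-request"

# Assumption: tickets look like the two samples on this page.
TICKET_RE = re.compile(r"TICKET_[0-9a-f]{40}")


def with_ticket(url, ticket):
    """Return url with alf_ticket set, replacing any ticket already present."""
    if not TICKET_RE.fullmatch(ticket):
        raise ValueError("value is not in the expected ticket format")
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "alf_ticket"]
    query.append(("alf_ticket", ticket))
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact(text):
    """Mask ticket values before a URL or log line is stored or shared."""
    return TICKET_RE.sub("TICKET_<redacted>", text)


def get_json(url):
    """GET url and decode the JSON body; errors name only the redacted URL."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except OSError as exc:  # URLError and HTTPError are OSError subclasses
        msg = f"{type(exc).__name__} for {redact(url)}"
        raise RuntimeError(msg) from None


def list_sites_then_logout(ticket):
    """Step 3, then the logout request, so the ticket does not stay valid."""
    try:
        return get_json(with_ticket(SITES, ticket))
    finally:
        get_json(with_ticket(LOGOUT, ticket))
```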