Configuring SAML SSO settings for REST API using properties files

Administrators can enable and configure SAML SSO authentication for REST API using the <classpathRoot>/ file and a combination of subsystem properties files. Use this as an alternative to configuring SAML SSO using the Admin Console.

To configure REST API, create the properties file in the following folder structure:


The default file for the repository type is in the <TOMCAT_HOME>/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/SAML/repository directory. Copy the SAML settings from it into your <classpathRoot>/alfresco/extension/subsystems/SAML/repository/rest-api/ file, as an alternative to setting them in the Admin Console.

Note: Changes to <classpathRoot>/ apply in a single service provider scenario only.

If you use multiple service providers, use subsystem extensions for the type and the instance. For example, for the REST API service provider, create a file with the following classpath:

  1. Locate the <TOMCAT_HOME>/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/SAML/repository/ file.

    These are the settings:

    #SAML key store configuration
    # Time, in milliseconds, that message state is valid
    # 300000 = 5 minutes
    # Clock skew - the number of seconds before a lower time bound, or after an upper time bound, to consider still acceptable.
    # Number of seconds after a message issue instant after which the message is considered expired
    # It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself
    # The SAML attribute (or 'Subject/NameID' for SAML subject NameID) to map to the Alfresco user's ID
    # TODO will be used for user provisioning (SAML-175)
    # The SAML attribute to map to the Alfresco user's email
    # The SAML attribute to map to the Alfresco user's first name
    # The SAML attribute to map to the Alfresco user's last name
    # Whether or not SAML is enabled for the service provider
    # Whether or not SAML login is enforced
    # IdP description if you choose to enforce SAML login
    # IdP URL to which the Authentication Request from Alfresco is posted for the service provider
    # IdP URL to which a logout *request* from Alfresco is posted when logging out from the service provider
    # IdP URL to which a logout *response* from Alfresco is posted when receiving a logout request from your IdP for the service provider
    # Path to the certificate used to validate the requests and responses from the IdP
    # Entity identification (issuer) for the service provider.  Some IdPs may use this to determine which SP connection to use.
    # Provide a ticket to the user after authentication
    # Establish a session after authentication
    # Some IdPs, like LemonLDAP, may require a specific format for NameID section of the logout request.
  2. To enable SAML, use these settings in your <classpathRoot>/alfresco/extension/subsystems/SAML/repository/rest-api/ file:

    saml.sp.idp.description=<Identity Provider>

    saml.sp.isEnabled accepts a boolean value and specifies whether or not SAML is enabled for the service provider.

    saml.sp.isEnforced accepts a boolean value and specifies whether or not SAML login is enforced. If set to false, SAML login is not enforced.

    saml.sp.idp.description accepts a string value and specifies the IdP description at the login screen if you choose to not enforce SAML login.

  3. Set the Identity Provider (IdP) settings:

    • saml.sp.idp.sso.request.url: The address where the authentication request is sent. This redirects you to the identity provider login page.
    • saml.sp.idp.slo.request.url: The address where the logout request is sent when logging out of Alfresco. This logs you out of Alfresco and any other applications that use your SSO setup.
    • saml.sp.idp.slo.response.url: The address where the logout response is sent when the identity provider gets a logout request.
    • saml.sp.idp.spIssuer: Some IdPs use the issuer to determine which service provider connection to use.
    • The SAML attribute (or Subject/NameID for the SAML subject NameID) that maps to the Alfresco user ID. Choose an attribute the IdP asserts authoritatively, because this mapping decides which Alfresco account a SAML login is bound to.
  4. Enter a path to the certificate: saml.sp.idp.certificatePath

    Note: If SAML is enabled, Alfresco always checks for an existing certificate. This is the certificate used to validate the requests and responses from the IdP (see the comments in the default file above), so the path must point to the IdP's signing certificate.
  5. Review the other SAML settings in the file to understand if they apply to your setup.
  6. Save and close all the properties files, and restart Alfresco to apply your changes.
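The following is an added example and is not part of the Alfresco documentation or product. It shows a constructed rest-api properties fragment built only from the settings named in steps 2 to 4, together with a small Python checker you can run before restarting Alfresco: it parses the file with a simplified reader for the Java properties format, confirms the two booleans are valid, and, when saml.sp.isEnabled is true, checks that the three IdP URLs are absolute https URLs, that the certificate path is set and exists, and warns on an empty issuer or description. The hostnames, paths and the https requirement are this example's assumptions (https is a hardening choice, not an Alfresco rule); properties whose names are not on this page, such as the clock skew, are not checked.

```python
"""Added example: lint an Alfresco SAML rest-api properties fragment before restart.

Only the property names documented on this page are checked. All values below are
constructed assumptions (example hostnames and paths), not values from Alfresco.
"""
import os
import re
from urllib.parse import urlparse

# Constructed sample of a rest-api properties file (assumed values).
SAMPLE_REST_API_PROPERTIES = """\
# Whether or not SAML is enabled for the service provider
saml.sp.isEnabled=true
# Whether or not SAML login is enforced
saml.sp.isEnforced=false
# IdP description shown on the login screen when SAML login is not enforced
saml.sp.idp.description=Example Corp IdP
# IdP URL to which the Authentication Request from Alfresco is posted
saml.sp.idp.sso.request.url=https://idp.example.com/saml/sso
# IdP URL to which a logout request from Alfresco is posted
saml.sp.idp.slo.request.url=https://idp.example.com/saml/slo
# IdP URL to which a logout response from Alfresco is posted
saml.sp.idp.slo.response.url=https://idp.example.com/saml/slo
# Entity identification (issuer) for this service provider
saml.sp.idp.spIssuer=https://alfresco.example.com/alfresco/rest-api
# Path to the IdP signing certificate used to validate its requests and responses
saml.sp.idp.certificatePath=/opt/alfresco/keystore/idp-signing.crt
"""

BOOLEAN_KEYS = ("saml.sp.isEnabled", "saml.sp.isEnforced")
IDP_URL_KEYS = (
    "saml.sp.idp.sso.request.url",
    "saml.sp.idp.slo.request.url",
    "saml.sp.idp.slo.response.url",
)


def parse_properties(text):
    """Simplified java.util.Properties reader: '#'/'!' comment lines, key=value,
    key:value or key value, backslash line continuation. Escapes are not decoded."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue
        line = pending + stripped
        pending = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]  # logical line continues on the next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_saml_rest_api(props, cert_exists=os.path.isfile):
    """Return (errors, warnings) for the SAML service provider settings.

    errors   -> the SP will not work as intended (bad boolean, missing cert, bad URL)
    warnings -> legal but surprising settings (empty issuer or description)
    Requiring https on the IdP URLs is this checker's hardening choice, not an
    Alfresco rule; relax it only for an isolated lab.
    """
    errors, warnings = [], []

    def flag(key):
        return props.get(key, "false").strip().lower()

    for key in BOOLEAN_KEYS:
        if flag(key) not in ("true", "false"):
            errors.append(f"{key} must be true or false, got {props[key]!r}")

    if flag("saml.sp.isEnabled") != "true":
        return errors, warnings  # SAML is off; the IdP settings are not consulted

    for key in IDP_URL_KEYS:
        value = props.get(key, "")
        parsed = urlparse(value)
        if parsed.scheme != "https" or not parsed.netloc:
            errors.append(f"{key} must be an absolute https URL, got {value!r}")

    if not props.get("saml.sp.idp.spIssuer"):
        warnings.append("saml.sp.idp.spIssuer is empty; IdPs that select the SP "
                        "connection by issuer will not match this one")

    if flag("saml.sp.isEnforced") != "true" and not props.get("saml.sp.idp.description"):
        warnings.append("saml.sp.idp.description is empty but SAML login is not "
                        "enforced, so the login screen has no label for the IdP option")

    cert = props.get("saml.sp.idp.certificatePath", "")
    if not cert:
        errors.append("saml.sp.idp.certificatePath is required when saml.sp.isEnabled=true")
    elif not cert_exists(cert):
        errors.append(f"saml.sp.idp.certificatePath points to a missing file: {cert}")
    return errors, warnings


if __name__ == "__main__":
    import sys
    # Usage: python check_saml_rest_api.py [path-to-rest-api-properties-file]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REST_API_PROPERTIES
    errs, warns = check_saml_rest_api(parse_properties(text))
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARNING:", msg)
    sys.exit(1 if errs else 0)
```

Run it against your real rest-api properties file before step 6; run with no argument and it lints the embedded sample, which reports a missing certificate on any machine that does not have the assumed path, exactly the condition the note under step 4 describes.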

You have configured the SAML settings for REST API.

You can also configure your settings dynamically using JMX. Remote JMX connectivity is disabled by default in Alfresco. See Using a JMX client to change settings dynamically for more information about JMX.
