In Techno
Organisations using Google Apps for Business can benefit from using the single sign on possibilities it provides. First, the Google domain users are the only set to manage. But second, you can also benefit from the advanced authentication methods Google provides. Google supports two way authentication but also authentication with a hardware token.

Two-way authentication greatly improved the security. For really sensitive information, user name and password are not sufficient. By using two way authentication, users log in using username and password, but also enter a code which is provded by a personal device i.e. smart phone.

Authentication using a hardware token is kind of the same way of authentication, but now the second step of authentication is being done by inserting a token or key into the computer.

Besides the fact users can be managed from the Google domain, using Google authentication greatly improves the way information in Alfresco is secured and managed.

Using Google authentication is done via SAML2. This is a protocol for identity managed over different applications. SAML2 is available for Google users on a paid plan. The occasional Gmail user won’t be able to to this. But other services for authentication can be used instead of Google, as long as the SAML2 protocol is supported.


We implemented this way of logging into Alfresco for a proot-of-concept for a large Dutch municipality together with our friends from WEB-R (http://www.webr.nl), a Google implementation partner.

We like to keep Alfresco as out-of-the-box as possible and we like using common known techniques. So in fact, we didn’t really do anything in Alfresco. Instead, we used Apache HTTPD and the mod_auth_mellon module. Let’s go.

Please note that for this setup to work, Google has to be able to connect to your server. So the server would by default be publicly accessible. In our proof-of-concept we’re aiming for the best collaboration environment, so that’s no problem.

Registering a SAML App

  • Go to the Google admin console at https://admin.google.com/
  • Choose “Apps” and SAML Apps,
  • Add a new app and choose the setup your own custom app. The wizard continues to step 2
  • In step 2, Download the IdP metadata. You will be using it in the mod_auth_mellon configuration later on
  • In step 3, give the application a name by which you and your users can recognise it from the Google app launcher.
  •  In step 4, you provide an “Assertion Consumer Service (ACS) URL”. This is the URL where Google can post the authentication result to. The url is the url of your Alfresco server with “/mellon/postResponse” appended, for example https://alfresco.contezza.nl/mellon/postResponse. The Entity ID is a unique identifier for this application. I think it should follow the URN standard, but anything will go as long as you consequently use it and it is unique within your Google domain. In the example we would choose https://alfresco.contezza.nl/share
  • In step 5 you can do attribute mapping, but we won’t be using that. So you can Finish the wizard and save your App.​

Configuring Apache HTTPD
We’re assuming you already have an Apache HTTPD running with some virtualhost handling HTTPS and proxying through to Alfresco. We’re also assuming your Apache is running on Centos7, although differences for distributions are managable. We based out setup on https://github.com/UNINETT/mod_auth_mellon/wiki/GenericSetup

  • Install mod_auth_mellon using yum install mod_auth_mellon
  • Download this script https://raw.githubusercontent.com/UNINETT/mod_auth_mellon/master/mellon_create_metadata.sh and execute it with the previous defined entity id (https://alfresco.contezza.nl/share) and the url to the SAML directory (https://alfresco.contezza.nl/mellon) as the two parameters.
  • Upload the IdP metadata file you downloaded from Google to the server
  • Put the results of the script and the idp-metadata,xml file in a directory.

We will now modify the Apache configuration. Modify your virtualhost so that it includes the following lines:

<Location /mellon>
MellonEnable auth
</Location>
<Location “/”>
MellonEnable auth
MellonSPPrivateKeyFile /opt/mellon/[output of the executed script].key
MellonSPCertFile /opt/mellon/[output of the executed script].cert
MellonSPMetadataFile /opt/mellon/[output of the executed script].xml
MellonIdPMetadataFile /opt/mellon/idp-metadata.xml
MellonEndpointPath /mellon
</Location>
RequestHeader set MELLON_NAME_ID %{MELLON_NAME_ID}e

  •  Restart Apache

Configuring Alfresco

The following instructions are taken from http://docs.alfresco.com/4.0/concepts/auth-external-props.html and http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html.

  • Edit the alfresco-global.properties and add/modify the authentication settings:

authentication.chain=external1:external
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.proxyHeader=MELLON_NAME_ID

  • Edit the share-config-custom.xml and uncomment the SSO Remote section
  • Change the endpoint to use alfrescoHeader instead of alfrescoCookie
  • within the alfrescoHeader connector, change the userHeader element to the name of our header; MELLON_NAME_ID
  • Restart Alfresco

Now you should be done. Next thing is to enforce your users to use two way authentication. This is a Google setting.

Please note that this setup does not synchronize users with Alfresco. Authenticated users are created without a profile if they don’t already exist.

​Happy authenticating!

Recent Posts

Start typing and press Enter to search