Enable 2FA/MFA in Alfresco 7.4: Keycloak Guide
Learn how to enable Two-Factor Authentication (2FA/MFA) in Alfresco Content Services 7.4 using external IdPs like Keycloak, Azure AD, or Okta. No native support—follow official guides for secure Alfresco authentication via SAML/OIDC.
How can I enable Two-Factor Authentication (2FA/MFA) in Alfresco Content Services 7.4?
- Is there native 2FA support in Alfresco 7.4?
- Are there officially supported or certified solutions to add 2FA (for example via an external identity provider)?
- What is the recommended approach to improve authentication security in Alfresco 7.4?
- Where can I find official documentation or configuration guides?
Alfresco Content Services 7.4 lacks native built-in 2FA or MFA support, so the best way to enable Alfresco 2FA is by integrating an external identity provider like Keycloak, Azure AD, or Okta that handles multi-factor authentication at the IdP level. This delegates secure Alfresco authentication to proven systems while keeping your content repository humming smoothly. Official docs push this approach hard, with detailed guides for SAML, OIDC, and Keycloak setups—no hacks needed.
Contents
- Overview of 2FA in Alfresco 7.4
- Does Alfresco 7.4 Have Native 2FA Support?
- Officially Supported Solutions via External IdPs
- Step-by-Step: Configuring Keycloak for Alfresco MFA
- Community Add-Ons for TOTP 2FA
- Broader Authentication Security Best Practices
- Sources
- Conclusion
Overview of 2FA in Alfresco 7.4
Picture this: you’re running a beefy Alfresco Content Services 7.4 setup, handling sensitive docs for your team. Basic passwords? That’s yesterday’s news. Users expect Alfresco 2FA or MFA to lock things down. But here’s the kicker—Alfresco 7.4 doesn’t bundle it natively. Instead, it smartly offloads authentication to external systems that do support it.
Why? Alfresco’s auth model relies on subsystems like LDAP, NTLM, or external IdPs. The official securing guide spells it out: delegate to Keycloak, Azure AD, or Okta for MFA. This keeps your repo lightweight while adding that second factor—think app push, SMS, or hardware keys.
And it works across Share, Digital Workspace, REST APIs, even WebDAV. No more “password-only” vulnerabilities. But what if you’re on Community Edition? Same story, confirmed in the 7.4 release notes.
Does Alfresco 7.4 Have Native 2FA Support?
Short answer: nope. Alfresco 7.4 ships without any built-in TOTP, OTP, or push-based MFA modules. The auth sync docs are crystal clear—authentication chains through LDAP, Kerberos, external SSO, or the Identity Service, but none include 2FA out of the box.
They yanked the old Keycloak adapter in 7.4, swapping it for Spring Security OIDC/SAML. Great for flexibility, but it means MFA lives outside Alfresco. Local NTLM? Fine for admin tweaks, but don’t rely on it for users craving Alfresco MFA.
Community chatter echoes this. Release notes double down: no new 2FA features. If you’re upgrading from 7.2 or earlier, don’t expect miracles—it’s IdP-or-bust.
Ever tried forcing it? Spoiler: custom hacks break on upgrades. Stick to official paths.
Officially Supported Solutions via External IdPs
Yes, Hyland (Alfresco’s parent) officially backs external IdPs for Alfresco authentication with MFA. No “certified plugins” per se, but their docs guide you through SAML, OIDC, CAS, and more. Top picks?
- Keycloak: Free, open-source, MFA-ready. ACS 7.4 integrates seamlessly via Spring Security.
- Azure AD / Entra ID: Enterprise fave with adaptive MFA.
- Okta, PingFederate: SAML pros with every MFA flavor imaginable.
The SAML tutorial walks you through it. IdP authenticates (with 2FA), issues a token, Alfresco trusts it. Boom—secure logins for Share, repo, APS.
LDAP users? Chain it: LDAP first, then IdP for MFA. Properties like authentication.chain=external1:external,ldap1:ldap make it happen. Disable basic auth to enforce it: identity-service.enable-basic-auth=false.
Certified? Not like Red Hat levels, but these are the recs straight from Hyland. Vendors like miniOrange pitch plugins, but they’re unofficial—proceed with caution.
Step-by-Step: Configuring Keycloak for Alfresco MFA
Ready to implement Alfresco 2FA? Keycloak’s your quickest win. Here’s the hands-on guide, pulled from official sources.
- Install Keycloak: Grab the latest (say, 24.x) and spin it up. Create a realm like “alfresco”.
- Enable MFA in Keycloak: Head to Authentication > Flows > Browser. Duplicate the default, add “OTP Form” (TOTP via Google Authenticator) or Duo/U2F. Set it required.
- Create Clients: One per app: alfresco-share, alfresco-repo, alfresco-adw, alfresco-aps. Use SAML or OIDC. Set each client's redirect URIs to match the app URL (e.g., http://localhost:8080/share).
- Alfresco Config: In alfresco-global.properties:
  authentication.chain=identity-service:identity-service,alfrescoNtlm:alfrescoNtlm
  identity-service.enable-basic-auth=false
  identity-service.authentication.clientId=alfresco-share
  identity-service.authentication.clientSecret=your-secret
  identity-service.authentication.authorizationServerUrl=http://keycloak:8080/realms/alfresco
  Restart repo and Share.
- Test: Hit login. Keycloak prompts password + TOTP. Alfresco gets the assertion. Done.
From the securing docs: enforce HTTPS via reverse proxy first. Proxy header: X-Alfresco-Remote-User.
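Before restarting, it is worth checking the properties file against the points above (Identity Service in the chain, basic auth disabled, HTTPS to the IdP, the docs placeholder secret replaced, and whether a local password fallback is still in the chain). The script below is an added example, not Alfresco's or Hyland's tooling: it uses the property names from this page, the two sample files are constructed here (the weak one mirrors the snippet above with HTTP and basic auth left on), and the finding codes are the script's own.

```python
"""Lint an alfresco-global.properties snippet for the IdP-enforced MFA settings
described on this page. Added example, not Alfresco's or Hyland's own tooling:
property names are the ones on the page, both sample files are constructed,
and the finding codes are this script's own."""
import re

# Constructed sample 1: logs in fine, but leaves password-only paths open.
WEAK_PROPERTIES = """\
# Identity Service first, local NTLM as fallback
authentication.chain=identity-service:identity-service,alfrescoNtlm:alfrescoNtlm
identity-service.enable-basic-auth=true
identity-service.authentication.clientId=alfresco-share
identity-service.authentication.clientSecret=your-secret
identity-service.authentication.authorizationServerUrl=http://keycloak:8080/realms/alfresco
"""

# Constructed sample 2: the same integration with the page's recommendations applied.
HARDENED_PROPERTIES = """\
authentication.chain=identity-service:identity-service
identity-service.enable-basic-auth=false
identity-service.authentication.clientId=alfresco-share
identity-service.authentication.clientSecret=c0ffee1b2d3e4f5a6b7c8d9e0f1a2b3c
identity-service.authentication.authorizationServerUrl=https://keycloak.example.internal/realms/alfresco
"""

_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal Java .properties reader: '#' or '!' comments, key=value or
    key:value, trailing-backslash line continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_chain(value):
    """'id1:type1,id2:type2' -> [('id1', 'type1'), ('id2', 'type2')]."""
    members = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        name, _, subsystem = entry.partition(":")
        members.append((name, subsystem or name))
    return members


def audit_mfa_config(text):
    """Return a sorted list of finding codes; an empty list means the snippet
    matches the IdP-enforced MFA setup this page describes."""
    props = parse_properties(text)
    findings = set()
    types = {subsystem for _, subsystem in parse_chain(props.get("authentication.chain", ""))}

    if "identity-service" not in types:
        findings.add("idp-missing")                 # nothing in the chain delegates to the IdP
    if "alfrescoNtlm" in types:
        findings.add("password-fallback-in-chain")  # local password login still reachable; review
    # The page says to set this explicitly; absent or anything but "false" is flagged.
    if props.get("identity-service.enable-basic-auth", "").lower() != "false":
        findings.add("basic-auth-enabled")          # HTTP Basic sidesteps the Keycloak MFA flow
    url = props.get("identity-service.authentication.authorizationServerUrl", "")
    if not url.lower().startswith("https://"):
        findings.add("plain-http-idp")              # IdP traffic would cross the wire unencrypted
    if props.get("identity-service.authentication.clientSecret", "") in ("", "your-secret"):
        findings.add("placeholder-secret")          # docs placeholder never replaced
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"{label}: {audit_mfa_config(text) or 'no findings'}")
```

The password-fallback finding is a review item rather than a hard failure: the page keeps alfrescoNtlm in the chain for admin use, so decide deliberately whether that local path should stay reachable for ordinary users.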
Stuck? The auth chain guide has full props examples. Works for Community too.
What about mTLS? Layer it for service calls—7.4 release notes cover it.
Community Add-Ons for TOTP 2FA
DIY fans, check the Alfresco TOTP Authenticator. It’s an AMP for 6.2+ (yes, 7.4), adding Google Auth-style TOTP for local users.
Install:
- Download AMP from GitHub releases.
- Drop in the amps folders (repo + Share).
- Restart.
- Users enable via /share/page/<username>/totp-settings.
LDAP? Kinda works—settings page loads, but profile link might flake. Not official, so test thoroughly. No support from Hyland.
Better than nothing for quick wins, but IdPs scale nicer.
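For readers weighing the add-on, it helps to see what a TOTP authenticator actually does: the code below is RFC 6238 TOTP generation and verification in plain Python, an added example rather than the Alfresco TOTP Authenticator's own code. The shared secret and timestamps are the RFC 6238 Appendix B test-vector values, and the replay check (refusing any counter already accepted) is this example's own design, shown because it is the part a quick-win implementation most often forgets.

```python
"""RFC 6238 TOTP generation and verification, showing what a TOTP authenticator
such as the community add-on above does under the hood. Added example, not the
add-on's code: secret and timestamps are the RFC 6238 test-vector values, and
the replay check is this example's own design."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamic-truncate to 31 bits,
    keep the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, last_used=-1, step=30, digits=6, window=1):
    """Return the matching counter, or None.

    Accepts +/- `window` steps to absorb clock drift, compares in constant time,
    and rejects counters at or below `last_used` so a code that was already
    accepted cannot be replayed during the rest of its validity window."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return None
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def enrollment_uri(secret: bytes, account: str, issuer: str = "Alfresco") -> str:
    """otpauth:// URI (Base32 secret) of the kind an authenticator app scans at enrollment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits={6}&period={30}"


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    print(enrollment_uri(RFC_SECRET, "admin"))
```

A server side that stores the per-user secret and the last accepted counter has everything it needs to call verify_totp; without the counter, the same code is valid for up to 90 seconds with a one-step window.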
Broader Authentication Security Best Practices
Alfresco 2FA is table stakes. Layer more:
- Hashed Passwords: Bcrypt for DB users.
- Encrypt Secrets: alfresco-global.properties passwords.
- Non-Root Services: Docker? Run as user alfresco.
- HTTPS Everywhere: Nginx reverse proxy, TLS 1.3.
- Kill Unused Protocols: No FTP/IMAP if idle.
- Dedicated Accounts: No admin for integrations.
Securing guide checklist is gold. External admin users only—external.authentication.defaultAdministratorUserNames=admin.
Facing audits? Enforce the SAML flow in Keycloak so there is no password-only fallback.
Sources
- Alfresco Docs - Securing your installation
- Alfresco Docs - Set up authentication and sync
- Alfresco Docs - SAML
- Alfresco Community Edition 7.4 Release Notes
- Alfresco TOTP Authenticator
Conclusion
Enabling Alfresco MFA in 7.4 boils down to external IdPs—Keycloak’s free and docs-backed, delivering robust 2FA without native hacks. Skip community add-ons unless you’re testing; they’re fun but flaky for prod. Prioritize HTTPS, chains, and best practices for ironclad Alfresco authentication. Dive into those official guides today—your users (and auditors) will thank you. Secure setups don’t build themselves.