|
| 1 | +--- |
| 2 | +title: Administer Outlook Integration |
| 3 | +--- |
| 4 | + |
| 5 | +This section contains information related to administration of the Outlook Integration. |
| 6 | + |
| 7 | +## Using SAML SSO with Outlook Integration {#usingsaml} |
| 8 | + |
| 9 | +Use this information to set up SAML Single Sign-On (SSO) authentication for Alfresco Content Services with the Outlook Integration. |
| 10 | + |
| 11 | +> **Note:** With the deprecation of the SAML Module for Alfresco Content Services, the configuration to enable SAML has been moved to Identity Service. Outlook Integration uses the OpenId Connect protocol to manage the authentication against the Identity Service, while the Identity Service handles the SAML-related part depending on the configuration of the SAML provider. |
| 12 | +
|
| 13 | +See the [Identity Service documentation]({% link identity-service/latest/tutorial/sso/saml.md %}) for details. |
| 14 | + |
| 15 | +### Prerequisites |
| 16 | + |
| 17 | +* Identity Service needs to be installed and configured to be used with an Alfresco Content Services instance. |
| 18 | +* A SAML Identity Provider (IdP) like Active Directory Federation Services (AD FS) needs to be configured for Identity Service: |
| 19 | + * See steps 3 - 5 of the [Identity Service SAML guide]({% link identity-service/latest/tutorial/sso/saml.md %}). |
| 20 | +* Outlook Integration needs to be able to reach the Identity Service and the SAML IdP to handle authentication. |
| 21 | + |
| 22 | +Once you've installed the Outlook client and completed the configuration, you should see the OIDC authentication radio button in the Outlook plugin |
| 23 | +configuration. |
| 24 | + |
| 25 | +To see this option, open Microsoft Outlook, and in the **Alfresco Client** tab select **Configure** to view the client configuration: |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +## Configuration in Identity Service |
| 30 | + |
| 31 | +### Valid Redirect URIs |
| 32 | + |
| 33 | +The OpenId Connect authentication in Outlook Integration uses an embedded browser in combination with the `authorization_code` grant type to authenticate the user against the Identity Service. Extracting the authentication tokens is done within the embedded browser while the redirect happens. As the token extraction is happening within the embedded browser, Outlook Integration does not need to open a web server or a listener on a specific port. It requires an arbitrary URL the Outlook client can be redirected to by the Identity Service after a successful login. |
| 34 | + |
| 35 | +As per the default configuration, a specific loopback address `https://127.0.0.1:6543/OutlookCallback` is defined. This address must be added in the Identity Service - **Valid Redirect URIs** section for the OpenId Connect client that is used. |
| 36 | + |
| 37 | +You can change the redirect URI, if needed. It just needs to match the valid redirect URIs. |
| 38 | + |
| 39 | +### Refresh Tokens |
| 40 | + |
| 41 | +Outlook integration relies on refresh tokens from the Identity Service to automatically retrieve new AccessToken/RefreshToken pairs while Outlook is open. This reduces the number of times for a re-authentication against the SAML IdP. |
| 42 | + |
| 43 | +To ensure this works, the configured OpenId Connect client must provide refresh tokens with the authentication response. To do this, set the following configuration parameters in the Identity Service. |
| 44 | + |
| 45 | +### (Optional) Set up an OpenId Connect Client for Outlook Integration |
| 46 | + |
| 47 | +1. Create a new OpenId Connect client for the realm that is used: |
| 48 | + 1. Client authentication: `Off`. |
| 49 | + 2. Authorization: `Off`. |
| 50 | + 3. Authentication flow: enable `Standard flow`. |
| 51 | +2. Specify a valid redirect URI. |
| 52 | + |
| 53 | +> **Note:** Although this step is optional, it is possible to use the default Alfresco client. Setting up a specific OpenId Connect client for Outlook is the preferred way. |
| 54 | +
|
| 55 | +Make sure the client specific settings match the server-side configuration. |
| 56 | + |
| 57 | +## Configuration in Alfresco Outlook Integration |
| 58 | + |
| 59 | +The Outlook clients initiates the authentication process directly against the Identity Service server. Therefore, you must configure the IDS configuration parameters on the client-side to match the system environment: |
| 60 | + |
| 61 | +* Authentication Server URL |
| 62 | +* Realm |
| 63 | +* Client ID |
| 64 | +* Redirect URL |
| 65 | + |
| 66 | +Details about the configuration parameters are in the [configuration]{% link microsoft-outlook/2.10/config/index.md %} page. |
| 67 | + |
| 68 | +> **Note:** To allow the use of the SAML provider without additional user interaction, you must force the use of the SAML provider. See [Identity Service documentation]({% link identity-service/latest/tutorial/sso/saml.md %}#step-5-optional-enforcing-saml) for |
| 69 | +details. |
| 70 | + |
| 71 | +## Single Sign-On (SSO) |
| 72 | + |
| 73 | +SSO requires that the SAML IdP and the environment is set up properly. If SSO is not working and a form-based authentication dialog is shown, you may need to extend the list of allowed agents for Windows Integration Authentication on the Active Directory Federation Services side with `Trident/7.0`. |
0 commit comments