{"id":29791,"date":"2023-12-15T16:00:00","date_gmt":"2023-12-15T15:00:00","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=29791"},"modified":"2024-09-10T15:40:12","modified_gmt":"2024-09-10T13:40:12","slug":"howto-generate-a-custom-azuread-sso-certificate","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/","title":{"rendered":"HowTo &#8211; Generate a custom AzureAD SSO Certificate"},"content":{"rendered":"\n<p>As you know, Azure Active Directory offers quite a big range of solutions for Single Sign-On (SSO) with out-of-the-box capabilities and features that are quite good. But once the initial setup has been done, you will then need to manage all the applications that were on-boarded into it and that can spice things up, especially if you need to work in environments that require short-lived certificates.<\/p>\n\n\n\n<p>In this blog, I will talk about SAML2 Signing Certificates (which require a PFX), but it would also apply to other solutions such as OAUTH2 or OpenID Connect (which require a CRT\/PEM). When on-boarding a new application to AzureAD SAML2 SSO, you will need to define what kind of trust you need and if I&#8217;m not wrong, that is explained in the documentation (https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/enterprise-apps\/certificate-signing-options). For the SAML2 exchanges between the Identity Provider (AzureAD) and the Service Provider (the resource that needs SSO), the assertion and response can be signed and that obviously requires a certificate. 
By default, AzureAD will generate a new, dedicated Signing Certificate for this application, which is valid for 3 years if I recall.<\/p>\n\n\n\n<p>Now let&#8217;s assume that you are working at a customer that requires all certificates, including the signing ones, to be valid for 6 months at most, that you have not 1 but 50 applications to manage (that&#8217;s still not that much), that each of them requires SSO on DEV\/QA\/PROD and that of course, you don&#8217;t have any way to automate the replacement on the AzureAD side because it&#8217;s another team that manages it. What would you do in this case? Well, either you perform between 2 and 3 Signing Certificate replacements every day, or you need to not use the default certificates generated by AzureAD\u2026<\/p>\n\n\n\n<p>I had such a case at a customer for which we managed several (on-prem) Kubernetes clusters on which were hosted ECM applications that required SAML2 SSO. Instead of using the AzureAD default signing certificate that is generated by AzureAD on the fly and that needs to be exchanged (through mail usually\u2026), there is the second solution of using a custom certificate through the &#8220;Import Certificate&#8221; feature. With the custom signing certificate, it would be possible to reduce the number of certificates to manage to a decent amount that wouldn&#8217;t compromise the security too much. For example, each application could re-use the same signing certificate for their DEV\/QA\/PROD environments which would divide by 3 the number of certificates to manage. Or all DEVs could use the same signing certificate and then unique ones for QA\/PROD. That is of course up to discussion with the customer and security architects to find what makes sense from a practical and security point of view.<\/p>\n\n\n\n<p>In any case, you decided to create custom signing certificates, so how could that be done then? 
Well, it depends on the technologies that you have available, but it could be through simple shell scripts, through Ansible playbooks with passwords managed in vault, through custom containers\/service that you would create, etc\u2026 If you don&#8217;t have access to AzureAD, you will anyway not be able to fully automate the replacement (which is possible through PowerShell it seems). In this blog, since I only want to show the creation of the custom Signing Certificate, I will use a simple shell script that I created some years ago and that I still use from time to time.<\/p>\n\n\n\n<p>This simple script can be used to generate a new key (.key) as well as a new certificate (.crt), based on a request config file, which can be used for OAUTH2\/OpenID Connect. Then it will transform the PEM-based certificate into a PFX for the SAML2 option. It&#8217;s possible to add much more configuration in the request but an example of content is provided with some configuration that usually makes sense.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; highlight: [19,20,21,22,54,55]; title: ; notranslate\" title=\"\">\n&#x5B;morgan@srv01 ~]$ cd ssl\n&#x5B;morgan@srv01 ssl]$ cat create-cert.sh\n#!\/bin\/bash\n############################################################\n# Author: Morgan Patou (dbi services)\n# Creation Date: 05-Feb-2013\n# Version: 1.0\n#\n# History:\n#    1.0 - 05-Feb-2013: Creation of script\n#\n############################################################\n\nssl_folder=&quot;$HOME\/ssl&quot;\nmkdir -p ${ssl_folder}\n\nif &#x5B;&#x5B; -f &quot;${ssl_folder}\/req.conf&quot; ]]; then\n  cert_name=&quot;`grep ^CN ${ssl_folder}\/req.conf | sed &#039;s,CN&#x5B;&#x5B;:space:]]*=&#x5B;&#x5B;:space:]]*,,&#039;`&quot;\n  # Generate .key and .crt\n  openssl req -x509 -nodes -days 190 -newkey rsa:4096 -keyout &quot;${ssl_folder}\/${cert_name}.key&quot; -out &quot;${ssl_folder}\/${cert_name}.crt&quot; -config 
&quot;${ssl_folder}\/req.conf&quot; -extensions &#039;v3_req&#039;\n  # Transform .key and .crt into .pfx\n  openssl pkcs12 -export -out &quot;${ssl_folder}\/${cert_name}.pfx&quot; -inkey &quot;${ssl_folder}\/${cert_name}.key&quot; -in &quot;${ssl_folder}\/${cert_name}.crt&quot;\nelse\n  echo &quot;INFO - Please create the file &#039;${ssl_folder}\/req.conf&#039; first and re-execute this script afterwards.&quot;\n  echo &quot;&quot;\n  echo &quot;Example of content:&quot;\n  echo &quot;-------------------&quot;\n  echo &quot;&#x5B;req]&quot;\n  echo &quot;distinguished_name = dn&quot;\n  echo &quot;x509_extensions = v3_req&quot;\n  echo &quot;prompt = no&quot;\n  echo &quot;&quot;\n  echo &quot;&#x5B;dn]&quot;\n  echo &quot;C = CH&quot;\n  echo &quot;ST = JU&quot;\n  echo &quot;L = Delemont&quot;\n  echo &quot;O = dbi services&quot;\n  echo &quot;OU = IT&quot;\n  echo &quot;CN = dms.poc.it.dbi-services.com&quot;\n  echo &quot;&quot;\n  echo &quot;&#x5B;v3_req]&quot;\n  echo &quot;keyUsage = keyEncipherment, dataEncipherment&quot;\n  echo &quot;extendedKeyUsage = serverAuth&quot;\n  echo &quot;subjectAltName = @alt_names&quot;\n  echo &quot;&quot;\n  echo &quot;&#x5B;alt_names]&quot;\n  echo &quot;DNS.1 = dms.poc.it.dbi-services.com&quot;\n  echo &quot;DNS.2 = alfresco1.it.dbi-services.com&quot;\n  echo &quot;DNS.3 = alfresco2.it.dbi-services.com&quot;\nfi\n&#x5B;morgan@srv01 ssl]$\n&#x5B;morgan@srv01 ssl]$ chmod 750 create-cert.sh\n&#x5B;morgan@srv01 ssl]$\n&#x5B;morgan@srv01 ssl]$ .\/create-cert.sh\nINFO - Please create the file &#039;$HOME\/ssl\/req.conf&#039; first and re-execute this script afterwards.\n\nExample of content:\n-------------------\n&#x5B;req]\ndistinguished_name = dn\nx509_extensions = v3_req\nprompt = no\n\n&#x5B;dn]\nC = CH\nST = JU\nL = Delemont\nO = dbi services\nOU = IT\nCN = dms.poc.it.dbi-services.com\n\n&#x5B;v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = 
@alt_names\n\n&#x5B;alt_names]\nDNS.1 = dms.poc.it.dbi-services.com\nDNS.2 = alfresco1.it.dbi-services.com\nDNS.3 = alfresco2.it.dbi-services.com\n&#x5B;morgan@srv01 ssl]$\n&#x5B;morgan@srv01 ssl]$ ls -l\ntotal 4\n-rwxr-x---. 1 morgan users 1624 Nov 23 13:35 create-cert.sh\n&#x5B;morgan@srv01 ssl]$\n<\/pre><\/div>\n\n\n<p>Since what we want is a Signing Certificate and not a WebServer SSL Certificate, we don&#8217;t need the CN (or the SAN) to be a HostName\/DNS, it can just be something that makes sense. There won&#8217;t be any hostname verification, the certificate will just be used by the AzureAD to sign the exchanges. Therefore, let&#8217;s create a config file and launch the script:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; highlight: [24,25,26,27,29,38,39,40,41,42,43,44]; title: ; notranslate\" title=\"\">\n&#x5B;morgan@srv01 ssl]$ echo &#039;\n&#x5B;req]\ndistinguished_name = dn\nx509_extensions = v3_req\nprompt = no\n\n&#x5B;dn]\nC = CH\nST = JU\nL = Delemont\nO = dbi services\nOU = IT\nCN = DEV_AzureAD_SAML2\n\n&#x5B;v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n&#x5B;alt_names]\nDNS.1 = DEV_AzureAD_SAML2\n&#039; &gt; req.conf\n&#x5B;morgan@srv01 ssl]$\n&#x5B;morgan@srv01 ssl]$ ls -l\ntotal 8\n-rwxr-x---. 1 morgan users 1624 Nov 23 13:35 create-cert.sh\n-rw-------. 1 morgan users  303 Nov 23 13:38 req.conf\n&#x5B;morgan@srv01 ssl]$\n&#x5B;morgan@srv01 ssl]$ .\/create-cert.sh\nGenerating a RSA private key\n.......................++++\n....................................................++++\nwriting new private key to &#039;$HOME\/ssl\/DEV_AzureAD_SAML2.key&#039;\n-----\nEnter Export Password:\nVerifying - Enter Export Password:\n&#x5B;morgan@srv01 ssl]$\n&#x5B;morgan@srv01 ssl]$ ls -l\ntotal 24\n-rwxr-x---. 1 morgan users 1624 Nov 23 13:35 create-cert.sh\n-rw-------. 1 morgan users 2025 Nov 23 13:38 DEV_AzureAD_SAML2.crt\n-rw-------. 
1 morgan users 3272 Nov 23 13:38 DEV_AzureAD_SAML2.key\n-rw-------. 1 morgan users 4205 Nov 23 13:39 DEV_AzureAD_SAML2.pfx\n-rw-------. 1 morgan users  303 Nov 23 13:38 req.conf\n&#x5B;morgan@srv01 ssl]$\n&#x5B;morgan@srv01 ssl]$ # Don&#039;t need the .key or .crt for SAML2, so removing these files\n&#x5B;morgan@srv01 ssl]$ rm DEV_AzureAD_SAML2.crt DEV_AzureAD_SAML2.key\n&#x5B;morgan@srv01 ssl]$\n<\/pre><\/div>\n\n\n<p>The PFX creation command will request a password, as you can see at the prompt, so the PFX and its password need to be shared with the AzureAD SAML2 team so that they can update whatever app they need with this newly generated PFX. In the end, this PFX creation can be automated rather easily so that it refreshes your needed Service Provider(s) with the certificate to decrypt the SAML2 communication and the alignment on the AzureAD side will be required to make sure both sides can communicate together.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As you know, Azure Active Directory offers quite a big range of solutions for Single Sign-On (SSO) with out-of-the-box capabilities and features that are quite good. 
But once the initial setup has been done, you will then need to manage all the applications that were on-boarded into it and that can spice things up, especially [&hellip;]<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3271,525],"tags":[1338,2638,1149,3202,3203,1229,3201,445],"type_dbi":[],"class_list":["post-29791","post","type-post","status-publish","format-standard","hentry","category-azure","category-enterprise-content-management","tag-azure","tag-azuread","tag-certificate","tag-oauth2","tag-openid-connect","tag-saml2","tag-single-sign-on","tag-sso"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>HowTo - Generate a custom AzureAD SSO Certificate - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HowTo - Generate a custom AzureAD SSO Certificate\" \/>\n<meta property=\"og:description\" content=\"As you know, Azure Active Directory offers quite a big range of solution for Single Sign-On (SSO) with out-of-the-box capabilities and features that are quite good. 
But once the initial setup has been done, you will then need to manage all the applications that were on-boarded into it and that can spice things up, especially [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-15T15:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-10T13:40:12+00:00\" \/>\n<meta name=\"author\" content=\"Morgan Patou\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@MorganPatou\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Morgan Patou\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/\"},\"author\":{\"name\":\"Morgan Patou\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"headline\":\"HowTo &#8211; Generate a custom AzureAD SSO Certificate\",\"datePublished\":\"2023-12-15T15:00:00+00:00\",\"dateModified\":\"2024-09-10T13:40:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/\"},\"wordCount\":814,\"commentCount\":0,\"keywords\":[\"Azure\",\"AzureAD\",\"Certificate\",\"OAUTH2\",\"OpenID Connect\",\"SAML2\",\"Single Sign On\",\"SSO\"],\"articleSection\":[\"Azure\",\"Enterprise content 
management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/\",\"name\":\"HowTo - Generate a custom AzureAD SSO Certificate - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2023-12-15T15:00:00+00:00\",\"dateModified\":\"2024-09-10T13:40:12+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HowTo &#8211; Generate a custom AzureAD SSO Certificate\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi 
Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\",\"name\":\"Morgan Patou\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"caption\":\"Morgan Patou\"},\"description\":\"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex &amp; critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. 
His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.\",\"sameAs\":[\"https:\/\/blog.dbi-services.com\/author\/morgan-patou\/\",\"https:\/\/x.com\/MorganPatou\"],\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"HowTo - Generate a custom AzureAD SSO Certificate - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/","og_locale":"en_US","og_type":"article","og_title":"HowTo - Generate a custom AzureAD SSO Certificate","og_description":"As you know, Azure Active Directory offers quite a big range of solution for Single Sign-On (SSO) with out-of-the-box capabilities and features that are quite good. But once the initial setup has been done, you will then need to manage all the applications that were on-boarded into it and that can spice things up, especially [&hellip;]","og_url":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/","og_site_name":"dbi Blog","article_published_time":"2023-12-15T15:00:00+00:00","article_modified_time":"2024-09-10T13:40:12+00:00","author":"Morgan Patou","twitter_card":"summary_large_image","twitter_creator":"@MorganPatou","twitter_misc":{"Written by":"Morgan Patou","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/"},"author":{"name":"Morgan Patou","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"headline":"HowTo &#8211; Generate a custom AzureAD SSO Certificate","datePublished":"2023-12-15T15:00:00+00:00","dateModified":"2024-09-10T13:40:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/"},"wordCount":814,"commentCount":0,"keywords":["Azure","AzureAD","Certificate","OAUTH2","OpenID Connect","SAML2","Single Sign On","SSO"],"articleSection":["Azure","Enterprise content management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/","url":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/","name":"HowTo - Generate a custom AzureAD SSO Certificate - dbi 
Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2023-12-15T15:00:00+00:00","dateModified":"2024-09-10T13:40:12+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/howto-generate-a-custom-azuread-sso-certificate\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"HowTo &#8211; Generate a custom AzureAD SSO Certificate"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8","name":"Morgan Patou","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","caption":"Morgan Patou"},"description":"Morgan Patou has over 12 years of 
experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex &amp; critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical 
industry.","sameAs":["https:\/\/blog.dbi-services.com\/author\/morgan-patou\/","https:\/\/x.com\/MorganPatou"],"url":"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/29791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=29791"}],"version-history":[{"count":2,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/29791\/revisions"}],"predecessor-version":[{"id":29793,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/29791\/revisions\/29793"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=29791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=29791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=29791"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=29791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}