SAML Integration using SimpleSAMLphp for ADFS

Transcription

1 SAML Integration using SimpleSAMLphp for ADFS For the authentication of users, you can use SAML integration in Jedox Web. Security Assertion Markup Language (SAML) is an XML-based, openstandard data format for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. The SAML integration in Jedox uses SimpleSAMLphp for Active Directory Federation Services (ADFS). Setup includes the following steps: Installation Exchange Metadata Create a service provider configuration in SimpleSAMLphp Create the Relying Party Trust in ADFS 2012R2 5. Jedox customization

2 1 Installation First, install Jedox (we recommend using the standard paths). Download SimpleSAMLphp here: Extract it into the docroot directory (/opt/jedox/ps/htdocs/app/docroot) and rename it simplesaml. Note: if you change the name to something else, you ll need to keep that in mind when changing the other files. Open /config/config.php and 1. update baseurlpath to point from the web root to the www folder, e.g change adminpassword to something else (it won t let you keep the default). 5. Generate a certificate and add it to config/authsources.php as explained in section 1 of the following document: 6. Point your browser to whatever you set as the base URL above (e.g. localhost/simplesaml/www/) and you should see the SimpleSAMLphp installation page.

3 2 Exchange Metadata Open a browser and navigate to the FederationMetadata.xml location at ata.xml, where you ll be prompted to save the file to disk. Open the file and copy its contents to the clipboard. Browse to our web application s installation of SimpleSAMLphp. Navigate to the Federation tab and click on XML to simplesamlphp metadata converter: Paste the contents of the file FederationMetadata.xml into the XML metadata field and click the Parse button:

4 The page will return two sets of data. For our purposes, the first set, saml20-sp-remote, can be ignored, since we are not using SimpleSAMLphp as an identity provider (that s ADFS job). Scroll to saml20-idp-remote and copy the contents of this field to the clipboard. Browse to the installation of SimpleSAMLphp in the Jedox installation and open the metadata folder. Open the file saml20-idp-remote.php in your preferred text editor. Paste the converted metadata at the bottom of the file and then save it:

5 3 Create a service provider configuration in SimpleSAMLphp Navigate to your SimpleSAMLphp installation folder in Jedox and open the config folder. Open the file authsources.php in your preferred text editor. Here we will create a service provider configuration that uses our ADFS server. The name of your SP is your choice. In this example, it s called jedoxsp:

6 The image above shows how the code looks inside the authsources.php file. Note that the SP code defines the actions sign.logout, redirect.sign, and assertion.encryption, meaning that we need a certificate and key to sign and encrypt these communications. We already did that with step 4 in the installation steps. The final declaration enforces the best-practice use of SHA-256.

7 4 Create the Relying Party Trust in ADFS 2012R2 Now that the service provider configuration is complete, SimpleSAMLphp creates the SAML 2.0 SP metadata that we can use to import into ADFS. First you ll need to add the certificate from your SAML environment to your Trusted Root Certification Authorities:

8 Navigate to the web application s SimpleSAML application and click the Federation tab. In this example, we are using jedox-sp. If you want to see the metadata, click the Show metadata link, but before you do, copy the Entity ID: URL. We need to give this URL to ADFS when we configure the Relying Party Trust. On your ADFS server, open the ADFS Management console, expand Trust Relationships, and select the Relying Party

9 Trusts node. In the Actions pane, click Add Relying Party Trust. Click Start, then paste the Entity ID URL into to the Federation Metadata address field and click Next: Click OK at the warning screen:

10 Click your way through the wizard until you reach the Ready To Add Trust page. Here you ll want to review the numerous tabs; check that the Encryption and Signature tabs have certificates associated with them. Click Next and the sso.lewisroberts.com Relying Party Trust is added: Select the Relying Party Trust we ve just added and then click Edit Claim Rules

11 Add an Issuance Transform Rule based on the Send LDAP Attributes as Claims template. Select at least UPN; Whatever else you select here is your choice, but add another attribute, such as mail or uid (depends on what you re using as username, in normal cases you use the uid. This is important for the next steps.):

12 Add another Issuance Transform Rule, but this time based on the Transform an Incoming Claim template. This one is important and is required to allow SimpleSAMLphp to talk with ADFS:

13 Once configured, you should have two Issuance Transform Rules that appear as follows:

14 5 Jedox customization Add in /opt/jedox/ps/htdocs/app/docroot these two files: saml_logged_out.php and saml_logout.php.

15 saml_logged_out.php <?php require_once '../base/rtn/uri.php'; require_once 'simplesaml/lib/_autoload.php'; try { if ($_REQUEST['LogoutState']) { $state = SimpleSAML_Auth_State::loadState((string)$_REQU EST['LogoutState'], 'MyLogoutState'); else { echo "Were you logged in?"; exit; catch (Exception $e) { echo 'Caught exception: ', $e->getmessage(), "\n"; exit; $ls = $state['saml:sp:logoutstatus']; // Only works for SAML SP if ($ls['code'] === 'urn:oasis:names:tc:saml:2.0:status:success' &&!isset($ls['subcode'])) { // Successful logout. //echo('you have been logged out.');

16 setcookie('samlout', 'true', 0, '/ui/login/', '', false, true); header('location: '. uri::authority(). '/ui/login/'); die; else { // Logout failed. Tell the user to close the browser. echo("we were unable to log you out of all your sessions. To be completely sure that you are logged out, you need to close your web browser."); saml_logout.php <?php require_once '../base/rtn/uri.php'; require_once 'simplesaml/lib/_autoload.php'; $as = new SimpleSAML_Auth_Simple('jedox-sp'); $as->logout(array( 'ReturnTo' => uri::authority(). '/saml_logged_out.php', 'ReturnStateParam' => 'LogoutState', 'ReturnStateStage' => 'MyLogoutState',

17 )); Replace in /opt/jedox/ps/htdocs/app/docroot/ui/login the file index.php with the new created index.php. IMPORTANT! Here you ll need to change the uid to whatever you ve named the attribute in your Claim Rule (see previouse steps). If you named it uid, you can use the script as it is, otherwise check the saml login part. index.php This needs to be added to the index.php. This is an example how you could realize the SAML negotiation and return username and password to SupervisionServer. For $pass = <AUTH_TOKEN>; you can decide what kind of information you d like to use for the check. In this case it s returned as password. // saml login if(!isset($_get['user'])) { if (isset($_cookie['samlout'])) { setcookie('samlout', '', EXPIRE, '/ui/login/', '', false, true); elseif(!defined('logged_out'))

18 { require_once '../../simplesaml/lib/_autoload.php'; $as = new SimpleSAML_Auth_Simple('jedox-sp'); $as->requireauth(); $attributes = $as->getattributes(); if(!empty($attributes['uid'][0])) { $user = $attributes['uid'][0]; $pass = <AUTH_TOKEN>; header('location: '. uri::authority(). '/ui/login/?user='.$user.'&pass='.$pass); die(); else { header('location: '. uri::authority(). '/saml_logout.php'); die; Add the following entries to /opt/jedox/ps/data/palo.ini: worker /svs-linux-x86_64/supervisionserver workerlogin authorization

19 Change the file /opt/jedox/ps/svs-linuxx86_64/supervisionserver/sep.inc.php to point to the needed PHP script. For example: <?php include './custom_scripts/sep.inc.saml.php';?> Use the OnUserAuthenticate function (instead of the standard function for the Supervision Server) to check and allow access to Jedox. This is an example Script with a check if the user exists. You ll need to add some code for a check and return true. public function OnUserAuthenticate($username, $password) { // bool if(empty($username)){ sep_log("<<!! Exception: No user from Federation Server returned. Username: $username!!>>"); return false; $does_user_exist_in_olap = palo_subsetsize('supervisionserver/system', "#_USER_",1,NULL,NULL, palo_tfilter(array("$username"),false),null,nul L,NULL); if($does_user_exist_in_olap == 0){ sep_log("<<!! Exception: User is not in

20 OLAP. Username: $username!!>>"); return false; // ADD check for AUTH_TOKEN verification.