SSO Authentication with ADFS SAML 2.0
Ephesoft Transact Documentation
www.ephesoft.com

Table of Contents
Configure Ephesoft Transact ........... 1
Configure ADFS Server ................. 3
Export Certificate from ADFS Server ... 7
Configure Ephesoft Transact

1) Configure the Tomcat server to run on HTTPS:
   http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

2) Configure SAML SSO in Ephesoft Transact:
   http://wiki.ephesoft.com/home/documentation/security-compliancesupport-saml-v2

3) Make the following changes in the applicationContextSecurity.xml file:

   a. In the ephesamlfilter bean, update the constructor argument values to match the claim names you configured in ADFS. The third constructor argument must be true to grant super-admin access; otherwise set it to false. If a claim rule for super admin is defined in ADFS, that claim name can be passed as an argument.

   b. In the metadataGeneratorFilter bean, set entityId to the value configured in ADFS.

   c. The metadata bean can be configured in one of two ways:

      i. Save the ADFS metadata to a file and place it in the EPHESOFT_HOME/application/WEB-INF/classes/security folder. Change the bean class to org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider and the constructor argument to classpath:security/<filename.xml>.

      ii. Use the ADFS metadata URL instead: modify the metadata bean to wrap an HTTPMetadataProvider in an ExtendedMetadataDelegate, and set metadataTrustCheck to false to skip signature validation of the downloaded metadata.

   d. Prior to version 4.5.0.0, Ephesoft Transact supported only SHA-1 as the signature algorithm and digest algorithm for SAML. From version 4.5.0.0, Transact uses SHA-256 for both by default, and SHA-256 is the recommended setting. If you need to change the signature algorithm and digest algorithm back to SHA-1, remove the signaturealgorithmuri and digestalgorithmuri properties from the bean of class com.ephesoft.dcma.saml.configuration.ephesoftsamlbootstrap.
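The two metadata bean variants from step 3.c, written out as an added illustrative fragment for applicationContextSecurity.xml (not copied from Ephesoft's shipped configuration). The parserPool bean id, the file name adfs_metadata.xml, the ADFS host name and the 5000 ms timeout are assumptions; keep only one of the two beans in a real file.

```xml
<!-- Added illustration. Assumes a "parserPool" bean is defined elsewhere in
     the context, as in the stock Spring Security SAML configuration. -->

<!-- Variant i: ADFS metadata saved under WEB-INF/classes/security/ -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
  <constructor-arg>
    <list>
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
          <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
              <!-- assumed file name; use the file you saved from ADFS -->
              <value type="java.io.File">classpath:security/adfs_metadata.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
          </bean>
        </constructor-arg>
        <constructor-arg>
          <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
        </constructor-arg>
      </bean>
    </list>
  </constructor-arg>
</bean>

<!-- Variant ii: fetch the metadata from the ADFS URL (host name assumed) -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
  <constructor-arg>
    <list>
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
          <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
            <constructor-arg>
              <value type="java.lang.String">https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
            </constructor-arg>
            <constructor-arg>
              <value type="int">5000</value> <!-- request timeout in ms, assumed -->
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
          </bean>
        </constructor-arg>
        <constructor-arg>
          <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
        </constructor-arg>
        <!-- Skips signature validation of the downloaded metadata, as in step 3.c.ii.
             With the check off, the HTTPS connection is what authenticates the metadata,
             so the URL must be https and the ADFS server certificate must be trusted. -->
        <property name="metadataTrustCheck" value="false"/>
      </bean>
    </list>
  </constructor-arg>
</bean>
```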
4) Import the ADFS certificate into Ephesoft Transact with the command below (the original had lost the option hyphens; -importcert, -alias, -keystore and -file are the keytool options):

   keytool.exe -importcert -alias adfssigning -keystore samlkeystore.jks -file adfscertificate.cer

   To export the certificate from ADFS, see the Export Certificate from ADFS Server section of this document.

5) In the web.xml file, update the logouturl parameter to https://<ip:port>/dcma/saml/logout

6) If authenticationtype=2 in the web.xml file (i.e., both authentication and authorization are done by the ADFS server) and no group is received from the ADFS server, the group used by default is the one defined by the default_group property in the application.properties file.

Configure ADFS Server

1) Download the Ephesoft Transact metadata from https://<ephesoft_ip:port>/dcma/saml/metadata.

2) In ADFS, right-click the Relying Party Trusts folder under ADFS\Trust Relationships and select Add Relying Party Trust.
3) Choose the "Import data about the relying party from a file" option and select the XML metadata saved in step 1.
4) Provide a display name, click Next (accepting the defaults), and click Finish.

5) The Edit Claim Rules dialog opens automatically. It can also be opened later by right-clicking the added relying party and selecting Edit Claim Rules. Add the following claim rules:

   a. NameId: sends the Name ID.
      i. Rule Name: NameId
      ii. Choose SAM-Account-Name as the LDAP attribute and Name ID as the outgoing claim type.

   b. FirstName: sends the name.
      i. Rule Name: FirstName
      ii. Choose SAM-Account-Name as the LDAP attribute and Name as the outgoing claim type.

   c. Group: sends group membership. Configure this rule as needed. For example, a user may be a member of many groups while the service provider expects only a particular group called Enterprise; sending every group would be irrelevant to the service provider. The two rules below define a filter for this scenario.

      i. The first rule retrieves all of the user's groups and adds them as incoming claims for the next rule, which processes its output. Name the rule "Get all groups user belongs" and define the custom rule as follows:
         c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
          => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokengroups;{0}", param = c.value);

      ii. Filtering groups: define a filter to restrict the groups sent in claims. Select the "Pass Through or Filter an Incoming Claim" template and name the rule "Filter Groups". In the field "Pass through all claims that start with a specific value", enter Enterprise.

   Note:
   1. The Group and Filter Groups claim rules only need to be configured if authenticationtype=2 in the web.xml file.
   2. If authenticationtype is 1 in the web.xml file (i.e., SSO authentication only), authorization is handled by Ephesoft Transact, and ADFS only needs to send the username as a claim.
   3. If ADFS returns multiple groups, Transact uses the first group value.

6) Open the Relying Party Trust by double-clicking it. On the Advanced tab, change Secure Hash Algorithm to SHA-1.
Export Certificate from ADFS Server

1) In ADFS, select the Certificates option under ADFS/Service.

2) Double-click the certificate to export. On the Details tab, click Copy to File and save the certificate to your file system in DER encoded format.
When accessing any Ephesoft Transact URL, the user is redirected to the ADFS login page.

On successful authentication, the user is redirected to the appropriate Ephesoft Transact page.