SAML with ADFS Setup Guide
Version 1.0
Corresponding Software Version: 4.2

This document is copyright of the Celonis SE. Distribution or reproduction is only permitted with written approval of the Celonis SE. Usage is only permitted if a valid software license is available.
Index

Notes 3
Set up your config values 3
Set up your certificates 4
Retrieve SAML Meta Data from your Identity Provider (ADFS) 5
Generate Meta Data from your Celonis Server 6
Register your service as a relying party in ADFS 6
Configure additional attributes 11
Test your setup 16

2017 Celonis SE SAML with ADFS Setup Guide 2
Notes

This guide describes the setup of SAML for use in Celonis. If you set up ADFS from scratch, make sure to install ADFS Version 2.0; older ADFS versions do not yet have SAML support built in. For reference, please refer to https://technet.microsoft.com/de-de/library/dd807092(v=ws.10)

Set up your config values

You set up SAML for Celonis by adding the following lines to your custom-config.properties file. The following configuration options are available when using SAML with Celonis:

    # SAML Configuration
    # ------------------
    # To enable SAML based authentication, set active to true
    saml.active=true
    # The SAML claim attribute which contains a list of groups of the authenticated user
    saml.claims.groups=http://schemas.xmlsoap.org/claims/group
    # The SAML claim attribute which contains the first name of the user
    saml.claims.firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    # The SAML claim attribute which contains the last name of the user
    saml.claims.lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    # The SAML claim attribute which contains the email address of the user
    saml.claims.emailaddress=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    # Set to true to automatically create all groups the user is mapped to
    saml.groups.autocreate=false
    # Set to true to automatically assign all groups the user is mapped to.
    # When using autocreate, this is automatically set to true
    saml.groups.autoassign=false
    # Set to true to automatically create users when they log in
    saml.users.autocreate=false
    # Enter a group name which is required for users to be able to log in (and be created).
    # Note that all group names are Case Sensitive
    saml.users.requiredgroup=testgroup
    # Key store settings for SAML
    saml.keystore.path=e:/work/saml-example/samlkeystore.jks
    saml.keystore.password=somepw
    # The name of the key in the keystore to be used for encryption and signing
    saml.keystore.keyname=somekey
    saml.keystore.keypassword=somepw
    # SAML Entity configuration
    saml.entityid=de:celonis:pm:samldemo
    # SAML Metadata Configuration. Right now, Celonis only supports static metadata configuration.
    saml.metadatapath=e:/work/saml-example/federationmetadata.xml
The options which are mandatory and must be customized in any case are the keystore settings, the metadata path and the entity ID. The entity ID identifies your service to the ADFS server. The federation metadata is retrieved from your ADFS server and describes its service endpoints, including the certificates used for encryption and signing. Note that Celonis only supports local metadata right now; no HTTP-based metadata retrieval is implemented.

Set up your certificates

IMPORTANT: It is highly recommended to use the supplied keytool located in <sappminstalldir>/jre/bin/keytool

When using SAML, you need to generate certificates for your server. These certificates can either come from your enterprise certification authority or, for testing, you can use a self-signed certificate. For the application to be able to access these certificates, both the private key and the public key have to be available in a JKS keystore.

To generate a self-signed certificate, use the following command (note that the key has to be an RSA key):

    keytool -genkeypair -alias somekey -keyalg RSA -keysize 2048 -keypass somepw -keystore samlkeystore.jks

To import an existing certificate provided by a certification authority (e.g. in PFX format), use the following command:

    keytool -importkeystore -srckeystore key.p12 -srcstoretype PKCS12 -srcstorepass password \
        -alias some-alias -destkeystore samlkeystore.jks -destalias some-alias \
        -destkeypass changeit

The key alias, key password, keystore password and keystore file name you use here have to be entered in the saml.keystore.* entries of the config file.
This is the output of the certificate setup used in this guide.

Retrieve SAML Meta Data from your Identity Provider (ADFS)

In the next step, and before finishing the setup, we need to retrieve the SAML metadata from our identity provider. To retrieve it, open the following URL in a browser:

    https://myserver.domain.com/federationmetadata/2007-06/federationmetadata.xml

where myserver.domain.com is the ADFS server. In our example, ADFS is installed on testdc.test.celonis.corp, so the URL is https://testdc.test.celonis.corp/federationmetadata/2007-06/federationmetadata.xml

This file should be stored on the Celonis server and the configuration (saml.metadatapath) pointed to it. When all the paths are set correctly in the configuration, fire up the Celonis server. Note that the SAML setup is not done yet: the SAML metadata of the Celonis server still has to be generated and published in ADFS to establish the trust. Also note that the Celonis server should have SSL enabled for SAML to work correctly.
Generate Meta Data from your Celonis Server

You should start your Celonis server now. Monitor the log for exceptions. If the server comes up correctly, you should be able to open the URL https://localhost/cpm/saml/metadata, which will provide you with your server's SAML metadata. If you can't open this URL, please check that the paths are all set correctly and check the log for errors. For testing SSL, you can also deactivate SAML in the configuration.

A file celonis_saml_metadata.xml will be downloaded by the browser. This file contains the certificates of your Celonis service, your entity ID and some additional information. This file now has to be published and registered in ADFS.

Register your service as a relying party in ADFS

To register your service as a relying party, open the ADFS 2.0 Management Console. Click Add Relying Party Trust from the actions on the right.
Choose Import data about the relying party from a file and upload the metadata file generated earlier.
Name your party/service appropriately.
Choose who you want to be able to access the relying party (the Celonis Service). By default, everybody who can successfully authenticate will get access to the Celonis Service. Review and finish the wizard.
Configure additional attributes

You can configure additional attributes which will be auto-populated for the user account when automated user account creation is enabled. The following configuration will synchronize all AD groups of the user, as well as first name, last name and email. Click Add Rule and add a rule providing the Name ID as well as the additional information.
We choose Name ID as name. Add the following attributes:
The rule has been set up. Our Celonis Service is set up as a relying party now and we should be able to access the service with SSO.
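The claims this rule issues are consumed according to the saml.claims.*, saml.groups.* and saml.users.* settings from the configuration section, and two details there are easy to get wrong: the required group is matched case-sensitively, and saml.groups.autocreate=true implies autoassign. The following Python script is an added example of that documented behaviour, not Celonis code; the config excerpt and the assertion's AttributeStatement are constructed.

```python
# Added example (not Celonis code): how the saml.claims.*, saml.groups.* and saml.users.*
# settings act on the claims ADFS issues. Config excerpt and assertion are constructed.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
CONFIG = """# constructed excerpt of custom-config.properties
saml.claims.groups=http://schemas.xmlsoap.org/claims/group
saml.claims.firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
saml.claims.lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
saml.claims.emailaddress=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
saml.groups.autocreate=false
saml.groups.autoassign=false
saml.users.requiredgroup=testgroup
"""
# Constructed AttributeStatement, shaped like what the ADFS claim rule issues.
ASSERTION = f"""<Assertion xmlns="{NS}"><AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/claims/group">
<AttributeValue>Domain Users</AttributeValue><AttributeValue>TestGroup</AttributeValue></Attribute>
<Attribute Name="{CLAIM}givenname"><AttributeValue>Jane</AttributeValue></Attribute>
<Attribute Name="{CLAIM}surname"><AttributeValue>Doe</AttributeValue></Attribute>
<Attribute Name="{CLAIM}emailaddress"><AttributeValue>jane.doe@example.test</AttributeValue></Attribute>
</AttributeStatement></Assertion>"""

def parse_properties(text):
    """Minimal key=value reader; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def claims_from_assertion(xml_text):
    """Map each Attribute Name to the list of its AttributeValue strings."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.findall(f"{{{NS}}}AttributeValue")]
            for a in root.iter(f"{{{NS}}}Attribute")}

def evaluate_login(props, claims):
    """Apply the required-group gate, then the group create/assign switches."""
    groups = claims.get(props["saml.claims.groups"], [])
    required = props.get("saml.users.requiredgroup", "")
    if required and required not in groups:  # exact match: group names are case sensitive
        return {"allowed": False, "reason": f"user is not in required group {required!r}"}
    autocreate = props.get("saml.groups.autocreate") == "true"
    autoassign = autocreate or props.get("saml.groups.autoassign") == "true"  # autocreate implies autoassign
    profile = {k: (claims.get(props["saml.claims." + k]) or [""])[0] for k in ("firstname", "lastname", "emailaddress")}
    return {"allowed": True, "profile": profile,
            "create_groups": groups if autocreate else [], "assign_groups": groups if autoassign else []}
```

With the config as written, the user above is denied because "testgroup" does not equal the issued "TestGroup"; correcting the case admits the user, and only autocreate or autoassign causes the AD groups to be attached.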
Make sure the secure hash algorithm is set to SHA-256.

Test your setup

Restart your Celonis Service. Open your Celonis instance's root path (in our test case: https://localhost/cpm/).