December 11, 2013 | Posted in: tools

All the puzzles behind how to set up and configure ADFS and OpenAM integration, covered

While delivering a recent enterprise project, the team at ensarm solutions scratched their heads for a few days trying to integrate with ADFS for user authentication. Realizing what a serious mess it can be, we decided to publish our experience and the steps we took, to help fellow developers.

Kindly follow the steps below at your own risk :). Feel free to contact us if you have any questions; we will do our best to get back to you as soon as possible. Kindly provide verifiable contact information along with a descriptive message if you really want us to respond.

=====================================================

OpenAM + Fedlet + ADFS setup

The following steps were performed while setting up the Fedlet and ADFS federation test:

1. We deployed the OpenAM 9 WAR in Tomcat on the machine with IP 10.10.10.150 (Machine A). This Tomcat has SSL enabled.

2. We completed all the necessary OpenAM configuration and created sp.xml and sp-extend.xml for OpenAM using the sso-admin tool.

3. Once the configuration is done and all necessary OpenAM certificates are added to Tomcat and Java, we:

a. Log in to the OpenAM application and create the hosted identity provider using idp.xml (how it is generated is explained below; **in this case idp.xml is the file obtained from our local ADFS during its setup**) and a dummy idp-extend.xml created by us and containing only the name of the circle of trust.

b. Once the hosted identity provider is created, OpenAM offers several options, one of which is creating a Fedlet. Using this we create a Fedlet and set its URL so that it is deployed on the same Tomcat where OpenAM is set up, since we need the Fedlet URL to be secure (this is what we did in our case; otherwise it can be deployed anywhere). Our Fedlet access link is https://10.10.10.150/fedlet.

4. On the ADFS server machine we set up ADFS, and during its setup we also obtained a federation metadata file containing a lot of information; from it, while creating the hosted identity provider, I created the dummy file with only the SP- and IdP-related tags.

(We call this ADFS server Machine B.)

5. The Fedlet is added as a relying party in the ADFS console using the sp.xml found in the Fedlet WAR's conf directory, and the secure hash algorithm is set to SHA-1.

What we then did:

1. When we access the Fedlet URL from Machine B it opens the Fedlet index page, which has two links: one to initiate SSO login using POST and the other using Artifact.

2. When we click the POST link it redirects us to the ADFS login page, where we provide the login credentials. After entering correct credentials it redirects us back to the Fedlet application page, but with an invalid response: the Fedlet throws a 500 exception saying the response is invalid. When we decode the response we get something like this:

  <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
      </samlp:StatusCode>
  </samlp:Status>

and what we want:

<saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
</saml2p:Status>
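The two status blocks above differ only in prefix (samlp vs saml2p); what decides the outcome is the nested StatusCode, and what decides that is the NameID the IdP issues. As an added example, not code from the original post or from OpenAM/Fedlet, this Python helper decodes a SAMLResponse form value and reports the status chain plus the Format and SPNameQualifier of the assertion's NameID, which is exactly what the ADFS claim rules further down have to get right. The sample responses are constructed, not captured traffic.

```python
import base64
from xml.etree import ElementTree as ET

# ADFS writes samlp:, OpenAM saml2p:; ElementTree matches on the URI, not the prefix.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
INVALID_NAMEID = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

def status_codes(xml_text):
    """Chain of StatusCode values, outermost first (the cause is the inner one)."""
    root = ET.fromstring(xml_text)
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)  # nested second-level code
    return codes

def name_id(xml_text):
    """(Format, SPNameQualifier) of the assertion's NameID, or (None, None)
    when there is none (failed response, or an EncryptedAssertion)."""
    nid = ET.fromstring(xml_text).find(".//saml:Subject/saml:NameID", NS)
    return (None, None) if nid is None else (nid.get("Format"), nid.get("SPNameQualifier"))

def diagnose(saml_response_b64):
    """Decode the SAMLResponse form field and summarise it. Reads status and
    NameID only; signature verification stays with the Fedlet."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    codes = status_codes(xml_text)
    verdict = "success" if codes[:1] == [SUCCESS] else "failed: " + " / ".join(codes)
    return (verdict,) + name_id(xml_text)

# Constructed samples, not captured traffic: the failure from the post, and the
# response the claim rules below produce (transient NameID, SPNameQualifier fedlet).
FAILED = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" '
          'Version="2.0"><samlp:Status><samlp:StatusCode Value="' + REQUESTER + '">'
          '<samlp:StatusCode Value="' + INVALID_NAMEID + '"/></samlp:StatusCode>'
          '</samlp:Status></samlp:Response>')
OK = ('<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
      'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">'
      '<saml2p:Status><saml2p:StatusCode Value="' + SUCCESS + '"/></saml2p:Status>'
      '<saml2:Assertion ID="_a1" Version="2.0"><saml2:Subject><saml2:NameID '
      'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="fedlet">'
      '_t1</saml2:NameID></saml2:Subject></saml2:Assertion></saml2p:Response>')
FAILED_B64 = base64.b64encode(FAILED.encode()).decode()
OK_B64 = base64.b64encode(OK.encode()).decode()

if __name__ == "__main__":
    print(diagnose(FAILED_B64))   # the InvalidNameIDPolicy case from the post
    print(diagnose(OK_B64))
```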

Note: the links below are provided only as examples and are not expected to work.

https://win2k8.yourlink.com:8443/FederationMetadata/2007-06/FederationMetadata.xml

Just open the URL in any browser and you will get the file.

Finally, the Fedlet and ADFS integration works:

Following are the steps performed:

*** For OpenAM setup ***

1. Use OpenAM 9.0 and deploy it on the local Tomcat.

2. Perform the basic configuration for the OpenAM setup:

a. Provide the password: amadmin1

b. Provide a directory path where all the configuration and related data will be stored.

c. Provide these values on the next screen:

   dc=ensarm,dc=com

d. Use the default data store provided by OpenAM.

e. Select the "No" option on the next screen.

f. Now the configuration will be created.

3. Once OpenAM is set up you can access it at: https://server.yourlink.com/openam/

*** For ADFS setup ***

1. Do the ADFS setup first, following the ADFS documentation.

2. To obtain the federation metadata, use this URL (this file will be idp.xml):

https://win2k8.yourlink.com:8443/FederationMetadata/2007-06/FederationMetadata.xml

3. Then edit this file and remove all the content under these tags: ds:Signature, RoleDescriptor, SPSSODescriptor.

4. The content of this file will then look something like this:

<EntityDescriptor ID="_084a9712-83f3-4c5f-be57-13b6d0b03b4b"
entityID="http://win2k8.yourlink.com/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>

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

</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>

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

</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://win2k8.yourlink.com:8443/adfs/services/trust/artifactresolution" index="0"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://win2k8.yourlink.com:8443/adfs/ls/"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://win2k8.yourlink.com:8443/adfs/ls/"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://win2k8.yourlink.com:8443/adfs/ls/"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://win2k8.yourlink.com:8443/adfs/ls/"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPN"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/CommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail Address"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPN"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Role"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication time stamp"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication method"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only group SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary group SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"/>
</IDPSSODescriptor>
<ContactPerson contactType="support"/>
</EntityDescriptor>

5. I created a dummy idp-extended.xml file, whose contents are as below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityConfig entityID="http://win2k8.yourlink.com/adfs/services/trust" hosted="1" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
    <IDPSSOConfig metaAlias="/idp">
        <Attribute name="description">
            <Value/>
        </Attribute>
        <Attribute name="signingCertAlias">
            <Value>idp_ts</Value>
        </Attribute>
        <Attribute name="encryptionCertAlias">
            <Value>idp_te</Value>
        </Attribute>
        <Attribute name="basicAuthOn">
            <Value>false</Value>
        </Attribute>
        <Attribute name="basicAuthUser">
            <Value/>
        </Attribute>
        <Attribute name="basicAuthPassword">
            <Value/>
        </Attribute>
        <Attribute name="autofedEnabled">
            <Value>false</Value>
        </Attribute>
        <Attribute name="autofedAttribute">
            <Value/>
        </Attribute>
        <Attribute name="assertionEffectiveTime">
            <Value>600</Value>
        </Attribute>
        <Attribute name="idpAuthncontextMapper">
            <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
        </Attribute>
        <Attribute name="idpAuthncontextClassrefMapping">
            <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
        </Attribute>
        <Attribute name="idpAccountMapper">
            <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
        </Attribute>
        <Attribute name="idpAttributeMapper">
            <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
        </Attribute>
        <Attribute name="assertionIDRequestMapper">
            <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
        </Attribute>
        <Attribute name="nameIDFormatMap">
            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
            <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
        </Attribute>
        <Attribute name="idpECPSessionMapper">
            <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
        </Attribute>
        <Attribute name="attributeMap"/>
        <Attribute name="wantNameIDEncrypted">
            <Value/>
        </Attribute>
        <Attribute name="wantArtifactResolveSigned">
            <Value/>
        </Attribute>
        <Attribute name="wantLogoutRequestSigned">
            <Value/>
        </Attribute>
        <Attribute name="wantLogoutResponseSigned">
            <Value/>
        </Attribute>
        <Attribute name="wantMNIRequestSigned">
            <Value/>
        </Attribute>
        <Attribute name="wantMNIResponseSigned">
            <Value/>
        </Attribute>
        <Attribute name="cotlist">
            <Value>mycot</Value>
        </Attribute>
        <Attribute name="discoveryBootstrappingEnabled">
            <Value>false</Value>
        </Attribute>
        <Attribute name="assertionCacheEnabled">
            <Value>false</Value>
        </Attribute>
        <Attribute name="assertionNotBeforeTimeSkew">
            <Value>600</Value>
        </Attribute>
        <Attribute name="saeAppSecretList"/>
        <Attribute name="AuthUrl">
            <Value/>
        </Attribute>
        <Attribute name="appLogoutUrl">
            <Value/>
        </Attribute>
        <Attribute name="idpSessionSyncEnabled">
            <Value>false</Value>
        </Attribute>
        <Attribute name="relayStateUrlList"/>
    </IDPSSOConfig>
</EntityConfig>
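Step 3 of the ADFS setup above (removing ds:Signature, RoleDescriptor and SPSSODescriptor from FederationMetadata.xml to get idp.xml) can be scripted instead of hand-edited. This is an added example, not part of the original post or of any OpenAM or ADFS tooling; the sample metadata is a constructed stand-in for the real file. Because the ds:Signature is dropped, the resulting idp.xml is unsigned and is only as trustworthy as the TLS fetch from the ADFS host it was built from; the KeyDescriptor certificates it keeps are what the Fedlet will trust for ADFS signatures.

```python
from xml.etree import ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Children of EntityDescriptor the post says to remove; what remains is the
# IDPSSODescriptor (and ContactPerson) that OpenAM needs for the hosted IdP.
DROP = {"{%s}Signature" % DS, "{%s}RoleDescriptor" % MD, "{%s}SPSSODescriptor" % MD}

def strip_to_idp_metadata(metadata_xml):
    """Return (idp_xml, removed_tag_names). Dropping the signature leaves the
    file unsigned, so only build it from a copy fetched over TLS from ADFS."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    removed = []
    for child in list(root):            # copy: the tree is mutated in the loop
        if child.tag in DROP:
            root.remove(child)
            removed.append(child.tag.split("}")[1])
    if root.find("{%s}IDPSSODescriptor" % MD) is None:
        raise ValueError("no IDPSSODescriptor left; this metadata is not an IdP")
    ET.register_namespace("", MD)       # keep the default namespace as in ADFS output
    ET.register_namespace("ds", DS)
    return ET.tostring(root, encoding="unicode"), removed

def idp_key_uses(idp_xml):
    """'use' of each KeyDescriptor kept: the ADFS certificates the Fedlet will
    verify signatures against ('signing') and encrypt to ('encryption')."""
    root = ET.fromstring(idp_xml)
    return [kd.get("use") for kd in root.iter("{%s}KeyDescriptor" % MD)]

# Constructed stand-in for FederationMetadata.xml (the real file carries full
# certificates, several RoleDescriptor elements and the Attribute list).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0"
  entityID="http://win2k8.yourlink.com/adfs/services/trust">
  <ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <RoleDescriptor protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2005/02/trust"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB-constructed-enc</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB-constructed-sig</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://win2k8.yourlink.com:8443/adfs/ls/"/>
  </IDPSSODescriptor>
  <ContactPerson contactType="support"/>
</EntityDescriptor>"""

if __name__ == "__main__":
    idp_xml, removed = strip_to_idp_metadata(SAMPLE)
    print(removed, idp_key_uses(idp_xml))
```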

Once this basic configuration is created you can move on with these steps:

1. Log in to OpenAM at https://server.yourlink.com/openam/UI/Login using the username amadmin and the password amadmin1.

2. Click on Common Tasks ⇒ Create Hosted Identity Provider, and create the provider using the above idp.xml and idp-extended.xml, naming the circle of trust "mycot". Note: select realm ⇒ test.

3. Once the provider is created, create the Fedlet, setting the provider created above as the IdP, giving it the name "fedlet", and providing the "Destination URL of the Service Provider which will include the Fedlet": the URL we are going to use to access the Fedlet. For me it is https://openam.yourlink.com/fedlet/

4. Then provide the following three attribute mappings:

CommonName=cn, GivenName=sn, and UserStatus=inetUserStatus.

Now create the Fedlet.

5. The Fedlet will now be created in the F:/openam_443/myFedlet directory (F:/openam_443 being the OpenAM configuration directory).

6. Unzip Fedlet.zip, which contains two files: fedlet.war and a readme file.

7. Deploy this fedlet.war on the Tomcat of your choice. I deployed it on the Tomcat where I have OpenAM.

*** Setup at the Fedlet ***

1. Start Tomcat and access the Fedlet from a browser at https://openam.yourlink.com/fedlet/

2. Create the Fedlet configuration directory or use the default location.

Now some important steps:

3. In the OpenAM directory F:\openam_443\openam you will find three files: keystore.jks, .keypass and .storepass. Copy these files into the Fedlet configuration directory (not the WAR's conf directory).

4. Once done, open the keystore file: it will contain only the "test" alias, and the password will be "changeit".

*** Setup at ADFS ***

1. Add the Fedlet as a relying party using the sp.xml present in the Fedlet's conf directory.

2. Give a display name ⇒ permit all users ⇒ Next ⇒ Finish.

3. Add the following claim rules:

a. Add Rule ⇒ Transform an Incoming Claim ⇒ incoming claim type: Name ID ⇒ claim format: Transient Identifier ⇒ outgoing claim type: E-Mail Address

b. Send Claims Using a Custom Rule, and add this rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
         Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
         Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
         Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "fedlet");

4. Double-click the Fedlet relying party and, in the Advanced tab, select SHA-1.

From the same ADFS snap-in, under the Certificates tab, export the signing and encryption certificates. Once done, import these certificates into the Fedlet's keystore.

Restart Tomcat and ADFS and start accessing the link.