SAML Integration using SimpleSAMLphp for ADFS


For the authentication of users, you can use SAML integration in Jedox.

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. The SAML integration in Jedox uses SimpleSAMLphp for Active Directory Federation Services (ADFS).

Setup includes the following steps:

  1. Installation
  2. Exchange Metadata
  3. Create a service provider configuration in SimpleSAMLphp
  4. Create the Relying Party Trust in ADFS 2012R2
  5. Jedox customization


1  Installation

  1. First, install Jedox (we recommend using the standard paths).
  2. Download SimpleSAMLphp here: http://simplesamlphp.org/.
  3. Extract it into the docroot directory (/opt/jedox/ps/htdocs/app/docroot) and rename it to simplesaml.
    Note: if you change the name to something else, you’ll need to keep that in mind when changing the other files.
  4. Open /config/config.php and
    1. update baseurlpath to point from the web root to the www folder, e.g. https://yourserver/simplesaml/www/
    2. change adminpassword to something else (it won’t let you keep the default).
  5. Generate a certificate and add it to config/authsources.php as explained in section 1 of the following document: http://simplesamlphp.org/docs/stable/simplesamlphp-sp.
  6. Point your browser to whatever you set as the base URL above (e.g. localhost/simplesaml/www/) and you should see the SimpleSAMLphp installation page.


2  Exchange Metadata

Open a browser and navigate to the FederationMetadata.xml location at https://adfs_server_addr/FederationMetadata/2007-06/FederationMetadata.xml, where you’ll be prompted to save the file to disk.

Open the file and copy its contents to the clipboard.

Browse to the web application’s installation of SimpleSAMLphp. Navigate to the Federation tab and click on “XML to simpleSAMLphp metadata converter”:

Paste the contents of the file “FederationMetadata.xml” into the “XML metadata” field and click the Parse button:

The page will return two sets of data. For our purposes, the first set, saml20-sp-remote, can be ignored, since we are not using SimpleSAMLphp as an identity provider (that’s ADFS’ job). Scroll to saml20-idp-remote and copy the contents of this field to the clipboard.

Browse to the installation of SimpleSAMLphp in the Jedox installation and open the metadata folder. Open the file “saml20-idp-remote.php” in your preferred text editor. Paste the converted metadata at the bottom of the file and then save it:
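The converted metadata is what makes SimpleSAMLphp trust assertions from ADFS, so before going live it is worth confirming that the certificates you just pasted are the current ADFS token-signing certificate and not an expired or stale one. The following script is an added check, not part of the original steps: it reads saml20-idp-remote.php and prints, for every IdP entry, the entity ID plus the subject, validity period and SHA-1/SHA-256 fingerprints of each certificate, so you can compare them with the Token-signing certificate shown in the ADFS Management console. The file path assumes the standard install location from step 1; both the older certData form and the keys array written by the converter are handled.

```php
<?php
// Added check (not part of the original page): list the certificates that
// saml20-idp-remote.php tells SimpleSAMLphp to trust for ADFS.
// Assumed path from the standard installation in step 1; adjust if you
// renamed the simplesaml directory.
$metadataFile = '/opt/jedox/ps/htdocs/app/docroot/simplesaml/metadata/saml20-idp-remote.php';

// Returns array(entityID => array(base64 DER certificate, ...)).
function loadIdpCertificates($metadataFile)
{
    $metadata = array();
    require $metadataFile;          // the file assigns into $metadata[<entityID>]
    $result = array();
    foreach ($metadata as $entityId => $idp) {
        $certs = array();
        if (!empty($idp['certData'])) {                  // older single-certificate form
            $certs[] = $idp['certData'];
        }
        $keys = isset($idp['keys']) ? (array) $idp['keys'] : array();
        foreach ($keys as $key) {                        // form produced by the converter
            if (!empty($key['X509Certificate'])) {
                $certs[] = $key['X509Certificate'];
            }
        }
        $result[$entityId] = $certs;
    }
    return $result;
}

// Parses one base64 DER certificate and returns the fields worth comparing.
function describeCertificate($base64Der)
{
    $pem  = "-----BEGIN CERTIFICATE-----\n"
          . chunk_split(preg_replace('/\s+/', '', $base64Der), 64, "\n")
          . "-----END CERTIFICATE-----\n";
    $x509 = openssl_x509_read($pem);
    if ($x509 === false) {
        return null;
    }
    $info = openssl_x509_parse($x509);
    return array(
        'subject'    => isset($info['subject']['CN']) ? $info['subject']['CN'] : $info['name'],
        'valid_from' => date('Y-m-d', $info['validFrom_time_t']),
        'valid_to'   => date('Y-m-d', $info['validTo_time_t']),
        'expired'    => $info['validTo_time_t'] < time(),
        // The ADFS console shows SHA-1 thumbprints; SHA-256 is printed as well.
        'sha1'       => openssl_x509_fingerprint($x509, 'sha1'),
        'sha256'     => openssl_x509_fingerprint($x509, 'sha256'),
    );
}

foreach (loadIdpCertificates($metadataFile) as $entityId => $certs) {
    echo "IdP entity ID: $entityId\n";
    if (!$certs) {
        echo "  WARNING: no certificate found, signatures cannot be verified\n";
    }
    foreach ($certs as $cert) {
        $d = describeCertificate($cert);
        if ($d === null) {
            echo "  (unparseable certificate)\n";
            continue;
        }
        printf("  %s  valid %s to %s%s\n    SHA-1   %s\n    SHA-256 %s\n",
            $d['subject'], $d['valid_from'], $d['valid_to'],
            $d['expired'] ? '  EXPIRED' : '', $d['sha1'], $d['sha256']);
    }
}
```

Run it from the command line on the Jedox server (php on the script path). The fingerprints are printed as lowercase hex without separators, so strip the spaces from the thumbprint shown in the ADFS certificate dialog before comparing. Repeat the metadata exchange whenever ADFS rolls its token-signing certificate; an entry that reports EXPIRED will make every login fail with a signature error.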


3  Create a service provider configuration in SimpleSAMLphp

Navigate to your SimpleSAMLphp installation folder in Jedox and open the config folder. Open the file “authsources.php” in your preferred text editor. Here we will create a service provider configuration that uses our ADFS server.

The name of your SP is your choice. In this example, it’s called jedox-sp:

The image above shows how the code looks inside the authsources.php file.

Note that the SP code sets the options sign.logout, redirect.sign, and assertion.encryption, meaning that we need a certificate and key to sign and encrypt these communications. We already did that with step 4 in the installation steps.

The final declaration enforces the best-practice use of SHA-256 for signatures.
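Since the screenshot of authsources.php is not reproduced here, the following is an added example of a jedox-sp service provider block of the kind described above; it is not the page’s own screenshot. The host names (yourserver, adfs_server_addr), the certificate and key file names (saml.crt, saml.pem) and the ADFS entity ID are assumptions: the idp value must be the exact entity ID key that the converter wrote into metadata/saml20-idp-remote.php.

```php
<?php
// config/authsources.php (added example, not the page's screenshot).
// Assumptions: saml.crt / saml.pem are the certificate and key generated in
// the installation steps and stored in the cert/ directory; the idp value is
// the entity ID ADFS announces by default (http://<adfs-host>/adfs/services/trust)
// and must match the key used in metadata/saml20-idp-remote.php.
$config = array(

    // Login to the SimpleSAMLphp admin pages, using the adminpassword from config.php.
    'admin' => array(
        'core:AdminPassword',
    ),

    // The service provider that represents Jedox towards ADFS.
    'jedox-sp' => array(
        'saml:SP',

        // null = use the default entity ID, the metadata URL shown as
        // "Entity ID" on the Federation tab, which is what the Relying Party
        // Trust wizard consumes as the Federation Metadata address.
        'entityID' => null,

        // The identity provider to use (ADFS).
        'idp' => 'http://adfs_server_addr/adfs/services/trust',

        // Key pair from the installation steps, relative to the cert/ directory.
        'privatekey'  => 'saml.pem',
        'certificate' => 'saml.crt',

        // Sign our logout messages and redirect bindings, and require ADFS to
        // encrypt the assertion, so attributes cannot be read or logouts forged
        // by a third party sitting on the redirect path.
        'sign.logout'          => true,
        'redirect.sign'        => true,
        'assertion.encryption' => true,

        // Best practice: SHA-256 signatures instead of the SHA-1 default of older releases.
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ),
);
```

After saving, the Federation tab should list jedox-sp, and its metadata must show both an encryption and a signing certificate; that is what the Encryption and Signature tabs in the ADFS wizard are populated from in the next section.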


4  Create the Relying Party Trust in ADFS 2012R2

Now that the service provider configuration is complete, SimpleSAMLphp generates the SAML 2.0 SP metadata that we can import into ADFS.

First you’ll need to add the certificate from your SAML environment to your Trusted Root Certification Authorities:

Navigate to the web application’s SimpleSAML application and click the Federation tab. In this example, we are using jedox-sp.

If you want to see the metadata, click the Show metadata link, but before you do, copy the Entity ID: URL. We need to give this URL to ADFS when we configure the Relying Party Trust.

On your ADFS server, open the ADFS Management console, expand Trust Relationships, and select the Relying Party Trusts node. In the Actions pane, click Add Relying Party Trust….

Click Start, then paste the Entity ID URL into the Federation Metadata address field and click Next:

Click OK at the warning screen:

Click your way through the wizard until you reach the “Ready To Add Trust” page. Here you’ll want to review the numerous tabs; check that the Encryption and Signature tabs have certificates associated with them.

Click Next and the sso.lewisroberts.com “Relying Party Trust” is added:

Select the Relying Party Trust we’ve just added and then click Edit Claim Rules…

Add an Issuance Transform Rule based on the “Send LDAP Attributes as Claims” template. Select at least UPN. Whatever else you select here is your choice, but add another attribute, such as mail or uid, depending on what you use as the username (in normal cases, uid). This is important for the next steps:

Add another Issuance Transform Rule, but this time based on the “Transform an Incoming Claim” template. This one is important and is required to allow SimpleSAMLphp to talk with ADFS:

Once configured, you should have two Issuance Transform Rules that appear as follows:


5  Jedox customization

Add these two files in /opt/jedox/ps/htdocs/app/docroot: saml_logged_out.php and saml_logout.php.

saml_logged_out.php


saml_logout.php
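The contents of the two files are not reproduced on this page, so here is an added example of what they can look like; it is not the original pair of files. saml_logout.php ends the SimpleSAMLphp session and sends a LogoutRequest to ADFS (signed, because the SP configuration sets sign.logout), asking ADFS to return the browser to saml_logged_out.php, which is a plain landing page. Assumed: the simplesaml directory from step 1, the jedox-sp authsource from step 3, and yourserver as the host name used in baseurlpath.

```php
<?php
// ---- file: saml_logout.php (added example, not the original file) ----
// Assumptions: simplesaml directory from step 1, 'jedox-sp' authsource from
// step 3, and https://yourserver as the public host name of this server.
require_once '/opt/jedox/ps/htdocs/app/docroot/simplesaml/lib/_autoload.php';

// In SimpleSAMLphp 1.18 and later the class is \SimpleSAML\Auth\Simple.
$as = new SimpleSAML_Auth_Simple('jedox-sp');

if ($as->isAuthenticated()) {
    // Single logout: clears the local SAML session and redirects the browser
    // to ADFS with a signed LogoutRequest; ADFS sends it back to ReturnTo.
    // logout() never returns, it issues the redirect and exits.
    $as->logout(array(
        'ReturnTo' => 'https://yourserver/saml_logged_out.php',
    ));
}

// No SAML session to end: go straight to the landing page.
header('Location: /saml_logged_out.php');
exit;
?>
<?php
// ---- file: saml_logged_out.php (added example, not the original file) ----
// Landing page ADFS returns to once the logout has completed. Sending
// no-store keeps the browser from serving a cached, still-logged-in page.
header('Cache-Control: no-store');
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Logged out</title></head>
<body>
  <p>You have been logged out.</p>
  <p><a href="/ui/login/">Log in again</a></p>
</body>
</html>
```

The Jedox UI session has to be ended as well; this example only covers the SAML side, so call saml_logout.php from the place where the Jedox logout already happens rather than instead of it.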

Replace the file index.php in /opt/jedox/ps/htdocs/app/docroot/ui/login with the newly created index.php.

IMPORTANT!
Here you’ll need to change the uid to whatever you’ve named the attribute in your Claim Rule (see previous steps).
If you named it uid, you can use the script as it is; otherwise check the “saml login” part.

index.php

This needs to be added to index.php. It is an example of how you could realize the SAML negotiation and return a username and password to SupervisionServer.
For $pass = <AUTH_TOKEN>; you can decide what kind of information you’d like to use for the check.
In this case it’s returned as the password.
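As an added example of the “saml login” part (not the page’s index.php), the following authenticates the browser against ADFS through the jedox-sp authsource, reads the uid attribute and mints the <AUTH_TOKEN> that is handed to Jedox as the password. The token chosen here is an HMAC-SHA256 over the username and an expiry time under a secret shared only with the SupervisionServer script, so SupervisionServer can tell that the value was produced by this script for this user and is still fresh; the secret value, the 60-second lifetime and the simplesaml path are assumptions.

```php
<?php
// "saml login" part of index.php (added example, not the original file).
// Assumptions: simplesaml directory from step 1, 'jedox-sp' authsource from
// step 3, the outgoing claim named 'uid' from step 4, and a shared secret
// that the SupervisionServer script also knows.
require_once '/opt/jedox/ps/htdocs/app/docroot/simplesaml/lib/_autoload.php';

// Placeholder: replace with a long random value, and keep the real value in a
// file outside the web root that only the web server and SVS users can read.
define('SAML_TOKEN_SECRET', 'REPLACE-WITH-A-LONG-RANDOM-SECRET');
define('SAML_TOKEN_TTL', 60);   // seconds a freshly minted token stays valid

// In SimpleSAMLphp 1.18 and later the class is \SimpleSAML\Auth\Simple.
$as = new SimpleSAML_Auth_Simple('jedox-sp');
$as->requireAuth();             // redirects to ADFS when there is no SAML session yet
$attributes = $as->getAttributes();

// 'uid' must be the outgoing claim name chosen in the ADFS claim rule.
if (empty($attributes['uid'][0])) {
    http_response_code(403);
    exit('SAML assertion did not contain the uid attribute');
}
$user = $attributes['uid'][0];

// Mint the AUTH_TOKEN: "<expires>:<hmac>", bound to the user and time-limited,
// so it cannot be replayed later or reused for a different account.
$expires = time() + SAML_TOKEN_TTL;
$mac     = hash_hmac('sha256', $user . '|' . $expires, SAML_TOKEN_SECRET);
$pass    = $expires . ':' . $mac;   // returned to Jedox as the "password"

// The remainder of index.php performs the normal Jedox login with $user and $pass;
// SupervisionServer verifies $pass in OnUserAuthenticate.
```

Because the token is only meaningful to SupervisionServer, a leaked value gives an attacker nothing after the TTL elapses, and nothing for another user even before that; keep the TTL short, since it only has to cover the hand-off from this page to the Jedox login.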

Add the following entries to /opt/jedox/ps/Data/palo.ini:

  • worker /svs-Linux-x86_64/SupervisionServer
  • workerlogin authorization

Change the file /opt/jedox/ps/svs-Linux-x86_64/SupervisionServer/sep.inc.php to point to the needed PHP script. For example:

Use the OnUserAuthenticate function (instead of the standard function for the Supervision Server) to check and allow access to Jedox.
The following is an example script that checks whether the user exists.
You’ll need to add your own check logic and return true when it passes.
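The script itself is not reproduced on this page. As an added example (not Jedox’s shipped script), the following implements OnUserAuthenticate as the counterpart of an index.php that passes an HMAC token of the form <expires>:<hmac-sha256-hex> as the password: it rejects malformed, expired or forged tokens before any user lookup takes place. The shared secret must be the same value that index.php uses; the parameter names and the user-existence hook are assumptions, and the existence check itself is left where the page’s own example performs it.

```php
<?php
// Script referenced from sep.inc.php (added example, not Jedox's own script).
// SupervisionServer calls OnUserAuthenticate($username, $password) when
// palo.ini contains "workerlogin authorization"; returning true admits the user.
// Assumptions: token format "<expires>:<hmac-sha256-hex>" and the same
// SAML_TOKEN_SECRET value as in index.php (placeholder below).
define('SAML_TOKEN_SECRET', 'REPLACE-WITH-A-LONG-RANDOM-SECRET');

// Verifies that $token was minted by index.php for $username and is not expired.
function saml_token_is_valid($username, $token)
{
    $parts = explode(':', (string) $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return false;                                   // not our token format
    }
    list($expires, $mac) = $parts;
    if ((int) $expires < time()) {
        return false;                                   // token has expired
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, SAML_TOKEN_SECRET);
    if (strlen($expected) !== strlen($mac)) {
        return false;
    }
    return hash_equals($expected, $mac);                // constant-time compare (PHP >= 5.6)
}

// Hook called by SupervisionServer; replaces the standard password check.
function OnUserAuthenticate($username, $password)
{
    if ($username === '' || !saml_token_is_valid($username, $password)) {
        return false;                                   // forged, expired or foreign token
    }
    // Here the page's example checks that $username exists in Jedox; add that
    // check (and any group or licence conditions) and only then admit the user.
    return true;
}
```

With this in place a plain password can never pass OnUserAuthenticate, because only the index.php holding the secret can produce an accepted token; if users must also log in without SAML, that path has to be handled explicitly in the same function rather than by falling through to true.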

