Summarized
- HTTPS: Run Tomcat over HTTPS.
- ADFS Server: Configure the ADFS server, which is the Identity Provider (IdP).
- Principal Toolbox: Configure the toolbox, which is the Relying Party (RP):
  - create a Java key store (jks) -> store in WEB-INF/classes
  - export a .cer from the jks -> use on the ADFS server
  - get the federation metadata from the ADFS server -> store in WEB-INF/classes
  - the configuration itself goes in login.properties; login-template.properties can be used as a starting point.
- Browser: Configure the browser to “trust” the SSO Identity Provider (the ADFS server). Otherwise the browser will ask for credentials (so no real SSO).
Manual configuration walkthrough
- HTTPS: Set up Tomcat to use HTTPS (needed on development machines and for on-premises customers; on SaaS, HTTPS is handled by a proxy).
- Create certificate. See https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration
- In Apache Tomcat go to the /conf directory and define an SSL HTTP/1.1 connector in server.xml, e.g.:
<Connector port="8443" keystoreFile="/home/<user>/.keystore" keystorePass="changeit" clientAuth="false" keyAlias="tomcat" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" maxThreads="150" />
Principal Toolbox: Prepare certificate and java key store (containing the public and private key)
- Generate the toolbox server jks (Java key store):
keytool -genkeypair -alias ptb_test -keyalg RSA -keypass keypassword123 -keystore ptbKeystore.jks -keysize 4096 -sigalg SHA256withRSA -validity 1825
- Fill in the keystore password (may differ from the key password specified with -keypass above) and the metadata information (Organization, Country, etc.).
The result is a .jks file.
Although Spring does not support SHA-2 yet, using a SHA-2 certificate in the Toolbox is no problem.
This creates a certificate that is valid for 1825 days (5 years); adapt to your needs. The default validity is only three months, which is not very practical.
- Export the certificate:
keytool -export -alias ptb_test -storepass keystorepassword123 -file ptb_test.cer -keystore ptbKeystore.jks
The result is a .cer file.
- Copy the jks file to the PTB server, in the WEB-INF/classes directory
- Spring configuration: the jks file name, the keystore password, the key password and the alias (e.g. ptb_test) must be specified in the Spring Security configuration (in the JKS KeyManager bean).
- Use the certificate file on the ADFS server for both the Encryption and Signature tab, on the Relying Party Trust properties.
ADFS Server: Set up the ADFS server:
- In the AD FS Management tool go to “Trust Relationships/Relying Party Trusts”, select “Add Relying Party Trust” from the context menu and the wizard starts.
- Data Source: select “Enter data about the relying party manually”.
- Specify Display Name: choose some display name for the relying party, which is the Principal Toolbox instance, e.g. “Principal Toolbox”
- Choose Profile: ADFS 2.0 profile
- Configure Certificate: Browse for the certificate as generated/exported from the java key store (see above). This certificate contains the public key of the relying party.
- Configure URL: Check “Enable support for SAML 2.0 WebSSO protocol” and fill in: “https://<toolbox base>/saml/SSO”
- Configure Identifiers: Add “https://<toolbox base>/saml/metadata”
- Choose Issuance Authorization Rules: “Permit all users to access this relying party”
- Leave “Open the Edit Claim Rules dialog” checkbox checked and finish the wizard
- Select “Add Rule”, choose “Send LDAP Attributes as Claims” and press Next
- When using email as the unique identifier for toolbox users:
  - Add “Email” as “Claim rule name”, choose “Active Directory” as Attribute store, choose “E-mail-addresses” as LDAP Attribute and “E-mail Address” as “Outgoing claim type”. Press OK.
  - Add another rule and now choose “Transform an Incoming Claim” as Claim Rule Template.
  - Fill in “Transform Email to Name ID” as claim rule name.
  - Specify “E-Mail Address” as Incoming claim type.
  - Specify “Name ID” as Outgoing claim type.
  - Choose “Pass through all claim values”.
- When using username as the unique identifier:
  - Add “Username” as “Claim rule name”, choose “Active Directory” as Attribute store, choose “SAM-Account-Name” as LDAP Attribute and “Name ID” as “Outgoing claim type”. Press OK.
- Edit the properties of the Relying Party Trust (or double click it):
  - Select tab Advanced and change “Secure hash algorithm” to SHA-1 (Spring does not offer support for SHA >1 yet).
  - Select tab Signature and browse for the toolbox certificate as generated (same certificate as used for the Configure Certificate step in the wizard).
- ADFS server installation (if not done yet): on a Windows Server 2008 R2 or higher machine, which is not the primary AD server, install the ADFS 2.0 service. Run the ADFS Federation Server Configuration Wizard to configure the basic settings. Then configure the Relying Party Trust as described above.
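As an added example (not part of the original page), a small Python sanity check for the ADFS side of this setup: it reads a SAML Response of the shape the claim rules above produce and reports whether the NameID is present, whether it equals the e-mail claim (the pass-through rule), and whether Audience and Recipient match the identifier and WebSSO URL entered in the wizard. The response, host name (toolbox.example.test standing in for <toolbox base>) and user are constructed sample values; the claim-type URI for “E-mail Address” is the standard one ADFS emits.

```python
# Added example, not from the original page: sanity-check an ADFS assertion
# against the relying-party settings above (sample values are constructed).
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Constructed sample; toolbox.example.test stands in for <toolbox base>.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://toolbox.example.test/saml/SSO"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://toolbox.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

def check_assertion(xml_text, toolbox_base):
    """Return (name_id, problems); signature and timestamp checks stay with Spring SAML."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return None, ["Response carries no Assertion"]
    problems = []
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("no NameID: check the 'Transform Email to Name ID' rule")
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != "https://%s/saml/metadata" % toolbox_base:
        problems.append("Audience %r != configured identifier" % audience)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != "https://%s/saml/SSO" % toolbox_base:
        problems.append("Recipient %r != SAML 2.0 WebSSO URL" % recipient)
    emails = [v.text for v in a.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % EMAIL_CLAIM, NS)]
    if name_id and emails and name_id not in emails:
        problems.append("NameID is not the e-mail claim: pass-through rule missing")
    return name_id, problems
```

Feed it a real Response only after Spring SAML has verified the signature; it tells you which wizard setting to revisit, not whether the assertion is authentic.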
Principal Toolbox: Configure the toolbox
- Copy the file login-template.properties (see attachment) to a login.properties file in the Application/WEB-INF/classes directory.
- Edit the login.properties file; you will need information used or created in the steps above.
- Get the IdP metadata file (for ADFS: https://<ADFS Server name>/FederationMetadata/2007-06/FederationMetadata.xml) and store it in the Application/WEB-INF/classes directory.
- Rename FederationMetadata.xml to idp.xml.
- Restart Tomcat to apply changes.
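As an added example (not part of the original page), a Python check to run over the downloaded FederationMetadata.xml before it becomes idp.xml: it confirms the file is IdP metadata, pulls out the entityID, the SingleSignOnService endpoints and the signing certificate the toolbox will trust, and rejects metadata that has no signing key or a non-HTTPS endpoint. The embedded sample is a shortened, constructed version of what ADFS publishes; host name and certificate are placeholders.

```python
# Added example, not from the original page: inspect ADFS federation metadata
# before it becomes WEB-INF/classes/idp.xml (sample values are constructed).
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Shortened sample in the shape ADFS serves at
# /FederationMetadata/2007-06/FederationMetadata.xml (placeholder host/cert).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC0PLACEHOLDERSIGNINGCERT=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def inspect_idp_metadata(xml_text):
    """Return entityID, SSO endpoints per binding and signing certificates;
    raise ValueError when the file cannot be trusted as IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    for location in sso.values():
        if not location.startswith("https://"):
            raise ValueError("SSO endpoint is not HTTPS: %s" % location)
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate: assertions cannot be verified")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}
```

Compare the printed entityID and certificate with what the ADFS administrator expects before restarting Tomcat; a metadata file fetched over an untrusted path is the one place where a wrong IdP could be trusted silently.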
Browser: For Internet Explorer do the following (copied from https://support.microsoft.com/en-us/kb/2530569):
If a seamless, no-prompt experience is expected for domain-joined and domain-connected client computers, add the AD FS Federation Service URL to the local intranet zone in Windows Internet Explorer. For example, do the following:
- In Internet Explorer, on the Tools menu, click Internet Options.
- Click the Security tab, click Local intranet, click Sites, and then click Advanced or Add Site (depends on IE version).
- Type https://adfs.YOURDOMAIN.com in the “Add this website to the zone” box, and then click Add.
Note: “adfs.YOURDOMAIN.com” represents the FQDN of the AD FS Federation Service.