Implement/Configure ADFS authentication

Summarized

HTTPS: Run Tomcat over HTTPS.
ADFS Server: Configure the ADFS server, which is the Identity Provider (IdP).
Principal Toolbox: Configure the toolbox, which is the Relying Party (RP):
  • create a Java key store (jks) -> store in WEB-INF/classes (see below)
  • export a .cer from the jks -> use on the ADFS server
  • get the federation metadata from the ADFS server -> store in WEB-INF/classes (see below)
  • the configuration itself is done in login.properties; login-template.properties can be used as a starting point.
Browser: Configure the browser to "trust" the SSO Identity Provider (the ADFS server). Otherwise the browser prompts for credentials, so there is no real SSO.

Manual configuration walkthrough

  1. In the Apache Tomcat /conf directory, edit server.xml and define an SSL HTTP/1.1 connector, e.g.:
<Connector port="8443" keystoreFile="/home/<user>/.keystore" keystorePass="changeit" clientAuth="false" keyAlias="tomcat" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" maxThreads="150" />
     Replace keystorePass with the real password of the keystore ("changeit" is the well-known default), keep the keystore file readable by the Tomcat service account only, and restrict the enabled protocols to current TLS versions (the sslEnabledProtocols attribute of the connector).

Principal Toolbox: Prepare certificate and java key store (containing the public and private key)

  1. Generate the toolbox server jks (Java key store):
keytool -genkeypair -alias ptb_test -keyalg RSA -keypass keypassword123 -keystore ptbKeystore.jks -keysize 4096 -sigalg SHA256withRSA -validity 1825
  2. Fill in the keystore password (may be different from the key password specified above) and the distinguished-name information (Organization, Country etc.).
     The result is a .jks file. A password given on the command line (-keypass) ends up in the shell history; omit it to be prompted instead.

The SHA-1 setting on the ADFS side (see below) concerns the algorithm used to sign SAML messages, not the signature algorithm of the certificate itself. So although the Spring SAML version used by the Toolbox does not support SHA-2 message signatures yet, using a SHA-256 certificate in the Toolbox is no problem.

This creates a certificate that is valid for 1825 days (5 years); adapt to your needs. The keytool default is only 90 days (three months), which is not very practical.

  3. Export the certificate:
keytool -export -alias ptb_test -storepass keystorepassword123 -file ptb_test.cer -keystore ptbKeystore.jks

  The result is a .cer file. It contains the certificate (public key) only; the private key stays in the jks.

  4. Copy the jks file to the PTB server, in the WEB-INF/classes directory.
  5. Spring configuration: the jks file name, the keystore password, the key password and the alias (e.g. ptb_test) must be specified in the Spring Security configuration (in the JKSKeyManager bean).
  6. Use the certificate file on the ADFS server for both the Encryption and Signature tab of the Relying Party Trust properties (see below).

 ADFS Server: Set up the ADFS server:

  • On a Windows Server 2008 R2 or higher machine, which is not the primary AD server, install the ADFS 2.0 service.
  • Run the ADFS Federation Server Configuration Wizard to configure the basic settings.
  • Configure the Relying Party Trust:
    • In the AD FS Management tool go to "Trust Relationships/Relying Party Trusts", select "Add Relying Party Trust" from the context menu and the wizard starts.
    • Data Source: select "Enter data about the relying party manually".
    • Specify Display Name: choose a display name for the relying party, which is the Principal Toolbox instance, e.g. "Principal Toolbox".
    • Choose Profile: AD FS 2.0 profile.
    • Configure Certificate: browse for the certificate as generated/exported from the Java key store (see above). This certificate contains the public key of the relying party; ADFS uses it to encrypt tokens for the Toolbox.
    • Configure URL: check "Enable support for the SAML 2.0 WebSSO protocol" and fill in "https://<toolbox base>/saml/SSO".
    • Configure Identifiers: add "https://<toolbox base>/saml/metadata".
    • Choose Issuance Authorization Rules: "Permit all users to access this relying party". For a production instance, replace this afterwards with a rule that only permits the intended AD group(s).
    • Leave the "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard.
  • Claim rules: select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next.
    • When using email as unique identifier for toolbox users:
      • Enter "Email" as "Claim rule name", choose "Active Directory" as Attribute store, choose "E-Mail-Addresses" as LDAP Attribute and "E-Mail Address" as "Outgoing claim type". Press OK.
      • Add another rule, now choosing "Transform an Incoming Claim" as Claim Rule Template.
      • Fill in "Transform Email to Name ID" as claim rule name.
      • Specify "E-Mail Address" as Incoming claim type.
      • Specify "Name ID" as Outgoing claim type.
      • Choose "Pass through all claim values".
    • When using username as unique identifier:
      • Enter "Username" as "Claim rule name", choose "Active Directory" as Attribute store, choose "SAM-Account-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type". Press OK.
  • Edit the properties of the Relying Party Trust (or double-click it):
    • Select the Advanced tab and set "Secure hash algorithm" to SHA-1. (Spring does not offer support for SHA >1 yet. This setting is the algorithm ADFS signs its responses with and expects on signed requests, so if the Toolbox signs its AuthnRequests with SHA-1 while ADFS is set to SHA-256, ADFS rejects them. SHA-1 is a deprecated algorithm; move to SHA-256 as soon as the Spring SAML library used by the Toolbox supports it.)
    • Select the Signature tab and browse for the toolbox certificate as generated (the same certificate as used in the Configure Certificate step of the wizard). ADFS uses it to verify requests signed by the Toolbox.
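The wizard steps above as a repeatable script, added here as an example and not part of the original article or of the Toolbox product: it creates the same Relying Party Trust with the AD FS PowerShell cmdlets, including the two claim-rule variants (email or username as Name ID), the "permit all" authorization rule and the SHA-1 signature algorithm. The host name toolbox.example.com, the certificate path and the $useEmail switch are assumptions to adapt.

```powershell
# Added example: create the Principal Toolbox relying party trust from PowerShell.
# AD FS 2.0 (Windows Server 2008 R2): run  Add-PSSnapin Microsoft.Adfs.PowerShell  first.
# Windows Server 2012 R2 and later: the ADFS module is loaded automatically.

$toolboxBase = "toolbox.example.com"   # assumption: host name of the Toolbox
$certPath    = "C:\ptb\ptb_test.cer"   # assumption: the .cer exported with keytool
$useEmail    = $true                   # $false: use sAMAccountName as Name ID instead

# Public certificate of the Toolbox: used by AD FS for token encryption and
# for verifying requests signed by the Toolbox (Encryption and Signature tab).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Assertion consumer service: where AD FS POSTs the SAML Response.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri "https://$toolboxBase/saml/SSO" -Index 0

# Issuance transform rules (the "Send LDAP Attributes as Claims" rules of the wizard).
if ($useEmail) {
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@
} else {
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Username"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@
}

# "Permit all users to access this relying party", as in the wizard.
# For production, replace with a rule that checks a group SID claim instead.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "Principal Toolbox" `
    -Identifier "https://$toolboxBase/saml/metadata" `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $cert `
    -EncryptionCertificate $cert `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Show what was created; SignatureAlgorithm must match what the Toolbox uses.
Get-AdfsRelyingPartyTrust -Name "Principal Toolbox" |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints
```

Once the Toolbox's Spring SAML library supports SHA-256 signatures, change the -SignatureAlgorithm value to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 (or use Set-AdfsRelyingPartyTrust on the existing trust); the rest of the script stays the same.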

 Principal Toolbox:

  1. Copy the file login-template.properties (see attachment) to login.properties in the Application/WEB-INF/classes directory.
  2. Edit the login.properties file. You will need information used/created in the steps above.
  3. Get the IdP metadata file (for ADFS: https://<ADFS Server name>/FederationMetadata/2007-06/FederationMetadata.xml) and store it in the Application/WEB-INF/classes directory. Fetch it over HTTPS from the ADFS server itself: this file names the certificate the Toolbox will trust for every signed SAML response, so a substituted file lets an attacker sign logins for any user.
  4. Rename FederationMetadata.xml to idp.xml.
  5. Restart Tomcat to apply the changes.
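Before the downloaded metadata becomes idp.xml it is worth seeing what the Toolbox is about to trust. The script below is an added example (not part of the original article): it reads the federation metadata, prints the IdP entityID, the SingleSignOnService endpoints and the thumbprint of each signing certificate, so the thumbprint can be compared with the Token-Signing certificate shown by Get-AdfsCertificate -CertificateType Token-Signing on the ADFS server (or in the AD FS Management console). The file path is an assumption.

```powershell
# Added example: inspect FederationMetadata.xml before installing it as idp.xml.
$metadataPath = "C:\ptb\FederationMetadata.xml"   # assumption: where the file was downloaded

[xml]$md = Get-Content -Path $metadataPath
$ns = @{
    md = "urn:oasis:names:tc:SAML:2.0:metadata"
    ds = "http://www.w3.org/2000/09/xmldsig#"
}

# The entityID must equal the Issuer the Toolbox sees in SAML responses.
"IdP entityID : " + $md.EntityDescriptor.entityID

# Endpoints the Toolbox will send AuthnRequests to; expect the ADFS host over https.
Select-Xml -Xml $md -Namespace $ns -XPath "//md:IDPSSODescriptor/md:SingleSignOnService" |
    ForEach-Object { "SSO endpoint : " + $_.Node.Binding + "  " + $_.Node.Location }

# Signing certificate(s) the Toolbox will use to verify SAML responses.
# ADFS lists both primary and secondary token-signing certificates during rollover.
Select-Xml -Xml $md -Namespace $ns -XPath "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String(($_.Node.InnerText -replace "\s", ""))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
        "Signing cert : " + $cert.Subject + "  thumbprint " + $cert.Thumbprint + "  expires " + $cert.NotAfter
    }
```

If the thumbprint does not match the ADFS Token-Signing certificate, or the endpoints point anywhere but the ADFS server, do not install the file. Note the expiry: when ADFS rolls its token-signing certificate, idp.xml must be refreshed the same way or logins stop verifying.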

 Browser: For Internet Explorer (copied from https://support.microsoft.com/en-us/kb/2530569):
If a seamless, no-prompt experience is expected for domain-joined and domain-connected client computers, add the AD FS Federation Service URL to the Local intranet zone in Windows Internet Explorer. For example, do the following:

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. Click the Security tab, click Local intranet, click Sites, and then click Advanced or Add Site (depends on the IE version).
  3. Type https://adfs.YOURDOMAIN.com in the "Add this website to the zone" box, and then click Add.

Note: "adfs.YOURDOMAIN.com" represents the FQDN of the AD FS Federation Service.

Add only the ADFS host. Sites in the Local intranet zone receive the user's Windows credentials automatically, so do not add the whole domain or a wildcard.
