000032131 - An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 17, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000032131
Applies ToRSA Product Set: Identity Management and Governance 
RSA Version/Condition: 6.9.x
IssueThis article explains how to configure SSO using SAML to connect to an Active Directory Federation Services (ADFS) Identity Provider (IDP).  RSA Identity Management and Governance 6.9.x and ADFS share SAML support, allowing an ADFS IDP to be used for SSO.
TasksThis article outlines an ADFS configuration we have successfully used with RSA Identity Management and Governance over SAML.  
Note that not all possible ADFS configurations would be expected to work.  
Further details on ADFS are out of the scope of this document and should be directed to that application vendor.
  1. Install ADFS 2.0 following instructions from your vendor.
  2. Configure ADFS 2.0, including:
    1. IIS Certificate
    2. ADFS Settings
  3. Setup the authentication source in RSA Identity Management and Governance.
  4. Establish trust with RSA Identity Management and Governance.
Resolution

Install ADFS 2.0


ADFS 2.0 is not included in Windows 2008 R2. ADFS 2.0 is a separate (free) download from Microsoft and can be obtained from their website after logging in or registering a new account.  
This article uses the Windows 2008 R2 AMD64 version.  


  1. Download the software.
  2. Once the download is complete launch the AdfsSetup executable.
  3. During the installation, on the Server Role page, select Federation Server.  
  4. Once installation completes choose Finish to launch the ADFS management tool.


IIS Certificate


Prior to launching the ADFS configuration wizard, you will need to create a certificate to install in IIS.  For this example we create a self-signed certificate.


  1. Launch IIS Manager.  
  2. Select the root node (the node with the name of the server).
  3. Double-click on Server Certificates.  
  4. On the action menu on the right, select Create Self-Signed Certificate, and provide a name that will distinguish this certificate from others.  This example uses the name saml_adfs.
  5. In the main IIS Manager tree, navigate to Default Web Site.
  6. Click the Bindings action on the right.  
  7. In the Site Bindings window, select Add and enter the following information:
  • Type: https
  • IP Address: Static IP address of the server.  If dynamic, select All Unassigned.
  • Port: 443
  • SSL Certificate: The name of the certificate created earlier (saml_adfs in this example).
  1. Select OK.
  2. Click OK when done.
  3. Close the Site Bindings Window, then close IIS Manager.
     

ADFS Settings


  1. From the main page of the ADFS 2.0 management tool, click the link to launch the ADFS 2.0 Federation Server Configuration Wizard.
  2. Select Create a new Federation Service and click Next.  
  3. Select Stand-alone Federation Server and click Next.    
  4. You should see the certificate that was configured in IIS selected and click Next.
  5. Click Next on the summary page, the configuration will take several minutes.  Close the window when it finishes.  The console should refresh and contain a message that a trusted relying party needs to be added.
 

Setup authentication source in RSA Identity Management and Governance


  1. To setup the IMG authentication source,
  2. Log into the IMG UI.
  3. Select Admin > System.  
  4. Click the Authentication tab.  
  5. Choose Create Authentication Source.  
  6. Provide a name, and choose SSO SAML for the authentication type.
  7. Click Next.  The following options will need to be specified:

  • UnifiedUserColumn: Defaults to USER_ID.  This value will be used by ADFS to match the user.  For instance, if you wanted to use email addresses you could change this to EMAIL_ADDRESS.


  • IgnoreCase: True or false depending on if the login names are case sensitive.  Default is false


  • IdentityURL: SAML endpoint URL.


  • SAMLAuthenticatorClass: Should indicate com.aveksa.server.authentication.SAMLAuthenticatorImpl.


  • AveksaURL: URL for IMG UI.


  • GlobalLogout: Whether an application logout will also logout from the IDP


  • LogOffURL: Set redirection URL or leave blank.


  • IDPCertificate: The certificate used by ADFS for token signing.  This certificate will be labeled Token-Signing.


  1. Click Finish.  


  2. Select the authentication source we just created to view the details.  


  3. At the top of that page, click the Download Certificate button.  Verify that the certificate is not expired (if it is, regenerate it).


  4. Click the Download Certificate button.  Save this certificate as we will need to provide it to ADFS.

Further documentation is available in the RSA Identity Management & Governance 6.9.1 Administrators Guide.
 

Establishing Trust with RSA Identity Management and Governance


In the ADFS console,


  1. Click the link to Add a trusted relying party (RP).  
  2. If you have already added other trusted relying parties to this ADFS server, you can navigate to ADFS 2.0 /Trust Relationships/Relying Party Trusts, and clicking the action Add Relying Party Trust.  
  3. Start the wizard and select the option for Enter data about the relying party manually (RSA Identity Management and Governance does not support SAML metadata).
  4. Click Next.  
  5. Enter a display name.  You can enter anything you would like, we have used saml_adfs as an example.
  6. Click Next.  
  7. Choose ADFS 2.0.
  8. Click Next.  
  9. Do not enter a claim encryption certificate, as they are not supported by RSA Identity Management and Governance.  
  10. Skip this step by clicking Next.  
  11. Also skip the URL configuration for now by clicking Next.  
  12. The identifier for the relying party (RP) should match the entity ID sent by RSA Identity Management and Governance.  This will look like: https://<img_host_name>:<img_port_num>/aveksa/main.  
  13. Enter the URL and click add then click Next.  
  14. Select Permit all users to access this relying party.
  15. Click Next.  
  16. The next page has many options available through sub-tabs but we were unable to modify the values from this page so leave everything as it is and click Next.
  17. Uncheck the box for Edit Claim Rules.
  18. Click Close.  
  19. Verify the new RP's trust is listed.
  20. Select the trust we just created and click Properties.  
  21. Select the Signature tab.  
  22. Click Add and select the certificate we downloaded from IMG in the previous step.
  23. Select the Endpoints tab.  You must define login and logout endpoints used to communicate between ADFS and RSA Identity Management and Governance.  
  24. Click Add to create a new endpoint and enter the following:
  1. Click OK to add the login endpoint.  
  2. Click Add to create another endpoint and enter the following:
  1. Click https://<img_host_name>:<img_port_num>/aveksa/main to add the logout endpoint.  
  2. Select the Advanced tab and select SHA-1 if it isn't already selected.
  3. Click OK to close the properties.  
  4. Click the action Edit claim rules.  For this example we will create three claim rules, each of which is an Issuance Transform Rule.  To create a new rule:
    1. Click Add Rule.
    2. Select rule template
    3. Click Next.
    4. Fill in data.
    5. Click Finish.

Rule 1


  • Claim rules template: Send Claims using a Custom Rule
  • Claim rule name: rule1
  • Custom rule: 

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
=> add(store = "_OpaqueIdStore", types = ("http://test.cloud-test.aveksa.com/internal/sessionid"),
query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "ID", param = c2.Value);


 

Note that the URL above of http://test.cloud-test.aveksa.com/internal/sessionid can be whatever you would like, but must match between Rule1 and Rule 2.

Rule 2


  • Claim rules template: Transform an Incoming Claim
  • Rule name: rule2
  • Incoming Claim Type: http://test.cloud-test.aveksa.com/internal/sessionid (or whatever you used in Rule 1. Note that you will have to type this, it won't be in the drop-down)
  • Outgoing Claim Type: Name ID
  • Outgoing Name ID Format: Transient Identifier
  • Select: Pass through all claim values

Rule 3


  • Claim rules template: Send LDAP Attributes as Claims
  • Rule name: rule3
  • Attribute Store: Active Directory
  • LDAP Attribute: SAM-Account-Name
  • Outgoing Claim Type: Name
Notes

The URL for access to ADFS (the IDP URL) must have the following format:


The trailing slash is important, as IIS/ADFS will not work correctly without it.
 

Important


When a SAML authentication source is configured, local accounts and AveksaAdmin accounts are required to use a special URL to access the RSA login window because the login is redirected to the SAML IDP. SAML cannot authenticate the local accounts. This URL is only available when SAML is enabled. The format of this special URL is https://<server>/aveksa/main?SSOLogin=false. When this URL is used, only a local account can be used for login.
 


Notes on IIS/ADFS Integration



There are several HTTP authentication mechanisms provided by IIS. The default settings look like this:


<add name="Integrated" page="auth/integrated/" />
<add name="Forms" page="FormsSignIn.aspx" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />

By default, some browsers (e. g., Firefox) don't work with integrated authentication. When an attempt is made to use integrated authentication, it will immediately fall-back to basic HTTP authentication (i. e., a popup window for username/password), regardless of whatever other options may have been specified in IIS.


There are several ways to avoid this use of basic authentication:


  1. Change IIS to use forms-based authentication (i. e., a web page) rather than integrated authentication.  To begin,
  2. Launch IIS Manager. 
  3. Navigate to Sites > Default Web Site > adfs > ls under your server.
  4. Right click on Explore and select ls.
  5. Open the web.config file in a text editor.
  6. Navigate to the tag for microsoft.identityServer.web.  We want to always use form access, so change the order to the following:

<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />


  1. Save the file.

This option is to configure Firefox to work with integrated authentication. Note that this must be done for each client.


In a browser window,

  1. Open the about:config page. If this is the first time you've done so, a warning will appear.  
  2. Enter network.automatic-ntlm-auth.trusted-uris in the search field.  This attribute takes host names of servers to permit integrated Windows authentication. For example, to allow access when connected to saml-adfs.cloud-test.aveksa.com, enter that name in the attribute in Firefox.  

Attachments

    Outcomes