configuring openam idp proxy with adfs and remote service

1

2

3

4 5

6 7

8

9

10

11

12 13 14

Configuring OpenAM IDP Proxy with ADFS and remote Service Provider

IntroductionFederation Entities in OpenAM

Circle of TrustRemote Service Provider SalesforceRemote Identity Provider ADFS 20Hosted IDP Proxy

IDP SectionIDP Section continuedSP SectionSP Section Continued

Preliminary Steps Configure OpenAMStep 5 Creating the Single Sign On settings in SalesforceStep 6 Importing the Service Provider descriptor from the IdP Proxy into ADFS 20

Optional ADFS 20 configurationTesting

Introduction

This post will describe how OpenAM can be configured as a hosted SAML Identity Provider Proxy with Salesforce acting as Service Provider and Active

Directory Federation Services 20 as the Identity Provider Note that this use case uses Salesforce as the Service Provider Note that to a Service Provider an IdP Proxy looks like an ordinary IdP Likewise to an Identity Provider an IdP Proxy looks like an SP Thus an IdP Proxy has the combined capability of being both an IdP and SP

The following table is lifted from Like a Web (HTTP) Proxy an IdP Proxy delivers increased efficiency security and flexibilitySpaces

Web Proxy IdP Proxy

Efficiency cache web pages cache attributes

Security controlled access to web pages controlled access to federation IdPs

Flexibility HTTP requestresponse filtering SAML requestresponse filtering

Presented here is the IdP Proxy flow

A browser client requests a web resource protected by a SAML SP (Salesforce) If a security context for the principal already exists at Salesforce skip to step 14The client is redirected to the IdP component of the IdP Proxy (OpenAM-IdP ) which is protected by the SP component of the IdP Proxy (OpenAM-SP0 1)

The client makes a SAML AuthnRequest to the SSO service at OpenAM-IdP If a security context for the principal already exists at OpenAM-IdP 0 0skip to step 10The AuthnRequest is cached and the client is redirected to the terminal IdP (ADFS) ADFS presents a BA prompt for authentication by defaultThe client makes a SAML AuthnRequest to the SSO service at ADFS If a security context for the principal does not exist ADFS identifies the principalADFS updates its security context for this principal issues one or more assertions and returns a response to the clientThe client submits the response to the assertion consumer service at OpenAM-SP The assertion consumer service validates the assertions in the 1responseOpenAM-SP updates its security context for this principal and redirects the client to OpenAM-IdP 1 0The client makes a SAML AuthnRequest to OpenAM-IdP the same AuthnRequest made at step 30OpenAM-IdP updates its security context for this principal issues a single assertion and returns a response to the client The response may also 0contain the assertions issued by ADFS at step 6The client submits the response to the assertion consumer service at Salesforce The assertion consumer service validates the assertions in the responseSalesforce updates its security context for this principal and redirects the client to the resourceThe client requests the resource the same request issued at step 1The resource makes an access control decision based on the security context for this principal and returns the Salesforce landing page to the client

For starters please refer to Victors excellent post about preparing the metadata files for a similar scenario at SAMLv2 IDP Proxy Part 1

Follow steps 1-4 in that post to prepare your metadata

Federation Entities in OpenAM

In this section we will survey the entities you have imported in OpenAM so far

Circle of Trust

Remote Service Provider Salesforce

Your settings should be very similar to those presented here

Signing and encryption can be turned off if not needed

This screen shows a critical settings related to the IDP Proxy Ensure your ADFS 20 Entity ID is correctly defined in the list

Remote Identity Provider ADFS 20

Hosted IDP Proxy

IDP Section

Set ldquotestrdquo as the signer certificate in the IDP section of the Hosted IDPSP proxy entity

IDP Section continued

SP Section

The first page

Assertion processing screen

The mapping shown below is critical Here we map the ADFS credential to an internal (anonymous) user in our case it is demo It could be anonymous if such a user is present in your user repository

Since ADFS does not support Scoping elements also necessary to achieve this integration is a custom Service Provider adapter that removes the Scoping element from SAML AuthRequest sent to ADFS

SP Section Continued

Add the Entity ID for Salesforce here

Preliminary Steps Configure OpenAM

1 Import certificates into OpenAM keystore and Java keystoreusrjavajdk170_45binkeytool -importcert -alias sfdc -file SelfSignedCert_09Mar2014_053347crt -keystore keystorejksusrjavajdk170_45binkeytool -importcert -alias adfs -file adfscertcer -keystore keystorejksusrjavajdk170_45binkeytool -exportcert -alias adfs -file adfscertcrt -keystore keystorejks usrjavajdk170_45binkeytool -exportcert -alias sfdc -file sfdccrt -keystore keystorejks usrjavajdk170_45binkeytool -importcert -alias adfs -file ccgadfscrt -trustcacerts -keystore usrjavajdk170_45jrelibsecuritycacertsusrjavajdk170_45binkeytool -importcert -alias sfdc -file sfdccrt -trustcacerts -keystore usrjavajdk170_45jrelibsecuritycacerts

2 In OpenAM after importing the metadata files add the Federation Authentication Module under local realm

Step 5 Creating the Single Sign On settings in Salesforce

In Salesforce under Security Controls -gt Single Sign On Settings create a new SAML Single Sign-On Setting and fill in the Identity Provider Login URL and Logout URLs from the metadata file machinebidpproxycom-idp-metaxml in Step 4a

Step 6 Importing the Service Provider descriptor from the IdP Proxy into ADFS 20

On the Windows server start up AD FS 20 Management utility and create a new relying part trust by cliking on Add Relying Party Trust

Select Import data about the relying party from a file and use the machinebidpproxycom-sp-metaxml you created in Call it Salesforce via Step 4cOpenAM IDP Proxy and finish

Select the newly created relying party and ensure the settings match the screenshots presented here

For example change the default SAML ACE from Artifact to POST

Also change the secure hash algorithm to SHA-1 as shown here

Click on Edit Claim Rules and follow instructions given in to create the first ruleOpenAM and ADFS2 configuration

Create a custom claim rule using the following script

c[Type == ] =gt issue(Type = httpschemasxmlsoaporgws200505identityclaimsupn httpschemasxmlsoaporgws200505identityclaims Issuer = cIssuer OriginalIssuer = cOriginalIssuer Value = cValue ValueType = cValueType Properties[nameidentifier httpschemasxmlsoaporgws

] = Properties[200505identityclaimpropertiesformat urnoasisnamestcSAML11nameid-formatunspecified httpschemasxmlsoaporgws200505] = ltentity-id of ADFS 20gt Properties[identityclaimpropertiesnamequalifier httpschemasxmlsoaporgws200505identityclaimproperties

] = ltentity-id of your IDP proxygt)spnamequalifier

You should see two rules now

1

2

3

4

5

a

b

Click ok to finish editing claim rules

Optional ADFS 20 configuration

You can configure ADFS to not encrypt or sign SAML responses Follow these steps if necessary

Use Windows Power Shell to check for installed ADFS snap-in Get-PSSnapin -RegisteredYou should be able to see MicrosoftAdfsPowerShell 10 ldquoThis powershell snap-in contains cmdlets used to manage Microsoft Identity Server resourcesrdquoNow proceed to add it Add-PSSnapin MicrosoftAdfsPowershellConfigure ADFS to not encrypt SAML response Set -ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptClaims $FalseIf you get an erroneous SAML StatusCode Responder error in OpenAM during testing run these commands to turn off certificate revocation checks in ADFS

Set-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -EncryptionCertificateRevocationCheck NoneSet-ADFSRelyingPartyTrust -TargetName ldquoSalesforce via OpenAM IDP Proxyrdquo -SigningCertificateRevocationCheck None

Testing

Navigate to your Salesforce SSO URL you will immediately be taken to the ADFS basic authentication prompt

Enter your ADFS domain credentials here and hit Log In If all is well you should be taken to your Salesforce landing page


Remote Service Provider Salesforce

Your settings should be very similar to those presented here

Signing and encryption can be turned off if not needed



Hosted IDP Proxy

IDP Section



SP Section

The first page























1

2

3

4

5

a

b






Testing






Hosted IDP Proxy

IDP Section



SP Section

The first page























1

2

3

4

5

a

b






Testing





SP Section

The first page























1

2

3

4

5

a

b






Testing


























1

2

3

4

5

a

b






Testing




configuring openam idp proxy with adfs and remote service

Documents