7.1.6. ADFS 2.0 configuration for SAML authentication

Introduction

In conditions when it is required SSO functionality for an application server that cannot be part of the Domain (Active Directory), ADFS gives an option to use SAML Authentication.
Detailed information regarding ADFS and SAML can be found here
https://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.11.2).aspx

Requirements

- ADFS 2.0 Server accessible by clients and the EPC Server host
- DNS alias for EPC 11.4 Server host
- SSL certificate for EPC 11.4 Server communication encryption

ADFS Configuration

Giving the fact that there is a DNS alias defined for EPC Server (ex. epc.company.com – used in the following examples), we will need to create the Trust Party record in ADFS.
1. Open ADFS 2.0 Management console
2. Browse to Trust Relationships  Relying Party Trusts
3. On the right side Actions panel click on “Add Relying Party Trust…” link

4. In the Setup wizard click Start button
5. In Select Data Source page select the “Enter data about the relying party manually”

6. In Specify Display Name page enter the name for the configuration
Example: SAML for epc.company.com

7. Select AD FS 2.0 profile in the Choose profile page

8. Click Next in the Configure Certificate page

 
9. Type the https URL for EPC Server in the second field on the Configure URL page

10. Type the https URL for EPC Server in the second field on the Configure Identifier page and click Add button

11. Select “Permit all users to access this relying party” in the Choose Issuance Authorization Rules page
12. Click Next on the Ready to Add Trust page
13. Click close button (leave the check mark selected on the last wizard page)
14. In the Claim Rules appeared window click the button to add Rule
15. In the “Add Transformation Claim Rule Wizard” click Next

16. In the Configure Claim Rule page type the Rule name “Issue SAM-Account-Name”
Select Active Directory in the Attribute store dropdown menu
For LDAP each attribute select a value as shown on the screenshot and after that, click the Finish button

17. Open The properties for the created Trust Party and switch to Endpoints Tab

18. Click the Add button and fill in the Endpoint as shown in the screenshot below in the window that was open. After that, click OK.

19. The resulting Endpoints should be two as shown below

20. For reference, here are the rest of the screens for the properties windows that have values

Save the Signing certificate in base 64 formats to a cer file

Open The ADFS console and navigate to Service  Certificates
Select and export the ADFS Signing certificate as a cer file

Open the saved certificate in notepad and remove the header and footer.
Remove all the line returns to have one line of text.
Use the certificate in the next step – Configuration.

EPC Configuration

In order to configure the EPC 11.3 Web portal to use SAML authentication, kindly follow the following steps
1. Open the EPC 11.3 Web portal
2. Switch to System Admin page
3. Open the System Setting tab
4. Edit the property “PASSPORT_SAML”

Update the value according to the bellow configuration:
{“entryPoint”: “https://adfs.interfacing.com/adfs/ls/”, “issuer”: “https://epc11.interfacing.com”, “callbackUrl”: “https://epc11.interfacing.com/login/saml”, “privateCertString”: “”, “certString”: ““, “authnContext”: “http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password”, “acceptedClockSkewMs”: -1, “identifierFormat”: null, “signatureAlgorithm”: “sha256”, “logoutUrl”: “https://adfs.interfacing.com/adfs/ls/”, “additionalLogoutParams”: {“wa”: “wsignout1.0”}, “logoutCallbackUrl”: “https://epc11.interfacing.com/login”, “nameIDFormat”: “NXOqskznZinwixe”, “samlUserIdProp” : “samlUserIdProp”, “justInTime”: true, “samlFirstNameProp”: “samlFirstNameProp”, “samlLastNameProp”: “samlLastNameProp”, “samlEmailProp”: “samlEmailProp”
}

5. Edit the property “PASSPORT_STRATEGY_TO_USE”
Set the value to be SAML (instead of LOCAL) and save
6. Apply the configuration by clicking the button “Copy Link and Apply the Changes”
7. Restart the webapp docker by exectuting on the EPC Frontend server the following command

1. docker restart docker_webapp_1
   8. NOTE: For seamless login to EPC Web portal, you may change the above configuration, the URL http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password to
   http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows and enable windows authentication on the IIS that is used by the ADFS server.
   

Note: For Cloud deployment configuration, kindly notify Interfacing Support when the configuration is saved to the EPC Server. Interfacing Support will activate the configuration on the server.