SSO SAML2.0 on W2008 R2 server and LiquidFiles
Liquidfiles SSO can be configured to work with Active Directory and AD FS server. LiquidFiles will work as a Service Provider (SP) and AD FS server will represent Identity Provider (IdP). In this how-to AD FS will be served by W2008 R2 (or W2008) server standard edition.
- W2008 R2 standard
- Active directory domain service
- Certificate (or self signed certificate, which is used in this demo)
- IIS (I used IIS manager > your server > Server certificates tool to generate self signed certificate for this how-to as well)
- Check your time and timeservers on your LF appliance and Windows server
NOTE to AD FS versions
Windows W2008 server is able to support SAML2.0 only if you download and install AD FS 2.0 RTW (Release To the Web) from Ms pages. W2012 server supports natively AD FS 2.1. W2012R2 supports AD FS 3.0. The implemented SAML version remains same on v2.0 for this mentioned windows servers.
From LiquidFiles perspective the configuration of SSO works same for all AD FS ver>=2.0 and principle of configurations SAML2.0/SSO are quite similar on this Windows server releases.
1 W2008 R2 server preparation for SSO
At this point I expect you have set up Active directory domain, DNS and IIS services are running. A certificate (or self signed certificate) should be installed as well.
1.1 Installation of AD FS2.0 RTW
At first please check and if found on your server the default AD FS 1.1 role uninstall it. In Windows 2008 / W2008 R2 is available natively only AD FS1.1 which does not support SAML2.0 protocol.
We have to download and install following Active Directory Federation Services 2.0 RTW for W2008 R2 from here: http://www.microsoft.com/en-us/download/details.aspx?id=10909
When download is finished run installer AdfsSetup.exe
Pic. 1 - Installation wizard of AD FS2.0 RTW
Pic. 2 - Installation wizard of AD FS2.0 RTW
Pic. 3 - Installation wizard of AD FS2.0 RTW
Pic. 4 - Installation wizard of AD FS2.0 RTW, continue with configuration
1.2 Configuration of AD FS
In this part we provide a configuration of AD FS/SSO service as an IdP for SP which is a Liquidfiles appliance. Click AD FS 2.0 Federation Server Configuration Wizard as showed on Pic. 5.
Pic. 5 - Configuration of AD FS service for SSO
Pic. 6 - Configuration of AD FS service for SSO
Pic. 7 - Configuration of AD FS service for SSO
Pic. 8 - Configuration of AD FS service for SSO, Choice the certificate from the list or import
Pic. 9 - Configuration of AD FS service for SSO
Pic. 10 - Configuration of AD FS service for SSO done. Now continue with a Relay Party trust
1.3 Adding a Relay Party Trust
At this point you should be ready to set up the AD FS connection with your Liquidfiles appliance. The connection between ADFS and Liquidfiles is defined using a Relying Party Trust (RPT).
Choice the row Required: Add a trusted relying party. This starts the configuration wizard for a new trust. See Pic. 11 - 21
Pic. 11 - Adding a Relay Party Trust
Pic. 12 - Adding a Relay Party Trust, Wizard
Pic. 13 - Adding a Relay Party Trust. Enter data manually
Pic. 14 - Adding a Relay Party Trust. Display name
Pic. 15 - Adding a Relay Party Trust. Choice AD FS profile with SAML 2.0 protocol
Pic. 16 - Adding a Relay Party Trust
Pic. 17 – Put your LiquidFiles SAML Consumer URL. F.e. https://lf.yourdomain.net/saml/consume/
Pic. 18 - Adding a Relay Party Trust identifiers: https://lf.yourdomain.net/ NOTE: don't forget trailing slash "/" at the end
Pic. 19 - Adding a Relay Party Trust
Pic. 20 - Adding a Relay Party Trust
Pic. 21 - Adding a Relay Party Trust. Tick Open the edit claim rules
1.4 Creating claim rules
After adding the relying party trust, the wizard will ask you to configure the claim rules. You can also reconfigure later by doing right click on the relying party section and selecting the menu Edit Claim Rules. Click Add Rules and select Send LDAP Attribute as Claims and select Active Directory as Attribute store. Configure E-Mail-Addresses to map to Outgoing claim type E-Mail Address. (follow Pictures Pic. 22 – 23)
Pic. 22 – Claim Rules
Pic. 23 – Claim Rules
Next select Transform an Incoming Claim as the claim rule template to use. Give it a name such as NameID. Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1. The Outgoing claim type is Name ID (this is requested in ServiceNow policy urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and the Outgoing name ID format is Email. Pass through all claim values and click Finish. (See Pic. 24 - 26)
Pic. 24 – Claim Rules
Pic. 25 – Claim Rules
Pic. 26 – Claim Rules
1.5 Adjusting the trust settings
You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected. In the Advanced tab, switch from SHA256 to SHA1.
Pic. 27 – Adjusting the trust settings
1.6 Active Directory test user
Create a user in Active Directory. In this example its testsso. Open Administrative tools > Active Directory User and Computers > Users > New > User (Pic. 28 – 30)
Pic. 28 – Adding Active directory user
Pic. 29 – Adding Active directory user, create password
Pic. 30 – User’s properties, fill in user's E-mail
2 LiquidFiles appliance SSO settings
This part is about configuring SSO service on Liquidfiles appliance. Essentially we will need to find out SSO login URL and fingerprint.
2.1 SSO Login URL
At first verify where your IdP’s Single Sign On login URL is. Download and open a metadata file from https://server.mydomain.local/FederationMetadata/2007-06/FederationMetadata.xml and check for SingleSignOn Location. In this example the URL is https://server.mydomain.local/adfs/ls/ (important: when copy the link take care you grab it with the slash in the end)
Pic. 31 - SSO login URL
2.2 Finger Print
Next we need to find out Fingerprint (thumbprint) of the signing certificate we are using on AD FS server. Open AD FS > Certificates. Right click on Token-signing certificate, open Details tab and look for Thumbprint. Copy/paste it to a notepad and replace spaces with colons. In this example rewritten fingerprint looks like this:
Pic 32. – Copy the signing certificate’s fingerprint
2.3 Setting up Liquidfiles
Now we open Liquidfiles appliance Configuration > Single Sign On form SSO and paste the Finerprint and SSO login url the collected information. See picture Pic. 46
- Choice Single Sign On Method: SAML2
- IdP Login URL: https://server.mydomain.local/adfs/ls/
- IdP Cert Fingerprint f.e.: c5:df:0c:49:3e:ef:0d:0f:13:5f:ec:e9:4c:f8:75:9b:1d:90:6a:23
- Optionally you can set IdP Logout URL. An URL which you will be redirected when logged out from LF
Pic. 33 - LiquidFiles SSO config
3 Testing SSO login
Connect to LF appliance and click SSO button. You will be redirected to IdP login site for log in where fill in the ActiveDirectory user. In this example its testsso user. When successfully verified you are logged to LF. Job done.
Pic. 34 – SSO testing
Pic. 35 – Redirect to IdP for authentication
Pic. 36 – Logged successfully in through SSO