Embed Size (px)
Citation preview
BELNET
FederationDocumentationADFS3.0IDPforwindows2012R2serverandtheBelnetFederation
Belnet8/11/2015
Belnet
1
TableofContents1 Preparingtheserver........................................................................................................................2
1.1 Domainmembership...............................................................................................................2
1.2 DNS..........................................................................................................................................2
1.3 NTP..........................................................................................................................................2
1.4 IIS(optional)............................................................................................................................2
1.5 Serviceaccount.......................................................................................................................2
2 InstallADFS3.0...............................................................................................................................3
3 BeforeConfiguringADFS3.0..........................................................................................................6
3.1 Certificate................................................................................................................................6
4 ConfigureADFS3.0.........................................................................................................................7
4.1 GeneralconfigurationoftheADFSserver..............................................................................7
4.2 UploadyourMetadata..........................................................................................................13
4.3 ConfiguretheServiceprovider..............................................................................................14
4.4 Configuretheattributerelease.............................................................................................18
5 Some“claimrules”forBelnetSP:...........................................................................................24
5.1 sptest.belnet.be:................................................................................................................24
5.2 filesender.belnet.be..........................................................................................................24
5.3 mconf.belnet.be.................................................................................................................24
6 Interestingdocs:............................................................................................................................25
Belnet
2
1 Preparingtheserver
1.1 DomainmembershipTheserveronwhichwewillinstallshibbolethIDPneedstobeamemberofthedomain.Thiswillnotbecoveredbythisdocument.
1.2 DNSDNSresolutionshouldbeproperlyconfiguredforinternalandexternaladdresses.Alsonotcoveredinthisdocument.
1.3 NTPYouhavetomakesurethatyourserverissynchronizedwithNTP.WeadviseusingtheNTPserverofBelnet(ntp.belnet.be)
1.4 IIS(optional)WesupposethatIISRolehasalreadybeeninstalledontheserver.TherearenomoredependenciesbetweenADFSandIISsincethe2012R2release,butwewilluseittocreateaself-signedcertificate.Ifyoualreadyhaveacertificate,youcanusethisone.
1.5 ServiceaccountYouwillneedaserviceaccountinordertolaunchtheservice.
Belnet
3
2 InstallADFS3.0
Inthisdocument,wewillonlycoverthecreationofafederationserver,inanewfederationwithastandaloneserver.Ifyoualreadyhaveafederationserveractive,youprobablycanskipthispartandgodirectlytotheconfiguration.
YouwillhavetoaddtheADFSroletoyourserver.
Thenfollowtheinstructions:
Belnet
4
Noadditionalfeatureisneeded.
Belnet
5
Belnet
6
3 BeforeConfiguringADFS3.0
3.1 CertificateYouwillneedacertificatefortheADFSimplementationtowork.Inthisdocumentwewillcreateaself-signedcertificatethatwewillgeneratefromIIS8
ThiscertificatewillbeusedforaccessingtheADFSserver.YoucanalsodownloadyourowncertificatecreatedspecificallyfortheADFSimplementation.
Othercertificatewillbeautomaticallygeneratedtosignthesendingoftheattributes.
Belnet
7
4 ConfigureADFS3.0
4.1 GeneralconfigurationoftheADFSserverInordertoconfigureADFS3.0youwillneedDomainAdminrights
YoucannowgointheADFSmanagementsnap-in
YoucanstartconfiguringyourADFSserverbyclickingontheconfigurationwizard
WewillnowcreateanewfederationwithonestandaloneADFSserver
Belnet
8
Belnet
9
YoushouldseeheretheSelfSignedcertificatethatyoucreated.PleasenotethatthenameofyourserverMUSTmatchthenameinyourcertificate(actually,youcan’tchangeitanyway)
IfyouplantouseagroupManagedServiceaccount,youwillneedawin2012serverAD.Inthisdocumentwewillbeusingawindows2008R2serversowewillsimplyuseaserviceaccount.
Belnet
10
Belnet
11
Youcantesttheinstallationbyfollowingtheurlhttps://hostname/adfs/ls/idpinitiatesignon.htm
Belnet
12
Youcantestheretheauthentication.
Belnet
13
4.2 UploadyourMetadataIftheinstallationhasbeencompletedsuccessfully,togetyourmetadata,followthisURL:
https://hostname/federationmetadata/2007-06/federationmetadata.xmlwherehostnameshouldbereplacedbythenameofyourserver.
Youshouldsee:
PriortouploadyourmetadatatotheBelnetfederation,youmustcleanitupasitcontainsalotofinformationdedicatedtoMicrosoftfederation:
• Removealltagsbetween<ds:Signature…></ds:Signature>• Removealltagsbetween:<RoleDescriptorxmlns:fed….></RoleDescriptor>x2• Addscopedelement:
o <EntityDescriptorxmlns="urn:oasis:names:tc:SAML:2.0:metadata"xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"entityID="…>
o o Justafter<IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">o <Extensions><shibmd:Scope
regexp="false">ta.belnet.be</shibmd:Scope></Extensions>• Keeptherest
Youcanuploadthistohttps://federation.belnet.be
Belnet
14
4.3 ConfiguretheServiceprovider
OpentheADFSmanagementconsole:
Theserviceproviderisconfiguredunder“RelayingPartyTrust”
Inourcase,wewilladdarelayingpartytrustcalledsp.ta.belnet.be:
Belnet
15
ThebiggestproblemwithADFSisthatitcan’treadthefederatedmetadata.SoyouwillhavetogetthemetadatarelatedtoyourSP.YouwillhavetodothisforeverysingleSPyouwanttoworkwith.
Inthenextstepyoucandownloadthemetadata(eitherfromaURLorfromafile).Iwouldavoidthe“manual”part:
GiveyourSPanameandsomeinformation:
Belnet
16
YoucanconfigureMulti-FactorAuthentication.Thisisnotconveredinthisdocument.
Permitallusersbydefault:
Belnet
17
Andyou’redone(well,todefinetheSP).
Youcannowtesttheauthentication.YoushouldbeabletologinwithnoattributesbeingsenttotheSP.
Belnet
18
4.4 ConfiguretheattributereleaseNow,goandeditthe“ClaimsRules”(that’sthewayattributereleasepolicyiscalled)
Andthisiswherethefunbegins.
Clickonaddrulesinthe“IssuanceTransformRules”
Belnet
19
Thegoalistorelease3attributes:EPPN,CNandemail.Ofcourse,EPPNdoesn’texistinwindowsADFSbysotemporarilywewillusetheUPN(userprincipalname)instead.
Andofcourse,outofthebox,thoseattributeswillnotbeunderstoodbyshibbolethsowehavetoplayabit.Wewillcreate“transformrules”inordertotranslateanattributefromtheADintoanattributeknownbyShibboleth.
Belnet
20
FirstUPNtoEPPN:
Here,wetranslatetheclaimUPNintoSAMLattributewithOID1.3.6.1.4.1.5923.1.1.1.6.(Normally,yourserviceprovidershouldbeabletoprovideyouthisinformationasthoseattributemappingsaredefinedintheShibbolethSP(attribute-map.xml).“c.Value”isthevaluethatwastakenfromtheAD.
Belnet
21
Wewilldothesameformail:
Here,wetranslatetheclaimemailaddressintoSAMLattributewithOID0.9.2342.19200300.100.1.3.
Belnet
22
Andfinallythecn:
Here,wetranslatetheclaimCommonNameintoSAMLattributewithOID2.5.4.3.
FYI,someextractoftheSP“attribute-map.xml”
**************************************************************
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"> <AttributeDecoder xsi:type="StringAttributeDecoder"/> </Attribute> <Attribute name="urn:oid:2.5.4.3" id="cn"/> <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
***************************************************************
Belnet
23
Youcannowtrytologinagainandyoushouldseeyourattributes:
Belnet
24
5 Some“claimrules”forBelnetSP:
5.1 sptest.belnet.be:1) Getattribute(UPN,E-mail-Address,CommonName)2) TransformUPNtoEPPN:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
3) Transformemail
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "urn:oid:0.9.2342.19200300.100.1.3", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
4) Transformcn
c:[Type == "http://schemas.xmlsoap.org/claims/CommonName"] => issue(Type = "urn:oid:2.5.4.3", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
5.2 filesender.belnet.be
1) Getattribute(UPN,E-mail-Address,CommonName)2) TransformnamedID
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
3) TransformUPNtoEPPN: c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
4) Transformemail
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] issue(Type = "urn:oid:0.9.2342.19200300.100.1.3", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
5) Transformcn
c:[Type == "http://schemas.xmlsoap.org/claims/CommonName"] issue(Type = "urn:oid:2.5.4.3", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
5.3 mconf.belnet.be1) Getattribute(UPN,E-mail-Address,CommonName)2) TransformUPNtoEPPN:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value + “@yourdomain.be”, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] =
Belnet
25
"urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
3) Transformemail
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "urn:oid:0.9.2342.19200300.100.1.3", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
4) Transformcn
c:[Type == "http://schemas.xmlsoap.org/claims/CommonName"] => issue(Type = "urn:oid:2.5.4.3", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
6 Interestingdocs:
• https://technet.microsoft.com/en-us/library/hh831502.aspx• http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-
office-365.aspx•
