ADFS configure LDAP Attributes for SSO


patrick...@gmail.com

Nov 16, 2017, 8:13:18 AM
to OpenOLAT
Hello Frentix,

I've configured the LDAPS user sync for OpenOLAT on the latest version (12.1.3) and it works fine. My goal is to implement SSO; for that I have to get the authorisation right with OAuth2 on my ADFS (Windows Server 2016, ADFS stands). At the moment I get the following error from OpenOLAT:
error=invalid_resource&error_description=MSIS9602: The received 'resource' parameter is invalid. The authorization server can not find a registered resource with the specified identifier.&client-request-id=1da88fb5-5ed2-49f1-cc00-0080010000ca
There are 3 questions for me to answer:

1. My OpenOLAT has no SSL (HTTPS) so far (I will do that later). Is it possible to do an OAuth authorisation without it? I would say yes, but I'm not sure...
2. Which LDAP attributes are required and what are their outgoing claims? (In the attachment: the attributes and claims I tried.)
3. Do I need to configure a rule "Transform an Incoming Claim"?


I would be very pleased to hear from you.

Best Regards

Patrick Würmli

ATTRIBUTES.png

patrick...@gmail.com

Nov 22, 2017, 5:16:55 AM
to OpenOLAT
Meanwhile I configured a self-signed HTTPS certificate for my server, but the error still occurs. I don't know what the client-request-id=1da88fb5-5ed2-49f1-cc00-0080010000ca is and where it comes from.
I didn't find any helpful information for the error code MSIS9602.
In the olat.local.properties I found these lines, which must specify the outgoing claims:
 
ldap.attributename.useridentifyer=sAMAccountName
ldap.attributename.email=mail
ldap.attributename.firstName=givenName
ldap.attributename.lastName=sn
 
So I guess the following has to be the right configuration?

LDAP Attribute      | Outgoing Claim
--------------------|---------------
SAM-Account-Name    | sAMAccountName
Given-Name          | givenName
Surname             | sn
E-Mail-Addresses    | email


For helpful comments I would be very thankful.

Patrick Würmli

Florian Gnägi

Nov 30, 2017, 2:50:36 AM
to open...@googlegroups.com
Hi Patrick

OAuth SSO is something that does not work out of the box; there are many configs and options that need to fit. Best is to use the debugger to see what exactly OpenOLAT gets from the server, to see what is wrong.

In the OpenOLAT code the resource is constructed from: 

String resource = Settings.getServerContextPathURI();

So, if the resource on your side is garbage, you probably have an invalid configuration for your server name and port in the olat.local.properties. Make sure you have

server.domainname=a.valid.domain.with.proper.ssl.certificate
server.port.ssl=443

Also make sure you have OpenOLAT deployed in the root context of your app server.


Cheers
Florian

--
--
You receive this message because you are a member of the Google
Groups group "OpenOLAT".
To post to this group, send an email
to open...@googlegroups.com
To unsubscribe from this group, send an email to
openolat+u...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/openolat?hl=de
-------------------------------------------------------------------------------------------------------------------
OpenOLAT - infinite learning - http://www.openolat.org

---
You received this message because you are subscribed to the Google Groups "OpenOLAT" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openolat+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Florian Gnägi, Geschäftsführer
Hardturmstrasse 76
CH-8005 Zürich, Switzerland


--------------------------------------------------------------------
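The reply above says the OAuth2 `resource` is built from Settings.getServerContextPathURI(), which in turn depends on server.domainname, server.port.ssl and the deployment context; ADFS then answers MSIS9602 when that string is not a registered relying party identifier. The following is an added example (not OpenOLAT or ADFS code, and not posted by anyone in the thread) that models this in Python so the value OpenOLAT will send can be computed from the properties and compared against the identifiers registered in ADFS. Assumptions: the URI is built as scheme://domainname[:port]/context with the port omitted when it is the scheme default, ADFS matches identifiers by exact string comparison, and all hostnames, ports, the client_id and the registered identifier are constructed sample data.

```python
"""Added example: reproduce the OAuth2 'resource' lookup that yields MSIS9602.

Assumed (not taken from OpenOLAT or ADFS source): the resource is
scheme://server.domainname[:port]/<context-path>, the port is dropped when it
is the scheme default, and ADFS compares that string exactly against the
identifiers registered on its relying party trusts.
"""
from urllib.parse import urlencode, urlsplit

# Text taken from the error quoted in the thread.
MSIS9602 = ("MSIS9602: The received 'resource' parameter is invalid. The "
            "authorization server can not find a registered resource with the "
            "specified identifier.")


def server_context_path_uri(props: dict, context_path: str = "") -> str:
    """Mimic Settings.getServerContextPathURI() from olat.local.properties values
    (assumed behaviour). A root deployment gives an empty context path."""
    domain = props["server.domainname"]
    ssl_port = props.get("server.port.ssl")
    if ssl_port:
        scheme, port, default = "https", int(ssl_port), 443
    else:
        scheme, port, default = "http", int(props.get("server.port", "8080")), 80
    authority = domain if port == default else f"{domain}:{port}"
    return f"{scheme}://{authority}{context_path.rstrip('/')}"


def build_authorize_url(adfs_host: str, client_id: str, redirect_uri: str,
                        resource: str) -> str:
    """Authorization request the browser is redirected to (ADFS 2016 code flow,
    /adfs/oauth2/authorize with the extra 'resource' parameter)."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "resource": resource})
    return f"https://{adfs_host}/adfs/oauth2/authorize?{query}"


def adfs_resolve_resource(resource: str, registered: set) -> tuple:
    """Exact-string lookup (assumed): a different scheme, host, port or a
    trailing slash is a miss and produces the invalid_resource error."""
    if resource in registered:
        return True, resource
    return False, f"error=invalid_resource&error_description={MSIS9602}"


def diagnose(props: dict, context_path: str, registered: set) -> tuple:
    """Return (ok, resource OpenOLAT would send, nearest registered identifier).

    The nearest identifier is one registered for the same hostname, so the
    operator can see which part (port, scheme, path) differs.
    """
    resource = server_context_path_uri(props, context_path)
    ok, _ = adfs_resolve_resource(resource, registered)
    if ok:
        return True, resource, resource
    host = urlsplit(resource).hostname
    near = next((r for r in registered if urlsplit(r).hostname == host), None)
    return False, resource, near


if __name__ == "__main__":
    # Constructed sample data: a relying party registered for the public name.
    registered = {"https://olat.example.ch"}
    # Misconfigured properties: internal host name and non-default SSL port.
    bad = {"server.domainname": "olat-test", "server.port.ssl": "8443"}
    print(diagnose(bad, "", registered))
    # Corrected properties: public name, port 443, root context.
    good = {"server.domainname": "olat.example.ch", "server.port.ssl": "443"}
    print(diagnose(good, "", registered))
    print(build_authorize_url("adfs.example.ch", "sample-client-id",
                              "https://olat.example.ch/", "https://olat.example.ch"))
```

Running `diagnose()` with the misconfigured properties yields `https://olat-test:8443`, which no relying party trust knows, while the corrected properties yield exactly the registered `https://olat.example.ch`. Deploying under a non-root context (for example `/olat`) changes the identifier to `https://olat.example.ch/olat`, so either the identifier registered in ADFS must include that path or OpenOLAT must sit in the root context, as the reply recommends.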


Florian Gnägi

Nov 30, 2017, 3:01:34 AM
to open...@googlegroups.com
For the ADFS user mapping please have a look at the code in ADFSProvider.java.

ADFS OAuth is something that we normally configure for our clients, and that always involves specific adjustments because it depends on the client's infrastructure.

The general LDAP setup can be configured easily in the olat.local.properties; the ADFS setup is not that flexible, there is no configuration to adjust the user properties mapping. You cannot simply apply the LDAP config to ADFS. In your infrastructure, the LDAP and ADFS are probably the same, however for OpenOLAT the LDAP module and the ADFS module have nothing in common. We have many setups where we use ADFS but no LDAP at all, because users are either generated on the fly or are generated using the REST API.

It is totally separate. Thus, the assumption that the LDAP configuration could be applied to ADFS is wrong; it is independent.

Have a look at ADFSProvider.java, look at the getUser() method on line 102:


Cheers
Florian
