Using SimpleSAMLphp to Authenticate against ADFS 2.0 IdP

28,355 views

Florian Beer

May 22, 2012, 9:52:27 AM5/22/12
to simple...@googlegroups.com
Hello,
I've spent hours reading docs & searching the web, but although I'm not new to SSO implementations in general, I can't figure out how to get SimpleSAMLphp to talk to an ADFS 2.0 IdP. Can someone please fill me in on what steps need to be taken and what information exactly I need from the identity service provider, so I can at least test my configuration with the provided test site (simplesaml/module.php/core/authenticate.php)?

Did I miss any documentation on this topic, or is it really the case that most of the docs are written with far too much knowledge about that particular framework implied, so it's utterly impossible to produce a working example for someone who isn't a contributor to SimpleSAMLphp?

Just for clarification my set up is as follows:
- PHP Application on local server
- Microsoft ADFS 2.0 Authentication on a remote server (Microsoft Active Directory)
- My Application needs to authenticate users with the remote service and be able to retrieve permissions to use for the local webapp

Or maybe someone can point me to a simple example to accomplish this without the need for a bloated framework like SimpleSAMLphp which offers far too much functionality that I don't need. Would it be advisable to just program everything myself using SOAP requests to the service? (If so, does Microsoft have a decent documentation for their protocol and how to call it without using any .Net language?)

Thanks for any possible answer, tip or encouragement ... I'm really starting to pull my hair out over this and losing hope,
Florian

Chrys31

May 22, 2012, 10:54:51 AM5/22/12
to simpleSAMLphp
Hi Florian,

I speak French and my English is very bad but I will try to help you.
I assume simplesaml is installed and configured on your web server
Apache (www.mysite.com) and ADFS2 is installed on your federation
server (www.myadfs.com).

Open a browser and go to URL http://www.myadfs.com/Federationmetadata/2007-06/FederationMetadata.xml
Save as FederationMetadata.xml.

Open a browser and go to https://www.mysite.com/simplesaml/
Select Federation tab
Click on Convert XML Metadata to simpleSAML.php
Paste the content of the previous file (FederationMetadata.xml)
Click on Analyse
On saml20-idp-remote section, select all text and copy it
Edit the file <document_root>/simplesamlphp/metadata/saml20-idp-remote.php (save a copy like saml20-idp-remote.bak)
Delete all text between <?php … ?> (keep "<?php" and "?>")
Paste the previously selected text between "<?php" and "?>"
Under the 'entityid' line, add the following line: 'sign.logout' => TRUE,
Save saml20-idp-remote.php

Edit the file
in the $config array add an entry like
'myauth' => array(
    'saml:SP',
    'idp' => 'http://www.myadfs.com/adfs/services/trust',
    'privatekey' => '001-mysite.key',
    'certificate' => '001-mysite.crt',
),

On ADFS server, open the ADFS 2.0 console
Go to Approbation relationship, and Relying party approbation.
Click on Add approbation
Click on Start
Enter the following address: https://www.mysite.com/simplesaml/module.php/saml/sp/metadata.php/myauth
Click on OK.
Enter the application name.
Click on Next.
Click on Authorize user access to this relying party.
Click on Next.
Click on Next.
Click on Close.
Add and configure all the rules you need.
Click on OK.
The new relying party is added.
Double click on it.
On advanced tab, set the hash algorithm to SHA-1.
Click on OK.

Regards,

Chrys.

Chrys31

May 22, 2012, 10:59:18 AM5/22/12
to simpleSAMLphp
Oops!
The second file to edit is <document_root>/simplesamlphp/config/authsources.php

Chrys

On 22 May, 16:54, Chrys31 <wilfrid.lef...@gmail.com> wrote:
> Hi Florian,
>
> I speak French and my English is very bad but I will try to help you.
> I consider simplesaml is installed and configured on your web server
> Apache (www.mysite.com) and ADFS2 is installed on your federation
> server (www.myadfs.com).
>
> Open a browser and go to URL http://www.myadfs.com/Federationmetadata/2007-06/FederationMetadata.xml
> Save as FederationMetadata.xml.
>
> Open a browser and go to https://www.mysite.com/simplesaml/

Florian Beer

May 23, 2012, 4:18:39 AM5/23/12
to simple...@googlegroups.com
Wow, thank you very much Chrys!
That cleared a bunch of things up for me. I guess with your explanation my local part is configured correctly, now all I have to do is get the IdP to accept my requests. At the moment their service tells me: "An error occurred during the return of an error to the SAML Service Provider", but I'll let the guys on the other end figure that one out.

May I ask how you happened to come across this knowledge?
I combed through the SimpleSAMLphp documentation for hours but couldn't figure all this stuff out. Did I miss anything or is there maybe a better documentation/HOWTO somewhere else?

Thanks,
Flo

Thijs Kinkhorst

Oct 3, 2012, 5:39:45 AM10/3/12
to simple...@googlegroups.com, Gabriel Bider
Hi Gabriel,

On Wed, 3 Oct 2012 02:25:56 -0700 (PDT), Gabriel Bider <enda...@gmail.com> wrote:
> I appreciate your help Chrys!
>
> Followed your guide and now I'm stuck on the certificates part. How do I
> generate 001-mysite.key and crt files?

An example of how to generate the certificates is in the manual:
http://simplesamlphp.org/docs/1.10/simplesamlphp-sp#section_1_1


Cheers,
Thijs

--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236

adam_j_bradley

Mar 27, 2013, 4:49:48 AM3/27/13
to simple...@googlegroups.com
Hope you got this to work! Ping me if you have any questions.

//Adam

Djazz

Apr 24, 2013, 5:39:12 AM4/24/13
to simple...@googlegroups.com
Hi guys,

I'm trying to make an SSP authentication with an ADFS 2.0 IdP work.

I've followed Chrys's tutorial, and it almost works fine, but I have an issue with the NameIDPolicy.
When I set the NameIDPolicy to any URI in the authsources.php configuration file, I get an error in the SAML POST request (Error 500) as the URI seems to be incorrect. I tried every URL mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/4038.ad-fs-2-0-how-to-request-a-specific-name-id-format-from-a-claims-provider-cp-during-saml-2-0-single-sign-on-sso.aspx
And when I set the NameIDPolicy to NULL in the authsources.php, I also get an error in the SAML POST (Error 303) as ADFS 2.0 waits for a NameIDPolicy.

Does anyone have any information on this?

Thanks
Kind regards
Djazz

oli laurel

Jul 3, 2013, 2:05:22 PM7/3/13
to simple...@googlegroups.com
hi,

did you find any solution for the issue with the NameIDPolicy?
We ran into the same problem.

thx oli

oli laurel

Jul 3, 2013, 2:07:41 PM7/3/13
to simple...@googlegroups.com
hi,

did you find any solution for your issue with NameIDPolicy?
We got the same problem.

Sebastien B.

Jul 5, 2013, 2:33:02 AM7/5/13
to simple...@googlegroups.com
Hello,

In my current setup (bidirectional trust with ADFS 2.0) I declared the ADFS IdP in the authsources.php file as follows:

// example ADFS auth source
'ADFS_IDP' => array(
    'saml:SP',
    'entityID' => 'https://ssp.mydomain.com',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    'privatekey' => 'mykey.pem',
    'certificate' => 'mycertificate.crt',
    'authproc' => array(
        59 => array('class' => 'saml:NameIDAttribute', 'format' => '%V', 'attribute' => 'uid'),
        // convert all attributes to OID notation (works better with oiosaml-like filters)
        93 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
),

On the ADFS side, make sure that you add at least 2 claim rules for the SSP relying party:

1) Send LDAP attributes as claims (there is a claims rule template for that and you just select the attributes you want to send to SSP from the AD), for example PPID and/or samAccountName.
2) Transform PPID to UID (select the "transform an incoming claim" rule template and transform one of the attributes you fetch from the AD (for example PPID); make sure you transform it to the Name ID type and specify the type (persistent, transient, etc.)).

This is what I had to do in order to make sure ADFS includes a subject/NameID in the SAML assertion.

HTH

Sébastien

trekd...@gmail.com

Sep 12, 2013, 11:44:31 AM9/12/13
to simple...@googlegroups.com
Would anyone be able to explain how the certs should look in this case? I noticed that authsources.php doesn't seem to provide the ability to define the certificate that your ADFS server uses for token signing and encryption. I still receive:

Encountered error during federation passive sign-in using SSO token.
Exception details:
Microsoft.IdentityServer.Web.SingleSignOnTokenException: MSIS7006: The single sign on token is not valid.
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

and

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'http://sp.domain.local/simplesaml/module.php/saml/sp/metadata.php/ADFS-SP' could not be located.
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ValidateSignatureRequirements(SamlMessage samlMessage)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

Thanks!

trekd...@gmail.com

Sep 12, 2013, 12:07:59 PM9/12/13
to simple...@googlegroups.com
Resolved this by addressing the SP with https. I now receive:

Unable to validate Signature

0: /usr/share/simplesamlphp/lib/SAML2/Utils.php:104 (SAML2_Utils::validateSignature)
1: /usr/share/simplesamlphp/lib/SAML2/Assertion.php:507 (SAML2_Assertion::validate)
2: /usr/share/simplesamlphp/modules/saml2/lib/Message.php:190 (sspmod_saml2_Message::checkSign)
3: /usr/share/simplesamlphp/modules/saml2/lib/Message.php:708 (sspmod_saml2_Message::processResponse)
4: /usr/share/simplesamlphp/modules/saml/www/sp/saml2-acs.php:50 (require)
5: /usr/share/simplesamlphp/www/module.php:135 (N/A)

A bit more informative, but I still don't understand where I should be defining this. I see mentions of modifying saml20-idp-remote.php, but I thought this file was to be maintained as simply the metadata contents of my IdP.


Sebastien B.

Sep 13, 2013, 1:49:07 AM9/13/13
to simple...@googlegroups.com
Hello,

First of all, which scenario are you trying to achieve? ADFS IdP for SimpleSAMLphp (SSP) or the other way round?

ADFS IdP: you have to declare the remote IdP in the saml20-idp-remote.php file.
ADFS SP: you have to declare the remote SP in the saml20-sp-remote.php file.

Be aware of the fact that ADFS metadata are not only "SAML-centric" (they contain WS-Fed metadata, etc., which sometimes does not do well with the metadata parser).

Also, in ADFS, you have to declare either a relying party (ADFS IdP) or a claims provider (ADFS SP) by importing SSP's metadata.

Hope this helps,

Sébastien
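As an added illustration of the conversion step Chrys describes (FederationMetadata.xml to saml20-idp-remote.php, plus the hand-added 'sign.logout' line) and of Sébastien's caveat that ADFS metadata carries WS-Federation roles next to the SAML one, here is a small Python script that is not part of SimpleSAMLphp or ADFS. It takes only the IDPSSODescriptor, keeps the token-signing and encryption certificates by their `use`, counts and skips the WS-Fed RoleDescriptor, and renders the entry in the SimpleSAMLphp metadata array format. The metadata document, host name www.myadfs.com and certificate bodies are constructed placeholders.

```python
"""Pull the SAML 2.0 IdP role out of an ADFS FederationMetadata.xml and render
the saml20-idp-remote.php entry SimpleSAMLphp needs.  Added example, not code
from SimpleSAMLphp or Microsoft; the metadata below is constructed, with a
placeholder host name and placeholder certificate bodies."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape ADFS publishes: a WS-Federation RoleDescriptor
# (irrelevant to a SAML SP) sits next to the IDPSSODescriptor we actually need.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://www.myadfs.com/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-ENCRYPTION-CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-TOKEN-SIGNING-CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://www.myadfs.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://www.myadfs.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.myadfs.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_adfs_metadata(xml_text):
    """Return only the SAML 2.0 IdP facts the SP needs; WS-Fed roles are counted and skipped."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity does not act as a SAML 2.0 IdP")
    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # 'use' is optional in the schema; a key without it serves both purposes
            certs[kd.get("use", "both")] = "".join(cert.text.split())
    return {
        "entityid": root.get("entityID"),
        "SingleSignOnService": {s.get("Binding"): s.get("Location")
                                for s in idp.findall("md:SingleSignOnService", NS)},
        "SingleLogoutService": {s.get("Binding"): s.get("Location")
                                for s in idp.findall("md:SingleLogoutService", NS)},
        "NameIDFormats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "certs": certs,
        "skipped_wsfed_roles": len(root.findall("md:RoleDescriptor", NS)),
    }


def _php_endpoints(key, endpoints):
    out = ["    '%s' => array(" % key]
    for i, (binding, location) in enumerate(endpoints.items()):
        out.append("        %d => array('Binding' => '%s', 'Location' => '%s')," % (i, binding, location))
    out.append("    ),")
    return out


def to_idp_remote_php(meta):
    """Render a $metadata entry in the SimpleSAMLphp saml20-idp-remote.php format,
    including the 'sign.logout' line Chrys adds by hand after converting."""
    lines = ["$metadata['%s'] = array(" % meta["entityid"],
             "    'entityid' => '%s'," % meta["entityid"],
             "    'sign.logout' => TRUE,"]
    lines += _php_endpoints("SingleSignOnService", meta["SingleSignOnService"])
    lines += _php_endpoints("SingleLogoutService", meta["SingleLogoutService"])
    lines.append("    'keys' => array(")
    for i, (use, cert) in enumerate(meta["certs"].items()):
        lines += ["        %d => array(" % i,
                  "            'encryption' => %s," % str(use in ("encryption", "both")).lower(),
                  "            'signing' => %s," % str(use in ("signing", "both")).lower(),
                  "            'type' => 'X509Certificate',",
                  "            'X509Certificate' => '%s'," % cert,
                  "        ),"]
    lines += ["    ),", ");"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_idp_remote_php(parse_adfs_metadata(SAMPLE_METADATA)))
```

Run it against a real FederationMetadata.xml by replacing SAMPLE_METADATA with the file's contents; the 'signing' => true key it emits is the token-signing certificate the SP later uses to validate the Response signature, so an "Unable to validate Signature" error usually means this entry is absent or belongs to a rotated certificate.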

Janeil Williams

Sep 25, 2013, 10:48:13 AM9/25/13
to simple...@googlegroups.com
Most of the documentation here is using ADFS as the IdP and SimpleSAML as the Service Provider. How does one configure the reverse? What I currently have is:

1. SimpleSAML configured as a Claims Provider in ADFS using its metadata XML.
2. The ADFS converted metadata (Service Provider metadata) added to the saml20-sp-remote file.

I presume this configuration should give me what I hope to achieve. However, on being redirected to the SimpleSAML authentication page and logging in, I'm then redirected to https://hostname/adfs/ls/ which has an error. It seems the claims are not being passed back to ADFS after authentication. Has anyone tried using ADFS as the service provider in this setup?

Sebastien B.

Sep 25, 2013, 11:33:45 AM9/25/13
to simple...@googlegroups.com
Hello,

In my lab, I achieved bidirectional trust. It means that SSP and ADFS are Service Providers and Identity Providers at the same time (to cover different use cases). Therefore it is possible.

You should check the Event viewer logs for ADFS in order to understand what the problem is. Every error should be logged there and usually the messages are quite clear. 

Hope this helps,

Sébastien

Janeil Williams

Sep 25, 2013, 11:38:55 AM9/25/13
to simple...@googlegroups.com
Hello,
 
Thanks for your response. Did you use the converted XML as is? Additionally, did you also pass through the claims in ADFS management?
 
Regards.


--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/groups/opt_out.

Sebastien B.

Sep 25, 2013, 1:19:30 PM9/25/13
to simple...@googlegroups.com
Hello,

If I recall correctly, I did not need to change the ADFS XML. It might need a little cleaning because ADFS metadata also contains the WS-Fed metadata.
SSP's XML should be imported in ADFS without any problem through the wizards.

To solve the Name ID problem sent by ADFS, yes, I had to pass through all claim values.

Regards,

Sébastien

Yugandhar Bandi

Nov 6, 2013, 9:25:13 AM11/6/13
to simple...@googlegroups.com
Hi Chrys,

Thank you very much for this useful post. I followed your steps and was able to set up SAML - ADFS connectivity. But I have a custom requirement. I am using SAML in my Moodle application. Once I enable simplesaml, I get an SSO login button. Once the user clicks on it, it redirects to the ADFS login screen, where the user enters his credentials, and on validation the user is redirected back to the Moodle application. But my requirement is that the login should happen in my Moodle login screen itself, instead of redirecting the user. Please share your thoughts on where I should begin ... any info will be of great help.

Thank you in advance,
Yugandhar Bandi.

Peter Schober

Nov 6, 2013, 9:38:03 AM11/6/13
to simple...@googlegroups.com
* Yugandhar Bandi <yrb...@paexskin.com> [2013-11-06 15:26]:
> But my requirement is that the login should happen in my moodle
> login screen itself, instead of redirecting the user.

That's not possible (or sensible) with SAML WebSSO, independently of
the SP or IdP implementation.
SAML was created to avoid the resource (Moodle in this case) ever
seeing your credentials, not to provide Yet Another Way to do that
(i.e., LDAP, RADIUS, etc.).

So you cannot sensibly require both SAML at the same time.
You can have people choose one or the other, though. But if they choose
something that initiates a SAML protocol exchange, that will be an HTTP
redirect or POST somewhere else, not a local forms-based login.
-peter

Tom Scavo

Nov 6, 2013, 9:38:12 AM11/6/13
to simpleSAMLphp
On Wed, Nov 6, 2013 at 9:25 AM, Yugandhar Bandi <yrb...@paexskin.com> wrote:
>
> ... my requirement is that
> the login should happen in my moodle login screen itself, instead of
> redirecting the user.

If I'm understanding you correctly, that's not a reasonable
requirement in *any* environment. The whole point of SAML Web Browser
SSO is the redirect to the user's familiar IdP login interface. If
you replicate it (or actually try to present that login interface using
cutting-edge client-side browser technology), it reduces the
application to phishing. I don't think you want to do that :-)

Tom

JDS

May 29, 2014, 4:34:04 PM5/29/14
to simple...@googlegroups.com
Hi. This reply is a bit late, so sorry if you've worked this out already.

"my requirement is that the login should happen in my moodle login screen itself"

As others have stated, SSO won't work for this. If this truly is your requirement, use the Moodle LDAP authentication plugin.

Thanks,
JDS

Manuel Roldan-Vega

Aug 29, 2014, 3:58:59 PM8/29/14
to simple...@googlegroups.com
I'm pretty new to SimpleSAMLphp. I'm working on configuring SimpleSAMLphp as the SP and authenticating against ADFS (IdP), but I don't know where I configure the claims map on the SimpleSAMLphp side. Any help would be appreciated.

thanks, 
M. 

Richard Cesar

Aug 29, 2014, 4:16:43 PM8/29/14
to simple...@googlegroups.com
Hey Manuel,

I am rather new to simpleSAML (and SAML altogether) myself, and had to put together a similar situation the other day. That is, SP-initiated SSO with simpleSAML
being the SP, and the IdP being an ADFS (LDAP backed I believe). I may be a dummy, but it took me a while to deduce that "Claims" and the claim language has nothing
to do with SAML really, and that SAML uses no such language formally. SimpleSAML simply refers to these as the more formal SAML-specific "Attributes",
and what you're looking for is PROBABLY what they call "Auth Proc Filters" (https://simplesamlphp.org/docs/stable/simplesamlphp-authproc)

Hopefully this helps,
Richard



Manuel Roldan-Vega

Aug 29, 2014, 5:08:30 PM8/29/14
to simple...@googlegroups.com
thank you Richard. I'll review the documentation relevant to AuthProcs. 

Jude Felix

May 7, 2016, 9:59:36 AM5/7/16
to SimpleSAMLphp
Hi All,

I am all new to SAML and simplesamlphp. I have been trying to set up simplesamlphp as SP with ADFS (IdP) but have not been successful yet.

I have updated the authsources.php file as shown below:
    'default-sp' => array(
        'saml:SP',
        'entityID' => null,

        // I created certificates using openssl and stored them in the simplesamlphp/cert folder
        'privatekey' => 'saml.key',
        'certificate' => 'saml.pem',

        'idp' => 'http://domain/adfs/services/trust', // No https
        'discoURL' => null,
        'sign.logout' => TRUE,
        'redirect.sign' => TRUE,
        'assertion.encryption' => TRUE,
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ),

In simplesaml I went to the Federation tab, converted the FederationMetadata.xml received from the ADFS admin and included that in metadata/saml20-idp-remote.php, and I also shared the SP metadata with the ADFS admin (configured in ADFS)...
The ADFS admin also sent me a token-signing certificate (.cer). What do I need to do with this, and how do I use it in simplesamlphp?

Now I am getting the exception below. I am currently not doing anything with the self-signed token-signing certificate sent by the ADFS admin.
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:179 (N/A)
Caused by: sspmod_saml_Error: Responder

Kindly help, I have been stuck with this for quite some time and am not able to close it.

Lewis Roberts

May 11, 2016, 5:22:31 PM5/11/16
to SimpleSAMLphp

Hi Jude (I resisted the urge to say Hey Jude, oh wait, damnit!)

It's tough to say what's causing your problem but I wanted to post back to you to clarify your question about the token signing certificate provided to you by the ADFS admin. Typically this information is already made available to you from the FederationMetadata.xml file. If you open the .cer file they provided in a text editor and compare its content with your saml20-idp-remote.php file, you'll see the certificate is already there under 'signing' => true, so you don't need to do anything specific with it.

That said, to be compatible with SimpleSAMLphp, the ADFS server needs to send specific claims to SimpleSAMLphp for it to process the authentication.

The claim rule language is:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");


I've also attached an image which you can share with the ADFS admin. I tried to attach it in-line but I've no idea what has happened to it.

As a little further help, I've written up an article for integrating SimpleSAMLphp with ADFS 2012R2 which is likely to be of interest to both you and the ADFS admin.

http://www.lewisroberts.com/2015/09/06/integrating-simplesamlphp-with-adfs-2012r2/

Hope it's helpful

Lewis
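The NameID problem runs through several posts above: Djazz's NameIDPolicy errors, Sébastien's two claim rules that make ADFS put a Subject/NameID in the assertion, and Lewis's transform rule issuing a transient nameidentifier. As an added diagnostic example (Python, not SimpleSAMLphp code), the script below classifies a SAML Response the way the saml:SP auth source would experience it: an IdP-side status other than Success (surfacing as "sspmod_saml_Error: Responder"), an assertion without NameID (no transform rule on ADFS), or a NameID whose Format does not match the configured NameIDFormat. It assumes the Response has already been signature-checked and decrypted by the SP; the responses, host names and ACS URL are constructed.

```python
"""Classify why a SimpleSAMLphp saml:SP auth source would not get a usable
subject from an ADFS SAML Response.  Added example, not SimpleSAMLphp code;
the Response documents below are constructed, unsigned skeletons and assume
signature validation and decryption have already happened."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


def _response(status, subject_xml=""):
    """Constructed Response in the shape ADFS posts to the SP's ACS endpoint.
    A non-Success status carries no Assertion, as in a real Responder error."""
    assertion = ""
    if status == "Success":
        assertion = """
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-05-07T09:59:36Z">
    <saml:Issuer>http://www.myadfs.com/adfs/services/trust</saml:Issuer>
    %s
    <saml:AttributeStatement>
      <saml:Attribute Name="%s">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>""" % (subject_xml, UPN_CLAIM)
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2016-05-07T09:59:36Z"
    Destination="https://sp.example.test/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp">
  <saml:Issuer>http://www.myadfs.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:%s"/></samlp:Status>%s
</samlp:Response>""" % (status, assertion)


# Constructed samples for the cases discussed in the thread.
NO_NAMEID = _response("Success")  # ADFS without a NameID transform rule
TRANSIENT_NAMEID = _response("Success",
    '<saml:Subject><saml:NameID Format="%s">_7c1d0f2a</saml:NameID></saml:Subject>' % TRANSIENT)
NO_FORMAT_NAMEID = _response("Success",
    '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>')
RESPONDER_ERROR = _response("Responder")  # what SSP reports as sspmod_saml_Error: Responder


def check_name_id(response_xml, expected_format):
    """Return a short verdict on the subject the SP would extract."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return "idp-error"            # ADFS refused the request; check its event log
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return "no-plain-assertion"   # e.g. an EncryptedAssertion that was not decrypted
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return "nameid-missing"       # needs an ADFS rule issuing the nameidentifier claim
    fmt = name_id.get("Format", UNSPECIFIED)   # SAML 2.0: absent Format means unspecified
    return "ok" if fmt == expected_format else "nameid-format-mismatch"


def claims(response_xml):
    """Attributes keyed by ADFS claim URI, as a SimpleSAMLphp AttributeMap filter sees them."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return out


if __name__ == "__main__":
    for label, doc in [("no NameID", NO_NAMEID), ("transient NameID", TRANSIENT_NAMEID),
                       ("NameID without Format", NO_FORMAT_NAMEID), ("Responder", RESPONDER_ERROR)]:
        print("%-22s -> %s" % (label, check_name_id(doc, TRANSIENT)))
```

The "nameid-format-mismatch" verdict is the case behind Djazz's report: the SP's NameIDFormat (or NameIDPolicy) and the Format ADFS writes into the claim property must agree, which is what the `claimproperties/format` value in Lewis's rule fixes on the ADFS side.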

Alejandro Decchi

Nov 17, 2016, 3:26:47 AM11/17/16
to SimpleSAMLphp
Hi Chrys,
I am trying to configure media wiki with Microsoft ADFS.
Here in your explanation you said "Enter the following address: https://www.mysite.com/simplesaml/module.php/saml/sp/metadata.php/myauth".
Can you explain to me what that URL is? Because I put "https://www.mediawikiserver.com/simplesaml/module.php/saml/sp/metadata.php/myauth" and the simplesaml web page says "Page not found".
Thank you


Peter Schober

Nov 17, 2016, 4:23:31 AM11/17/16
to SimpleSAMLphp
Alejandro,

* Alejandro Decchi <ade...@gmail.com> [2016-11-17 09:26]:
> Can you explain me what is that url ? because i put "
> https://www.mysite.com/simplesaml/module.php/saml/sp/metadata.php/myauth "
> and simplesaml web page inform "Page not found"

You're replying to a 4 year old thread and nothing in your question
has any relation to MS-ADFS.
If you want to know where to get SAML 2.0 metadata for your
installation, use the documentation or just go to the admin web UI (at
the SSP base URL) and you'll find a URL to your metadata in the
"federation" tab.
-peter