Converting to https for ADFS


Nick Chng

Feb 4, 2022, 2:02:27 PM
to QATrack+
Hi folks,

How straightforward is it to convert to https?

We've been running with "normal" http site on Windows for a few years, but I want to start using ADFS. Following the instructions, it seems like the site has to be in https mode for this to work, but simply changing the site to https is more complicated than setting the "HTTP_OR_HTTPS" flag (because that's not working for me).

Is there anything else that needs to be done?

Thanks,
Nick

tbe...@gmail.com

Feb 11, 2022, 2:39:45 AM
to QATrack+
Hi,

I don't use ADFS but getting QATrack+ to use https is a webserver thing (as far as I remember, it's been some years since I set up QATrack+). If you are using IIS you have to enable https with a valid certificate ( https://docs.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis ) and I would also recommend to redirect all HTTP traffic to HTTPS ( https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httpredirect/ ).

regards

Thomas

Nick Chng

Feb 11, 2022, 12:19:18 PM
to QATrack+
Thanks - appreciate the help, I think I got it working with a self-signed certificate (at least the website responds to https://myserver)

I'm probably just confused, but instructions in the documentation on ADFS seem to conflict... on the ADFS 3.0 configuration page it says use "qatrackplus" for the relying_party_id and audience, viz:

RELYING_PARTY_ID: Use the Relying Party Identifier you set above e.g. qatrackplus. To double check this setting open a PowerShell window and enter:

but back on the "Configuring QATrack+ to use ADFS" it indicates that the full server URL should be used. 

    AUTHENTICATION_BACKENDS = [
        'qatrack.accounts.backends.QATrackAccountBackend',
        'qatrack.accounts.backends.QATrackAdfsAuthCodeBackend',
    ]

    # AD FS settings.
    AUTH_ADFS = {
        "SERVER": "some.adfs.server.com",
        "CLIENT_ID": "qatrackplus",
        "RELYING_PARTY_ID": "https://your.qatrackserver.com",
        "AUDIENCE": "https://your.qatrackserver.com",
        "CLAIM_MAPPING": {
            "first_name": "given_name",
            "last_name": "family_name",
            "email": "email",
        },
        "USERNAME_CLAIM": "winaccountname",
        "GROUPS_CLAIM": "group",
    }

I'm just going to go through the various permutations and hope for the best.  Unfortunately I can't play around on the ADFS server side because that's all controlled by hospital IT which makes this whole process a bit painful.

Cheers,
Nick

Nick Chng

Feb 11, 2022, 6:34:06 PM
to QATrack+
Would also appreciate knowing if you need to install the LDAP packages and set configuration in local settings for ADFS, or if that's separate.

Nick Chng

Feb 11, 2022, 8:28:15 PM
to QATrack+
Ok, got to the point where my QATrack landing page gives me the option for single sign on.  However, when I click it it just thinks for a while then does nothing.  No errors.

The auth log records this, in case this means anything to anyone.  IT department swears up and down that they followed the docs, and sent me screenshots of the powershell checks which do look like "qatrackplus" is a bona fide clientId with the correct redirectURI for my test server.

Auth log dump below, in case this means anything to anyone... I'm giving up for now, thanks folks.

-N

[11/Feb/2022 16:35:56] INFO [django_auth_adfs:234] Trying to get OpenID Connect config from https://my.adfs_server.org/adfs/.well-known/openid-configuration?appid=qatrackplus
[11/Feb/2022 16:35:56] INFO [django_auth_adfs:221] django_auth_adfs loaded settings from ADFS server.
[11/Feb/2022 16:35:56] INFO [django_auth_adfs:222] operating mode:         openid_connect
[11/Feb/2022 16:35:56] INFO [django_auth_adfs:223] authorization endpoint: https://my.adfs_server.org/adfs/oauth2/authorize/
[11/Feb/2022 16:35:56] INFO [django_auth_adfs:224] token endpoint:         https://my.adfs_server.org/adfs/oauth2/token/
[11/Feb/2022 16:35:56] INFO [django_auth_adfs:225] end session endpoint:   https://my.adfs_server.org/adfs/oauth2/logout
[11/Feb/2022 16:35:56] INFO [django_auth_adfs:226] issuer:                 http://my.adfs_server.org/adfs/services/trust

Randle Taylor

Feb 15, 2022, 9:54:04 AM
to Nick Chng, QATrack+
Hi Nick,

Sorry you're having trouble getting ADFS working.   It's definitely possible there's an issue with the docs or the backend as it has not had any attention from anyone other than the first time I wrote it/tested it.

The relying party identifiers on your ADFS server and your QATrack+ configuration do need to match, so that seems like an issue with the documentation and would definitely cause an issue with the sign on.  I don't *think* it matters whether you use a url or just "qatrackplus", as long as the identifier is unique and matches on both sides.

If you can't get that working, the more traditional Active Directory backend (https://docs.qatrackplus.com/en/stable/install/authentication_backends.html#active-directory) is in use by many departments.  It's not quite as seamless as SSO with ADFS, but at least users don't need a new password for QATrack+.

Randy

To view this discussion on the web visit https://groups.google.com/d/msgid/qatrack/16af0e79-8bb5-4b8b-bb39-88e064b41ea8n%40googlegroups.com.

Nick Chng

Mar 15, 2022, 6:52:01 PM
to QATrack+
I've finally got this working, thanks to a lot of help from Randy in private emails.  I wanted to summarize what (may) be needed in addition to what's described in the documentation in case this helps others looking to do this.

Note this is specific to a windows/IIS/CherryPy stack.
  1. ADFS server configuration
    1. Important that the redirect URI matches the server name exactly.  I ran into issues because the redirect URI that the host hospital IT set up used a fully qualified domain name (e.g. https://myserver.domain.com, and my server was just running on the hostname https://myserver)
    2. Note that supporting ADFS/SSO seems to require that the site be using https (at least at my institution) so be ready for this
  2. The local_settings.py file needed to include the following, so the redirect URI sent to ADFS is correct
    1. SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
      HTTP_OR_HTTPS = 'https'  # when using https/ssl for your site
  3. IIS
    1. The Application Request Routing had to be configured as follows
      1. ARR -> Server Proxy Settings... ->  *uncheck* Reverse rewrite host in response headers
    2. To switch to HTTPS, in the 'QATrack Static' site, set SSL settings to Require SSL.  Added a binding to the site to a self-signed certificate.  I assume you can replace this with a properly issued certificate to avoid the browser warnings, but I haven't got this far yet.
    3. In the server's URL Rewrite configuration, also need to add a new server variable "HTTP_X_FORWARDED_PROTO" with value "HTTPS"
Good luck, and happy to be corrected if anyone manages to do this without the steps above.

Nick

Randle Taylor

Mar 18, 2022, 11:20:01 AM
to QATrack+
Thank you to Nick for many emails back and forth and persevering to get this working and writing up his findings!

Randy

Revo Liias

Apr 10, 2022, 6:51:15 AM
to QATrack+
> In the server's URL Rewrite configuration, also need to add a new server variable "HTTP_X_FORWARDED_PROTO" with value "HTTPS"

In the URL Rewrite rule, the HTTP_X_FORWARDED_PROTO value must be in lower case, like "https".

[attachment: IIS_value.PNG]

Otherwise, ADFS issued an error message:

[attachment: ADFS_error.PNG]

Maybe it's related to how the local_settings.py values are defined.
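The scheme problem behind step 2 of Nick's summary and the lower-case note above can be reproduced offline. The following is an added example, not code from QATrack+, django_auth_adfs or anyone in this thread: it re-implements the exact-match rule that Django's HttpRequest.scheme applies to SECURE_PROXY_SSL_HEADER, and shows which redirect_uri an OIDC client built on build_absolute_uri() would send to ADFS for each X-Forwarded-Proto value and host name. The callback path /oauth2/callback, the host names and the registered redirect URI are assumptions chosen for illustration, and the comparison in matches_registered() is this example's own check, not a statement about how ADFS compares redirect URIs internally.

```python
"""Added example: how the X-Forwarded-Proto server variable set in IIS URL
Rewrite decides the scheme Django puts into the redirect_uri sent to ADFS.
Stand-alone re-implementation of Django's HttpRequest.scheme logic; not
Django, not QATrack+, not django_auth_adfs. Paths and hosts are assumed."""

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The setting from Nick's local_settings.py: (WSGI header name, value that
# means "the proxy terminated TLS"). Django compares the value exactly.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

# Assumed callback path for the auth-code flow (illustration only).
CALLBACK_PATH = "/oauth2/callback"


@dataclass
class Request:
    """Minimal stand-in for the WSGI request CherryPy hands to Django.

    `meta` models the WSGI environ: an IIS URL Rewrite server variable named
    HTTP_X_FORWARDED_PROTO shows up as META['HTTP_X_FORWARDED_PROTO'].
    """
    host: str
    meta: dict = field(default_factory=dict)

    def scheme(self) -> str:
        # Mirrors django.http.HttpRequest.scheme: the header is trusted when
        # SECURE_PROXY_SSL_HEADER is set, only the first hop's value counts,
        # and the comparison is exact (so "HTTPS" does NOT mean secure).
        header, secure_value = SECURE_PROXY_SSL_HEADER
        value = self.meta.get(header)
        if value is not None:
            first, *_ = value.split(",", 1)
            return "https" if first.strip() == secure_value else "http"
        return "http"  # CherryPy behind ARR only ever sees plain HTTP

    def is_secure(self) -> bool:
        return self.scheme() == "https"

    def build_absolute_uri(self, path: str) -> str:
        return f"{self.scheme()}://{self.host}{path}"


def redirect_uri_for(request: Request) -> str:
    """redirect_uri the client would put in the ADFS authorize request
    (assumes the client derives it from build_absolute_uri, as Django
    OIDC clients commonly do)."""
    return request.build_absolute_uri(CALLBACK_PATH)


def matches_registered(request: Request, registered: str) -> bool:
    """This example's check: scheme, host and path must all agree with what
    was registered on the ADFS side, which is why both the scheme and the
    short-vs-FQDN host name in Nick's step 1 matter."""
    got, want = urlsplit(redirect_uri_for(request)), urlsplit(registered)
    return (got.scheme, got.netloc.lower(), got.path) == (
        want.scheme, want.netloc.lower(), want.path)


# Constructed sample requests; the registered URI is an assumed ADFS setting.
REGISTERED = "https://myserver/oauth2/callback"

CASES = {
    "no forwarded header": Request("myserver"),
    "value HTTPS (upper case)": Request("myserver", {"HTTP_X_FORWARDED_PROTO": "HTTPS"}),
    "value https (lower case)": Request("myserver", {"HTTP_X_FORWARDED_PROTO": "https"}),
    "FQDN host, lower case": Request("myserver.domain.com", {"HTTP_X_FORWARDED_PROTO": "https"}),
}

if __name__ == "__main__":
    for label, req in CASES.items():
        uri = redirect_uri_for(req)
        print(f"{label:26} -> {uri:42} match={matches_registered(req, REGISTERED)}")
```

Two practical points follow from this. First, SECURE_PROXY_SSL_HEADER makes Django trust the header unconditionally, so the proxy must set (overwrite) X-Forwarded-Proto on every request rather than pass through whatever a client sent; the URL Rewrite server-variable step does exactly that, and the rewrite rule should not be bypassable for requests that reach CherryPy by another route. Second, the match is an exact string compare, so "HTTPS" on the IIS side yields an http:// redirect_uri, which the ADFS server then rejects against an https:// registration, consistent with the error Revo saw.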