JOSSO 2.4. Ws-Federation Integration Tutorial



Similar documents
Microsoft Dynamics CRM Server 2011 software requirements

SAML Authentication within Secret Server

JOSSO 2.4. Internet Information Server (IIS) Tutorial

SAML v2.0 for.net Developer Guide

How to create a SP and a IDP which are visible across tenant space via Config files in IS

CA Nimsoft Service Desk

PARTNER INTEGRATION GUIDE. Edition 1.0

360 Online authentication

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Outlook Web Access (OWA) WS-Federation SSO with A10 Thunder Series

ADFS Integration Guidelines

Managing trust relationships with multiple business identity providers (basics) 55091A; 3 Days

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

HP Software as a Service

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

DocuSign Information Guide. Single Sign On Functionality. Overview. Table of Contents

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

1. Introduction 2. Getting Started 3. Scenario 1 - Non-Replicated Cluster 4. Scenario 2 - Replicated Cluster 5. Conclusion

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Configuring EPM System for SAML2-based Federation Services SSO

Configuring Active Directory with AD FS and SAML for Brainloop Secure Dataroom Setup Guide

AD FS 2.0 Step-by-Step Guide: Federation with Ping Identity PingFederate

Flexible Identity Federation

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Authentication and Single Sign On

SAML-Based SSO Solution

CA CloudMinder. Getting Started with SSO 1.5

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Advanced Configuration Administration Guide

Safewhere*ADFS2Logging

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

TIB 2.0 Administration Functions Overview

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Federated Identity Management Solutions

HP Software as a Service. Federated SSO Guide

SAML 2.0 SSO Deployment with Okta

Active Directory Federation Services

SAML Single-Sign-On (SSO)

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Internet Information Services Integration Kit. Version 2.4. User Guide

Web Services Security and Federated Identity Management

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

Trend of Federated Identity Management for Web Services

SAML SSO Configuration

Safewhere*Identify 3.4. Release Notes

Authentication Integration

365 Services. 1.1 Configuring Access Manager Prerequisite Adding the Office 365 Metadata. docsys (en) 2 August 2012

How To Use Saml 2.0 Single Sign On With Qualysguard

Agenda. How to configure

Getting Started with AD/LDAP SSO

OpenLogin: PTA, SAML, and OAuth/OpenID

Identity Server Guide Access Manager 4.0

Identity Providers. Technical Reference. Interactive Intelligence Customer Interaction Center (CIC) Version Last updated November 5, 2015

PHP Integration Kit. Version User Guide

SAP NetWeaver AS Java

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Single Sign On for ShareFile with NetScaler. Deployment Guide

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

CA SiteMinder. Federation Security Services Release Notes. r12.0 SP3

Enterprise Knowledge Platform

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Flexible Identity Federation

Running Multiple Shibboleth IdP Instances on a Single Host

This Working Paper provides an introduction to the web services security standards.

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Setup Guide Access Manager 3.2 SP3

Spring Security SAML module

SAML 2.0 for WIF Service Provider. Installation guideline. SAML 2.0 for WIF. Service Provider. Globeteam A/S SAML 2.0 for WIF, version 1.

Single Sign On Integration Guide. Document version:

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

SAML Federated Identity at OASIS

How To Use Netiq Access Manager (Netiq) On A Pc Or Mac Or Macbook Or Macode (For Pc Or Ipad) On Your Computer Or Ipa (For Mac) On An Ip

Extend and Enhance AD FS

OIOSAML 2.0 Toolkits Test results May 2009

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

AvePoint Meetings for SharePoint On-Premises. Installation and Configuration Guide

CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

Configuring. Moodle. Chapter 82

Copyright: WhosOnLocation Limited

ACTIVID APPLIANCE AND MICROSOFT AD FS

Single Sign-On Implementation Guide

Authentication Methods

Single Sign-On Implementation Guide

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Single Sign-On Implementation Guide

Safewhere*PasswordReset

Transcription:

JOSSO 2.4 Ws-Federation Integration Tutorial

JOSSO 2.4 : Ws-Federation Integration Tutorial

1. Introduction... 1 2. Prerequisites... 2 3. Defining Identity Appliance Elements... 3 3.1. SAML 2 Service Provider Element... 3 3.2. Ws-Federation Resource Element... 3 4. Security Token Service... 5 4.1. Deployment... 5 4.2. Web Application Configuration... 5 4.2.1. jossosts Configuration Element... 5 4.2.2. jossoagent Configuration Element... 6 4.2.3. appsettingssection id... 7 4.3. STS Federation Metadata Configuration... 8 5. Test Relaying Party... 9 iii

Chapter 1. Introduction Ws-Federation is an Identity Federation protocol supported by Windows Identity Foundation infrastructure, similar to SAML. It externalizes user access services, allowing applications integration with external authentication providers. JOSSO EE provides a Ws-Federation bridge that can be used to connect Relaying Parties (the equivalent to a SAML Service Provider in WS-Federation) with JOSSO SAML Identity Providers by adapting messages from one protocol to the other. The bridge acts as a WS Security Token Service and relies on Windows Identity Foundation to provide the necessary services. Implemented as a.net application, the bridge is deployed as an IIS application. In this example we will go through the STS Bridge install and configuration process, and we will learn how to model the corresponding elements on the Identity Appliance. Although the relaying party application is outside the scope of this tutorial, we will provide an example as reference. 1

Chapter 2. Prerequisites Before starting, make sure that the following prerequisites are meet. JOSSO 2.4.x instance: JOSSO 2 Server hosting a SAML 2 IdP. JOSSO 2.4.x STS Application distribution Working SSO environment: an already working Identity Appliance, including an Identity Provider. Windows Server 2003+: With Internet Information Server,.Net framework 3 or above and Windows Identity Foundation Certificate/Key pair to be used by the Ws-Federation services to sign messages. 2

Chapter 3. Defining Identity Appliance Elements The first step is to modify our SSO configuration, adding the required elements to enable the necessary identity services. Remember that the STS bridge will translate WS-Federation messages into SAML 2 messages, so you can connect it to any SAML IdP. For this to work, we need to define a SAML SP backed by a Ws-Federation resource (application). The two elements we need to include are: SAML Service Provider (Providers drawer) Ws-Federation Resource (Resources drawer) The SP will be connected using a Federated Connection to one or more IdPs, in our case we re using a single IdP. The Ws-Fed resource will be connected using a Service Connection to the new SAML SP. 3.1. SAML 2 Service Provider Element The SAML SP definition does not require any particular option, just configure it based on your SAML federation requirements. (i.e. bindings, profiles, certificates etc.) 3.2. Ws-Federation Resource Element The Ws-Federation resource represents the STS bridge component. SSO services running on the JOSSO side will be created to handle incoming messages from the STS side of the bridge deployed on the IIS server. We must specify the STS base URL and the Relaying Party resource URLs. Let s take a look at the element properties: Property Name Description Security Token Service Relaying Party Description The resource name, something representative of the application involved. A brief description of the resource. This is the URL that points to the STS component on the IIS server, normally https://<server>/sts This is the URL that points to the Relaying Party application, in this example https://<server>/testrp 3

Defining Identity Appliance Elements Property Signing Certificate Encryption Certificate Description Not used at the moment. Reserved for future user. The STS signing certificate Subject name (i.e. CN=My- Cert,OU=Secyrity,DC=mycompany,DC=com), Not used at the moment. Reserved for future user. The STS encryption certificate Subject name (i.e. CN=My- Cert,OU=Secyrity,DC=mycompany,DC=com), 4

Chapter 4. Security Token Service Now that we have updated our Identity Appliance, it is time to install the IIS application that works as STS bridge. The process consists of two activities: STS IIS site and application deployment: you can create a specific site for the STS application, or you can use an existing one. STS Application configuration: This step consist setting up the components that are part of the STS application. 4.1. Deployment The Ws-Federation bridge distribution file contains the STS Web Application. Create a josso folder where you want the application to be deployed, and extract the contents of the file in that location. In our example, we re using the following path: C:\inetpub\wwwroot\josso. The relaying party test application is also provided within the distribution, you can define a web application for it as well. STS Web Application Folder Now we re going to define a new application on our existing IIS site (www.mycompany.com). We re using the following base URL for: https://www.mycompany.com/sts. Make sure to configure the proper options when defining your own web application, specially the alias. In our case we will set it to STS and configure the physical path to C:\inetpub\wwwroot\josso\apps\STS. STS Web Application Definition 4.2. Web Application Configuration Now that we have the application in place, we need to configure the STS web application properties based on our current SSO deployment. First need to edit the application s configuration file: C:\inetpub\wwwroot\josso\apps\STS\Web.config and look for the following elements jossosts, and jossoagent: 4.2.1. jossosts Configuration Element The jossosts configuration element represents the component that exchanges messages with the relaying party. The following sub-elements must be configured: Element Attribute Description identityprovider partnerapplicationid The SAML SP name associated to this Ws-Federation resource jossospbindingbaseuri The SSO binding endpoint for the SP. The URL can be build using the following pattern: http[s]:// 5

Security Token Service Element Attribute Description <josso.server>[:<josso-port]/idbus/<id-appliance>/ <ws-resource-name>-ee identifierclaim type The Ws-Federation claim that will be used as user identifier roleclaim type The Ws-Federation claim that will be used as role identifier claimmapping (*) from to The reported SAML 2 claim The Ws-Federation claim used to identify the value associted with the from SAML claim basedclaimsawarewebapp validate (*) uri (*) You can have multiple entries of these elements. Let s take a look at the configuration for our current example: Set to true If you want the STS to validate the origin for Ws- Federation requests agaist this URI. Only registered URISs will be served A valid relying party URI, to be used when verifying incoming Ws-Federation messages <jossosts> <identityprovider partnerapplicationid="wsfed-app-sp" jossospbindingbaseuri="https://sso.mycompany.com/idbus/ida-wsf/wsfed- STS-BRIDGE-EE"/> <identifierclaim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ emailaddress"/> <roleclaim type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/> <claimmapping from="email" to="http://schemas.atricore.org/2011/11/identity/claims/emailurl"/> <basedclaimsawarewebapp validate="true" uri="https://www.mycompany.com/testrp/"/> </jossosts> 4.2.2. jossoagent Configuration Element The jossosts configuration element represents the component that exchanges messages with the SSO server. Element Attribute Description identityprovider partnerapplicationid The SAML SP name associated to this Ws-Federation resource 6

Security Token Service Element Attribute Description endpoint sloendpoint The SSO binding SOAP endpoint for the SP. The URL can be build using the following pattern: http[s]:// <josso.server>[:<josso-port]/idbus/<id-appliance>/ <ws-resource-name>-ee/josso/sso/redir The SSO single logout endpoint for the SP. The URL can be build using the following pattern: http[s]:// <josso.server>[:<josso-port]/idbus/<id-appliance>/ <ws-resource-name>-ee/josso/slo/redir jossospbindingbaseuri The SSO binding endpoint for the SP. The URL can be build using the following pattern: http[s]:// <josso.server>[:<josso-port]/idbus/<id-appliance>/ <ws-resource-name>-ee defaultresourceuri The default relaying party URL. Useful when using IdP initiated processes. (*) You can have multiple entries of these elements. Let s take a look at the configuration for our current example: <jossoagent> <identityprovider partnerapplicationid="testrp-sp" endpoint="https://sso.mycompany.com/idbus/ida-wsf/wsfed-sts-bridge-ee/ JOSSO/SSO/REDIR" sloendpoint="https://sso.mycompany.com/idbus/ida-wsf/wsfed-sts-bridge- EE/JOSSO/SLO/REDIR" jossospbindingbaseuri="https://sso.mycompany.com/idbus/ida-wsf/wsfed- STS-BRIDGE-EE" defaultresourceuri="https://www.mycompany.com/testrp"/> </jossoagent> 4.2.3. appsettingssection id In the application settings element, we need to configure the certificates that the STS will use to sign and encrypt Ws-Federation messages. Normally encryption is not used because all messages are exchanged using a secure channel (HTTPS/SSL). Make sure that the referred certificate and key are available in the local computer s Personal certificates store, and that the identity running the application pool for the STS application has the proper permissions over the private key (IIS Service accounts). <appsettings> <add key="issuername" value="jossosts"/> <add key="signingcertificatename" value="cn=www.mycompany.com, OU=IT, O=Atricore, L=San Francisco, S=California, C=US"/> 7

Security Token Service <add key="encryptingcertificatename" value=""/> </appsettings> Certificate Subject value Private Key permissions for IIS service user 4.3. STS Federation Metadata Configuration The final step requires the configuration of the STS metadata file. Similar to SAML, WS-Federation services also rely on metadata descriptors to exchange information among parties. To create the Metadata file, you can use an MD generator, or you can edit the file provided within the distrubution and modify the necessary elements. The file is located at josso\apps\sts\federationmetadata \2007-06, in our case the full path is C:\inetpub\wwwroot\josso\apps\STS\FederationMetadata \2007-06 When updating the provided file, you can go through the elements and update the different values according to your environment and organization details. They key elements to consider are: X509Certificate: make sure to replace the default value with the certificate you re using on your deployment. ClaimTypesOffered: list of claims you want to expose to the relaying party. SecurityTokenServiceEndpoint: in particular the Address sub-element. It must point to the STS location, in our example https://www.mycompany.com/sts PassiveRequestorEndpoint: same as SecurityTokenServiceEndpoint 8

Chapter 5. Test Relaying Party The relaying party test application (TestRP) is provided for debugging/testing purposes. You will have to go through the application s configuration files: Web.config and FederationMetadata.xml and the modify the different values based on the STS configuration. The steps are similar to those used during the STS bridge setup. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information