6. IDP integration guide

This chapter provides step-by-step guides for basic configuration of SAML Extension with specific IDP products. Integration can be further configured with settings discussed in previous chapters.

6.1 Active Directory Federation Services 2.0 (ADFS)

ADFS 2.0 supports SAML 2.0 in IDP mode and can be integrated with SAML Extension for both SSO and SLO. Before starting with the configuration make sure that the following prerequisites are satisfied:

  • Install AD FS 2.0 (http://www.microsoft.com/en-us/download/details.aspx?id=10909)

  • Run AD FS 2.0 Federation Server Configuration Wizard in the AD FS 2.0 Management Console

  • Make sure that the DNS name of your Windows Server resolves from your SP and vice versa

  • Install a Java container (e.g. Tomcat) for deployment of the SAML 2 Extension

  • Configure your container to use HTTPS; AD FS requires it (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html)

6.1.1 Initialize IDP metadata

  • Download AD FS 2.0 metadata from https://server/FederationMetadata/2007-06/FederationMetadata.xml

  • Store the downloaded content to saml2-sample/WEB-INF/src/main/resources/security/FederationMetadata.xml

  • Modify the metadata bean in securityContext.xml: replace classpath:security/idp.xml with classpath:security/FederationMetadata.xml and set property metadataTrustCheck to false to skip signature validation of the metadata. With the trust check disabled the file is accepted exactly as downloaded, so fetch it only over HTTPS from the AD FS server and review the signing certificates and endpoints it contains before deploying it:

    <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    	<constructor-arg>
    		<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
    			<constructor-arg>
    				<value type="java.io.File">classpath:security/FederationMetadata.xml</value>
    			</constructor-arg>
    			<property name="parserPool" ref="parserPool"/>
    		</bean>
    	</constructor-arg>
    	<constructor-arg>
    		<bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
    	</constructor-arg>
    	<property name="metadataTrustCheck" value="false"/>
    </bean>
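A script for the download and review step above, added here as an example; it is not part of the reference manual or of the Spring SAML project. The AD FS host name adfs.example.local and the output path C:\temp are assumptions, and the final cross-check against the token-signing certificate only runs where the AD FS 2.0 snap-in is installed (i.e. on the AD FS server itself).

```powershell
# Added example, not from the Spring SAML reference: fetch the AD FS 2.0 metadata
# and record what the SP is about to trust before metadataTrustCheck is set to false.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$adfsHost = "adfs.example.local"                  # assumption: your AD FS server
$out      = "C:\temp\FederationMetadata.xml"      # assumption: where the copy is kept
$url      = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# HTTPS only; WebClient validates the server certificate chain and fails on an untrusted one.
$raw = (New-Object System.Net.WebClient).DownloadString($url)
[System.IO.File]::WriteAllText($out, $raw)

[xml]$md = $raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

"entityID : " + $md.DocumentElement.GetAttribute("entityID")

# Signing certificate(s) published in the IDPSSODescriptor; more than one appears during rollover.
$certNodes = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
foreach ($n in $certNodes) {
    $bytes = [Convert]::FromBase64String($n.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    "signing cert: {0}  thumbprint {1}  expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}

# Endpoints the SP will send AuthnRequests and LogoutRequests to.
$md.SelectNodes("//md:IDPSSODescriptor/md:SingleSignOnService | //md:IDPSSODescriptor/md:SingleLogoutService", $ns) |
    ForEach-Object { "{0,-20} {1}  {2}" -f $_.LocalName, $_.GetAttribute("Binding"), $_.GetAttribute("Location") }

# An unsigned document has nothing left protecting it once the SP stops checking signatures.
$sig = $md.SelectSingleNode("/md:EntityDescriptor/ds:Signature", $ns)
if ($sig -eq $null) { Write-Warning "metadata is not signed" }

# On the AD FS server: the published signing certificate must be the primary token-signing certificate.
if (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue) {
    $primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    "AD FS primary token-signing thumbprint: " + $primary.Thumbprint
}
```

Compare the thumbprint printed from the metadata with the one shown by the AD FS console (or by the last block when run on the server) before copying the file into the SP; a mismatch means the document was not produced by the AD FS instance you think it was.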

6.1.2 Initialize SP metadata

  • Deploy SAML 2 Extension war archive from saml2-sample/target/spring-security-saml2-sample.war

  • Open a browser at e.g. https://server:port/spring-security-saml2-sample; make sure to use the HTTPS protocol, since the endpoint URLs in the automatically generated metadata document are derived from the request

  • Click Metadata information and select the item with your server name in the Service providers list

  • Store the content of the Metadata field to a file metadata.xml and copy it to the AD FS server

  • In AD FS 2.0 Management Console select "Add Relying Party Trust"

  • Select "Import data about the relying party from a file", select the file created earlier and press Next

  • The system may complain that some content of the metadata is not supported; you can safely ignore this warning

  • Continue with the wizard; on the "Ready to Add Trust" page make sure that the Endpoints tab contains multiple endpoint values. If it does not, verify that your metadata was generated with the https protocol in its URLs

  • Leave "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard

  • Select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next

  • Enter NameID as "Claim rule name", choose "Active Directory" as Attribute store, "SAM-Account-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type"; finish the wizard and confirm the claim rules window

  • Open the relying party by double-clicking it, select the Advanced tab and change "Secure hash algorithm" to SHA-1. AD FS 2.0 defaults to SHA-256 and SHA-1 is a deprecated algorithm, so keep this setting only for as long as the SP cannot verify SHA-256 signatures
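The same relying party trust created from the AD FS 2.0 PowerShell snap-in instead of the wizard, added here as an example; it is not part of the reference manual or of the Spring SAML project. The trust name "Spring SAML sample" and the path C:\temp\metadata.xml are assumptions. The claim rule is the one the "Send LDAP Attributes as Claims" template generates for SAM-Account-Name to Name ID, and the script adds the HTTPS check that the wizard only hints at through the Endpoints tab.

```powershell
# Added example, not from the Spring SAML reference: register the SP as a relying party
# trust, add the NameID claim rule and set the signature algorithm from PowerShell.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "Spring SAML sample"      # assumption: display name of the trust
$spMeta = "C:\temp\metadata.xml"    # assumption: metadata.xml saved from the SP

# Refuse SP metadata whose endpoints are not HTTPS; AD FS would import a trust it cannot use.
[xml]$sp = Get-Content $spMeta
$ns = New-Object System.Xml.XmlNamespaceManager($sp.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$acs = $sp.SelectNodes("//md:SPSSODescriptor/md:AssertionConsumerService", $ns)
if ($acs.Count -eq 0) { throw "no AssertionConsumerService in SP metadata" }
foreach ($e in $acs) {
    $loc = $e.GetAttribute("Location")
    if ($loc -notlike "https://*") { throw "non-HTTPS endpoint in SP metadata: $loc" }
}

# Same rule the wizard builds from "Send LDAP Attributes as Claims": sAMAccountName -> Name ID.
$transform = @'
@RuleTemplate = "LdapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# The wizard adds "Permit all users" for you; a trust created from PowerShell has no
# authorization rule and denies everyone until one is set. Scope this to a group in production.
$authz = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-ADFSRelyingPartyTrust -Name $rpName -MetadataFile $spMeta `
    -IssuanceTransformRules $transform -IssuanceAuthorizationRules $authz

# Equivalent of Advanced -> "Secure hash algorithm" = SHA-1 (AD FS 2.0 defaults to SHA-256).
# Only downgrade when the SP cannot verify SHA-256 signatures, and revert once it can.
Set-ADFSRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Show what was created; Identifier is the entityID taken from the SP metadata.
Get-ADFSRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, SignatureAlgorithm, Enabled
```

Running the script twice fails on Add-ADFSRelyingPartyTrust because the identifier already exists; remove the trust with Remove-ADFSRelyingPartyTrust -TargetName $rpName first, or switch the Add to Set-ADFSRelyingPartyTrust to update the rules of an existing trust.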

6.1.3 Test SSO

Open the SAML Extension at https://localhost:8443/spring-security-saml2-sample, select your AD FS server and press Login. In case the Artifact binding is used and the SSL/TLS certificate of your AD FS server is not already trusted, you have to import it into samlKeystore.jks by following the instructions in the error report.