Checklist: Ephesoft with ADFS over SAML 2.0 with Authentication Type 2 and Multiple group Support

Ephesoft configuration with ADFS over SAML 2.0 with Authentication Type 2 and Multiple Group Support

This wiki describes the configuration that needs to be taken care of when configuring Ephesoft with ADFS over SAML 2.0 with Authentication Type 2. Authentication Type 2 means we are authenticating and authorizing using SSO, here for users who are associated with more than one group.

 

Understanding Multiple Group Support

Single Group Support means that each user is associated with only one group, and that group gets super admin rights by default, because the applicationContext-Security.xml file defines that the fetched group is assigned the super admin role. If you look at constructor-arg index="2", the value is defined as true, which means that the fetched group has super user access.

 

In Multiple Group Support, a user can be associated with more than one group, so some additional changes are needed in the configuration files to support this feature.

 

Pre-requisite:

  1. Active Directory Federation Services Installed
  2. Active Directory Installed.
  3. Ephesoft Transact 4.5.0.0 or onwards Installed
  4. The files mentioned in the Checklist: Ephesoft with ADFS over SAML 2.0 with Authentication Type 2 article are understood and already configured.

 

Configuration Files Required

  1. The files already listed in the wiki article Checklist: Ephesoft with ADFS over SAML 2.0 with Authentication Type 2.
  2. application.properties file

 

Checklist components:


Existing Configuration:


Additional changes:

web.xml

  • Uncomment the multi-group functionality section in web.xml.
  • In AdminGroups and OperatorGroups, add the names of the groups to which you want to give the Administrator and Operator roles respectively.
  • If you have more than one group, separate the groups with a comma (,).
  • Make sure you change groupNameDelimiter from semicolon (;) to comma (,).

 

Note:

  1. Admin Groups are not Super Admin Groups here. The difference is that a Super Admin group has access to all pages, including the System Configuration page, whereas an Admin group does not have access to the System Configuration page. Make sure you provide only Admin group names here and not Super Admin group names.
  2. Sample configuration file can be downloaded from here.

application.properties

  • This file is used to define the Super Admin group names.
  • To give the super admin role to more than one group, separate the groups with a double semicolon (;;).
  • Two properties require a change: user.super_admin, where we define the super admin groups, and update_super_admin_group, where the flag needs to be changed to true.
  • As shown in the screenshot below, we are providing Super Admin access to users who are part of the Ephesoft-SystemAdministrator and Ephesoft-TestSuperAdmin groups.

 

Note:

  1. Sample configuration file can be downloaded from here.

applicationContext-Security.xml

  • The only change required in this XML file is to set <constructor-arg index="2" value="false"/> in the epheSamlFilter bean, or to leave the value blank: <constructor-arg index="2" value=""/>

Note:

  1. Sample configuration file can be downloaded from here.

 

Once the above changes are completed, restart the Ephesoft service. Ephesoft is then integrated with Multi Group Support.
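
One way to check the three files against this checklist before restarting the service, as an added example that is not Ephesoft's own code. It assumes the web.xml settings appear as param-name/param-value pairs and that the bean is declared with id="epheSamlFilter"; the function names, the group Ephesoft-Admins and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):  # drop any XML namespace prefix
    return tag.rsplit("}", 1)[-1]

def web_params(web_xml):
    """param-name -> param-value for every such pair in web.xml (assumed layout)."""
    out = {}
    for el in ET.fromstring(web_xml).iter():
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        if "param-name" in kids:
            out[kids["param-name"]] = kids.get("param-value", "")
    return out

def properties(text):
    """key -> value for key=value lines, skipping comment lines."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(web_xml, app_props, security_xml):
    """Return a list of findings; an empty list means the checklist is met."""
    w, p, findings = web_params(web_xml), properties(app_props), []
    supers = {g.strip() for g in p.get("user.super_admin", "").split(";;") if g.strip()}
    admins = {g.strip() for g in w.get("AdminGroups", "").split(",") if g.strip()}
    if w.get("groupNameDelimiter") != ",":
        findings.append("groupNameDelimiter is not a comma")
    if not supers:
        findings.append("user.super_admin lists no groups")
    if p.get("update_super_admin_group", "").lower() != "true":
        findings.append("update_super_admin_group is not true")
    for g in sorted(supers & admins):  # Note 1: keep super admins out of AdminGroups
        findings.append(f"super admin group {g} is also in AdminGroups")
    for bean in ET.fromstring(security_xml).iter():
        if _local(bean.tag) == "bean" and bean.get("id") == "epheSamlFilter":
            for arg in bean:
                if arg.get("index") == "2" and arg.get("value", "") not in ("", "false"):
                    findings.append("epheSamlFilter constructor-arg index 2 is not false/blank")
    return findings

# Constructed sample inputs with three deliberate mistakes (not Ephesoft's shipped files).
WEB = """<web-app><filter>
<init-param><param-name>AdminGroups</param-name><param-value>Ephesoft-Admins,Ephesoft-TestSuperAdmin</param-value></init-param>
<init-param><param-name>groupNameDelimiter</param-name><param-value>;</param-value></init-param>
</filter></web-app>"""
PROPS = """user.super_admin=Ephesoft-SystemAdministrator;;Ephesoft-TestSuperAdmin
update_super_admin_group=true"""
SEC = '<beans><bean id="epheSamlFilter"><constructor-arg index="2" value="true"/></bean></beans>'
if __name__ == "__main__":
    print("\n".join(audit(WEB, PROPS, SEC)))
```
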