Ephesoft Transact Configuration with ADFS over SAML 2.0

Ephesoft Transact Configuration with ADFS over SAML 2.0

This article provides details related configuring Ephesoft Transact with ADFS over SAML 2.0.

Checklist Components:

Server.xml

(http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)

  • Configure connection port 8443
  • Comment connection port 8080
  • Restart the Ephesoft Transact service. Verify that the server is operable on https.

application-context.xml

(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2016/11/EEN-223-Support-SAML-v2.pdf&hl=en ) Refer to Section application-context.xml

  • Uncomment <import resource=”classpath:/META-INF/applicationContext-security.xml” /> from application-context.xml file

web.xml

(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf&hl=en) Refer to section Configure ADFS Server

  • Uncomment the springSecurityFilterChain filter and its filter mapping.
  • Comment out the sessionTimeoutFilter and its filter mapping
  • Comment out the SessionTimeoutServlet and its Servlet Mapping
  • Comment out all security-constraints and
  • Comment login-config nodes
  • Place authentication filter and its filter mapping below springSecurityFilterChain
  • Make change in logout URL  to point it to correct port and URL
  • select appropriate value for authenticationType bean:  1 for authentication only, 2 for authentication & authorization.
  • Restart the Ephesoft Transact service after making the change

Active Directory Federation Services

(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf&hl=en) (Refer to section Configure ADFS Server)

  • Test ADFS Sign On Link: https://<<domainname>>/adfs/ls/idpinitiatedsignon
  • Download ephesoft metadata file from Ephesoft Server: Hit https:localhost:8443/dcma/saml/metadata url on your ephesoft server and copy the file to ADFS server.
  • ADFS configuration:
  •  Go To ADFS Management -> Relying Party Trust -> Import the ephesoft metaDataURL file.
  •  Add Claim Rules
  •  Double click on relying party Trust -> Go To Advance and change security to SHA-1.
  •  Go to ADFS Management-> Certificates -> Export all the certificates in DER format.

applicationContext-security.xml

(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf&hl=en)Refer to section Configure Ephesoft Transact Step 3 onwards

  • Hit https://<<domainname>>/FederationMetadata/2007-06/FederationMetadata.xml and get the ADFS metadata file and save it in security folder.
  • Change the constructor arguments for epheSamFilter bean
  • Make changes in metaDataFilter Bean and metaData filter.

Import ADFS certificates into samlKeystore.jks file

(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf&hl=en) Follow Step 4 under section “Configure Ephesoft Transact”

  • Use keytool import command to import the certificate

Tomcat-users.xml

  • If you have authenticationType, set to 1 then make sure to add the username and roleName in tomcat-users.xml file with which your user will be authorized.

Important Links:

Some useful troubleshooting steps:

  • Make sure the unique identify is same in Ephesoft and ADFS
  • ADFS Rule names can be extracted from
    • Click on Relying party Trust
    • Edit Claim Rules
    • Click the rule that you wish to configure in epheSamFilter bean in applicationContext-security.xml file
    • Click Edit Rule and then view rule language.
    • Get the rule language from the window open    
  • Ensure the signature Algorithm is set to SHA-1.
  • Ensure entityId and entityBaseURL is correctly configured in metadataGeneratorFilter Bean.
  • Ensure that end-points in ADFS are correctly configured.

Sample Files:

The following is a list of sample files for reference: