Ephesoft Transact Configuration with ADFS over SAML 2.0
This article provides details related to configuring Ephesoft Transact with ADFS over SAML 2.0.
Checklist Components:
Server.xml
(http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)
- Configure an HTTPS connector on port 8443
- Comment out the plain-HTTP connector on port 8080
- Restart the Ephesoft Transact service. Verify that the server is reachable over https.
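The two server.xml changes above can be verified mechanically before restarting the service. The following checker is an example added to this article, not Ephesoft's own code: it parses a server.xml and reports when the 8443 connector is missing or not marked as SSL, or when the 8080 connector is still active. The embedded server.xml is a constructed sample that follows the Tomcat 7 SSL how-to linked above (the keystore path and password in it are placeholders).

```python
"""Check a Tomcat server.xml against the checklist: HTTPS connector on 8443
active, plain-HTTP connector on 8080 commented out.
Example code added to this article; the server.xml below is a constructed
sample, not the file shipped with Ephesoft Transact."""
import xml.etree.ElementTree as ET

# Constructed sample: 8080 wrapped in an XML comment, 8443 HTTPS connector active.
# keystoreFile / keystorePass are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/ephesoft.jks" keystorePass="changeit" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def active_connectors(server_xml):
    """Return {port: attributes} for every Connector that is not commented out.
    ElementTree drops XML comments while parsing, so a connector wrapped in
    <!-- --> never shows up here, which is the state the checklist wants for 8080."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): dict(c.attrib) for c in root.iter("Connector")}


def check_tls_only(server_xml):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings = []
    connectors = active_connectors(server_xml)
    https = connectors.get("8443")
    if https is None:
        findings.append("no active connector on port 8443")
    else:
        # These three attributes are what make Tomcat treat the connector as HTTPS.
        for attr, want in (("SSLEnabled", "true"), ("scheme", "https"), ("secure", "true")):
            if https.get(attr, "").lower() != want:
                findings.append("8443 connector: %s should be %r, got %r" % (attr, want, https.get(attr)))
        if not https.get("keystoreFile"):
            findings.append("8443 connector: keystoreFile is not set")
    if "8080" in connectors:
        findings.append("plain-HTTP connector on 8080 is still active; comment it out")
    return findings


if __name__ == "__main__":
    # On a real server: check_tls_only(open(r"C:\Ephesoft\JavaAppServer\conf\server.xml").read())
    for line in check_tls_only(SAMPLE_SERVER_XML) or ["OK: HTTPS-only on 8443"]:
        print(line)
```

Point it at the real server.xml by reading the file instead of the sample string; the path in the `__main__` comment is an assumed install location, not one taken from this article.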
application-context.xml
(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2016/11/EEN-223-Support-SAML-v2.pdf&hl=en ) Refer to Section application-context.xml
- Uncomment <import resource="classpath:/META-INF/applicationContext-security.xml" /> in the application-context.xml file
web.xml
(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf&hl=en) Refer to section Configure ADFS Server
- Uncomment the springSecurityFilterChain filter and its filter mapping.
- Comment out the sessionTimeoutFilter and its filter mapping
- Comment out the SessionTimeoutServlet and its Servlet Mapping
- Comment out all security-constraint and login-config nodes
- Place authentication filter and its filter mapping below springSecurityFilterChain
- Change the logout URL so that it points to the correct port and URL
- Select the appropriate value for the authenticationType bean: 1 for authentication only, 2 for authentication and authorization.
- Restart the Ephesoft Transact service after making the change
Active Directory Federation Services
(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf&hl=en) (Refer to section Configure ADFS Server)
- Test ADFS Sign On Link: https://<<domainname>>/adfs/ls/idpinitiatedsignon
- Download the Ephesoft metadata file from the Ephesoft server: open https://localhost:8443/dcma/saml/metadata on your Ephesoft server and copy the file to the ADFS server.
- ADFS configuration:
  - Go to ADFS Management -> Relying Party Trust -> Import the Ephesoft metadata file.
  - Add Claim Rules
  - Double-click the Relying Party Trust -> Go to Advanced and change the secure hash algorithm to SHA-1.
  - Go to ADFS Management -> Certificates -> Export all the certificates in DER format.
applicationContext-security.xml
(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf&hl=en) Refer to section Configure Ephesoft Transact, Step 3 onwards
- Open https://<<domainname>>/FederationMetadata/2007-06/FederationMetadata.xml, download the ADFS metadata file, and save it in the security folder.
- Change the constructor arguments for epheSamFilter bean
- Make changes in metaDataFilter Bean and metaData filter.
Import ADFS certificates into samlKeystore.jks file
(https://docs.google.com/viewerng/viewer?url=https://ephesoft.com/docs/wp-content/uploads/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf&hl=en) Follow Step 4 under section “Configure Ephesoft Transact”
- Use keytool import command to import the certificate
Tomcat-users.xml
- If authenticationType is set to 1, make sure to add the username and roleName with which your user will be authorized to the tomcat-users.xml file.
Important Links:
- Test ADFS login using the link below, changing the domain name to your FQDN: https://<<domainname>>/adfs/ls/idpinitiatedsignon
- Ephesoft metadata URL: https://localhost:8443/dcma/saml/metadata
- Keytool importcert command: keytool.exe -importcert -alias adfssigning -keystore C:\Ephesoft\Application\WEB-INF\classes\security\samlKeystore.jks -file <<Location of ADFS Cert>>
- ADFS metadata xml: https://<<domainname>>/FederationMetadata/2007-06/FederationMetadata.xml where domain name is FQDN.
- You may have to modify the hosts file to resolve the ADFS DNS name
Some useful troubleshooting steps:
- Make sure the unique identifier is the same in Ephesoft and ADFS
- ADFS rule names can be extracted as follows:
  - Click on the Relying Party Trust
  - Edit Claim Rules
  - Click the rule that you wish to configure in the epheSamFilter bean in the applicationContext-security.xml file
  - Click Edit Rule and then View Rule Language
  - Copy the rule language from the window that opens
- Ensure the signature Algorithm is set to SHA-1.
- Ensure entityId and entityBaseURL are correctly configured in the metadataGeneratorFilter bean.
- Ensure that end-points in ADFS are correctly configured.
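Most of the troubleshooting points above are mismatches between what the Ephesoft SP metadata advertises and what was entered on the ADFS side. The following script is an example added to this article, not Ephesoft's or Microsoft's code: it parses the SP metadata (the document served at /dcma/saml/metadata) and the ADFS FederationMetadata.xml, then compares them with the relying-party identifier, endpoint list and signature algorithm read off ADFS Management, and prints the ADFS signing-certificate fingerprint in the form `keytool -list -v` shows so the samlKeystore.jks import can be confirmed. Both metadata documents, the hostnames, and the X509Certificate values are constructed samples (the certificate bytes are placeholders, not real certificates).

```python
"""Cross-check Ephesoft SP metadata against ADFS federation metadata and the
values configured in ADFS Management. Example code added to this article;
all metadata, hostnames and certificate bytes below are constructed samples."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # the algorithm this checklist sets in ADFS

# Constructed SP metadata in the shape Spring Security SAML serves at /dcma/saml/metadata.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ephesoft.example.local:8443/dcma/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ephesoft.example.local:8443/dcma/saml/SSO" index="0" isDefault="true"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ephesoft.example.local:8443/dcma/saml/SingleLogout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the shape of ADFS FederationMetadata.xml.
# The X509Certificate values are placeholder bytes, not real certificates.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.local/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CgsMDQ4P</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate> AAECAwQFBgcICQ== </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.local/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoints(parent, tag):
    return {e.get("Binding"): e.get("Location") for e in parent.findall("md:" + tag, NS)}


def parse_sp(xml_text):
    """entityID plus ACS and SLO endpoints keyed by binding."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {"entity_id": root.get("entityID"),
            "acs": _endpoints(sp, "AssertionConsumerService"),
            "slo": _endpoints(sp, "SingleLogoutService")}


def parse_idp(xml_text):
    """entityID, SSO endpoints and the base64 DER of every signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = [c.text.strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"          # no 'use' attribute means both uses
             for c in kd.iter("{%s}X509Certificate" % NS["ds"])]
    return {"entity_id": root.get("entityID"),
            "sso": _endpoints(idp, "SingleSignOnService"), "signing_certs": certs}


def fingerprint(b64_der, algo="sha256"):
    """Colon-separated fingerprint of a base64 DER certificate, as keytool -list prints it,
    so it can be compared with the adfssigning entry in samlKeystore.jks."""
    digest = hashlib.new(algo, base64.b64decode(b64_der)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_trust(sp, idp, adfs_identifiers, adfs_endpoints, entity_base_url, adfs_sig_alg):
    """Return findings; an empty list means the SP and ADFS sides agree.
    adfs_identifiers / adfs_endpoints / adfs_sig_alg are read off the relying party trust in ADFS Management."""
    findings = []
    if sp["entity_id"] not in adfs_identifiers:
        findings.append("relying party identifier in ADFS does not match SP entityID %s" % sp["entity_id"])
    for kind in ("acs", "slo"):
        for location in sp[kind].values():
            if not location.startswith(entity_base_url + "/"):
                findings.append("%s endpoint %s is not under entityBaseURL %s" % (kind, location, entity_base_url))
            if not location.startswith("https://"):
                findings.append("%s endpoint %s is not https" % (kind, location))
            if location not in adfs_endpoints:
                findings.append("%s endpoint %s is not configured on the ADFS relying party" % (kind, location))
    if HTTP_POST not in sp["acs"]:
        findings.append("SP has no HTTP-POST AssertionConsumerService")
    if HTTP_POST not in idp["sso"]:
        findings.append("ADFS metadata has no HTTP-POST SingleSignOnService")
    if not idp["signing_certs"]:
        findings.append("ADFS metadata carries no signing certificate to import into samlKeystore.jks")
    if adfs_sig_alg != RSA_SHA1:
        findings.append("ADFS signature algorithm is %s; this checklist expects SHA-1" % adfs_sig_alg)
    return findings


if __name__ == "__main__":
    sp, idp = parse_sp(SP_METADATA), parse_idp(IDP_METADATA)
    for cert in idp["signing_certs"]:
        print("ADFS signing cert SHA-256:", fingerprint(cert))   # compare with keytool -list -v
    problems = check_trust(sp, idp, {sp["entity_id"]},
                           set(sp["acs"].values()) | set(sp["slo"].values()),
                           "https://ephesoft.example.local:8443/dcma", RSA_SHA1)
    print("\n".join(problems) or "SP and ADFS configuration agree")
```

On a live system, replace the two sample strings with the downloaded files, and pass the identifier, endpoint list and secure hash algorithm exactly as shown on the relying party trust's Identifiers, Endpoints and Advanced tabs; the script only flags disagreements, it does not change anything.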
Sample PDF Files:
The following is a list of sample files for reference: