Checklist : Ephesoft with ADFS over SAML 2.0

This page lists the configuration that has to be in place when Ephesoft is fronted by ADFS over SAML 2.0: the Tomcat connector, the Spring security context, web.xml, the ADFS relying party trust, and the SAML keystore. Each section points to the Ephesoft document that describes the step in full.

Checklist components:

Server.xml

(http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)

  • Configure the HTTPS connector on port 8443 with a keystore that holds the server certificate, as described in the Tomcat SSL how-to above.
  • Comment out the plain HTTP connector on port 8080. The SAML response and the Ephesoft session cookie must only be accepted over TLS, and every URL Ephesoft publishes in its SAML metadata must be the https one.
  • Restart the Ephesoft service and verify that the application works over https on port 8443 and that port 8080 no longer answers.

application-context.xml

(https://ephesoft.com/docs/wp-content/uploads/sites/11/2016/11/EEN-223-Support-SAML-v2.pdf) Refer to the section application-context.xml

  • Uncomment <import resource="classpath:/META-INF/applicationContext-security.xml" /> in application-context.xml so that the SAML security context is loaded.

web.xml

(https://ephesoft.com/docs/wp-content/uploads/sites/11/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf) Refer to the section Configure ADFS Server

  • Uncomment the springSecurityFilterChain filter and its filter-mapping.
  • Comment out the sessionTimeoutFilter and its filter-mapping.
  • Comment out the SessionTimeoutServlet and its servlet-mapping.
  • Comment out all security-constraint and login-config nodes. Container-managed (Tomcat) authentication is replaced by the SAML filter chain; if these nodes stay active, Tomcat challenges for its own credentials in front of the SSO redirect.
  • Place the authentication filter and its filter-mapping below springSecurityFilterChain. Filters run in the order of their filter-mapping elements, so the SAML filter must come first and establish the principal before the authentication filter sees the request.
  • Change the logout URL so that it points to the correct port (8443) and https URL.
  • Select the appropriate value for the authenticationType bean: 1 for authentication only (roles then come from tomcat-users.xml, see below), 2 for authentication and authorization through ADFS.
  • Restart the Ephesoft service after making the change.

 

Active Directory Federation Services

(https://ephesoft.com/docs/wp-content/uploads/sites/11/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf) Refer to the section Configure ADFS Server

  • Test the ADFS sign-on link: https://<<domainname>>/adfs/ls/idpinitiatedsignon. On ADFS 2016 and later this page is disabled by default and has to be enabled with Set-AdfsProperties -EnableIdpInitiatedSignonPage before the test will succeed.
  • Download the Ephesoft metadata file from the Ephesoft server: open https://localhost:8443/dcma/saml/metadata on the Ephesoft server, save the file and copy it to the ADFS server. The URLs inside this file come from entityBaseURL (see applicationContext-security.xml below), so generate it after that value is set and check that the entityID and endpoints carry the public host name and port 8443, not localhost.
  • ADFS configuration:
    • Go to AD FS Management -> Relying Party Trusts -> import the Ephesoft metadata file.
    • Add the claim rules.
    • Double-click the relying party trust -> Advanced tab -> change the secure hash algorithm to SHA-1. ADFS defaults to SHA-256; this downgrade affects only this trust. SHA-1 signatures are deprecated, so keep it confined to this relying party and revisit it when the Ephesoft side accepts SHA-256.
    • Go to AD FS Management -> Certificates -> export the certificates in DER format. The Token-signing certificate is the one Ephesoft needs to validate assertions; Token-decrypting is only needed if assertions are encrypted.

 

applicationContext-security.xml

(https://ephesoft.com/docs/wp-content/uploads/sites/11/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf) Refer to the section Configure Ephesoft Transact, Step 3 onwards

  • Open https://<<domainname>>/FederationMetadata/2007-06/FederationMetadata.xml, fetched over https directly from the ADFS server, and save the ADFS metadata file in the security folder. The signing certificate inside this file is what Ephesoft will trust, so do not use a copy of unknown origin.
  • Change the constructor arguments of the epheSamFilter bean (the claim rule names, see the troubleshooting steps below).
  • Update the metadata filter bean so that it loads the saved ADFS metadata file, and set entityId and entityBaseURL on the metadataGeneratorFilter bean to the https host name and port 8443 that users reach.

 

Import ADFS certificates into samlKeystore.jks file

(https://ephesoft.com/docs/wp-content/uploads/sites/11/2017/06/ADFS_SAML_SSO_Configuration_Document.pdf) Follow Step 4 under the section "Configure Ephesoft Transact"

  • Use keytool -importcert (with -alias, -file and -keystore) to import each exported .cer file into samlKeystore.jks, then list the keystore and compare the certificate fingerprint with the one shown in AD FS Management -> Certificates.

 

Tomcat-users.xml

  • If authenticationType is set to 1, add the username and roleName of every user to tomcat-users.xml; the user is authenticated by ADFS and authorized against this role. The username must be the same identifier that ADFS sends in the assertion (see the troubleshooting steps below).

 


Some useful troubleshooting steps:

  • Make sure the unique identifier (the value Ephesoft reads as the username from the assertion) is the same in Ephesoft and ADFS.
  • ADFS claim rule names, as needed for the epheSamFilter bean in applicationContext-security.xml, can be extracted as follows:
    • Click on the relying party trust.
    • Click Edit Claim Rules.
    • Click on the rule that you wish to configure in the epheSamFilter bean.
    • Click Edit Rule and then View Rule Language.
    • Copy the rule language from the window that opens.
  • Make sure the secure hash algorithm on the relying party trust is set to SHA-1, as described above.
  • Make sure entityId and entityBaseURL are correctly configured in the metadataGeneratorFilter bean: both must use the https host name and port 8443, and entityId must be identical to the relying party identifier in ADFS.
  • Make sure that the endpoints in ADFS are correctly configured: the endpoints on the relying party trust are imported from the Ephesoft metadata, so re-import the metadata or correct them if the host or port has changed since.
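The ADFS, keystore and troubleshooting steps above all come down to a handful of values that have to agree between the two sides. The following is an added example for this checklist, not Ephesoft or Microsoft code: it parses a constructed ADFS FederationMetadata.xml and a constructed Ephesoft SP metadata file, extracts the ADFS signing and encryption certificates as DER with their fingerprints and the matching keytool command, compares the relying party identifier and entityBaseURL against the SP metadata, and reads the signature algorithm from a captured SAML response. The host names, the /dcma/saml/SSO assertion consumer path and the certificate bytes are assumptions made for the example.

```python
"""Pre-flight checks for the Ephesoft <-> ADFS SAML 2.0 trust (added example).

The three XML documents below are constructed for illustration. Real ones
come from https://<adfs>/FederationMetadata/2007-06/FederationMetadata.xml,
https://<ephesoft>:8443/dcma/saml/metadata and a captured SAML response.
"""
import base64
import hashlib
from typing import Dict, List
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed stand-ins for the DER certificates (a real one is about 1 KB).
SIGNING_DER = b"constructed-adfs-token-signing-certificate"
ENCRYPTION_DER = b"constructed-adfs-token-decrypting-certificate"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Shape of ADFS FederationMetadata.xml, reduced to the SAML IdP role.
ADFS_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="http://adfs.example.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(ENCRYPTION_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(SIGNING_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Shape of the metadata Ephesoft serves at /dcma/saml/metadata; the host and
# the /dcma/saml/SSO ACS path are assumptions for this example.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://ephesoft.example.local:8443/dcma/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://ephesoft.example.local:8443/dcma/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Signature block of a captured SAML response, reduced to SignedInfo.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""


def idp_certificates(metadata_xml: str) -> Dict[str, bytes]:
    """Map KeyDescriptor 'use' -> DER bytes for the IdP role in ADFS metadata.
    A KeyDescriptor without 'use' is valid for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs: Dict[str, bytes] = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        text = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(text.split()))
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs[use] = der
    return certs


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex thumbprint, for comparison with the certificate
    properties shown in AD FS Management -> Certificates."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keytool_command(alias: str, cer_path: str, keystore: str) -> List[str]:
    """keytool invocation that imports one exported .cer into the keystore
    (keytool prompts for the keystore password)."""
    return ["keytool", "-importcert", "-noprompt", "-alias", alias,
            "-file", cer_path, "-keystore", keystore]


def check_trust(sp_metadata_xml: str, relying_party_id: str, entity_base_url: str) -> List[str]:
    """Mismatches between the ADFS relying party trust and the SP metadata;
    an empty list means the identifiers line up."""
    root = ET.fromstring(sp_metadata_xml)
    problems: List[str] = []
    entity_id = root.get("entityID")
    if entity_id != relying_party_id:
        problems.append(f"relying party identifier {relying_party_id!r} != SP entityID {entity_id!r}")
    acs = root.find(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    location = acs.get("Location", "") if acs is not None else ""
    if not location.startswith(entity_base_url):
        problems.append(f"ACS Location {location!r} is outside entityBaseURL {entity_base_url!r}")
    if not location.startswith("https://"):
        problems.append(f"ACS Location {location!r} is not https; the assertion would be posted in clear")
    return problems


def signature_algorithm(saml_xml: str) -> str:
    """Algorithm URI ADFS used to sign the response (empty if unsigned)."""
    root = ET.fromstring(saml_xml)
    method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm", "") if method is not None else ""


if __name__ == "__main__":
    for use, der in idp_certificates(ADFS_METADATA).items():
        print(f"{use:10} sha256 {fingerprint(der)}")
        print("  ", " ".join(keytool_command(f"adfs-{use}", f"adfs-{use}.cer", "samlKeystore.jks")))
    sp_id = "https://ephesoft.example.local:8443/dcma/saml/metadata"
    for problem in check_trust(SP_METADATA, sp_id, "https://ephesoft.example.local:8443/dcma"):
        print("PROBLEM:", problem)
    algo = signature_algorithm(SAML_RESPONSE)
    print("response signed with", algo, "(SHA-1, as the trust is set)" if algo == RSA_SHA1 else "(trust is not on SHA-1)")
```

To use it against a real deployment, replace the three constants with the downloaded FederationMetadata.xml, the Ephesoft metadata and a response captured from the browser (the SAMLResponse form field, base64-decoded), then write each DER value to an adfs-<use>.cer file and run the printed keytool command. A non-empty list from check_trust is the usual cause of the identifier and endpoint problems listed above; a signature algorithm other than rsa-sha1 means the relying party trust was not switched to SHA-1.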

Sample Files:

Sample files are attached for reference.