I have been learning ADFS/SAML on the fly. If you come across this, and you see that I am doing it all wrong, then let me know!
I wanted to use my existing ADFS infrastructure to authenticate an Apache resource on CentOS 6. Below is what I figured out (there are a lot of steps).
First, your site has to have HTTPS enabled.
Second, install Shibboleth: add it to your repos, yum install it, enable it, and start it.
wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_CentOS-6/security:shibboleth.repo -P /etc/yum.repos.d
yum install shibboleth
chkconfig shibd on
service shibd start
The package also installs the “/etc/httpd/conf.d/shib.conf” file, which loads the Apache module and defines the Apache paths that are handed to the shibd service.
Next, I needed to edit the /etc/shibboleth/shibboleth2.xml file
Change:
<ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
To:
<ApplicationDefaults entityID="https://www.SiteYouWantToProtect.com/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
And
Change:
<SSO entityID="https://idp.example.org/idp/shibboleth" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
To:
<SSO entityID="http://your.sitename.com/adfs/services/trust" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
At this point, I ran into trouble. Normally, it looks like you continue editing the /etc/shibboleth/shibboleth2.xml config file and set up the metadata provider to point at your ADFS site like this:
<MetadataProvider type="XML" uri="https://your.sitename.com/FederationMetadata/2007-06/FederationMetadata.xml" backingFilePath="federation-metadata.xml" reloadInterval="7200">
But I kept getting errors when I restarted shibd (service shibd restart). Seems that Shibboleth and ADFS don’t speak the same language.
This site talks about it, and the solution is to download the metadata document, modify it, store it locally, and finally point the /etc/shibboleth/shibboleth2.xml config file at the “pre-processed” local metadata file.
I processed the metadata file in PowerShell with a script here. I put the PowerShell code in a file named ADFS2Fed.ps1 and changed the top variables to look like this:
$idpUrl="https://your.sitename.com";
$scope = "sitename.com";
I downloaded the XML file from “https://your.sitename.com/FederationMetadata/2007-06/FederationMetadata.xml” and saved it as federationmetadata.xml (in the same directory as ADFS2Fed.ps1).
I ran the script ADFS2Fed.ps1; it found the downloaded metadata file “federationmetadata.xml”, pre-processed it, and spit out “federationmetadata.xmlForShibboleth.xml”.
I uploaded this file to my /etc/shibboleth/ folder and named it “partner-metadata.xml”
I then uncommented the following line in the /etc/shibboleth/shibboleth2.xml
<MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
That took care of the metadata provider.
Next, I needed to add this to the bottom of the attribute-map.xml file (inside the closing </Attributes> tag). The UPN that ADFS was sending was being ignored by shibd.
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="upn" />
Next, I needed to allow Shibboleth to work with SELinux (source):
Create a file named mod_shib-to-shibd.te with:
module mod_shib-to-shibd 1.0;
require {
type var_run_t;
type httpd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
Compile, package and load the module with the following 3 commands:
checkmodule -m -M -o mod_shib-to-shibd.mod mod_shib-to-shibd.te
semodule_package -o mod_shib-to-shibd.pp -m mod_shib-to-shibd.mod
semodule -i mod_shib-to-shibd.pp
Finally, the last step on the Apache/Linux side is to set the Apache virtual host to use Shibboleth for authentication.
<Directory /var/www/dir/to/site>
AllowOverride All
AuthType Shibboleth
ShibRequireSession On
require valid-user
ShibUseEnvironment On
Order allow,deny
Allow from all
</Directory>
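As an added check (my own example, not code from the original post), the following shell script tests the SP-side files edited above for the mistakes these steps invite: the stock example.org entityIDs left in shibboleth2.xml, a partner-metadata.xml whose entityID does not match the SSO element, a missing UPN mapping in attribute-map.xml, and a <Directory> block missing one of the three authentication directives. The files written by write_sample_configs are constructed samples, and the function names and the site.conf file name are my own.

```bash
# Added example, not code from the original post: offline consistency checks for
# the SP-side files edited above (shibboleth2.xml, the pre-processed
# partner-metadata.xml, attribute-map.xml and the Apache <Directory> block).
# write_sample_configs creates constructed sample files for the demo; on a real
# CentOS 6 box point the checks at /etc/shibboleth and /etc/httpd instead.

# True if shibboleth2.xml still carries the stock example.org entityIDs,
# i.e. the ApplicationDefaults / SSO edits were never made.
has_placeholder_entityids() {
    grep -Eq 'entityID="https://(sp|idp)\.example\.org' "$1"
}

# Print the IdP entityID declared in the <SSO entityID="..."> element.
sso_entityid() {
    sed -n 's/.*<SSO[^>]*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# The local metadata must describe the entityID the SSO element names,
# otherwise shibd has no IdP to redirect the user to.
metadata_matches_sso() {
    id="$(sso_entityid "$1")"
    [ -n "$id" ] && grep -q "entityID=\"$id\"" "$2"
}

# attribute-map.xml must map the ADFS UPN claim URI, or shibd ignores the claim.
upn_mapped() {
    grep -q 'name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"' "$1"
}

# All three authentication directives from the post must be in the <Directory>
# block; AuthType without a require line enforces nothing.
apache_block_protected() {
    grep -Eq '^[[:space:]]*AuthType[[:space:]]+Shibboleth' "$1" &&
    grep -Eiq '^[[:space:]]*ShibRequireSession[[:space:]]+On' "$1" &&
    grep -Eq '^[[:space:]]*require[[:space:]]+valid-user' "$1"
}

# Run every check on a directory holding the four files; print one line per
# failure and return non-zero if anything is wrong.
check_sp_config() {
    dir="$1"; rc=0
    ! has_placeholder_entityids "$dir/shibboleth2.xml" ||
        { echo "FAIL: example.org entityIDs still present in shibboleth2.xml"; rc=1; }
    metadata_matches_sso "$dir/shibboleth2.xml" "$dir/partner-metadata.xml" ||
        { echo "FAIL: partner-metadata.xml does not declare the SSO entityID"; rc=1; }
    upn_mapped "$dir/attribute-map.xml" ||
        { echo "FAIL: UPN claim is not mapped in attribute-map.xml"; rc=1; }
    apache_block_protected "$dir/site.conf" ||
        { echo "FAIL: site.conf lacks AuthType/ShibRequireSession/require"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: SP configuration is consistent"
    return "$rc"
}

# Write constructed sample files into $1; mode "stock" reproduces the untouched
# defaults, anything else the edited versions shown in this post.
write_sample_configs() {
    sp_id="https://www.SiteYouWantToProtect.com/shibboleth"
    idp_id="http://your.sitename.com/adfs/services/trust"
    upn_line='<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="upn" />'
    if [ "$2" = stock ]; then
        sp_id="https://sp.example.org/shibboleth"
        idp_id="https://idp.example.org/idp/shibboleth"
        upn_line=""
    fi
    cat > "$1/shibboleth2.xml" <<EOF
<SPConfig>
  <ApplicationDefaults entityID="$sp_id" REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800">
      <SSO entityID="$idp_id" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
      </SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
EOF
    # Constructed stand-in for the pre-processed metadata: one EntityDescriptor for the ADFS IdP.
    cat > "$1/partner-metadata.xml" <<EOF
<EntityDescriptor entityID="http://your.sitename.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
EOF
    cat > "$1/attribute-map.xml" <<EOF
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  $upn_line
</Attributes>
EOF
    cat > "$1/site.conf" <<EOF
<Directory /var/www/dir/to/site>
  AuthType Shibboleth
  ShibRequireSession On
  require valid-user
  ShibUseEnvironment On
</Directory>
EOF
}

# Demo: the stock defaults fail, the edited files pass.
d="$(mktemp -d)"; mkdir -p "$d/stock" "$d/edited"
write_sample_configs "$d/stock" stock; write_sample_configs "$d/edited" edited
check_sp_config "$d/stock" || true; check_sp_config "$d/edited"; rm -rf "$d"
```

To run it against a live box, copy shibboleth2.xml, partner-metadata.xml and attribute-map.xml from /etc/shibboleth and the virtual host file (renamed site.conf) into one directory and call check_sp_config on it; the non-zero exit status makes it usable from a deployment or post-install check.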
On the Windows/ADFS side:
- In the ADFS Management Console, choose Add Relying Party Trust.
- Select Import data about the relying party published online or on a local network and enter the URL for the SP Metadata (https://your.sitename.com/Shibboleth.sso/Metadata)
- Continuing the wizard, select Permit all users to access this relying party.
- In the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim.
- Name the rule (for example, Pass Through UPN) and select the UPN Incoming claim type.
- Click OK to apply the rule and finalize the setup.
I hope this helped someone. It took me a while to figure this out.
In summary,
- Use SSL
- Install shibd
- Edit /etc/shibboleth/shibboleth2.xml
- Process the metadata file
- Edit /etc/shibboleth/shibboleth2.xml to point to the local processed metadata file
- Modify attribute-map.xml
- Allow shibd to work with SELinux
- Tell Apache to use shibboleth
- Setup ADFS using the wizard