How to add relying party (Azure AD (AFDS)) to Shib IdP V3


How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Jesper
Hi

I would like to know if someone has an example for Shib IdP V3 of how to
configure it to log in via Azure AD (AFDS).

I have end-point definitions from Azure:
o SAML Single Sign-On Service URL:
https://login.microsoftonline.com/1d063515.../saml2
o SAML Entity ID: https://sts.windows.net/1d063515.../
o Sign-Out URL:
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
o SAML Signing Certificate - Base64 encoded
o SAML Signing Certificate - Raw
o SAML XML Metadata


And I have my on-premise web server running Shibboleth SP + IdP 3 on IIS /
Jetty.
The /secure path kicks off the scenario: https://localserver.corp.com/secure

But it doesn't use the relying-party stuff:

<bean parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:MicrosoftOnline">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" />
        </list>
    </property>
</bean>

I have tried everything, but the above is the one which doesn't make it
fail. It simply doesn't call Azure.
So I must be missing some keyword to trigger the relying party so that it
is used for my /secure path.

I simply don't know where to find the proper configuration. For a newbie it
is hard to understand if it is V2 or V3 syntax. So that's why I'm hoping
that someone could actually share the steps to get authenticated in AFDS
(Azure AD) from an IIS with Shibboleth installed.
Thanks a lot...
This is killing me - slowly...




--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Peter Schober
* Jesper <[hidden email]> [2018-06-04 09:51]:
> o SAML Entity ID: https://sts.windows.net/1d063515.../
[...]
> c:relyingPartyIds="urn:federation:MicrosoftOnline">  

Note that this override will only be active for entities of that exact
entityID, i.e., not the one you mention above. So which one is it?

> I have tried everything - but the above is the ones which doesn't
> make it fail. It simply doesn't call Azure.

Without concrete warning or error messages from your IDP's logs
there's not much to suggest.

-peter

Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Domingues, Michael D
In reply to this post by Jesper

Hi Jesper,


It appears that you're mixing up the IdP and the SP software. In this instance, because you want to use Azure AD as your Identity Provider, you don't need to run the Shibboleth IdP software on your web server, just the Shibboleth SP component.


The configuration you pasted below (from relying-party.xml) is for the IdP not the SP, so of course it's not having any effect on the SP configuration.


Documentation on SP configuration can be found here: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration


Best,

Michael



Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Peter Schober
In reply to this post by Jesper
* Jesper <[hidden email]> [2018-06-04 09:51]:
> I would like to know if some one has one example for Shib Idp V3 how
> to configure it to login via Azue AD (AFDS)

In what SAML role?

> And I have my on premise Web server running Shibboleth SP + IdP 3 on
> IIS / Jetty.

If you're both the SAML SP and the SAML IDP, what role does "Azue AD (AFDS)" play?

-peter

Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Domingues, Michael D
In reply to this post by Domingues, Michael D

Clarification: You'll want to look here https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPShibbolethXML in particular, once again, assuming that your organization uses Azure AD as an Identity Provider, and you just want to protect an application using the Shibboleth Service Provider.


The quick summary (documentation covers all of this) is that you need to:


1) Configure your web server software to work with the Shibboleth SP (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPIISConfig or https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig)

2) Make the Shibboleth SP aware of your Azure AD IdP by loading its metadata (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider)

3) Map incoming requests to protect URLs that you care about (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper)

4) Configure the Shibboleth SP to extract attributes (claims, in ADFS-speak) and pass them to your application (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeExtractor and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute)


Once again, this isn't a comprehensive list of what you'll need to do, but I'm hopeful it'll serve as a good starting point. To date, the Shibboleth SP is still on version 2.X, so if you're looking at version 3.X configuration, you're either looking at the IdP documentation pages (which won't help at all) or pre-release Shibboleth SP 3.X documentation (also not what you want).


Michael



Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Jesper
Thanks a lot for your reply.
It was also strange for me that we should have SP + IdP in play for our
scenario.

I can follow that I need to add the metadataprovider to the shibboleth2.xml
file.
But I really don't understand the SSO entity in ApplicationDefaults.
Because it should point to something else I guess.

           
                       
            <SSO entityID="https://dkatec-ts1.corp.lego.com/idp/shibboleth"
                 discoveryProtocol="SAMLDS"
                 discoveryURL="https://dkatec-ts1.corp.lego.com:543/DS/WAYF">
              SAML2 SAML1
            </SSO>





Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Peter Schober
* Jesper <[hidden email]> [2018-06-06 14:10]:
> I can follow that I need to add the metadataprovider to the shibboleth2.xml
> file.

https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration
-> "Talk to a New Identity Provider" and from there, e.g.
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider

> But I really don't understand the SSO entity in ApplicationDefaults.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO

> Because it should point to something else I guess.
>
>             <SSO entityID="https://dkatec-ts1.corp.lego.com/idp/shibboleth"
>                  discoveryProtocol="SAMLDS"
> discoveryURL="https://dkatec-ts1.corp.lego.com:543/DS/WAYF">
>               SAML2 SAML1
>             </SSO>

You don't say what your intention is. The above will always send all
subjects to the IDP with the given entityID whenever SSO should be
initiated and the IDP is not selected/provided any other way.
I.e., the IDP Discovery Service you configured with the discoveryURL
parameter will never be used.

None of this has anything to do with adding SAML metadata (describing
the IDP) to the SP.

-peter

Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Peter Schober
In reply to this post by Jesper
* Jesper <[hidden email]> [2018-06-06 14:10]:
> But I really don't understand the SSO entity in ApplicationDefaults.

Whatever the intention is, forget that for now. Instead add metadata
for the IDP, e.g. in the simplest case using a local metadata file
containing the IDP's SAML 2.0 metadata:
  <MetadataProvider type="XML" validate="true" path="some-idp-metadata.xml"/>
(The path will be relative to your SP's config directory.)

Then try to initiate SSO with that IDP using the SP's handlers, e.g.:
https://sp.example.com/Shibboleth.sso/Login?entityID=THE_IDP_YOU_ADDED&target=https://sp.example.com/Shibboleth.sso/Session

That should generate an authn request to the provided IDP (the IDP's
entityID should be passed as value of the entityID parameter,
urlencoded, if you want to be correct) and should ultimately return
you to /Shibboleth.sso/Session showing your newly created Shib session
and any received and correctly mapped attributes.

For that to work the IDP will also need your SP's metadata, of course.

-peter

Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Jesper
In reply to this post by Peter Schober
That's a good question...
I actually also thought that I only need the SP and then make it use the IdP
on Azure (AFDS).
But all examples I have found so far indicate that the relying-party.xml
for the IdP must be altered.
And for me the examples are also not quite right because they indicate setup
for LDAP as well - and that is totally hidden when we use AFDS.






Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Gernot Hassenpflug-2
Jesper <[hidden email]> writes:

> That's a good question...
> I actually also thought that I only need the SP and then make it use the IdP
> on Azure (AFDS).
> But all examples so far I have found indicates that the relying-party.xml
> for the IdP must be altered.
> And for me the examples are also not quite right because they indicate setup
> for LDAP as well - and that is totally hidden when we use AFDS.

From my experience, you just need three things:
1. entityID of the IdP, which is some nasty URL maybe looking like
   https://<somedomain>/<somerandomstring>
   
2. metadata set up for the IdP, which should be simply via their URL,
   which probably looks along the lines of
   https://login.windows.net/<somerandomstring>/federationmetadata/2007-06/federationmetadata.xml

3. the definition of the thingie used to specify the user.

Azure by default sends an attribute that has a URL as its name, nothing
short like eppn. According to the documentation the admins can set up
SAML2 properly and map whatever is in their AD server to become a
standard SAML2 attribute like eppn, but if they don't, can't or won't,
then they end up sending a whole lot of crap to the SP (terrible
security), one of which is what you need. LOL

So then figure out which of those attributes is the correct one, define
that thingie in attribute-map.xml with a friendly name, and then use it
in shibboleth2.xml (we use it in REMOTE_USER).

 <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
            id="<choosefriendlynameforthisattribute>">
     <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
 </Attribute>

That seems to be the standard NameID for Azure.

Hope that helps,
Gernot Hassenpflug
--
Asahi Net, Inc.
Tokyo, Japan


Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Peter Schober
In reply to this post by Jesper
* Jesper <[hidden email]> [2018-06-07 08:02]:
> I actually also thought that I only need the SP and then make it use
> the IdP on Azure (AFDS).

Only you can know what's required for your use-case.
The SP is the resource owner.
The IDP has the identities.
Most orgs will be both, some will only be SPs.

> But all examples so far I have found indicates that the
> relying-party.xml for the IdP must be altered.

Then you're looking at the wrong examples.
The Shibboleth consortium makes implementations for both the SP and IDP.
And MS-ADFS works in both roles simultaneously by default, IIRC.
So there's plenty of potential of confusion if you don't know what
exactly you're looking for. Certainly searching the web for generic
things like "Shibboleth" and "ADFS" will cover other cases, too.

-peter

Re: How to add relying party (Azure AD (AFDS)) to Shib IdP V3

Jesper
In reply to this post by Jesper
Thanks for all your inputs.
It is now working.
It was simply the wrong path to go with the Shibboleth IdP +
relying-party.xml in my scenario.
So all configurations were done in the SP only.

shibboleth2.xml:

    <ApplicationDefaults entityID="https://dkatec-ts1.corp.com/idp/shibboleth"
                         REMOTE_USER="persistent-id"
                         cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">

        <SSO entityID="https://sts.windows.net/1d06......./">SAML2 SAML1</SSO>

        <MetadataProvider type="XML"
            uri="https://login.microsoftonline.com/1...-.../federationmetadata/2007-06/federationmetadata.xml?appid=e0943c34-70bc-4045-a7b4-1f3649f4c644"
            backingFilePath="azure_metadata.xml" reloadInterval="7200">
        </MetadataProvider>

attribute-map.xml:

    <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
               id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                          formatter="$Name" defaultQualifiers="true"/>
    </Attribute>

    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
               id="sn"/>
    <Attribute name="http://schemas.microsoft.com/identity/claims/displayname"
               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
               id="displayname"/>
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
               id="givenname"/>
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
               id="email"/>
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
               nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
               id="name"/>


Result from /secure page:

HTTP_DISPLAYNAME Jesper Laursen
HTTP_EMAIL [hidden email]
HTTP_GIVENNAME Jesper
HTTP_NAME [hidden email]
HTTP_PERSISTENTID dkJesLau
HTTP_SN Laursen
HTTP_REMOTEUSER dkJesLau



Helper for virtual directory (classic ASP) IIS 7.0
Place this as default.asp in a virtual dir named "secure"


<HTML>
  <BODY>
  This page was last refreshed on <%= Now() %>.

<%
' Dump every server variable except the two aggregate ones, one per line.
' The values come from request headers, so HTML-encode them before writing.
For Each x In Request.ServerVariables
  If x <> "ALL_HTTP" And x <> "ALL_RAW" Then
    Response.Write("<br>" & x & " " & Server.HTMLEncode(Request.ServerVariables(x)))
  End If
Next
%>

  </BODY>
</HTML>
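An added example, not from the thread: the attribute-map.xml rules Jesper posted, replayed in Python over a constructed assertion to show which values reach the application and which claims are dropped (Gernot's point that Azure sends far more than you need, and only what you map gets through). The NameID, claim values and tenant id are made up, the HTTP_<ID> naming is an assumption modelled on the /secure dump above, and the SP is assumed to have already verified the response signature and conditions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# The posted <Attribute name=.. nameFormat=.. id=..> rules as (Name, NameFormat) -> id.
# A claim is only exposed to the application if its pair is listed here.
ATTRIBUTE_MAP = {
    (CLAIMS + "surname", UNSPEC): "sn",
    (CLAIMS + "givenname", UNSPEC): "givenname",
    (CLAIMS + "emailaddress", UNSPEC): "email",
    ("http://schemas.microsoft.com/identity/claims/displayname", UNSPEC): "displayname",
}
# The NameIDAttributeDecoder rule, keyed on the NameID Format as posted.
NAMEID_MAP = {"urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName":
              "persistent-id"}
REMOTE_USER = ["persistent-id"]  # REMOTE_USER="persistent-id": first populated id wins

# Constructed assertion fragment. A real SP has verified the Response signature and
# conditions before this point; tenantid stands in for a claim you did not map.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def map_attributes(assertion_xml):
    """Return ({id: [values]}, [unmapped claim Names]) for one assertion."""
    root = ET.fromstring(assertion_xml)
    mapped, dropped = {}, []
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.get("Format") in NAMEID_MAP:
        mapped[NAMEID_MAP[nameid.get("Format")]] = [nameid.text]
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # A missing NameFormat counts as unspecified, the format used in the posted map.
        key = (attr.get("Name"), attr.get("NameFormat", UNSPEC))
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if key not in ATTRIBUTE_MAP:
            dropped.append(key[0])  # never reaches the application
            continue
        mapped.setdefault(ATTRIBUTE_MAP[key], []).extend(values)
    return mapped, dropped


def app_variables(mapped):
    """Server variables shaped like Jesper's /secure dump (assumed: HTTP_<ID> with the
    hyphen dropped), plus HTTP_REMOTEUSER from the first populated REMOTE_USER id."""
    out = {"HTTP_" + i.replace("-", "").upper(): ";".join(v) for i, v in mapped.items()}
    for ident in REMOTE_USER:
        if mapped.get(ident):
            out["HTTP_REMOTEUSER"] = mapped[ident][0]
            break
    return out
```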


