DC 4.10.0 - ADFS with SAML 2.0 Protocol Quick Setup Guide
In order to use the ADFS SAML 2.0 Protocol with the DAM Center (DC), some extra configuration is required.
1 Overview
ADFS is designed to handle situations where you want to use SSO, but your server is not in the same hosting environment as the domain the user is in.
One big difference between ADFS and a normal AD is that AD is a user database you are able to query for different information. ADFS is not a user database and normally you don't have access to query it for information. It delivers its information via claims that are configured beforehand. ADFS can be used in two ways:
- Active
  - The server is able to communicate directly with the ADFS server. This makes it possible to log in without HTTP redirects to the ADFS server. (Not implemented at the moment.)
- Passive
  - The server is not able to communicate with the ADFS server. The only way to log in is therefore via HTTP redirects to the ADFS server (on the client) and reading the security token the ADFS server returns when it redirects back.
You can find more information here: https://blogs.technet.microsoft.com/askpfeplat/2014/08/24/ADFS-deep-dive-primer/
At the moment we only support ADFS with SAML 2.0 Protocol in the following products:
- Media manager
- Digizuite DAM center
Note
This is a quick guide for ADFS configuration of Digizuite products. There is some more information and some scripts in the ADFSHelper directory.
1.1 Prerequisites
In order to set up ADFS on DC, you need to have a running ADFS server. Instructions on installation can be found in the Configure ADFS on Windows Server 2012 R2 document.
Currently, users will automatically be created when redirected from ADFS.
2 Webserver config
The Token-Decrypting certificate needs to be installed in the following place:
- Cert:\LocalMachine\My certificate store
The Token-Signing certificate needs to be installed in the following places:
- Cert:\LocalMachine\My certificate store
- Cert:\LocalMachine\TrustedPeople certificate store
3.1 Digizuite DAM center config
In the supplied web.config (from the root of the website) there are some ADFS SAML 2.0 Protocol configs that need to be changed.
Add to <configSections>:
<section name="sustainsys.saml2" type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2, Version=0.24.0.0, Culture=neutral, PublicKeyToken=f3f81a9c4b80e2ec" />
Make sure the following is commented out in <modules>:
<!--add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" /-->
Add the following under <configuration>:
<system.identityModel>
  <identityConfiguration saveBootstrapContext="true"/>
</system.identityModel>
The SAML 2.0 Protocol specific settings can be added with the following (this is a sample; all configuration options are documented here: https://github.com/Sustainsys/Saml2/blob/master/docs/Configuration.md):
<sustainsys.saml2 entityId="https://local.dev.digizuite.com/DAMUI/Saml2/Acs"
                  returnUrl="https://local.dev.digizuite.com/DAMUI/"
                  minIncomingSigningAlgorithm="SHA256"
                  authenticateRequestSigningBehavior="Never">
  <metadata cacheDuration="0:0:42" validDuration="7.12:00:00" wantAssertionsSigned="false">
    <organization name="Digizuite" displayName="Sustainsys" url="http://www.digizuite.com" language="da" />
    <contactPerson type="Other" email="bbl@digizuite.com" />
    <requestedAttributes>
      <add name="Minimal" />
    </requestedAttributes>
  </metadata>
  <identityProviders>
    <add entityId="http://adfs.digidom.dk/adfs/services/trust"
         signOnUrl="https://adfs.digidom.dk/adfs/ls/"
         allowUnsolicitedAuthnResponse="false"
         binding="HttpRedirect"
         loadMetadata="true"
         metadataLocation="https://adfs.digidom.dk/FederationMetadata/2007-06/FederationMetadata.xml">
      <signingCertificate storeName="My" storeLocation="LocalMachine"
                          findValue="bcb69b53ff55993b14d8b7891251c5db6eb94542"
                          x509FindType="FindByThumbprint" />
    </add>
  </identityProviders>
  <serviceCertificates>
    <add fileName="~/App_Data/Sustainsys.Saml2.Tests.pfx" />
  </serviceCertificates>
</sustainsys.saml2>
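As an added check that is not part of this guide or of the Digizuite/Sustainsys code: the following PowerShell script reads the thumbprint from the <signingCertificate> element above, verifies that the certificate is installed in both stores required in section 2, and optionally compares it with the Token-Signing certificate ADFS currently publishes in its federation metadata (ADFS certificate rollover changes the thumbprint, and sign-in fails until web.config is updated). The web.config path is an assumed default.

```powershell
# Added example (not from the Digizuite guide). Assumes web.config uses the
# <sustainsys.saml2> layout shown above; the default path is an assumption.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\DAMUI\web.config',   # assumed path
    [switch]$CheckMetadata                                         # also fetch FederationMetadata.xml
)

[xml]$cfg = Get-Content -Path $WebConfig -Raw
$idp = $cfg.configuration.'sustainsys.saml2'.identityProviders.add
if (-not $idp) { throw "No <identityProviders><add> element found in $WebConfig" }

# Thumbprints in the store are upper-case hex; normalise the configured value
$thumb = ([string]$idp.signingCertificate.findValue).Trim().ToUpperInvariant()
Write-Host "Configured IdP signing thumbprint: $thumb"

# Section 2: the Token-Signing certificate must be in LocalMachine\My and LocalMachine\TrustedPeople
$ok = $true
foreach ($store in 'My', 'TrustedPeople') {
    $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumb }
    if ($found) {
        Write-Host "  [OK]      Cert:\LocalMachine\$store  ($($found.Subject), expires $($found.NotAfter))"
    } else {
        Write-Warning "  [MISSING] Cert:\LocalMachine\$store"
        $ok = $false
    }
}

# Optional: compare with the signing certificate(s) ADFS publishes right now.
# During rollover ADFS lists both the current and the next certificate.
if ($CheckMetadata) {
    [xml]$meta = (Invoke-WebRequest -Uri $idp.metadataLocation -UseBasicParsing).Content
    $ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
    $published = Select-Xml -Xml $meta -Namespace $ns `
        -XPath '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate' |
        ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($_.Node.InnerText.Trim())).Thumbprint
        }
    if ($published -contains $thumb) {
        Write-Host "  [OK]      metadata signing certificate matches web.config"
    } else {
        Write-Warning "  [DRIFT]   ADFS publishes $($published -join ', '); update findValue and reinstall the cert"
        $ok = $false
    }
}

if (-not $ok) { exit 1 }
```

Run it as an administrator on the web server; a non-zero exit code means the configuration in web.config does not match what is installed or published.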
In some instances it can be necessary to increase maxQueryStringLength to accommodate the SAML token being returned as a parameter from ADFS:
<requestFiltering>
  <requestLimits maxAllowedContentLength="2000000000" maxUrl="1638400" maxQueryString="1638400" />
</requestFiltering>
...
<httpRuntime maxRequestLength="2048000" executionTimeout="120000" requestValidationMode="2.0" maxUrlLength="16384" maxQueryStringLength="2048000" />
If you wish to create a user based on a template user then add the following to <appSettings>:
<add key="Saml2TemplateUserId" value="1" />