Layer 7 API Management

Integrate ADFS login form for authentication 

08-25-2016 01:58 AM

API Gateway can use ADFS as its identity provider (IdP), so that the gateway does not have to store user credentials itself: ADFS authenticates the user and hands the gateway a SAML response with the user's claims.

Prerequisites

  1. Windows Server 2008 R2 SP1
  2. AD, IIS and ADFS 2.0 are installed
  3. API Gateway is joined to the domain

Sample environment

Domain: APJTEAM.LOCAL

DC: omega.apjteam.local

API Gateway: mark_gw91_node1.apjteam.local

We are going to use a single service, /adfs, on the gateway both to launch the ADFS login form and to parse the SAML response after authentication.

Configure ADFS

1.     Modify /adfs/ls/web.config

By default, ADFS tries Windows integrated authentication first, which does not always work well if Windows or the browser is not configured properly for it.

We will use forms login here.

The web.config file is located at C:\inetpub\adfs\ls by default; this can be confirmed in the IIS Configuration Editor.

  • Use a text editor to change the order of the authentication types and put Forms first. ADFS will then show a login form rather than a popup login prompt.

From

    <microsoft.identityServer.web>
      <localAuthenticationTypes>
        <add name="Integrated" page="auth/integrated/" />
        <add name="Forms" page="FormsSignIn.aspx" />
        <add name="TlsClient" page="auth/sslclient/" />
        <add name="Basic" page="auth/basic/" />
      </localAuthenticationTypes>

To

    <microsoft.identityServer.web>
      <localAuthenticationTypes>
        <add name="Forms" page="FormsSignIn.aspx" />
        <add name="Integrated" page="auth/integrated/" />
        <add name="TlsClient" page="auth/sslclient/" />
        <add name="Basic" page="auth/basic/" />
      </localAuthenticationTypes>

  • Restart IIS (for example, run iisreset from an elevated prompt) so that the new order takes effect.

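The same edit, done as a script rather than by hand. This is an added example and not part of the original article; it assumes the default web.config path given above and applies only to ADFS 2.0 on IIS (later ADFS versions do not run on IIS). Run it elevated on the ADFS server.

```powershell
# Added example (not from the original article): move the Forms entry to the front of
# <localAuthenticationTypes> in the ADFS 2.0 web.config, verify the result, restart IIS.
# Assumption: default path from the article; adjust if IIS Configuration Editor shows another.
$webConfig = 'C:\inetpub\adfs\ls\web.config'

# Keep a timestamped backup before touching the file, so the change can be reverted.
$backup = "$webConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $webConfig -Destination $backup
Write-Host "Backup written to $backup"

[xml]$cfg = Get-Content -Path $webConfig
$types = $cfg.configuration.'microsoft.identityServer.web'.localAuthenticationTypes
if (-not $types) { throw "localAuthenticationTypes not found in $webConfig" }

# Detach the Forms <add> element and re-insert it as the first child; the other
# entries keep their relative order (Integrated, TlsClient, Basic).
$forms = @($types.add | Where-Object { $_.name -eq 'Forms' })
if ($forms.Count -ne 1) { throw "Expected exactly one 'Forms' authentication type, found $($forms.Count)" }
[void]$types.RemoveChild($forms[0])
[void]$types.PrependChild($forms[0])
$cfg.Save($webConfig)

# Re-read the saved file and check the order before restarting anything.
[xml]$check = Get-Content -Path $webConfig
$order = @($check.configuration.'microsoft.identityServer.web'.localAuthenticationTypes.add |
           ForEach-Object { $_.name })
Write-Host "Local authentication order is now: $($order -join ', ')"
if ($order[0] -ne 'Forms') { throw "Forms is not first; restore $backup and check the file by hand" }

# Apply the change.
iisreset
```

Saving through the XML document rewrites the file's whitespace, which is harmless to ADFS; if you prefer a byte-exact edit, do the reorder in a text editor as described above and keep the backup step.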

2.     Configure Relying Party Trust

Export the certificate from the gateway

Select any private key installed in the gateway (for example, the default SSL key) and export its certificate, that is, the public half only. The private key stays on the gateway.

Copy the certificate to the ADFS server.

ADFS will use this certificate to encrypt the SAML response it issues for this relying party; the gateway decrypts it with the matching private key, so the policy must reference the same key.

Add relying party

In this case, the sample service /adfs on gateway is the relying party.

Open ADFS Management console, right click on "Relying Party Trusts", and select "Add Relying Party Trust... " to open the wizard,


  • Select "Enter data about the relying party manually",

 

  • Specify the Display name
  • Select the ADFS 2.0 profile
  • Configure Certificate: click the Browse button and select the certificate exported from the gateway
  • Configure URL: enter the endpoint of the gateway service; this is the callback URL that ADFS posts the response to after authentication.

  • Configure Identifier: a unique string that identifies the relying party; you can simply use the callback URL

         (e.g. https://mark_gw91_node1.apjteam.local:8443/adfs)

  • Choose Issuance Authorization Rules: Permit all users (fine for this sample; in production, restrict it to the groups that should reach the gateway service)
  • Click Next until the wizard finishes.

Properties

Right click on the specific relying party, and select "Properties" to edit the properties set by Add relying party wizard.

Claim rules

After the Add Relying Party Trust wizard finishes, it should pop up the Edit Claim Rules window.

Alternatively, right-click the relying party and select "Edit Claim Rules...".

Click the Add Rule button to add a new rule.

A claim rule maps AD/LDAP attributes to claims in the SAML response.

The sample policy reads the Name ID from the SAML response, so at a minimum an AD attribute (such as userPrincipalName) must be mapped to the Name ID claim; a "Send LDAP Attributes as Claims" rule does this.

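The relying party trust and claim rules from the two sections above, created with the ADFS 2.0 PowerShell snap-in instead of the wizard. This is an added example, not part of the original article or its attached policy. It assumes the gateway certificate was exported to C:\certs\gateway.cer (certificate only), that the /adfs service receives the response over SAML 2.0 Web SSO with the HTTP-POST binding (the article does not say which protocol was enabled in the Configure URL step), that Name ID is taken from userPrincipalName, and that ADFS runs on the DC from the sample environment.

```powershell
# Added example (not from the original article): build the relying party trust and
# claim rules with the ADFS 2.0 cmdlets. Run elevated on the ADFS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$rpName     = 'API Gateway /adfs'
$identifier = 'https://mark_gw91_node1.apjteam.local:8443/adfs'   # identifier from the article
$callback   = $identifier                                          # callback URL, same value here
$certPath   = 'C:\certs\gateway.cer'                               # assumed export location
$adfsHost   = 'omega.apjteam.local'                                # assumed: ADFS on the sample DC

# Load the exported certificate. ADFS encrypts the assertion to this key; only the
# gateway holds the private half, so refuse a file that carries a private key.
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($encCert.HasPrivateKey) { throw 'Export the certificate only; the private key must stay on the gateway' }

# Assertion consumer endpoint: where ADFS POSTs the SAMLResponse (assumed SAML 2.0 / POST).
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $callback -Index 0

# Issuance authorization: the wizard's "Permit all users". Scope this down in production.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform: "Send LDAP Attributes as Claims", userPrincipalName -> Name ID,
# which is the one claim the sample gateway policy requires.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

Add-ADFSRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -EncryptionCertificate $encCert `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Read the trust back to confirm identifier, encryption and endpoint before testing from a browser.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, EncryptClaims, SamlEndpoints | Format-List

# The IdP-initiated sign-on URL the gateway policy redirects to. LoginToRp must match the
# identifier exactly; the value is URL-encoded here because it contains ':' and '/'.
"https://$adfsHost/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=$([uri]::EscapeDataString($identifier))"
```

If the gateway service uses WS-Federation instead of SAML 2.0, replace the -SamlEndpoint argument with -WSFedEndpoint $callback; everything else, including the claim rules, stays the same.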

Sample policy

The sample policy "adfs samlresponse encrypt.xml" is attached to this document.


  • Line 12 sets the host of the ADFS server
  • Line 14 sets the endpoint of the login form

The format of the login form endpoint is,

/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=<relying party identifier>

The <relying party identifier> is the Identifier set in the properties of the ADFS Relying Party Trust; it must match exactly, otherwise ADFS does not know which relying party to issue the token for.

In this example, the identifier is https://mark_gw91_node1.apjteam.local:8443/adfs, so the endpoint of the login form is,

/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=https://mark_gw91_node1.apjteam.local:8443/adfs

  • Line 34 is the branch that calls the ADFS login form. Note that this is a two-phase flow: on the first request there is no SAML response yet, so the Route via HTTP(S) assertion must be set to "Never fail as long as target returns an answer". Otherwise the policy fails on the first connection.

  • Line 16 is the branch that decrypts the SAML response and extracts the user info.


Screenshots of the running result

  • Redirect to login form

  • Go back to gateway after authentication

Attachment(s)

adfs samlresponse encrypt.xml.zip (2K, 1 version), uploaded 05-29-2019

Comments

10-11-2018 10:44 AM

very helpful article

11-03-2016 02:24 PM

First of all, that's a great article! Thanks for writing it up!

 

For those using ADFS 3.0, please note that Microsoft has changed it and this version no longer uses IIS, so you will not find the /adfs/ folder under the IIS web root (see Active Directory Federation Services Overview). And now the form is the default credential request method.

 

--

Alan

08-25-2016 10:32 AM

Great write up and sample Mark, thank you.

 

Regards,

Joe   
