API Gateway can use ADFS as its identity provider, so that the gateway does not have to store user credentials itself.
Prerequisites
- Windows Server 2008 R2 SP1
- AD, IIS and ADFS 2.0 are installed
- API Gateway is added to the domain
Sample environment
Domain: APJTEAM.LOCAL
DC: omega.apjteam.local
API Gateway: mark_gw91_node1.apjteam.local
We will use a single sample service, /adfs, on the gateway both to launch the ADFS login form and to parse the SAML response after authentication.
Configure ADFS
1. Modify /adfs/ls/web.config
By default, ADFS uses Windows Integrated Authentication, which does not always work well when Windows is not configured properly (for example, when the client is not domain-joined or the browser does not trust the ADFS host for integrated authentication).
We will use forms login here.
The /adfs/ls/web.config file is located at C:\inetpub\adfs\ls by default; this can be confirmed in the IIS Configuration Editor.
- Use a text editor to change the order of the authentication types, putting the "Forms" entry first. ADFS uses the first listed type by default, so it will then show a login form rather than popping up a login prompt.
From
<microsoft.identityServer.web>
<localAuthenticationTypes>
<add name="Integrated" page="auth/integrated/" />
<add name="Forms" page="FormsSignIn.aspx" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
</localAuthenticationTypes>
To
<microsoft.identityServer.web>
<localAuthenticationTypes>
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
</localAuthenticationTypes>
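The same reordering done as a script, added here as an example and not taken from the original document. It assumes the default web.config path shown above and backs the file up before editing:

```powershell
# Added example, not part of the original document: move the "Forms" authentication
# type to the front of the ADFS 2.0 local authentication list.
# Assumption: default ADFS install path; confirm in IIS Configuration Editor if different.
$webConfig = 'C:\inetpub\adfs\ls\web.config'

# Back up before editing an IIS config file; saving web.config also recycles the application.
Copy-Item -Path $webConfig -Destination ('{0}.{1:yyyyMMddHHmmss}.bak' -f $webConfig, (Get-Date))

# Load with whitespace preserved so the saved file keeps its original layout.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($webConfig)

$types = $xml.SelectSingleNode('//microsoft.identityServer.web/localAuthenticationTypes')
if ($null -eq $types) { throw "localAuthenticationTypes not found in $webConfig" }

$forms = $types.SelectSingleNode("add[@name='Forms']")
if ($null -eq $forms) { throw "No 'Forms' authentication type is configured in $webConfig" }

# ADFS picks the first listed type, so "Forms" must be the first <add> element.
$first = $types.SelectSingleNode('add[1]')
if ($first.GetAttribute('name') -ne 'Forms') {
    # InsertBefore on a node that is already in the tree moves it: it is detached
    # from its old position first, so no duplicate entry is created.
    [void]$types.InsertBefore($forms, $first)
    $xml.Save($webConfig)
}

# Check: print the order ADFS will now use; "Forms" should come first.
$types.SelectNodes('add') | ForEach-Object { $_.GetAttribute('name') }
```

Run it in an elevated PowerShell on the ADFS server. If the file already has "Forms" first, nothing is written and only the check runs.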
2. Configure Relying Party Trust
Export the public key from the gateway
Select any private key installed on the gateway (for example, the default SSL key) and export its certificate. Export the certificate only: the private key must stay on the gateway, where the policy uses it to decrypt the response. A dedicated encryption key is preferable to reusing the TLS server key, but the default SSL key is sufficient for this sample.
Copy the certificate to the ADFS server.
ADFS will use this certificate to encrypt the assertion in the SAML response it sends to the gateway.
Add relying party
In this case, the sample service /adfs on the gateway is the relying party.
Open the ADFS Management console, right-click "Relying Party Trusts" and select "Add Relying Party Trust..." to open the wizard:
- Select "Enter data about the relying party manually"
- Specify the display name
- Select the ADFS 2.0 profile
- Configure Certificate: click Browse and select the certificate exported from the gateway
- Configure URL: enter the endpoint of the gateway service; this is the callback URL that ADFS posts the SAML response to after authentication
- Configure Identifier: a unique string that identifies the relying party; the callback URL can be used as the identifier
(e.g. https://mark_gw91_node1.apjteam.local:8443/adfs). This value becomes the Audience of the issued assertion and is also what the LoginToRp parameter of the login URL must match, so the gateway policy should compare it exactly as entered.
- Choose Issuance Authorization Rules: Permit all users (adequate for a lab; in production, restrict it to the groups that should reach the gateway)
- Click Next until the wizard finishes.
Properties
Right-click the relying party and select "Properties" to edit the values set by the Add Relying Party Trust wizard.
Claim rules
When the Add Relying Party Trust wizard finishes, it should open the claim rules editor.
Alternatively, right-click the relying party and select "Edit Claim Rules...".
Click "Add Rule" to add a new rule.
A claim rule maps AD/LDAP attributes to claims in the SAML response.
The sample policy reads the Name ID from the SAML response, so at a minimum the Name ID must be mapped (for example, from the userPrincipalName attribute).
Here is an example,
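The whole relying party setup above (certificate, callback endpoint, identifier, authorization rule and a Name ID claim rule) as an added PowerShell example using the ADFS 2.0 snap-in on the ADFS server. This is not the original document's procedure, which used the wizard. The certificate path C:\temp\gateway.cer and the display name are assumptions, and the claim rule takes the Name ID from userPrincipalName, one reasonable choice among several:

```powershell
# Added example, not part of the original document: create the relying party trust
# for the gateway's /adfs service with the ADFS 2.0 PowerShell snap-in (run on the ADFS server).
# Assumptions: the exported gateway certificate is at C:\temp\gateway.cer, the Name ID
# is taken from userPrincipalName, and the display name is arbitrary.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = 'API Gateway /adfs'
$rpId     = 'https://mark_gw91_node1.apjteam.local:8443/adfs'   # Identifier: becomes the Audience in the assertion
$callback = 'https://mark_gw91_node1.apjteam.local:8443/adfs'   # URL ADFS posts the SAML response to
$certFile = 'C:\temp\gateway.cer'                               # assumed path of the exported public certificate

# Only the public certificate belongs on ADFS; it is used to encrypt the assertion for the gateway.
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile
if ($encCert.HasPrivateKey) { throw 'Export the certificate without its private key; the key stays on the gateway' }

# "Configure URL" step: SAML 2.0 assertion consumer endpoint using the POST binding.
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $callback

# "Edit Claim Rules" step: take the Windows account ADFS authenticated, look up its
# userPrincipalName in AD, and issue it as the SAML Name ID that the sample policy reads.
$transformRules = @'
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# "Permit all users" as the wizard writes it. Fine for a lab; restrict by group in production.
$authzRules = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpId `
    -EncryptionCertificate $encCert -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Check: the trust is enabled, claims are encrypted, and the gateway certificate is the one on file.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, Enabled, EncryptClaims,
        @{ n = 'EncryptionCert'; e = { $_.EncryptionCertificate.Thumbprint } }
```

Compare the printed thumbprint with the certificate on the gateway before testing the login; a mismatch here is the usual cause of a response the gateway cannot decrypt.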
Sample policy
The sample policy "adfs samlresponse encrypt.xml" is attached to this document.
- Line 12 sets the host of the ADFS server
- Line 14 sets the endpoint of the login form
The format of the login form endpoint is:
/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=<relying party identifier>
The <relying party identifier> is the identifier set in the properties of the ADFS Relying Party Trust.
In this example the identifier is https://mark_gw91_node1.apjteam.local:8443/adfs, so the endpoint of the login form is:
/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=https://mark_gw91_node1.apjteam.local:8443/adfs
- Line 34 is the branch that calls the ADFS login form. Note that the authentication is a two-phase exchange, so the Route via HTTPS assertion must be set to "Never fail as long as target returns an answer"; otherwise the policy would fail on the first connection.
- Line 16 is the branch that decrypts the SAML response and extracts the user info. Because the sign-on is IdP-initiated, the response is unsolicited (it carries no InResponseTo value to correlate with a request), so this branch should also verify the response signature against the ADFS token-signing certificate and check the assertion's Audience and validity window before trusting the Name ID.
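The two things the sample policy does around the ADFS exchange, building the IdP-initiated sign-on URL and checking an already decrypted SAML response before taking the Name ID from it, as an added PowerShell example. It is not the attached policy or any gateway code; the function names and the sample response are constructed for this example. Decryption with the gateway private key and signature verification against the ADFS token-signing certificate precede these checks and are not shown:

```powershell
# Added example, not part of the original document. Function names and the sample
# response are constructed for illustration; ADFS host and identifier are from the page.

function New-AdfsLoginUrl {
    param(
        [string]$AdfsHost,        # e.g. omega.apjteam.local
        [string]$RelyingPartyId   # the Identifier set on the relying party trust
    )
    # LoginToRp must carry the exact Identifier string; percent-encode it so the ':'
    # and '/' of an https:// identifier survive as a query-string value.
    'https://{0}/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp={1}' -f $AdfsHost, [Uri]::EscapeDataString($RelyingPartyId)
}

function Test-SamlResponse {
    param(
        [xml]$Response,                                    # decrypted response, signature already verified
        [string]$ExpectedAudience,                         # the relying party Identifier
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $Response.NameTable
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $status = $Response.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns)
    if ($null -eq $status -or $status.GetAttribute('Value') -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') {
        throw 'ADFS did not return a Success status'
    }

    # After decryption there must be a plain Assertion; an EncryptedAssertion means decrypt first.
    $assertion = $Response.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if ($null -eq $assertion) { throw 'No plain Assertion: decrypt the EncryptedAssertion with the gateway private key first' }

    # IdP-initiated responses carry no InResponseTo, so Audience and the validity window
    # are what tie this response to this relying party, now.
    $audience = $assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns)
    if ($null -eq $audience -or $audience.InnerText -ne $ExpectedAudience) { throw 'Assertion Audience is not this relying party' }

    $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
    $utc = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $notBefore    = [datetime]::Parse($cond.GetAttribute('NotBefore'),    $null, $utc)
    $notOnOrAfter = [datetime]::Parse($cond.GetAttribute('NotOnOrAfter'), $null, $utc)
    if ($Now -lt $notBefore -or $Now -ge $notOnOrAfter) { throw "Assertion is not valid at $Now" }

    # The user info the sample policy needs: the Name ID issued by the claim rule.
    $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText
}

# Constructed sample: a decrypted response with the Signature element omitted. Values
# such as the Issuer URL are illustrative, not captured from a real ADFS server.
$sample = [xml]@'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z" Destination="https://mark_gw91_node1.apjteam.local:8443/adfs">
  <saml:Issuer>http://omega.apjteam.local/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
    <saml:Issuer>http://omega.apjteam.local/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>mark@apjteam.local</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-01-01T00:00:00Z" NotOnOrAfter="2013-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://mark_gw91_node1.apjteam.local:8443/adfs</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
'@

$rpId = 'https://mark_gw91_node1.apjteam.local:8443/adfs'
New-AdfsLoginUrl -AdfsHost 'omega.apjteam.local' -RelyingPartyId $rpId
# Evaluate the sample inside its validity window; with the real default ($Now = current time) it would be rejected as expired.
Test-SamlResponse -Response $sample -ExpectedAudience $rpId -Now ([datetime]::Parse('2013-01-01T00:30:00Z', $null, [System.Globalization.DateTimeStyles]::AdjustToUniversal))
```

The first call prints the login URL the gateway should redirect to; the second returns the Name ID only if status, Audience and the validity window all pass, which is the behaviour the decrypt branch of the policy should have.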
Screenshots of the running result
- Return to the gateway after authentication