Set up authentication via SAML2 with ADFS

Procedure:

(1) Set start parameters in Aeneis

(2) Configure SAML2 in Aeneis

(3) Configure SAML settings in ADFS Management

Note: SAML2 only works with SHA-256. SHA-1 or others are not currently supported.

Note: Authentication via SAML2 only works if the link to the IDP has been added in config.yml.

Instruction:

  1. Set the following start parameters in the vmoptions in the Aeneis application directory:

    • -Daeneis.hostname=

    • -Daeneis.webserver.ssl.enabled=true

    • -Daeneis.webserver.ssl.keystore.password=aeneis

    • -Daeneis.webserver.ssl.cipher.suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • -Daeneis.webserver.ssl.keystore.key-alias=[KEY-ALIAS]

Note: The -Daeneis.webserver.ssl.keystore.key-alias= start parameter sets the alias name of the key pair from the aeneis-server-keystore.jks file.

  2. Configure authentication via SAML2 in the Aeneis ServerAdministration under Authentication | Token-based authentication. The Aeneis metadata file is required for the configuration. If the metadata file already exists, it can be stored in the Metadata File property. If there is no metadata file yet, it can be generated as follows:

    1. Enter the following URL in the Metadata URL property: https://[ADFS_SERVER]/FederationMetadata/2007-06/FederationMetadata.xml

    2. Optional: If your own SSL certificate is available, add the certificate under Certificates (Beta)

    3. Restart the Aeneis server

    4. Download the metadata file in one of the following ways:

      • Download the metadata file in the ServerAdministration under Authentication | Token-based Authentication via the Download file button

      • Use the following link to download the metadata file: https://[HOST:PORT]/saml/metadata/SSO
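The following PowerShell snippet is an added example, not part of the Aeneis documentation. It inspects the downloaded Aeneis service-provider metadata before it is imported into ADFS, listing the AssertionConsumerService endpoints (the check that step 3.f below asks for), warning when an endpoint is not served over HTTPS, and showing the signing certificate the file publishes. The file path is an assumption.

```powershell
# Added example: inspect the Aeneis SP metadata downloaded in step 2.
# Assumed path of the downloaded file (adjust as needed).
$MetadataFile = ".\aeneis-sp-metadata.xml"

[xml]$md = Get-Content -Path $MetadataFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# The entityID is what ADFS will show as the relying party identifier.
$entityId = $md.SelectSingleNode("/md:EntityDescriptor", $ns).entityID
Write-Host "entityID: $entityId"

# Endpoints ADFS will post the SAML response to. With SSL enabled in the
# vmoptions, every Location must start with https://.
$acs = $md.SelectNodes("//md:SPSSODescriptor/md:AssertionConsumerService", $ns)
Write-Host "AssertionConsumerService endpoints: $($acs.Count)"
$plain = @()
foreach ($e in $acs) {
    Write-Host ("  [{0}] {1} {2}" -f $e.index, $e.Binding.Split(':')[-1], $e.Location)
    if ($e.Location -notmatch '^https://') { $plain += $e.Location }
}
if ($acs.Count -eq 0) {
    Write-Warning "No endpoints found; regenerate the metadata with -Daeneis.webserver.ssl.enabled=true and restart the server"
}
if ($plain.Count -gt 0) {
    Write-Warning "Non-HTTPS endpoints: $($plain -join ', ')"
}

# Signing certificate(s) published by Aeneis; note the expiry date so the
# trust in ADFS does not break silently when the certificate is renewed.
$certs = $md.SelectNodes("//md:KeyDescriptor[not(@use) or @use='signing']//ds:X509Certificate", $ns)
foreach ($c in $certs) {
    $raw = [Convert]::FromBase64String($c.InnerText.Trim())
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    Write-Host ("signing cert: {0}  expires {1}  thumbprint {2}" -f $x.Subject, $x.NotAfter, $x.Thumbprint)
}
```

Run it against the file obtained via the Download file button or the /saml/metadata/SSO link; if it reports zero endpoints or any http:// Location, the metadata was generated before SSL was enabled and must be regenerated.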

  3. Configure the following settings in ADFS Management:

    1. Under Control Panel | Administrative Tools, select Add Relying Party Trust.

      Note: It may be necessary to install Active Directory Federation Services.

    2. Select the option Import data about the relying party from a file and attach the metadata file

      Note: When clicking Next, a message appears that some metadata contents are not supported. Ignore this message.

    3. Enter a Display name (*) and click Next

    4. Enable the I do not want to configure multi-factor authentication settings for this relying party trust at this time option and click Next

    5. Enable the Permit all users to access this relying party option and click Next

    6. In the Ready to Add Trust entry in the Endpoint tab, check if multiple endpoint values are set. If not, check if the metadata file was generated over HTTPS

    7. Activate the Open the Edit Claim Rules dialog option and finish

    8. Add a new rule via Add Rule

    9. Select the Send LDAP Attributes as Claims rule type and click Next

    10. Enter a claim rule name

    11. Select Active Directory as the attribute store

    12. Create the following rules (LDAP attribute, outgoing claim type and purpose of each rule):

      LDAP attribute: Email addresses
      Outgoing claim type: Email address

      LDAP attribute: Display name
      Outgoing claim type: Specified name
      Description: The display name is used to set the name of the user if the user is created during login.

      LDAP attribute: Token groups - unqualified names
      Outgoing claim type: Group
      Description: Configure this attribute only if external groups with the same names as in ADFS exist in Aeneis and are to be synchronized with the users. At login, users are then added to or removed from these groups according to their current group membership in ADFS.

      LDAP attribute: User-Principal-Name
      Outgoing claim type: Name ID
      Description: Must be configured! The user principal name defines which attribute is used as the ID under which the user is logged in.

    13. Exit the wizard via OK

  4. Run the following PowerShell command on the ADFS server:
    Set-AdfsRelyingPartyTrust -SamlResponseSignature "MessageAndAssertion" -TargetName "Display-Name"
    (*) As "Display-Name", enter the display name specified previously in step 3.c.
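As an added example (not part of the Aeneis documentation), the following PowerShell script performs the ADFS configuration of steps 3 and 4 without the wizard: it creates the relying party trust from the Aeneis metadata file, attaches the claim rules from the table in step 3.l as a single LDAP-claims rule, permits all users, sets MessageAndAssertion signing, and verifies that the trust signs with SHA-256, which Aeneis requires. The display name, the metadata path and the claim-type URI used for "Specified name" (mapped here to the standard Name claim) are assumptions; confirm the URI against the outgoing claim type you would pick in ADFS Management.

```powershell
# Added example: scripted equivalent of the ADFS Management steps.
# Run in an elevated PowerShell session on the ADFS server.
$DisplayName  = "Aeneis"                         # display name from step 3.c (assumed)
$MetadataFile = "C:\temp\aeneis-sp-metadata.xml" # metadata downloaded in step 2 (assumed path)

# One LDAP-claims rule covering the whole table of step 3.l.
# Attribute order in the query matches the order of the claim types.
# The URI for "Specified name" is an assumption (standard Name claim).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Aeneis attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/claims/Group",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";mail,displayName,tokenGroups,userPrincipalName;{0}", param = c.Value);
'@

# "Permit all users to access this relying party" (step 3.e).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 3.a to 3.l: create the trust from the metadata file (idempotent).
if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataFile $MetadataFile `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Step 4: sign both the SAML response message and the assertion.
Set-AdfsRelyingPartyTrust -TargetName $DisplayName -SamlResponseSignature "MessageAndAssertion"

# Aeneis only accepts SHA-256; force it if the trust was created with SHA-1.
$sha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
if ($rp.SignatureAlgorithm -ne $sha256) {
    Set-AdfsRelyingPartyTrust -TargetName $DisplayName -SignatureAlgorithm $sha256
}

# Show the resulting trust for review.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlResponseSignature, IssuanceTransformRules |
    Format-List
```

Because the table in step 3.l becomes a single rule here, any later change to the attribute mapping means re-issuing Set-AdfsRelyingPartyTrust -IssuanceTransformRules with the full rule text rather than editing one row in the wizard.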

Electronic signature:

If you use electronic signature in Aeneis (Show login dialog in transitions property) and have set up authentication via SAML2 with ADFS, add the following entry at the very end of the application.yml file in the Aeneis application directory:

urls: {adfs: '[URL of ADFS]'}