Set up authentication via SAML2 with ADFS

Procedure:

(1) Set start parameters in Aeneis

(2) Configure SAML2 in Aeneis

(3) Configure SAML settings in ADFS Management

Instruction:

1. Set the following start parameters in the vmoptions in the Aeneis application directory:

   • -Daeneis.hostname=

   • -Daeneis.webserver.ssl.enabled=true

   • -Daeneis.webserver.ssl.keystore.password=aeneis

   • -Daeneis.webserver.ssl.cipher.suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

   • -Daeneis.webserver.ssl.keystore.key-alias=[KEY-ALIAS]

2. Configure authentication via SAML2 in the Aeneis ServerAdministration under Authentication | Token-based authentication. The Aeneis metadata file is required for the configuration. If the metadata file already exists, it can be stored in the Metadata File property. If there is no metadata file yet, it can be generated as follows:

   1. Enter the following URL in the Metadata URL property: https://[ADFS_SERVER]/FederationMetadata/2007-06/FederationMetadata.xml

   2. Optional: If your own SSL certificate is available, add the certificate under Certificates (Beta)

   3. Restart the Aeneis server

   4. Download the metadata file in one of the following ways:

      

      • Download the metadata file in the ServerAdministration under Authentication | Token-based Authentication via the Download file button

      • Use the following link to download the metadata file: https://[HOST:PORT]/saml/metadata/SSO

3. Configure the following settings in ADFS Management:

   1. Under Control Panel | Administrative Tools, select Add Relying Party Trust.

      Note: It may be necessary to install Active Directory Federation Services.

   2. Select the option Import data about the relying party from a file and attach the metadata file

      Note: When clicking Next, a message appears that some metadata contents are not supported. Ignore this message.

   3. Enter a Display name (*) and click Next

   4. Enable the I do not want to configure multi-factor authentication settings for this relying party trust at this time option and click Next

   5. Enable the Permit all users to access this relying party option and click Next

   6. In the Ready to Add Trust entry in the Endpoint tab, check if multiple endpoint values are set. If not, check if the metadata file was generated over HTTPS

   7. Activate the Open the Edit Claim Rules dialog option and finish

   8. Add a new rule via Add Rule

   9. Select the Send LDAP Attributes as Claims rule type and click Next

   10. Enter a claim rule name

   11. Select Active Directory as the attribute store

   12. Create the following rules:

       

       LDAP attribute	Outgoing claim type	Description
       Email addresses	Email address
       Display name	Specified name	The display name is used to set the name of the user, if it is created during login
       Token groups - unqualified names	Group	This attribute is only configured if external groups with the names from ADFS exist in Aeneis and are to be synchronized with the users. This will add or remove users from the groups when they log in, if they are also in the groups in ADFS or have been removed.
       User-Principal-Name	Name ID	Must be configured! The user principal name defines with which attribute as ID the user is logged in

   13. Exit the wizard via OK

4. Add the following to the ADFS server:
   Set-AdfsRelyingPartyTrust -SamlResponseSignature "MessageAndAssertion" -TargetName "Display-Name".
   (*) Enter the previously specified display name from step 3.c as the "Display name". an.

Electronic signature:

If you use electronic signature in Aeneis (Show login dialog in transitions property) and have set up authentication via SAML2 ADFS, add the following entry to the very end of the application.yml file in the Aeneis application directory:

urls: {adfs: '[URL of ADFS]'}