How to install ADFS 2.0 and configure SAML for SSO (auto login/AD login integration)

I’ve recently had the experience of setting up Single Sign On (SSO) for an application that we sell at work (Oracle RightNow), which provides a SAML 2.0 interface for authentication, and found that there are very few useful instructions on how to install and, especially, how to configure SAML. Hopefully this information will help anyone else in a similar situation.

First of all it’s useful to know that Microsoft provides a product called Active Directory Federation Services which enables AD integration with third-party services. The version of ADFS that comes with Windows Server 2008 R2 is actually version 1, which isn’t compatible with SAML, so for this article we will be using ADFS 2.0. This can be downloaded from: http://www.microsoft.com/en-us/download/details.aspx?id=10909 (you must click Continue before you can see the Download button for the appropriate version) and there is additionally a hotfix available from: http://support.microsoft.com/kb/2681584.

Installation
This installation should ideally be carried out on a server that is web facing with an installed (not self-signed) SSL certificate and which has access to Active Directory.

  1. Run AdfsSetup.exe
  2. Click Next
  3. Click “I accept the terms in the License Agreement” and then click Next
  4. Click “Federation server” and then click Next (you may wish to set up a proxy and a farm but this is outside of the scope of this article)
  5. Click Next
  6. Once the installation is complete click Finish (the “Start the AD FS 2.0 Management snap-in when this wizard closes” tickbox is automatically checked)

SAML Configuration

  1. Click “AD FS 2.0 Federation Server Configuration Wizard”
  2. Click Next (“Create a new Federation Service” should be automatically selected – note that setting up a Federation server farm is out of scope of this article)
  3. Click “Stand-alone federation server” and then click Next
  4. Select your SSL certificate and the default Federation Service name and click Next (note that this SSL certificate should ideally be signed by a provider e.g. Thawte or Verisign and should be public facing or else you may experience issues further along)
  5. Click Next
  6. Click Close
  7. Click “Required: Add a trusted relying party”
  8. Click Start
  9. If you have a URL or file containing the configuration use this otherwise select “Enter data about the relying party manually” and click Next
  10. Enter a Display name and click Next
  11. Select AD FS 2.0 profile and click Next
  12. Click Browse and select the same certificate you used earlier and then click Next
  13. Select “Enable support for the SAML 2.0 WebSSO protocol”, enter the URL to the service providing the integration and then click Next
  14. Enter a “Relying party trust identifier” and click Add, then click Next (note it seems that this is sometimes used by the provider to confirm identification but isn’t always used)
  15. Click Next (“Permit all users to access this relying party” is automatically selected; you may want to change this later once testing is complete)
  16. Click Next
  17. Click Close (“Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” should be automatically selected)
  18. Click “Add Rule…”
  19. Click Next (“Send LDAP Attributes as Claims” should be automatically selected – note that only Active Directory integration is in scope for this article)
  20. Enter a “Claim rule name” and then select Active Directory under “Attribute store” (note that only Active Directory integration is in scope for this article)
  21. Select an LDAP Attribute e.g. E-Mail Addresses, and a corresponding Outgoing Claim Type e.g. E-Mail Address, and click Finish
  22. Click OK

Please note that if your provider authenticates your requests using your SSL certificate Thumbprint then expand Service (in the tree on the left hand side under AD FS 2.0) and click Certificates then double click the certificate under “Token-signing”. Click Details and you will find the Thumbprint at the bottom.
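The same relying party trust that steps 7 to 22 build in the wizard can be created with the AD FS 2.0 PowerShell snap-in, which makes the configuration reviewable and repeatable and also shows how to retrieve the token-signing thumbprint mentioned above. This is an added example, not code from the original article; the display name, identifier, endpoint URL, certificate path and group SID are placeholders you must replace with your provider’s values.

```powershell
# Added example (not from the original article): steps 7-22 of the wizard
# expressed with the AD FS 2.0 PowerShell snap-in.
# All values below marked "placeholder" are assumptions, not from the article.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$rpName        = 'Example Service Provider'        # step 10: display name (placeholder)
$rpIdentifier  = 'https://sp.example.com/saml'     # step 14: relying party trust identifier (placeholder)
$acsUrl        = 'https://sp.example.com/saml/acs' # step 13: SAML 2.0 WebSSO endpoint (placeholder)
$rpEncCertPath = 'C:\certs\sp-encryption.cer'      # step 12: the relying party's own certificate (placeholder)

# Step 13: the provider's assertion consumer endpoint, HTTP-POST binding.
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $acsUrl -Index 0 -IsDefault $true

# Steps 19-21: "Send LDAP Attributes as Claims", mapping the AD mail attribute
# to the E-Mail Address claim type. This is the rule text the wizard generates.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD e-mail address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Step 15: the wizard default "Permit all users". Suitable while testing only.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Tighter rule for after testing: permit only members of one AD group.
# The SID is a placeholder; use the real group's SID.
$permitGroup = @'
@RuleName = "Permit members of the SSO group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 12: the relying party's public certificate, used to encrypt the claims
# sent to it (the relying party holds the matching private key).
$rpEncCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rpEncCertPath

# Steps 7-17 in one call.
Add-ADFSRelyingPartyTrust -Name $rpName `
    -Identifier $rpIdentifier `
    -SamlEndpoint $acs `
    -EncryptionCertificate $rpEncCert `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $permitAll

# Once testing is complete, replace the permit-all rule with the group rule.
# Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitGroup

# The thumbprint a provider asks for is that of the primary token-signing
# certificate, not the SSL certificate chosen in step 4.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$signing.Certificate.Thumbprint
```

Run this in an elevated PowerShell session on the federation server; if the provider supplied a metadata file or URL (step 9), `Add-ADFSRelyingPartyTrust` also accepts `-MetadataFile` or `-MetadataUrl` in place of the identifier, endpoint and certificate parameters.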

You are now ready to test your SSO:

  1. Open up a browser (ideally Internet Explorer) and navigate to https://[server address]/adfs/ls/IdpInitiatedSignon.aspx
  2. Select “Sign in to this site” (so that we know it is working) and then click “Continue to Sign In”
  3. Your site should be automatically selected so just click Go – your application should now load and you should be successfully logged in!

If you aren’t able to login go back over your settings and make sure that you have gotten everything correct. The key areas for failure are the endpoint URL (step 13 of the configuration) being incorrect, the rules (step 21) not passing the correct authentication data, your Active Directory profile being out of date or lacking data, or your SSL certificate not authenticating correctly (check my note below the configuration steps).

About Stephen Pickett


Stephen Pickett is a programmer, IT strategist and architect, project manager and business analyst, Oracle Service Cloud and telephony expert, information security specialist, all-round geek. He is currently Technical Director at Connect Assist, a social business that helps charities and public services improve quality, efficiency and customer engagement through the provision of helpline services and CRM systems.

Stephen is based in south Wales and attended Cardiff University to study Computer Science, in which he achieved a 2:1 grading. He has previously worked for Think Consulting Solutions, a leading voice on not-for-profit fundraising, Fujitsu Services and Sony Manufacturing UK as a software developer.

Stephen is the developer of ThinkTwit, a WordPress plugin that allows you to display multiple Twitter feeds within a blog.


46 replies on “How to install ADFS 2.0 and configure SAML for SSO (auto login/AD login integration)”

Hi Anita,

I haven’t yet used Windows Server 2012 but according to Microsoft it is compatible. There is apparently a new method of installation which is by using Server Manager to add the AD FS server role which will also install any dependencies that it relies upon.

If you do try this out and learn anything from it please do add any notes you have on it here for others, and when I get around to upgrading our servers I’ll do the same.

I hope that is helpful.

Thanks.

Hi Stephen,

Thank you very much for sharing your experience.
I am setting up a similar configuration and I went through your steps to double check my approach.

One thing I noted is that in step 12 above, you are suggesting to choose the same certificate that has been used in an earlier step. However, I think those must be two different certificates.
The first certificate in step 4 is actually ID provider’s certificate, whereas the one needed in step 12 is Service Provider’s (Relying Party’s) certificate. The following is the description of this certificate you can find on the related screen on the ADFS wizard:

“Specify an optional token encryption certificate. The token encryption certificate is used to encrypt the claims that are sent to this relying party. The relying party will use the private key of this certificate to decrypt the claims that are sent to it. To specify the certificate, click Browse.”

In other words, at step 12 you need to provide the public key (certificate) of the relying party. – Of course they keep the corresponding private key to themselves.

Thank you,
Majid

Hi Majid,

That’s no problem at all, glad it was helpful. I can’t remember back to your point about step 12 but you have obviously just gone through it so I appreciate you pointing this out, hopefully it will help others.

Thanks!

Hi Kenny,

This is something that I am interested in and when I have time I will look into how to achieve this. This should be quite possible, I believe it will at the very least be achievable with some JavaScript to mimic the submit button, but the ideal would of course be to skip the login screen so it works without needing JavaScript.

Once I have a chance to look into it and find a solution I will add a new blog post to share with everyone and (if I remember) post an update on here.

Thanks for this nice article.
After configuring ADFS, I registered my web app as a relying party, after importing a certificate on the IdP and SP server.
I got an error “IDP ssl is unreachble”.
Can anyone help me?

Hi Sunil,

I don’t have any experience with OpenAM but it sounds like the error you are receiving is suggesting that ADFS (as the Identity Provider) can’t be accessed via SSL – first of all just make sure that the addresses that you are using are correct and that the certificates are correctly configured. After that see what error reporting you have available on both systems to first of all find out if they are both connecting and if so what is causing rejection. A useful tool in this is a packet sniffer, such as Wireshark, as this can monitor the messages sent back and forth to help you evaluate where the problem is.

Sorry I can’t give you any more detailed solutions than that, but hopefully it will assist you and you can post your response or someone else with knowledge can assist.

Hi Kenny,

Yes, there is a way to bypass the sign-in-to-site page: you can directly configure the desired site name in the IdP metadata file in the SSO login service tag.

After https://[server address]/adfs/ls/IdpInitiatedSignon.aspx you add loginToRp. Below is what the output should be:

https://[server address]/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://saml.hostname.com

Hi, would you please suggest the steps to implement single sign-on for a SharePoint site in a scenario where a remote AD server’s users can access the SharePoint site while the SharePoint farm has its own DNS server. So it’s a case in which one DNS server is attached to the SharePoint farm and another DNS server joins it.
Many thanks in advance.

Hi Atiq,

Sorry to disappoint but that’s a fair bit outside of my area of knowledge. I’d suggest you try some of the Microsoft forums to find your answer or speak to an MCSE qualified engineer or SharePoint expert (maybe both). You’ll probably need to give more details too, for instance if they are not on the same domain you would (I imagine) need to set up a trust between them; otherwise you may want to go through the steps of ensuring the servers can access each other and have the right permissions etc.

Good luck with solving your issue!

I have configured my Application to authenticate using ADFS and defined a Relying Party trust. BUT by default ADFS is returning SAML 1.0 token format? How can we change the setting in ADFS so that it returns SAML 2.0 for the existing configured RP trust?

Yes Stephen, the issue is almost the same.
I have a working implementation of ADFS authentication of my Web application using the wsFederationPassive control to ADFS 2.0.

When the client authenticates and sends a request to the ADFS server for a token, the response token always comes in SAML 1.0 format. I wanted to test my application using SAML 2.0 format.

Question:
1) Can I use my same setup and make some changes at ADFS level so that ADFS will return me a SAML 2.0 token format?
2) Do I have to make some changes in my application to request a SAML 2.0 token?

Hi Vaibhav,

Unfortunately it’s been a while since I worked with ADFS so I can’t give you an exact answer, but it does seem like you can’t get a SAML 2.0 token. I have seen a suggestion, however, that it might be possible using a custom STS (Security Token Service):

http://social.msdn.microsoft.com/Forums/vstudio/en-US/8d03aa29-addd-4a86-a860-c8ba3fb5e154/send-passive-federation-request-to-adfs-20-for-saml-20-token?forum=Geneva

I’ve had a quick Google around and I can see some articles relating to this but nothing specific so you may need to cannibalise a few different resources to achieve what you need.

Good luck – sorry I couldn’t help you more!

Hi Stephen,

We have already set up OAM SSO for our Fusion Applications. Now the requirement is to enable SSO integration with Active Directory.
As I understand I need to install OIF and ADFS 2.0 but don’t know how to integrate. Any help would be highly appreciated.

Thanks
Sanjay
Thanks

Hi Stephen,

I am trying to set up SAML 2.0 using AD FS 2.0 for achieving SSO using AD. Can you please provide some more detailed steps, I mean with examples for each step wherever it’s required. I have configured AD FS and tried to access the application through SSO, but it’s asking for authentication details. When I provide machine credentials or active directory user credentials it’s not accepting them and shows the error message “Server Error in Application “DEFAULT WEB SITE/ADFS/LS””.

Please provide clarifications for below:
1) Where do we provide the AD server URL for connectivity, if ADFS and AD are installed on different servers?
2) While trying to access the application using SSO, which credentials do we need to provide? The system credentials on which we are accessing the application or the AD user who is eligible to access the application?

Please provide your views as soon as possible.

Thanks in advance.

Regards,
Chandrashaker

Hi Chandrashaker,

I don’t currently have access to a live setup or a test server where I can re-do the process to give you detailed steps, I am afraid. Regarding your questions:

1) If the ADFS server is on a different one to AD then you need to make sure that the ADFS server has privileges to access and authenticate against AD – I think for this you may need to implement “AD delegation” (a quick Google will reveal more about this).

2) When trying to access the application via SSO you should be using your Windows login credentials – if you go through Internet Explorer (which I recommend) then it should authenticate you automatically, if I recall correctly. If the Windows user does not have the correct permissions to access the application then I would recommend enabling this; I couldn’t answer how you could have a different Windows user accessing using different credentials, that’s not really what SSO is about.

I hope that is helpful.

Hi Stephen,

Can you please help me to understand the configuration setups created at the SP (i.e. the RightNow tool here). I was not able to find a detailed explanation of this in the RightNow documentation. Thank you in advance.

Regards,
VK

Hi Stephen,

Thanks for your help and response.

You are right on your assumptions. The SP (i.e. Service Provider) here is the RightNow Tool (which could be an Agent Desktop or a Customer Portal based on the business context). And since you were able to establish SSO on RightNow, can you please help me to know the required configuration setup done on the RightNow tool.

Thanks a lot.
~VK

Hi Stephen,
It will be very helpful if you could please give an example of a SAML assertion generated by ADFS 2.0.

I have configured Salesforce.com as my Service Provider. For some reason (I am debugging the same), my ADFS 2.0 server is not able to process the SAML Auth request from Salesforce.

BR,
Dip

Hi VK,

Sorry for the delay in getting back to you, I’ve been extremely busy lately. Your best bet is to follow the instructions in the user manual, select the right version from here:

https://cx.rightnow.com/app/answers/detail/a_id/5168

And then navigate to Core Features > SAML 2.0 Open Login > Logging in to Oracle RightNow CX using external identity providers > Agent login. I followed these instructions and it worked almost first time. The only real catch is around the SSL certificate – make sure that you upload the correct certificate that represents your server (publicly accessible) to the correct location in File Manager.

Best of luck.

Hi Dip,

I wish I could help but unfortunately I don’t have any experience with SalesForce and I don’t currently have access to a server to grab an example of the SAML assertion that is generated – maybe another reader could provide this?

Good luck with resolving your issue.

Hi Stephen,
Is it possible to integrate RightNow CX with Oracle Identity Federation for SSO? If so, can you please provide the steps…

Thanks
CR

Hi CR,

Looking at the product description for Oracle Identity Federation it looks as though it supports SAML 2.0 – therefore it should be possible to achieve this.

I can’t give you the exact steps as I don’t have access to OIF but here is a link to OIF help that might assist you: http://docs.oracle.com/cd/E15523_01/oim.1111/e13400/intro.htm#autoId0.

Good luck, and if you manage to resolve your issue don’t forget to share the solution 🙂

Hey Stephen,
Thanks for the quick reply. Is there any way to get the SAML Metadata from RightNow?

Thanks
CR

Hi Sekhar,

No problem. Haha, funny you should ask that! I’ve been working on that today – we’ve struggled to find this, we’re currently working on getting the SAML Assertion output when RightNow is the Service Provider but the only way that we can really do this (we think) is to use Fiddler to scrape the output from the request.

My suggestion is that you try this also but given RightNow is the Endpoint rather than the Service Provider I’m not sure how easy that will be – it may just be easier to setup two test sites and just try it out.

Let me know how you get on.

Hi Stephen,
Good article there. I’ve seen that this setup is for a .NET application. I am doing the same thing for a Java/J2EE web application running on WebLogic. Is there an easy setup like this for Java/J2EE apps or does this setup work equally with Java applications? I can’t seem to find one on the Internet.

Thanks
Bashiru

Hi Bashiru, this article isn’t technology specific with regard to the Relying Party (the application which the user is signing into via SSO) – as long as it implements SAML 2.0 it should work.

It looks like WebLogic supports SAML 2.0, I don’t know whether the developer needs to do something to make use of it but it may be that it simply works with a bit of configuration. This article may help: https://blogs.oracle.com/blogbypuneeth/entry/steps_to_configure_saml_2

Hi Stephen,
thanks for the article.

I am trying to understand how the Oracle RightNow SSO works with ADFS 2. The requirement is to seamlessly open the Service Console without having to go through any username/password since the agent is already logged onto the network and obviously AD.
The steps above suggest that the agent will firstly go to https://[server address]/adfs/ls/IdpInitiatedSignon.asp and login “again” with the agent’s network credentials.

I am confused where the Single Sign-On functionality is then if the user still has to firstly login to the IdP? I would have thought that the Oracle RightNow CX Console (on launch) automatically communicates with ADFS requesting an SSO token and then the agent is automatically logged on. Am I missing anything?

thanks for your help ..

Thanks,
Sam

Hi Stephen,

I am currently configuring ADFS as a “New Federation Server Farm”. After installing ADFS 2.0 on a Windows 2008 R2 machine, when I run the ADFS configuration, after selecting SSL (self-signed) I need to provide a Service Account which should have an SPN.

I have created a service account in AD, and ran the below command to set the SPN for ADFS.

setspn -s http/.chi.ncr.com chand123

But still it is not accepting it and throws the below error.

—————————
AD FS 2.0 Federation Server Configuration Wizard
—————————
The service account’s identity could not be mapped. Try using another account.
—————————
OK
—————————

Can you please help me, this task is on high priority for me and I have been stuck on this for 2 weeks.

I have referred the below website also.
http://cd.centraldesktop.com/adn/doc/13243242/

Thanks in advance.

Regards,
Chandrashaker G

Hi Sam,

If you’re using Internet Explorer then your Windows login should automatically log you in at this stage and give you access to the button that lets you load RightNow. You can actually modify this process so that the user simply loads a page and it opens up RightNow – it will take some developer capability to do this, but it’s not too complex. Unfortunately I haven’t looked at this yet so I don’t have anything to give you to tell you how to do this.

Hi Chandrashaker,

Have you tried taking it back to basics and simply doing a fresh install and then testing it first? Once you have that working then you can try mapping to the Service Account. Also not sure if this is a live or a test environment – if the latter please check here:

https://social.msdn.microsoft.com/Forums/vstudio/en-US/933e8215-0a0d-4804-8e31-99e63561a468/unable-to-map-service-account-identity

Hopefully this helps, it’s now quite some time since I have done any server configuration so apologies if it’s no use to you. Good luck!

Hi Stephen,

I am a bit new to this ADFS concept and sorry if I am asking basic stuff.
Mine is a .NET MVC based web application. My client has an ADFS set up (SAML 2.0 based protocol). We don’t have access to their servers.
Now I need to integrate ADFS into our application for authentication.
I am a bit confused about the relying party trust and the SAML 2.0 protocol.
What do I have to configure in my application to have that relying party trust?
I don’t have ADFS installed on my local system or Dev box.
Could you please brief me on how this relying party is to be added in the client’s ADFS server and how I can access the ADFS URL from the client? Any pointers about my MVC application accessing the ADFS URL would be really helpful.

Appreciate your help on this.

– Guru Prasad

Hi Guru Prasad,

Sorry for the delay in approving your comment and getting back to you, I’ve been extremely busy of late.

It’s been quite some time now since I worked with ADFS and additionally I only worked on it from the configuration point of view and not development, so I can’t give you an exact answer. What I can say is that the majority of the configuration will be on your client’s end on the ADFS server – the main thing is to ensure that you have implemented SAML correctly and to the standard. There are many guides to do this but it does depend on what environment you are using – if you’re on C# and your application is web-based or always Internet connected then I would suggest that you look at integrating with Azure Active Directory and getting the client to setup a sync between their local Active Directory and Azure as a lot of the work will have been done for you.

All the best.

Steve

Hi Stephen,
Many thanks for your reply. Somehow we managed to get the relying party added and we were able to get claims-based authentication working. We used the WS-Federation passive protocol for adding the relying party.
Currently the relying party is configured without any token signing certificate. So, now I want to know what this token signing certificate is all about. Can we send our website SSL certificate to add as the token signing certificate or is there anything else we need to do here? Your responses are much appreciated.

Hi Guru,
In the ADFS server you need to add a Token signing certificate and store the same certificate in the DB or in the application. When you receive the SAML token in the application, extract the signing certificate and compare it with the signing certificate stored in the DB/application. This way you are making sure no one has manipulated the SAML token.

Let me know if you need any help.

Hi Vaibhav,
Thanks for the reply. ADFS is configured with the WS-Federation passive protocol where the data will be sent through ClaimsIdentity. No SAML here.
Just to brief, currently my application is using a self-signed certificate for testing purposes and it is working. So, now we are planning to get a proper trusted certificate.
So, what I want to understand is: I will get the certificate and make my application communicate over SSL. But for the token signing certificate setup, can I use the same certificate to configure in ADFS, and once it’s configured in the Relying Party in ADFS, does my application’s IIS automatically decrypt the data so that I don’t need to do anything, or is there anything I need to do here?
