Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Document how to enable with SSP2 + markdown
- Loading branch information
Showing
2 changed files
with
75 additions
and
52 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,30 +1,42 @@ | ||
| # ADFS Module | ||
|
|
||
|  | ||
| [](https://scrutinizer-ci.com/g/simplesamlphp/simplesamlphp-module-adfs/?branch=master) | ||
| [](https://codecov.io/gh/simplesamlphp/simplesamlphp-module-adfs) | ||
| [](https://shepherd.dev/github/simplesamlphp/simplesamlphp-module-adfs) | ||
|
|
||
| # Usage | ||
|
|
||
| ## Install | ||
|
|
||
| Install with composer | ||
|
|
||
| ```bash | ||
| composer require simplesamlphp/simplesamlphp-module-adfs | ||
|
|
||
| ``` | ||
|
|
||
| ## Configuration | ||
|
|
||
| View samples in `metadata-templates` for defining your idp and any relying parties/sps. | ||
| Next thing you need to do is to enable the module: in | ||
| `config.php`, search for the `module.enable` key and set `adfs` to true: | ||
|
|
||
| In `config.php` you'll need to set `'enable.adfs-idp' => true` and enabled the module. | ||
| ```php | ||
| 'module.enable' => [ | ||
| 'adfs' => true, | ||
| … | ||
| ], | ||
| ``` | ||
|
|
||
| View samples in `metadata-templates` for defining your idp and any relying | ||
| parties/sps. | ||
|
|
||
| ### Tips for admins new to WS-Fed | ||
|
|
||
| * A `realm` is similar to an entityId from SAML. `adfs-sp-remote.php` metadata | ||
| array is based on `realm`. An IP STS is similar to an IdP. | ||
| * Some WS-Fed Relying Party applications want the assertion lifetime to be longer | ||
| than the application's session lifetime. If not, the application will send the user to | ||
| the IdP to login again, hoping for a longer lived assertion. | ||
| SSP's default assertion lifetime is 5 minutes while SharePoint, by default, wants 10 minutes. | ||
| Use the `assertion.lifetime` in `adfs-sp-remote.php` to set the time greater than that set in SharePoint | ||
| (which can be configured by adjusting `LogonTokenCacheExpirationWindow`) | ||
| * A `realm` is similar to an entityId from SAML. `adfs-sp-remote.php` metadata | ||
| array is based on `realm`. An IP STS is similar to an IdP. | ||
|
|
||
| * Some WS-Fed Relying Party applications want the assertion lifetime to be | ||
| longer than the application's session lifetime. If not, the application will | ||
| send the user to the IdP to login again, hoping for a longer lived assertion. | ||
| SSP's default assertion lifetime is 5 minutes while SharePoint, by default, | ||
| wants 10 minutes. Use the `assertion.lifetime` in `adfs-sp-remote.php` to set | ||
| the time greater than that set in SharePoint (which can be configured by | ||
| adjusting `LogonTokenCacheExpirationWindow`) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,83 +1,94 @@ | ||
| # ADFS Module | ||
|
|
||
| Enables AD FS IdP | ||
| Compatible with VS 2012 Identity and Access | ||
|
|
||
| Basic Setup Companion based on: | ||
| http://simplesamlphp.org/docs/stable/simplesamlphp-idp | ||
| Basic Setup Companion based on [SimpleSAMLphp IDP configuration][docs] | ||
| [docs]: http://simplesamlphp.org/docs/stable/simplesamlphp-idp | ||
|
|
||
| 1. Enabling the Identity Provider functionality | ||
|
|
||
| In config/config.php, the option will be: | ||
| 'enable.adfs-idp' => true | ||
| In config/config.php, the option will be: | ||
| 'enable.adfs-idp' => true | ||
|
|
||
| 2. Authentication module | ||
|
|
||
| Follow as is. | ||
| Follow as is. | ||
|
|
||
| 3. Configuring the authentication module | ||
|
|
||
| In addition to enabling authentication module, enable adfs module by creating a file named 'enable' in modules/adfs | ||
| Next thing you need to do is to enable the module: in `config.php`, | ||
| search for the `module.enable` key and set `subjectidattrs` to true: | ||
|
|
||
| In unix from installation directory: | ||
| touch modules/adfs/enable | ||
| ```php | ||
| 'module.enable' => [ | ||
| 'subjectidattrs' => true, | ||
| … | ||
| ], | ||
| ``` | ||
|
|
||
| 4. Configuring the IdP | ||
|
|
||
| ADFS IdP is configured by metadata stored in /metadata/adfs-idp-hosted.php and metadata/adfs-sp-remote.php | ||
| ADFS IdP is configured by metadata stored in /metadata/adfs-idp-hosted.php and metadata/adfs-sp-remote.php | ||
|
|
||
| If they are not present, copy them from /metadata-templates to the metadata | ||
| directory. | ||
| If they are not present, copy them from /metadata-templates to the metadata | ||
| directory. | ||
|
|
||
| 5. Using the uri NameFormat on attributes | ||
|
|
||
| WS-FED likes a few parameters to be very specifically named. This is | ||
| especially true if .net clients will be treating this as a Microsoft ADFS | ||
| IdP. | ||
| WS-FED likes a few parameters to be very specifically named. This is | ||
| especially true if .net clients will be treating this as a Microsoft ADFS | ||
| IdP. | ||
|
|
||
| The recommended settings for /metadata/adfs-idp-hosted.php is: | ||
| The recommended settings for /metadata/adfs-idp-hosted.php is: | ||
|
|
||
| 'authproc' => array( | ||
| // Convert LDAP names to WS-Fed Claims. | ||
| 100 => array('class' => 'core:AttributeMap', 'name2claim'), | ||
| ), | ||
| ```php | ||
| 'authproc' => [ | ||
| // Convert LDAP names to WS-Fed Claims. | ||
| 100 => ['class' => 'core:AttributeMap', 'name2claim'], | ||
| ], | ||
| ``` | ||
|
|
||
| 6. Adding SPs to the IdP | ||
|
|
||
| The minimal configuration for /metadata/adfs-sp-remote.php is: | ||
| The minimal configuration for /metadata/adfs-sp-remote.php is: | ||
|
|
||
| $metadata['urn:federation:localhost'] = array( | ||
| 'prp' => 'https://localhost/adfs/ls/', | ||
| ); | ||
| ```php | ||
| $metadata['urn:federation:localhost'] = [ | ||
| 'prp' => 'https://localhost/adfs/ls/', | ||
| ]; | ||
| ``` | ||
|
|
||
| 7. Creating a SSL self signed certificate | ||
|
|
||
| Follow as is. | ||
| Follow as is. | ||
|
|
||
| 8. Adding this IdP to other SPs | ||
|
|
||
| Metadata should be available from /module.php/adfs/idp/metadata.php | ||
| Metadata should be available from /module.php/adfs/idp/metadata.php | ||
|
|
||
| 9. This module tries its best to emulate a Microsoft ADFS endpoint, and as | ||
| such, it is simplest to test using a .net client. | ||
| such, it is simplest to test using a .net client. | ||
|
|
||
| To build the test client, follow the tutorial at: | ||
| http://code.msdn.microsoft.com/Claims-Aware-Web-d94a89ca | ||
| To build the test client, follow the tutorial from [Microsoft][ms_docs]. | ||
| [ms_docs]: http://code.msdn.microsoft.com/Claims-Aware-Web-d94a89ca | ||
|
|
||
| This will build a .net app that uses a dev machine running STS (their name for | ||
| an IdP). | ||
| This will build a .net app that uses a dev machine running STS (their name for | ||
| an IdP). | ||
|
|
||
| To point to your SimpleSamlPHP ADFS IdP, in VS 2012: | ||
| To point to your SimpleSamlPHP ADFS IdP, in VS 2012: | ||
|
|
||
| a. Right-click the project in Solution Explorer and select the Identity and | ||
| Access option. | ||
| a. Right-click the project in Solution Explorer and select the Identity and | ||
| Access option. | ||
|
|
||
| b. In the Identity and Access Window, Select Use a business identity | ||
| provider. | ||
| b. In the Identity and Access Window, Select Use a business identity | ||
| provider. | ||
|
|
||
| c. Under “Enter the path to the STS metadata document” enter the url you have | ||
| c. Under “Enter the path to the STS metadata document” enter the url you have | ||
|
|
||
| from step 8. Something like | ||
| https://.../module.php/adfs/idp/metadata.php | ||
| from step 8. Something like | ||
| https://.../module.php/adfs/idp/metadata.php | ||
|
|
||
| d. Click Ok | ||
| d. Click Ok | ||
|
|
||
| For more information in regards to .NET: http://msdn.microsoft.com/en-us/library/hh377151.aspx |