Tuesday, 23 October 2018

Single Sign-On - Tinkering with Microsoft Active Directory Federation Services, SAML and WebSphere Application Server

A brief bit of context ….

A colleague was asking some questions about WAS and ADFS and SAML, so I wanted to create a basic test environment to get my head around some of the new ( to me ) concepts.

I already had a Windows Server 2012 VM and another Red Hat Enterprise Linux (RHEL) VM.

The latter was already configured / installed with: -
  • IBM WebSphere Application Server (WAS) Network Deployment (ND) 8.5.5.14
  • IBM Business Automation Workflow (BAW) 18.0.0.1
so I was mostly good to go in the WAS/application world.

On the Windows 2012 VM, I installed / configured: -
  • Active Directory Domain Services (AD)
  • Active Directory Federation Services (ADFS)
  • Internet Information Server
So I had a wee bit of effort to setup AD and ADFS, and also to configure IIS.

For the record, IIS isn't required for the SAML setup etc. BUT it's a useful way to generate a self-signed certificate, which can be exported, with public AND private key, as a PFX file, ready to be imported into ADFS.

As ever, this is an ongoing work-in-progress.

Having got the AD and ADFS stuff mainly setup, I then ran through the following: -

Test ADFS Login

https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx

This allowed me to verify that I could authenticate to ADFS using Windows credentials.

Start Deployment Manager

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

Start Node Agent

/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh

Add AD Signer to WAS

To allow WAS and AD to communicate via LDAPS ( LDAP over an SSL/TLS connection ).

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /mnt/Scripts/addADSignerToWAS.jy

Federate AD into WAS

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /mnt/Scripts/federateAD.jy

Stop Deployment Manager

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh -username wasadmin -password passw0rd

Stop Node Agent

/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/stopNode.sh -username wasadmin -password passw0rd

Start Deployment Manager

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

Start Node Agent

/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh

Retrieve MetaData

This pulls the ADFS info from the AD box

wget --no-check-certificate https://windows2012.uk.ibm.com/FederationMetadata/2007-06/FederationMetadata.xml

Install ACS Sample App into SupCluster

This app is used to perform the SAML token decryption / extraction
Note that I'm installing this into the BAW (BPM) SupCluster, which does NOT run the main BAW workload - Process Server, SCA BPEL etc.

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /opt/ibm/WebSphere/AppServer/bin/installSamlACS.py install SupCluster

Start WSAdmin Client

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd

Add SAML TAI

This creates the SAML TAI configuration - we'll populate this further shortly

AdminTask.addSAMLTAISSO('-enable true -acsUrl https://workflow.uk.ibm.com:9445/samlsps/acs')

Save and Sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


Export SP Metadata from WAS

We need this metadata to complete the ADFS configuration

AdminTask.exportSAMLSpMetadata('-spMetadataFileName /home/wasadmin/WASSAMLMetadata.xml -ssoId 1')

Import IdP Metadata into WAS

This is what we previously pulled from the ADFS box

AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /home/wasadmin/FederationMetadata.xml -idpId 1 -ssoId 1 -signingCertAlias idp1')

Save and Sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


Quit

exit

Set TAI Properties

I'm doing this manually, but will script it later

Name: sso_1.sp.acsUrl
Value: https://workflow.uk.ibm.com:9445/samlsps/acs

Name: sso_1.sp.idMap
Value: idAssertion

Name: sso_1.idp_1.EntityID
Value: http://windows2012.uk.ibm.com/adfs/services/trust

Name: sso_1.idp_1.SingleSignOnUrl
Value: https://windows2012.uk.ibm.com/adfs/ls/

Name: sso_1.sp.login.error.page
Value: https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx

Name: sso_1.sp.targetUrl
Value: https://workflow.uk.ibm.com:9445/bpc

Name: sso_1.sp.useRealm
Value: defaultWIMFileBasedRealm
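An added example, not code from the original post or from IBM, of the scripting mentioned above: it reads the IdP metadata pulled from the ADFS box, takes the sso_1.idp_1.* values from the file instead of retyping them, works out the SHA-256 fingerprint of the IdP signing certificate so it can be compared with the certificate on the ADFS box (wget ran with --no-check-certificate, so the download itself proves nothing about where the metadata came from), and builds the wsadmin line that applies the properties. The metadata document and certificate bytes below are constructed stand-ins, and the AdminTask.configureInterceptor argument format is assumed from the WAS docs rather than something the post verified.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TAI = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"  # the SAML TAI class

# Constructed stand-in for the FederationMetadata.xml pulled from the ADFS box; the
# "certificate" is not real DER, just bytes so the fingerprint code has input.
SAMPLE_CERT_BYTES = b"constructed-not-a-real-certificate"
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://windows2012.uk.ibm.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://windows2012.uk.ibm.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % base64.b64encode(SAMPLE_CERT_BYTES).decode()

def fingerprint(der_bytes):
    """SHA-256 of the DER certificate, to compare with the cert on the ADFS box."""
    return hashlib.sha256(der_bytes).hexdigest()

def parse_idp_metadata(xml_text):
    """entityID, HTTP-Redirect SSO URL and signing-cert fingerprints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                        "ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "sso_url": sso[0],
            "signing_sha256": [fingerprint(base64.b64decode(c.text.strip())) for c in certs]}

def tai_properties(idp, acs_url, target_url, error_page, realm):
    """The sso_1.* custom properties listed above, IdP values taken from the metadata."""
    return {"sso_1.sp.acsUrl": acs_url, "sso_1.sp.idMap": "idAssertion",
            "sso_1.idp_1.EntityID": idp["entity_id"],
            "sso_1.idp_1.SingleSignOnUrl": idp["sso_url"],
            "sso_1.sp.login.error.page": error_page,
            "sso_1.sp.targetUrl": target_url, "sso_1.sp.useRealm": realm}

def wsadmin_command(props):
    """wsadmin Jython line to apply the properties to the SAML TAI. The
    AdminTask.configureInterceptor argument format is assumed from the WAS docs."""
    items = ", ".join('"%s=%s"' % kv for kv in props.items())
    return "AdminTask.configureInterceptor('-interceptor %s -customProperties [%s]')" % (TAI, items)
```

Against the real file, call parse_idp_metadata(open("FederationMetadata.xml").read()), compare the reported fingerprint with the token-signing certificate shown in the ADFS console, then paste the wsadmin line into the wsadmin client started earlier and save/sync as before.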

Start Clusters
  • MECluster
  • SupCluster
  • AppCluster

Functional Test

Access BPC: -

https://workflow.uk.ibm.com:9445/bpc

Should redirect to: -

https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx

and be prompted to log on with an AD account e.g. UK\Administrator

Need to click on Sign-in button again; I don't yet know why this is the case :-(

Should then be redirected to BPC

Repeat for Process Portal: -

https://workflow.uk.ibm.com:9444/ProcessPortal

and Process Center: -

https://workflow.uk.ibm.com:9444/ProcessCenter

Sources

How to setup Microsoft Active Directory Federation Services [AD FS]

Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI)

Enabling your system to use the SAML web single sign-on (SSO) feature

