Tuesday, 23 October 2018

Single Sign-On - Tinkering with Microsoft Active Directory Federation Services, SAML and WebSphere Application Server

A brief bit of context …

A colleague was asking some questions about WAS and ADFS and SAML, so I wanted to create a basic test environment to get my head around some of the new ( to me ) concepts.

I already had a Windows Server 2012 VM and another Red Hat Enterprise Linux (RHEL) VM.

The latter was already configured / installed with: -
  • IBM WebSphere Application Server (WAS) Network Deployment (ND) 8.5.5.14
  • IBM Business Automation Workflow (BAW) 18.0.0.1
so I was mostly good to go in the WAS/application world.

On the Windows 2012 VM, I installed / configured: -
  • Active Directory Domain Services (AD)
  • Active Directory Federation Services (ADFS)
  • Internet Information Services (IIS)
So I had a wee bit of effort to set up AD and ADFS, and also to configure IIS.

For the record, IIS isn't required for the SAML setup etc. BUT it's a useful way to generate a self-signed certificate, which can be exported, with public AND private key, as a PFX file, ready to be imported into ADFS. Since that PFX carries the private key, give it a strong export password and delete it once ADFS has imported it.

As ever, this is an ongoing work-in-progress.

Having got the AD and ADFS stuff mainly setup, I then ran through the following: -

Test ADFS Login

https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx

This allowed me to verify that I could authenticate to ADFS using Windows credentials.

Start Deployment Manager

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

Start Node Agent

/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh

Add AD Signer to WAS

This imports the AD domain controller's certificate (the signer) into the WAS trust store, so that WAS and AD can talk over LDAPS ( LDAP over an SSL/TLS connection ) and WAS can verify which server it is talking to.

Note that passing -password on the command line, as below, leaves it visible in the process list and in the shell history; wsadmin prompts for credentials if they are omitted (the shipped default for com.ibm.SOAP.loginSource in soap.client.props is prompt).

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /mnt/Scripts/addADSignerToWAS.jy

Federate AD into WAS

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /mnt/Scripts/federateAD.jy

Stop Deployment Manager

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/stopManager.sh -username wasadmin -password passw0rd

Stop Node Agent

/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/stopNode.sh -username wasadmin -password passw0rd

Start Deployment Manager

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

Start Node Agent

/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh

Retrieve MetaData

This pulls the ADFS federation metadata (entity ID, endpoints and the IdP's token-signing certificate) from the Windows box. Two things to note: --no-check-certificate is there because the ADFS box presents a self-signed certificate, but it also means nothing in this step proves the file came from that server, and the signing certificate inside it is what WAS will trust for every SAML assertion, so compare it with the thumbprint shown in the AD FS console before importing it. Also, the later import step expects the file at /home/wasadmin/FederationMetadata.xml, so run this from that directory or move the file there.

wget --no-check-certificate https://windows2012.uk.ibm.com/FederationMetadata/2007-06/FederationMetadata.xml
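An added example, not code from the post: a Python 3 script (standard library only) that parses an ADFS FederationMetadata.xml, pulls out the entityID and HTTP-Redirect sign-on URL that are later set by hand as sso_1.idp_1.EntityID and sso_1.idp_1.SingleSignOnUrl, and checks the published token-signing certificate against a fingerprint obtained out of band, which is the check that --no-check-certificate skips. The embedded metadata is a constructed, cut-down sample in the shape ADFS publishes; its hostnames follow the post and its certificate is a placeholder byte string, not a real certificate.

```python
"""Added example (not from the original post): read the IdP values the WAS
SAML TAI needs out of ADFS federation metadata and pin the signing cert.
SAMPLE_METADATA and SAMPLE_CERT_DER are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Stands in for DER-encoded X.509 bytes (constructed, not a real certificate).
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"

SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://windows2012.uk.ibm.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          %s
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://windows2012.uk.ibm.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://windows2012.uk.ibm.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""" % base64.b64encode(SAMPLE_CERT_DER).decode("ascii")


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes. With 'sha1' this
    is the 'Thumbprint' the AD FS and certificate MMC consoles display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_federation_metadata(xml_text: str) -> dict:
    """Return entity_id, the HTTP-Redirect SSO URL and the DER bytes of every
    signing certificate. ADFS publishes two signing certificates while a
    token-signing rollover is pending, so this is a list, not a single value."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    if not certs:
        raise ValueError("no signing certificate: the TAI could not verify assertions")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")

    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def signing_cert_matches(meta: dict, expected_fingerprint: str, algo: str = "sha256") -> bool:
    """True if any published signing certificate has the expected fingerprint.
    Case and colon separators are ignored so a value pasted from a console works."""
    want = expected_fingerprint.replace(":", "").upper()
    return any(fingerprint(der, algo).replace(":", "") == want for der in meta["signing_certs"])


def tai_idp_properties(meta: dict, sso_id: int = 1, idp_id: int = 1) -> dict:
    """The two per-IdP TAI custom properties that the post sets by hand."""
    prefix = "sso_%d.idp_%d." % (sso_id, idp_id)
    return {prefix + "EntityID": meta["entity_id"], prefix + "SingleSignOnUrl": meta["sso_url"]}


if __name__ == "__main__":
    meta = parse_federation_metadata(SAMPLE_METADATA)
    for k, v in tai_idp_properties(meta).items():
        print("%s = %s" % (k, v))
    print("token-signing cert sha1   :", fingerprint(meta["signing_certs"][0], "sha1"))
    print("token-signing cert sha256 :", fingerprint(meta["signing_certs"][0]))
```

Against the real file, call parse_federation_metadata(open('FederationMetadata.xml').read()) and pass the thumbprint from the AD FS console (Service > Certificates > Token-signing) to signing_cert_matches(meta, thumbprint, 'sha1'); only if that returns True is the metadata worth importing with AdminTask.importSAMLIdpMetadata.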

Install ACS Sample App into SupCluster

This application provides the Assertion Consumer Service (ACS) endpoint that ADFS posts the SAML response to; the SAML TAI then validates the token (decrypting it first if ADFS encrypted it) and extracts the identity from it.
Note that I'm installing this into the BAW (BPM) SupCluster, which does NOT run the main BAW workload - Process Server, SCA BPEL etc.

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /opt/ibm/WebSphere/AppServer/bin/installSamlACS.py install SupCluster

Start WSAdmin Client

/opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd

Add SAML TAI

This creates the SAML TAI configuration - we'll populate this further shortly

AdminTask.addSAMLTAISSO('-enable true -acsUrl https://workflow.uk.ibm.com:9445/samlsps/acs')

Save and Sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


Export SP Metadata from WAS

We need this metadata to complete the ADFS configuration

AdminTask.exportSAMLSpMetadata('-spMetadataFileName /home/wasadmin/WASSAMLMetadata.xml -ssoId 1')

Import IdP Metadata into WAS

This is what we previously pulled from the ADFS box

AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /home/wasadmin/FederationMetadata.xml -idpId 1 -ssoId 1 -signingCertAlias idp1')

Save and Sync

AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


Quit

exit

Set TAI Properties

I'm doing this manually, but will script it later

Name: sso_1.sp.acsUrl
Value: https://workflow.uk.ibm.com:9445/samlsps/acs

Name: sso_1.sp.idMap
Value: idAssertion

Name: sso_1.idp_1.EntityID
Value: http://windows2012.uk.ibm.com/adfs/services/trust

Name: sso_1.idp_1.SingleSignOnUrl
Value: https://windows2012.uk.ibm.com/adfs/ls/

Name: sso_1.sp.login.error.page
Value: https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx

Name: sso_1.sp.targetUrl
Value: https://workflow.uk.ibm.com:9445/bpc

Name: sso_1.sp.useRealm
Value: defaultWIMFileBasedRealm
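The "script it later" version of the list above, as an added example rather than the post's own script: a wsadmin Jython script that creates or updates each custom property on the SAML TAI and reports what it changed, so it can be re-run safely. Assumptions not confirmed by the post: that the SAML TAI is the TAInterceptor whose interceptorClassName is com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor, and that its custom properties are Property objects held in the interceptor's trustProperties attribute (which is how they appear in security.xml). It also carries the sso_1.sp.filter value suggested in the comment on this post. The syntax is kept to what the Jython 2.1 bundled with WAS 8.5.5 accepts (no True/False, no 'in' on dicts).

```python
# Added example, not from the original post: set the SAML TAI custom
# properties from wsadmin instead of by hand in the admin console.
# Assumptions (not stated in the post): the SAML TAI is the TAInterceptor
# whose interceptorClassName is ACS_TAI_CLASS, and its custom properties are
# Property objects under the interceptor's 'trustProperties' attribute.

ACS_TAI_CLASS = 'com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor'

# The values from the post, in one table so a re-run is idempotent and reviewable.
TAI_PROPERTIES = [
    ('sso_1.sp.acsUrl', 'https://workflow.uk.ibm.com:9445/samlsps/acs'),
    ('sso_1.sp.idMap', 'idAssertion'),
    ('sso_1.idp_1.EntityID', 'http://windows2012.uk.ibm.com/adfs/services/trust'),
    ('sso_1.idp_1.SingleSignOnUrl', 'https://windows2012.uk.ibm.com/adfs/ls/'),
    ('sso_1.sp.login.error.page', 'https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx'),
    ('sso_1.sp.targetUrl', 'https://workflow.uk.ibm.com:9445/bpc'),
    ('sso_1.sp.useRealm', 'defaultWIMFileBasedRealm'),
    # Keep the TAI away from the web-service paths BAW calls itself (from the
    # comment on this post); otherwise those calls are bounced to ADFS.
    ('sso_1.sp.filter', 'request-url!=/bpmjaxws;request-url!=/fncmis;'
                        'request-url!=/RemoteALWeb;request-url!=/teamworks/webservices'),
]


def check_properties(props):
    """Refuse obviously wrong input before touching security.xml: duplicate
    names, and SP/IdP URLs that are not https (a plain-http ACS or sign-on
    URL would carry the SAML response in clear). Returns a list of problems."""
    problems = []
    names = []
    for name, value in props:
        if name in names:
            problems.append('duplicate property %s' % name)
        names.append(name)
        if (name.endswith('Url') or name.endswith('.page')) and value[:8] != 'https://':
            problems.append('%s is not https: %s' % (name, value))
    return problems


def id_list(s):
    """wsadmin renders list-valued attributes as '[id1 id2]' or '[]'."""
    s = s.strip()
    if s[:1] == '[':
        s = s[1:]
    if s[-1:] == ']':
        s = s[:-1]
    return s.split()


def find_saml_tai(AdminConfig):
    """Config id of the SAML TAI interceptor, or None if addSAMLTAISSO has not run."""
    for tai in AdminConfig.list('TAInterceptor').splitlines():
        if AdminConfig.showAttribute(tai, 'interceptorClassName') == ACS_TAI_CLASS:
            return tai
    return None


def apply_tai_properties(AdminConfig, props):
    """Create or update each property under the SAML TAI. Returns a
    (created, updated, unchanged) tuple so the run can be checked."""
    problems = check_properties(props)
    if problems:
        raise ValueError('; '.join(problems))
    tai = find_saml_tai(AdminConfig)
    if tai is None:
        raise ValueError('SAML TAI not found - run AdminTask.addSAMLTAISSO first')
    existing = {}
    for pid in id_list(AdminConfig.showAttribute(tai, 'trustProperties')):
        existing[AdminConfig.showAttribute(pid, 'name')] = pid
    created = updated = unchanged = 0
    for name, value in props:
        pid = existing.get(name)
        if pid is None:
            AdminConfig.create('Property', tai, [['name', name], ['value', value]], 'trustProperties')
            created = created + 1
        elif AdminConfig.showAttribute(pid, 'value') != value:
            AdminConfig.modify(pid, [['value', value]])
            updated = updated + 1
        else:
            unchanged = unchanged + 1
    return (created, updated, unchanged)


# Only runs inside wsadmin, where AdminConfig and the script libraries are
# injected into the script's globals; importing the file elsewhere just
# defines the functions.
if globals().get('AdminConfig') is not None:
    counts = apply_tai_properties(globals()['AdminConfig'], TAI_PROPERTIES)
    print('created %d, updated %d, unchanged %d' % counts)
    globals()['AdminConfig'].save()
    globals()['AdminNodeManagement'].syncActiveNodes()
```

Run it with /opt/ibm/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -f setSamlTaiProps.py after addSAMLTAISSO has created the interceptor; a second run reports everything as unchanged, which is a cheap way to confirm the console shows what the script set.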

Start Clusters
  • MECluster
  • SupCluster
  • AppCluster

Functional Test

Access BPC: -

https://workflow.uk.ibm.com:9445/bpc

Should redirect to: -

https://windows2012.uk.ibm.com/adfs/ls/idpinitiatedSignOn.aspx

and be prompted to log on with an AD account e.g. UK\Administrator

Need to click on Sign-in button again; I don't yet know why this is the case :-(

Should then be redirected to BPC

Repeat for Process Portal: -

https://workflow.uk.ibm.com:9444/ProcessPortal

and Process Center: -

https://workflow.uk.ibm.com:9444/ProcessCenter

Sources

How to setup Microsoft Active Directory Federation Services [AD FS]

Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI)

Enabling your system to use the SAML web single sign-on (SSO) feature


1 comment:

Dave Hay said...

I received some very useful feedback from a colleague, Captain Bob, thusly: -


I don't know if you tested running some processes? From my understanding your configuration may not have worked as the SAML set up protects all URLs including the webservices ones, therefore you need to exclude some of them from protection using a TAI custom property filter like this:

Name: sso_1.sp.filter
Value: request-url!=/bpmjaxws;request-url!=/fncmis;request-url!=/RemoteALWeb;request-url!=/teamworks/webservices

Reference:
https://www.ibm.com/support/knowledgecenter/en/SSV2LR/com.ibm.wbpm.imuc.sbpm.doc/topics/tsec_thirdpartyauthentication.html

Thanks and regards, Bob
