In this blog we will cover how to use Helical Insight with the ADFS SSO option.
Prerequisites:
- HI-EE 4.1.18666 or higher must be installed
- ADFS should be running
Steps
1. Save your federationmetadata.xml file to the path “..hi\apache-tomcat-9\hi-ee\WEB-INF\classes\”.
It can be downloaded from your ADFS server, based on your ADFS domain:
https://<your hostname>/FederationMetadata/2007-06/FederationMetadata.xml
2. Generate a keystore file, say local_cert.jks, and save it to the path “..hi\apache-tomcat-9\hi-ee\WEB-INF\classes\”.
3. Go to the path “..hi\apache-tomcat-9\hi-ee\WEB-INF\classes\”, where you will find the spring-security.xml file.
Open this file and make the changes described in the steps below.
a. Go to line 75 and uncomment the tag below:
<authentication-provider ref="samlAuthenticationProvider" />
b. Go to line 92 and replace “loginUrlAuthenticationEntryPoint” with “samlEntryPoint”.
c. Go to line 283 and comment out the tag below:
<custom-filter before="BASIC_AUTH_FILTER" ref="authenticationTokenFilterBean" />
d. Go to line 285 and uncomment the tag below:
<custom-filter before="FIRST" ref="metadataGeneratorFilter" />
e. Go to line 288 and comment out the tag below:
<custom-filter before="CAS_FILTER" ref="authenticationProcessingFilter" />
f. Go to line 290 and uncomment the tag below:
<custom-filter before="CAS_FILTER" ref="samlProcessingFilter" />
g. Go to line 294 and comment out the tag below:
<custom-filter position="CAS_FILTER" ref="casFilter" />
h. Go to line 296 and uncomment the tag below:
<custom-filter position="CAS_FILTER" ref="samlProcessingFilter" />
i. Go to line 299 and uncomment the tag below:
<custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
j. Between lines 439 and 657, uncomment the SAML configuration.
k. If your .jks file has a different name, change it in the tag below at line 480 (local_cert.jks):
<beans:constructor-arg value="classpath:local_cert.jks" />
l. In the tag below at line 481, replace passw0rd! with the password of your .jks file:
<beans:constructor-arg type="java.lang.String" value="passw0rd!" />
m. Go to line 484 and change the key (put the alias name of the key in your .jks file) and the value (put its password):
<beans:entry key="te-a7af2af5-a35e-45cd-acad-df9f46da7ea0" value="passw0rd!" />
n. Change the tag below at line 487, putting the alias name of the key in your .jks file as the value:
<beans:constructor-arg type="java.lang.String" value="te-a7af2af5-a35e-45cd-acad-df9f46da7ea0" />
o. If your federationmetadata.xml file has a different name, change the name at line 523.
4. Make sure you have https enabled in “..tomcat-9\hi-ee\WEB-INF\classes\”.
5. Once the above changes are done, restart the HelicalInsight service.
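The edits in step 3 are easy to get half-done: one filter left uncommented keeps the CAS or basic-auth path alive next to SAML. The following script is an added example, not Helical Insight's or Spring Security's own code; it parses spring-security.xml, takes every provider/filter bean the XML parser still sees as live (commented-out tags are skipped by the parser, which is exactly the distinction the guide relies on) and reports what still needs commenting or uncommenting. The two configuration fragments embedded in it are constructed for the demo and only mimic the shape of the real file; the bean names are the ones used in steps a to i.

```python
"""Audit spring-security.xml for the SAML switch-over described in step 3 (added example)."""
import re
import xml.etree.ElementTree as ET

# Beans the guide leaves active (steps a, d, f/h, i) ...
REQUIRED_ACTIVE = {"samlAuthenticationProvider", "metadataGeneratorFilter",
                   "samlProcessingFilter", "samlFilter"}
# ... and beans it comments out (steps c, e, g).
MUST_BE_INACTIVE = {"authenticationTokenFilterBean",
                    "authenticationProcessingFilter", "casFilter"}
REQUIRED_ENTRY_POINT = "samlEntryPoint"  # step b

# Constructed "before" fragment: the stock CAS / basic-auth wiring (not the real file).
SAMPLE_BEFORE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <authentication-manager>
    <authentication-provider ref="casAuthenticationProvider" />
    <!-- <authentication-provider ref="samlAuthenticationProvider" /> -->
  </authentication-manager>
  <http entry-point-ref="loginUrlAuthenticationEntryPoint">
    <custom-filter before="BASIC_AUTH_FILTER" ref="authenticationTokenFilterBean" />
    <!-- <custom-filter before="FIRST" ref="metadataGeneratorFilter" /> -->
    <custom-filter before="CAS_FILTER" ref="authenticationProcessingFilter" />
    <!-- <custom-filter before="CAS_FILTER" ref="samlProcessingFilter" /> -->
    <custom-filter position="CAS_FILTER" ref="casFilter" />
    <!-- <custom-filter position="CAS_FILTER" ref="samlProcessingFilter" /> -->
    <!-- <custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/> -->
  </http>
</beans:beans>
"""

# Constructed "after" fragment: the same file once steps a to i have been applied.
SAMPLE_AFTER = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <authentication-manager>
    <!-- <authentication-provider ref="casAuthenticationProvider" /> -->
    <authentication-provider ref="samlAuthenticationProvider" />
  </authentication-manager>
  <http entry-point-ref="samlEntryPoint">
    <!-- <custom-filter before="BASIC_AUTH_FILTER" ref="authenticationTokenFilterBean" /> -->
    <custom-filter before="FIRST" ref="metadataGeneratorFilter" />
    <!-- <custom-filter before="CAS_FILTER" ref="authenticationProcessingFilter" /> -->
    <custom-filter before="CAS_FILTER" ref="samlProcessingFilter" />
    <!-- <custom-filter position="CAS_FILTER" ref="casFilter" /> -->
    <custom-filter position="CAS_FILTER" ref="samlProcessingFilter" />
    <custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
  </http>
</beans:beans>
"""


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_spring_security(xml_text):
    """Return which provider/filter refs are live, which are commented out, and the gaps."""
    root = ET.fromstring(xml_text)
    active, entry_point = set(), None
    for el in root.iter():
        name = _local_name(el.tag)
        if name in ("custom-filter", "authentication-provider") and "ref" in el.attrib:
            active.add(el.attrib["ref"])
        elif name == "http":
            entry_point = el.attrib.get("entry-point-ref")
    # ElementTree drops comments, so refs inside <!-- --> never reach `active`;
    # they are collected separately here only for the report.
    commented = set()
    for body in re.findall(r"<!--(.*?)-->", xml_text, flags=re.S):
        commented.update(re.findall(r'ref="([^"]+)"', body))
    return {
        "active": active,
        "commented": commented,
        "entry_point": entry_point,
        "missing": REQUIRED_ACTIVE - active,        # still to be uncommented
        "still_active": MUST_BE_INACTIVE & active,  # still to be commented out
    }


def is_saml_ready(xml_text):
    """True only when every SAML bean is live, every CAS/basic bean is off, and the entry point is SAML."""
    report = audit_spring_security(xml_text)
    return (not report["missing"] and not report["still_active"]
            and report["entry_point"] == REQUIRED_ENTRY_POINT)


if __name__ == "__main__":
    import sys
    # Usage: python audit_saml.py path/to/spring-security.xml (defaults to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    report = audit_spring_security(text)
    for key in ("entry_point", "missing", "still_active"):
        print(f"{key}: {report[key]}")
    print("SAML wiring complete" if is_saml_ready(text) else "SAML wiring incomplete")
```

Run it against the real file after finishing step 3; an empty `missing` and `still_active` set, with `entry_point: samlEntryPoint`, is what you want to see before restarting the service.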
Creating the XML for the relying party trust
1. Go to the admin panel and click ADFS management.
2. Click the “Generate new service provider metadata” button.
3. This opens a screen with the metadata configuration.
4. Set the values according to your ADFS setup.
The meaning of each field is documented at https://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-metadata.html
5. Download the file created in the previous step and place it in the location
“..hi\apache-tomcat-9\hi-ee\WEB-INF\classes\”
Modify spring-security.xml (whose path is “..hi\apache-tomcat-9\hi-ee\WEB-INF\classes\”) and search for
<beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
Copy the block below and add it into the file generated at step 5, replacing YOUR_METADATA_FILE.xml with the name of your metadata file.
<beans:constructor-arg>
    <beans:bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
        <beans:constructor-arg>
            <beans:bean class="java.util.Timer" />
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.opensaml.util.resource.ClasspathResource">
                <beans:constructor-arg value="/YOUR_METADATA_FILE.xml" />
            </beans:bean>
        </beans:constructor-arg>
        <beans:property name="parserPool" ref="parserPool" />
    </beans:bean>
</beans:constructor-arg>
To add the IdM service as a trusted relying party to ADFS, follow these steps:
1. In the ADFS 3.0 Management Console, right-click Trust Relationships and select Add Relying Party Trust.
2. Select “Import data about the relying party from a file”, then select the IdM metadata file (metadata.xml) that you created previously at step 6. Click Next.
3. The wizard may display a warning that some content of the metadata is not supported. You can safely ignore this warning; click OK.
4. Specify a display name for the IdM service and add optional notes. Click Next.
5. Make sure the “I do not want to configure multi-factor authentication settings for this relying party trust at this time” option is selected, then click Next.
6. Select the “Permit all users to access this relying party” issuance authorization rule.
7. You are now at the Ready to Add Trust step. Check that the Endpoints tab contains multiple endpoint values. If not, verify that your metadata was generated with https URLs.
8. Open the provider by double-clicking it, select the Advanced tab and change “Secure hash algorithm” to SHA-1.
9. Leave the “Open the Edit Claim Rules dialog” checkbox selected and click Close to close the wizard.
10. The Add Transform Claim Rule wizard opens. Perform the steps below to configure the NameID element as part of the Subject in the SAML Response message.
11. Select Add Rule, then select “Send LDAP Attributes as Claims”. Click Next.
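Both metadata files exchanged in this guide (the FederationMetadata.xml downloaded in step 1 and the service provider metadata generated in the admin panel and imported in step 2 above) can be checked before they are trusted. The script below is an added example, not Helical Insight's or ADFS's own code: it reads a SAML 2.0 metadata document, lists the entityID, roles, endpoints and signing certificates, and flags the two things the guide says break the trust, a missing signing certificate and endpoints that are not https (the cause of the empty Endpoints tab in step 7). The two metadata documents embedded in it are constructed samples with example.test hostnames and a placeholder certificate, not real ADFS output.

```python
"""Sanity-check SAML 2.0 metadata before it is exchanged between ADFS and the SP (added example)."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENDPOINT_TAGS = ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService")

# Constructed IdP metadata in the shape of ADFS FederationMetadata.xml (placeholder certificate).
IDP_SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed SP metadata whose assertion consumer endpoint was generated over plain http.
SP_SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://hi.example.test/hi-ee/saml/metadata">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hi.example.test/hi-ee/saml/SingleLogout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://hi.example.test/hi-ee/saml/SSO" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def summarize_metadata(xml_text):
    """Extract entityID, role descriptors, endpoints and signing certificates."""
    root = ET.fromstring(xml_text)
    # Metadata may be a single EntityDescriptor or an EntitiesDescriptor wrapping one.
    entity = root if root.tag == MD + "EntityDescriptor" else root.find(MD + "EntityDescriptor")
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    roles = [_local_name(child.tag) for child in entity if child.tag.endswith("SSODescriptor")]
    endpoints = [(tag, ep.get("Binding", ""), ep.get("Location", ""))
                 for tag in ENDPOINT_TAGS for ep in entity.iter(MD + tag)]
    # A KeyDescriptor without a `use` attribute serves both signing and encryption.
    signing_certs = [cert.text.strip()
                     for kd in entity.iter(MD + "KeyDescriptor")
                     if kd.get("use", "signing") == "signing"
                     for cert in kd.iter(DS + "X509Certificate") if cert.text]
    return {"entity_id": entity.get("entityID"), "roles": roles,
            "endpoints": endpoints, "signing_certs": signing_certs}


def metadata_problems(xml_text):
    """List the defects that would make the ADFS trust unusable; empty list means clean."""
    info = summarize_metadata(xml_text)
    problems = []
    if not info["signing_certs"]:
        problems.append("no signing certificate in any KeyDescriptor")
    if not info["endpoints"]:
        problems.append("no SSO/SLO/ACS endpoints found")
    for tag, _binding, location in info["endpoints"]:
        if not location.lower().startswith("https://"):
            problems.append(f"non-https {tag} endpoint: {location}")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_metadata.py FederationMetadata.xml (defaults to the constructed SP sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SP_SAMPLE
    info = summarize_metadata(text)
    print(f"entityID: {info['entity_id']}  roles: {info['roles']}")
    for tag, binding, location in info["endpoints"]:
        print(f"  {tag} [{binding.rsplit(':', 1)[-1]}] {location}")
    print(f"signing certificates: {len(info['signing_certs'])}")
    for problem in metadata_problems(text) or ["no problems found"]:
        print(f"  ! {problem}")
```

Running it on the real FederationMetadata.xml confirms the entityID and SSO endpoints the SAML config at lines 439 to 657 will trust; running it on the generated service provider metadata before step 2 above catches the http-only endpoints that leave the Endpoints tab empty in step 7.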
*Note*
Map the claim key in “samKeys.properties”.
Restart Helical Insight; on the Helical Insight login screen you can then use the “Login With Saml” link.
You can then use the same with your ADFS configuration.