This document introduces a series of pages describing how to configure OpenAM 12 with ADFS 3. ADFS 3 is formally known as 'ADFS 2012 R2', as it is part of the Windows 2012 R2 package. The articles will explore two common scenarios:
- OpenAM as IDP
- ADFS as IDP
OpenAM as IDP
In this scenario we will look at a Windows ASP.net application that is configured for Integrated Windows Authentication (IWA). The aim is to federate with OpenAM that will issue assertions to ADFS about the identity of the user. ADFS will translate this into claims that Windows Identity Framework 4.5 (also included as part of Windows 2012 R2) will translate into a user context suitable for IWA. Some might wonder why I don't use the IIS Policy Agent. A Policy Agent requires that the OpenAM DataStore is configured as the Active Directory in order to be able to do the necessary impersonation for IWA. In my scenario, OpenAM was not installed in the same location as the AD and therefore could not use the AD as the DataStore. Instead, we rely on WIF doing the impersonation.
The steps start right at the very beginning - downloading Windows 2012 R2, but as it is a series of articles you should be able to dip in and out depending on your config. It assumes you have basic administrative skills and can use both Windows and Linux.
We will install a Windows IWA App running on a Windows Server. The App runs in IIS and simply shows the name of the currently logged-on user as well as the authentication context. We'll start with the IIS authentication scheme set to Windows and/or Basic. This will then be changed so that the initial request to the App is intercepted and the user is redirected to OpenAM to sign on. This redirection occurs via ADFS. IIS will need to be configured for ‘passive redirects’, which means an IIS HTTP module intercepts the initial request and redirects the user to the ADFS logon page. The ADFS login page presents the user with the option of signing in with OpenAM (in this example it will also present the option to sign in directly to Active Directory). When the user signs in, the IdP (either OpenAM or AD) passes back an attribute over SAML. This attribute is mapped to the UPN (User Principal Name) of the user in Active Directory. The UPN attribute is then used by WIF to convert the SAML claim (containing the UPN) into a Windows token. This Windows token is then included in the security context of the thread executing within IIS and passed through to the App. As far as the App is concerned, it simply relies on the Windows token being present on the thread; it doesn’t care whether IIS acquired the token directly or through the ADFS/WIF route.
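To make the App side of that flow concrete, here is a minimal WIF 4.5 web.config for the sample App. This is an added example, not configuration taken from the original series: the host names (app.example.test, adfs.example.test), the realm/audience URI and the certificate thumbprint are placeholders, and the assumption that ADFS issues SAML 1.1 tokens to this relying party (the WS-Federation default) is mine; if the relying-party trust is set to issue SAML 2.0 tokens, the same mapToWindows setting goes on Saml2SecurityTokenHandler instead.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example only: a minimal WIF 4.5 web.config for the sample App.
     Host names, the realm/audience URI and the thumbprint are placeholders. -->
<configuration>
  <configSections>
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services"
             type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>

  <system.web>
    <!-- ASP.NET's own authentication is switched off: the WIF modules below own it. -->
    <authentication mode="None" />
    <!-- Denying anonymous users is what triggers the passive redirect to ADFS. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <compilation targetFramework="4.5" />
  </system.web>

  <system.webServer>
    <modules>
      <!-- The HTTP module that intercepts unauthenticated requests, redirects to ADFS,
           and validates the token ADFS posts back. -->
      <add name="WSFederationAuthenticationModule"
           type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"
           preCondition="managedHandler" />
      <!-- Keeps the signed-in principal in a protected session cookie for later requests. -->
      <add name="SessionAuthenticationModule"
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <system.identityModel>
    <identityConfiguration>
      <!-- Only tokens issued for this audience are accepted. -->
      <audienceUris>
        <add value="https://app.example.test/SampleApp/" />
      </audienceUris>
      <!-- Pin the ADFS token-signing certificate: a token signed by any other key is rejected. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
        <trustedIssuers>
          <add thumbprint="PLACEHOLDER_ADFS_TOKEN_SIGNING_THUMBPRINT"
               name="http://adfs.example.test/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
      <securityTokenHandlers>
        <!-- mapToWindows tells the SAML handler to turn the UPN claim into a Windows
             identity (an S4U logon), which is the token the IWA App then sees. -->
        <remove type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <add type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
          <samlSecurityTokenRequirement mapToWindows="true" />
        </add>
      </securityTokenHandlers>
      <certificateValidation certificateValidationMode="ChainTrust" />
    </identityConfiguration>
  </system.identityModel>

  <system.identityModel.services>
    <federationConfiguration>
      <!-- Session cookie is only ever sent over HTTPS. -->
      <cookieHandler requireSsl="true" />
      <!-- issuer: the ADFS passive endpoint; realm: the identifier ADFS knows this App by. -->
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://adfs.example.test/adfs/ls/"
                    realm="https://app.example.test/SampleApp/"
                    requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
```

Two points worth checking when adapting this. First, the trustedIssuers thumbprint and audienceUris entries are the controls that stop a token from a different issuer, or one issued for a different relying party, from being accepted, so they should never be left blank or wildcarded. Second, the Windows token produced by the mapToWindows step is only as capable as the identity running the application pool allows: without the relevant privilege (or constrained delegation with protocol transition for access to network resources) the S4U logon yields an identification-level token, which is enough for the sample App to display the user name but not to act on the user's behalf elsewhere.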
As the App is an ASP.net application we require IIS to be installed. In this setup we will also require ADFS, which requires SSL, so we will also install Certificate Services. As we are trying to impersonate AD users we will also install AD, which requires DNS. Therefore on one machine we will install AD, DNS, AD CS, AD FS, IIS and the App. This is not a recommended production deployment scenario! It's also worth bearing in mind that ADFS includes web based applications for its functionality: these applications will be hosted in the same IIS default website as the App we are trying to protect. AD CS also provides web based functionality for enrolment services, which will also be installed into the same default IIS web site.
I used VirtualBox running on Mac OS X to host 2 machines: Windows 2012 R2 and CentOS 7. They must be able to communicate with each other. I use Bridged networking in VirtualBox to allow this. Each machine had two network cards defined: 1 Bridged, 1 NAT.
- Windows/IIS/Sample App : ADFS3 and OpenAM 12 - Part 1: Windows/IIS/Sample App
- Certificate Services : ADFS3 and OpenAM 12 - Part 2: Certificate Services
- ADFS : ADFS3 and OpenAM 12 - Part 3: ADFS Install
- WIF/ADFS/Sample App : ADFS3 and OpenAM 12 - Part 4: ADFS/WIF/Sample App
- CentOS/OpenAM : ADFS3 and OpenAM 12 - Part 5: CentOS/OpenAM install
- And, finally, OpenAM/ADFS : ADFS3 and OpenAM 12 - Part 6: OpenAM/ADFS configuration
ADFS as IDP
In this scenario we will look at things the other way around. OpenAM will be protecting a simple web application but will be configured to rely on ADFS as the Identity Provider. Many of the steps in the first scenario are relevant (such as installing Windows, ADFS, etc.), so this article only defines the steps necessary to configure ADFS and OpenAM.