Configure SP using Apache to access ADFS IdP
Goldberg, Arthur P
arthur.p.goldberg at mssm.edu
Mon May 17 13:19:48 UTC 2021
Thanks you Nate. Will do.
Arthur
On 5/16/21, 11:24 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at signet.id> wrote:
Arthur,
Azure Active Directory (AAD), ADFS/AAD hybrid, and ADFS are each different in subtle and mysterious ways. Regardless, they shouldn't affect you or the process I outlined substantially. Let us know if you need any further assistance, and I'm glad the brief overview was enough to ensure your compass was pointing north.
Take care,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
-----Original message-----
From: Goldberg, Arthur P
Sent: Sunday, May 16 2021, 8:34 pm
To: users at shibboleth.net
Subject: Re: Configure SP using Apache to access ADFS IdP
Thanks for your informative and quick reply, Nate. It's reassuring and helpful to have a short summary of steps.
In the meantime, I've learned that our security team would prefer that I authenticate with our MSFT Azure IdP. However, based on your description of the steps and the metadata our security team sent me, I suspect that the process will be the same.
Regards, Arthur
Nate Klingenstein <ndk at signet.id>
Arthur,
This should be a relatively straightforward integration. You need to load the ADFS instance's metadata in the SP, ensure that ADFS trusts the SP, tell ADFS to release the proper attributes, ensure the proper attributes are mapped to environment variables by the SP, and since this is a bilateral integration, add ADFS' entityID as the default in the SSO element in shibboleth2.xml. That last step or the enforcement of protection may be what you're missing in terms of how to redirect the user directly to ADFS when authentication is required.
https://wiki.shibboleth.net/confluence/display/SP3/GettingStarted
https://wiki.shibboleth.net/confluence/display/SP3/ProtectContent
I'm not entirely sure what else to point you to. I hope this helps.
Best wishes,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
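The configuration the steps above describe, as an added example that is not part of Nate's reply or of the Shibboleth project's own documentation: a shibboleth2.xml fragment that loads the ADFS metadata and names ADFS as the default IdP in the SSO element, followed by an attribute-map.xml fragment that maps standard ADFS claim URIs to attribute ids. The hostnames app.example.edu and adfs.example.edu, the SP entityID and the key/certificate file names are placeholders.

```xml
<!-- shibboleth2.xml (fragment). app.example.edu and adfs.example.edu are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://app.example.edu/shibboleth"
                       REMOTE_USER="upn mail">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true"
              cookieProps="https" redirectLimit="exact">
      <!-- Bilateral integration: naming the ADFS entityID here sends an
           unauthenticated user straight to ADFS instead of to a discovery
           service. ADFS's default identifier is http://<fqdn>/adfs/services/trust. -->
      <SSO entityID="http://adfs.example.edu/adfs/services/trust">
        SAML2
      </SSO>
      <Logout>SAML2 Local</Logout>
      <!-- Publishes this SP's own metadata for the ADFS admin to import as a
           Relying Party Trust (the "ensure ADFS trusts the SP" step). -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>
    <!-- Load ADFS metadata from its well-known path and keep a cached copy so a
         metadata outage does not break login. The stock RequireValidUntil
         filter is omitted because ADFS metadata normally carries no validUntil. -->
    <MetadataProvider type="XML" validate="true"
        url="https://adfs.example.edu/FederationMetadata/2007-06/FederationMetadata.xml"
        backingFilePath="adfs-metadata.xml" maxRefreshDelay="7200"/>
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" use="signing"
        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  </ApplicationDefaults>
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

<!-- attribute-map.xml (fragment): ADFS releases claims by URI, not by urn:oid names,
     so each claim rule ADFS issues must be mapped to an attribute id here; the id
     becomes the environment variable (e.g. REMOTE_USER above) the web app reads. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" id="upn"/>
  <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" id="mail"/>
  <Attribute name="http://schemas.xmlsoap.org/claims/Group" id="groups"/>
</Attributes>
```

Protection is then enforced per path in httpd, for example a `<Location>` block with `AuthType shibboleth`, `ShibRequestSetting requireSession 1` and `Require shib-session`. After restarting shibd, the `/Shibboleth.sso/Session` handler shows which mapped attributes actually arrived from ADFS.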
From: "Goldberg, Arthur P" <arthur.p.goldberg at mssm.edu>
Date: Saturday, May 15, 2021 at 2:26 PM
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: Configure SP using Apache to access ADFS IdP
Hello Shibboleth community
I’m a newcomer to Shibboleth, SAML2 and ADFS.
I'm configuring a web app's Service Provider. The web app runs on CentOS 7.9 and uses Apache 2.4 to handle authentication. Authentication will be provided by an ADFS service, which Mount Sinai operates as a cloud-based Azure AD.
I've read much of the great Shibboleth Service Provider documentation <https://wiki.shibboleth.net/confluence/display/SP3/Home>, but remain confused about how to properly reference the ADFS service as a SAML 2 IdP.
I’d greatly appreciate assistance if you have expertise in this combination of technologies.
Thanks
Arthur
--
Arthur Goldberg, PhD
Research Data Services
Scientific Computing
Associate Professor of Genetics and Genomic Sciences
Institute for Data Science and Genomic Technology
Mount Sinai School of Medicine
Arthur.Goldberg at mssm.edu
646 526 5020
Zoom: https://mssm.zoom.us/my/arthur.goldberg?pwd=LzByMGJOZC9wM3A2aHV6OU94eUtSQT09
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net