Configure SP using Apache to access ADFS IdP

Goldberg, Arthur P arthur.p.goldberg at mssm.edu
Mon May 17 13:19:48 UTC 2021


Thank you Nate. Will do.

Arthur

On 5/16/21, 11:24 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at signet.id> wrote:


    Arthur,

    Azure Active Directory (AAD), ADFS/AAD hybrid, and ADFS are each different in subtle and mysterious ways.  Regardless, they shouldn't affect you or the process I outlined substantially.  Let us know if you need any further assistance, and I'm glad the brief overview was enough to ensure your compass was pointing north.

    Take care,
    Nate.

    --------
    Signet, Inc.
    The Art of Access ®

    https://www.signet.id

    -----Original message-----
    From: Goldberg, Arthur P
    Sent: Sunday, May 16 2021, 8:34 pm
    To: users at shibboleth.net
    Subject: Re: Configure SP using Apache to access ADFS IdP

    Thanks for your informative and quick reply Nate. It’s reassuring and helpful to have a short summary of steps.

    In the meantime, I’ve learned that our security team would prefer that I authenticate with our MSFT Azure IdP. However, based on your description of the steps and the metadata our security team sent me, I suspect that the process will be the same.

    Regards, Arthur

    Nate Klingenstein ndk at signet.id

    Arthur,

    This should be a relatively straightforward integration.  You need to load the ADFS instance's metadata in the SP, ensure that ADFS trusts the SP, tell ADFS to release the proper attributes, ensure the proper attributes are mapped to environment variables by the SP, and since this is a bilateral integration, add ADFS' entityID as the default in the SSO element in shibboleth2.xml.  That last step or the enforcement of protection may be what you're missing in terms of how to redirect the user directly to ADFS when authentication is required.

    https://wiki.shibboleth.net/confluence/display/SP3/GettingStarted

    https://wiki.shibboleth.net/confluence/display/SP3/ProtectContent

    I'm not entirely sure what else to point you to.  I hope this helps.

    Best wishes,

    Nate.

    --------
    Signet, Inc.
    The Art of Access ®

    https://www.signet.id

    From: "Goldberg, Arthur P" <arthur.p.goldberg at mssm.edu>
    Date: Saturday, May 15, 2021 at 2:26 PM
    To: "users at shibboleth.net" <users at shibboleth.net>
    Subject: Configure SP using Apache to access ADFS IdP

    Hello Shibboleth community

    I’m a newcomer to Shibboleth, SAML2 and ADFS.

    I’m configuring a web app’s Service Provider. The web app runs on CentOS 7.9 and uses Apache 2.4 to handle authentication. Authentication will be provided by an ADFS service, which Mount Sinai operates as a cloud-based Azure AD.

    I’ve read much of the great Shibboleth Service Provider documentation <https://wiki.shibboleth.net/confluence/display/SP3/Home>, but remain confused about how to properly reference the ADFS service as a SAML 2 IdP.

    I’d greatly appreciate assistance if you have expertise in this combination of technologies.

    Thanks

    Arthur

    --
    Arthur Goldberg, PhD
    Research Data Services
    Scientific Computing
    Associate Professor of Genetics and Genomic Sciences
    Institute for Data Science and Genomic Technology
    Mount Sinai School of Medicine
    Arthur.Goldberg at mssm.edu
    646 526 5020
    Zoom: https://mssm.zoom.us/my/arthur.goldberg?pwd=LzByMGJOZC9wM3A2aHV6OU94eUtSQT09

    --
    For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net


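The steps Nate lists (load the IdP's metadata into the SP, make its entityID the default in the SSO element so protected URLs go straight to it, and map the released claims to attributes the web server can see), assembled into configuration as an added example. This is not configuration from the thread, from the Shibboleth project, or from Mount Sinai: the hostnames, entityIDs, file names, contact address and the set of claims released are assumptions, and the Azure AD values mentioned in comments follow Microsoft's documented patterns but must be taken from the tenant's own federation metadata.

```xml
<!-- shibboleth2.xml (fragment): bilateral SP <-> ADFS / Azure AD integration.
     Added example; hostnames, entityIDs and file names are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

  <!-- entityID is the SP's own identifier; ADFS/Azure AD stores it as the
       relying-party identifier. REMOTE_USER lists attribute ids (from the
       map below) tried in order to populate REMOTE_USER for Apache. -->
  <ApplicationDefaults entityID="https://webapp.example.edu/shibboleth"
                       REMOTE_USER="upn">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">

      <!-- Bilateral integration: name the IdP's entityID here so a request
           for protected content redirects to it with no discovery step.
           ADFS normally uses http://<adfs-host>/adfs/services/trust and
           Azure AD https://sts.windows.net/<tenant-id>/ ; copy the exact
           string from the IdP metadata, it is compared as an opaque value. -->
      <SSO entityID="http://adfs.example.edu/adfs/services/trust">
        SAML2
      </SSO>

      <Logout>SAML2 Local</Logout>

      <!-- https://webapp.example.edu/Shibboleth.sso/Metadata is what the
           ADFS/Azure admin imports when creating the relying-party trust. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="sp-admin@example.edu"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- The IdP metadata is the SP's trust anchor: it carries the entityID,
         the SSO endpoint and the token-signing certificate that Responses
         are verified against. Fetch it from the IdP's federation metadata
         URL (ADFS: /FederationMetadata/2007-06/FederationMetadata.xml),
         verify its signature with a certificate obtained out of band and
         pinned here, and refresh so key rollover is picked up. No
         RequireValidUntil filter: ADFS and Azure AD metadata carry no
         validUntil, so that filter would reject it. -->
    <MetadataProvider type="XML" validate="true"
        url="https://adfs.example.edu/FederationMetadata/2007-06/FederationMetadata.xml"
        backingFilePath="adfs-metadata.xml" maxRefreshDelay="3600">
      <MetadataFilter type="Signature" certificate="adfs-metadata-signer.pem"
                      verifyBackup="false"/>
    </MetadataProvider>

    <!-- Claim-to-attribute mapping lives in attribute-map.xml (below). -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                        path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- SP keys; the certificates are published in the generated metadata. -->
    <CredentialResolver type="File" use="signing"
        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

<!-- attribute-map.xml: ADFS and Azure AD name attributes by claim-type URI
     with NameFormat "unspecified" (or none), which the SP treats as its
     default URI format. Each id becomes the variable the web app reads;
     which claims are actually released is set on the ADFS/Azure side. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"          id="upn"/>
  <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" id="mail"/>
  <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"    id="givenName"/>
  <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"      id="sn"/>
  <!-- Azure AD group claims arrive as group object IDs unless the app is
       configured to emit names; ADFS typically uses
       http://schemas.xmlsoap.org/claims/Group instead. -->
  <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"     id="groups"/>
</Attributes>
```

With this in place, enforcing protection in Apache needs only `AuthType shibboleth`, `ShibRequestSetting requireSession 1` and `Require shib-session` in the relevant `<Location>` (or `Require shib-attr groups <value>` to gate on a released group); leave `ShibUseHeaders` off so the mapped ids reach the application as CGI environment variables rather than as request headers a client could try to spoof. Two checks worth doing before declaring victory: `https://webapp.example.edu/Shibboleth.sso/Session` shows the attribute ids the SP actually decoded, which separates "ADFS did not release it" from "the map does not match the claim type"; and in a default ADFS deployment the metadata signature is made with the token-signing certificate, which changes under automatic certificate rollover, so either update the pinned `adfs-metadata-signer.pem` as part of that process or switch the provider to a local `path=` copy maintained out of band.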


