SAML Single Signon with Active Directory ADFS

Xibo can be setup to authenticate against any SAML 2.0 IdP.

Microsoft Active Directory Federation Services can be configured to act as such an IdP.

Firstly, install the ADFS role on your server. You will need a valid SSL certificate for the URL you intend to publish your IdP on. In this example, I’m publishing an IdP at https://fs.test.alexharrington.co.uk. This IdP won’t exist by the time this article is published. Similarly, your Xibo CMS will need to be hosted on a server protected by a valid SSL certificate.

Once the IdP is installed, ensure you can access the IdP webpage at the URL you have configured from both your Xibo CMS Server, and from the Client computers that your users will use to authenticate against.

Visiting, for example, https://fs.test.alexharrington.co.uk/adfs/ls/ should bring up a webpage served by ADFS with an error. That’s normal. We’re just checking connectivity here.

First we need to export the signing certificate from ADFS.

Open the ADFS console, go to Service -> Certificates and find the Token-signing certificate.

image
image.png1201×746 33 KB

Right click on it, and choose View Certificate. Move to the Details tab, and click Copy to File...

image
image.png418×522 9 KB

Choose Base-64 encoded X.509 format, and save the file somewhere convenient

image
image.png549×530 13.2 KB

Now on your Xibo CMS, edit your settings.php or settings-custom.php file, and add in the example SAML configuration below:

$authentication = new \Xibo\Middleware\SAMLAuthentication();

$samlSettings = array (
   'workflow' => array(
        // Enable/Disable Just-In-Time provisioning
        'jit' => true,
        // Attribute to identify the user 
        'field_to_identify' => 'email',   // Alternatives: UserID, UserName or email
        // Default libraryQuota assigned to the created user by JIT
        'libraryQuota' => 1000,
        // Initial User Group
        'group' => 'Users',
        // Home Page
        'homePage' => 'icondashboard',
        // Enable/Disable Single Logout
        'slo' => false,
        // Attribute mapping between XIBO-CMS and the IdP
        'mapping' => array (
            'UserID' => '',
            'usertypeid' => '',
            'UserName' => 'uid',
            'email' => 'mail',
        )
    ),
   // Settings for the PHP-SAML toolkit. 
   // See documentation: https://github.com/onelogin/php-saml#settings 
   'strict' => false,
   'debug' => true,
   'idp' => array (
            'entityId' => 'https://<yourcms>/saml/acs',
            'singleSignOnService' => array (
                'url' => 'https://<yourIdP>/adfs/ls',
            ),
            'singleLogoutService' => array (
                'url' => 'http://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php',
            ),
            'x509cert' => '<yourCert>',
        ),
   'sp' => array (
        'entityId' => 'https://<yourCMS>/saml/acs',
        'assertionConsumerService' => array (
            'url' => 'https://<yourCMS>/saml/acs',
        ),
        'singleLogoutService' => array (
            'url' => 'https://<yourCMS>/saml/sls',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'x509cert' => '',
        'privateKey' > '',
    ),
    'security' => array (
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    )
);

Be sure to replace:

  • <yourIdP> with the URL of your ADFS server
  • <yourCMS> with the URL of your Xibo CMS
  • <yourCert> with the text contents of the certificate you exported from ADFS, all on one line, excluding the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines

Save the file, and now your CMS will redirect to your SAML IdP when you go to login.

Back in the ADFS console, go to Trust Relationships -> Relaying Party Trusts

Select Add Relaying Party Trust to start the Wizard.

At the Select Data Source step, enter the SAML metadata URL for your CMS - so for example https://<yourCMS/saml/metadata

image
image.png730×592 21.8 KB

There are various advanced options presented, most of which are out of the scope of this guide. Please select the options you require. In my case, I choose I do not want to configure multi-factor authentication settings for this relaying party trust at this time and Permit all users to access this relaying party when prompted.

Finally a summary is presented

image
image.png725×589 19.5 KB

Leave the box ticked to Edit Claim Rules and finish the wizard.

We need to add three claim rules.

Click Add Rule, and choose Send Claims Using a Custom Rule

image
image.png730×591 16 KB

Name the rule Create Persistent Identifier 1, and enter the following custom rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "_OpaqueIdStore", types = ("http://xibo/internal/persistentId"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);

Add a second rule, and choose the type Transform an Incoming Claim. Call this rule Create Persistent Identifier 2, and configure as follows:

image
image.png564×598 14.6 KB

Finally add a third rule, of type Send LDAP Attributes as Claims. Name it User Info, and set it up as follows:

image
image.png562×599 10.8 KB

You should now be able to log in to your Xibo CMS as any user inside Active Directory. Please ensure all users have a valid email address set on their Active Directory User account. Users will be created in Xibo using the Active Directory SAM-Account-Name as the username, and E-Mail address from the E-Mail Addresses field.