SAML Single Sign-On with Active Directory ADFS
Xibo can be set up to authenticate against any SAML 2.0 IdP, and Microsoft Active Directory Federation Services (ADFS) can be configured to act as such an IdP.
Firstly, install the ADFS role on your server. You will need a valid SSL certificate for the URL you intend to publish your IdP on. In this example, I'm publishing an IdP at https://fs.test.alexharrington.co.uk (this IdP won't exist by the time this article is published). Similarly, your Xibo CMS will need to be served over HTTPS with a valid certificate: ADFS will later fetch the CMS metadata over HTTPS, so the CMS certificate must chain to a CA the ADFS server trusts.
Once the IdP is installed, ensure you can reach the IdP web page at the URL you have configured from both your Xibo CMS server and from the client computers your users will authenticate from. Visiting, for example, https://fs.test.alexharrington.co.uk/adfs/ls/ should bring up a page served by ADFS showing an error. That's normal: we're only checking connectivity (and that the browser trusts the certificate) at this point.
First we need to export the token-signing certificate from ADFS. Open the ADFS console, go to Service -> Certificates and find the Token-signing certificate. Right click on it and choose View Certificate. Move to the Details tab and click Copy to File... Choose the Base-64 encoded X.509 format and save the file somewhere convenient.
Now on your Xibo CMS, edit your settings.php or settings-custom.php file and add the example SAML configuration below:
$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = array (
    'workflow' => array(
        // Enable/Disable Just-In-Time provisioning
        'jit' => true,
        // Attribute used to identify the user (alternatives: UserID, UserName or email)
        'field_to_identify' => 'email',
        // Default libraryQuota assigned to a user created by JIT
        'libraryQuota' => 1000,
        // Initial User Group
        'group' => 'Users',
        // Home Page
        'homePage' => 'icondashboard.view',
        // Enable/Disable Single Logout
        'slo' => false,
        // Attribute mapping between Xibo CMS fields and the claims issued by the IdP
        'mapping' => array (
            'UserID' => '',
            'usertypeid' => '',
            'UserName' => 'uid',
            'email' => 'mail',
        )
    ),
    // Settings for the PHP-SAML toolkit.
    // See documentation: https://github.com/onelogin/php-saml#settings
    // 'strict' => false and 'debug' => true are only for getting the trust working.
    // Once logins succeed, set 'strict' => true (the toolkit then enforces the
    // Destination, Audience, Issuer and validity-window checks on every response)
    // and 'debug' => false.
    'strict' => false,
    'debug' => true,
    'idp' => array (
        // Federation Service identifier of your ADFS server. The ADFS default is
        // http://<yourIdP>/adfs/services/trust (http, not https); check it in the
        // ADFS console under Federation Service Properties. This must match the
        // Issuer in the responses ADFS sends.
        'entityId' => 'http://<yourIdP>/adfs/services/trust',
        'singleSignOnService' => array (
            'url' => 'https://<yourIdP>/adfs/ls',
        ),
        'singleLogoutService' => array (
            // ADFS serves logout from the same endpoint; unused while 'slo' is false
            'url' => 'https://<yourIdP>/adfs/ls',
        ),
        // Token-signing certificate exported from ADFS, base64 on a single line
        'x509cert' => '<yourCert>',
    ),
    'sp' => array (
        'entityId' => 'https://<yourCMS>/saml/acs',
        'assertionConsumerService' => array (
            'url' => 'https://<yourCMS>/saml/acs',
        ),
        'singleLogoutService' => array (
            'url' => 'https://<yourCMS>/saml/sls',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        // Only needed if you enable request signing or encrypted assertions below
        'x509cert' => '',
        'privateKey' => '',
    ),
    'security' => array (
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        // ADFS signs the assertion by default, so this can be set to true once
        // the trust is working
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    )
);
Be sure to replace:
- <yourIdP> with the hostname of your ADFS server
- <yourCMS> with the hostname of your Xibo CMS
- <yourCert> with the text contents of the certificate you exported from ADFS, all on one line, excluding the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
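The certificate export above can be done without the GUI, and doing it from PowerShell also shows the two things that commonly break this setup later: the Federation Service identifier (which the IdP entityId has to match) and automatic token-signing certificate rollover. The script below is an added example, not code from the article or from Xibo; it runs on the ADFS server in an elevated PowerShell session, and the output file name is my own choice.

```powershell
# Added example (not from the original article). Run on the ADFS server.
Import-Module ADFS

# Converts a Base-64 .cer exported from the GUI into the single line php-saml
# expects: drop the BEGIN/END lines and the line breaks.
function ConvertTo-SamlCertLine {
    param([Parameter(Mandatory)][string]$PemPath)
    (Get-Content -Path $PemPath) -notmatch '^-----' -join ''
}

# The *primary* token-signing certificate is the one ADFS currently signs with.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # X509Certificate2

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

# RawData is the DER encoding, so ToBase64String yields exactly the one-line
# value for 'x509cert' => '<yourCert>' (identical to ConvertTo-SamlCertLine
# applied to a GUI export of the same certificate).
$oneLine = [Convert]::ToBase64String($cert.RawData)
Set-Content -Path .\adfs-token-signing.b64 -Value $oneLine -NoNewline   # assumed file name
"Wrote $($oneLine.Length) base64 characters to adfs-token-signing.b64"

$props = Get-AdfsProperties

# This is the value for the 'idp' => 'entityId' setting.
"Federation Service identifier : $($props.Identifier)"

# Caveat: with AutoCertificateRollover enabled (the default) ADFS generates a
# new token-signing certificate before this one expires and switches to it,
# at which point the static 'x509cert' value in settings.php stops validating
# responses and every login fails. Re-run this export after each rollover, or
# disable rollover and manage the certificate yourself.
"AutoCertificateRollover       : $($props.AutoCertificateRollover)"
"CertificateDuration (days)    : $($props.CertificateDuration)"
```

If AutoCertificateRollover is true, put the NotAfter date in your calendar; ADFS will have switched to the new certificate some days before that, and the Xibo login page will simply start rejecting responses with no change on the Xibo side.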
Please note: homePage => icondashboard.view needs to be replaced if you are using a CMS earlier than v3:
- Earlier than v3: replace icondashboard.view with icondashboard
- Earlier than v2.0.3: replace icondashboard.view with dashboard
Save the file. From now on your CMS will redirect to your SAML IdP when you go to log in, so keep a way back in (shell access to edit the settings file again) in case the trust is misconfigured.
Back in the ADFS console, go to Trust Relationships -> Relying Party Trusts and select Add Relying Party Trust to start the wizard.
At the Select Data Source step, enter the SAML metadata URL for your CMS, for example https://<yourCMS>/saml/metadata
There are various advanced options presented, most of which are out of the scope of this guide. Please select the options you require. In my case, I choose I do not want to configure multi-factor authentication settings for this relying party trust at this time and Permit all users to access this relying party when prompted.
Finally a summary is presented. Leave the box ticked to Edit Claim Rules and finish the wizard.
We need to add three claim rules.
Click Add Rule, and choose Send Claims Using a Custom Rule. Name the rule Create Persistent Identifier 1, and enter the following custom rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "_OpaqueIdStore", types = ("http://xibo/internal/persistentId"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
Add a second rule, and choose the type Transform an Incoming Claim. Call this rule Create Persistent Identifier 2, and configure as follows:
Finally add a third rule, of type Send LDAP Attributes as Claims. Name it User Info, and set it up as follows:
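The relying party trust and its three claim rules can also be created from PowerShell, which is easier to review and to reproduce on a second ADFS farm than clicking through the wizard. The script below is an added example, not code from the article or from Xibo. Rule 1 is the custom rule quoted above verbatim. The article shows rules 2 and 3 only as screenshots, so their contents here are assumptions: rule 2 follows the standard ADFS pattern of turning the opaque id into a persistent-format Name ID, and rule 3 issues sAMAccountName and mail as the uid and mail claims that the 'mapping' array in the Xibo settings expects. The CMS hostname and trust name are placeholders.

```powershell
# Added example (not from the original article). Run on the ADFS server.
Import-Module ADFS

$CmsHost   = 'cms.example.com'   # assumption: your Xibo CMS hostname
$TrustName = 'Xibo CMS'          # assumption: display name for the trust

# Rule 1: the custom rule from the article, unchanged.
$rule1 = @'
@RuleName = "Create Persistent Identifier 1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "_OpaqueIdStore", types = ("http://xibo/internal/persistentId"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
'@

# Rule 2 (assumed): transform the opaque id into a persistent-format Name ID.
$rule2 = @'
@RuleName = "Create Persistent Identifier 2"
c:[Type == "http://xibo/internal/persistentId"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Rule 3 (assumed): sAMAccountName -> uid and mail -> mail, matching the Xibo
# 'mapping' array. Xibo identifies users by the mail claim, so the E-Mail
# attribute must be set (and unique) on every account that should log in.
$rule3 = @'
@RuleName = "User Info"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid", "mail"), query = ";sAMAccountName,mail;{0}", param = c.Value);
'@

# The "Permit all users to access this relying party" choice from the wizard.
$authz = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-AdfsRelyingPartyTrust -Name $TrustName) {
    throw "A relying party trust named '$TrustName' already exists; remove it or choose another name."
}

# ADFS fetches the SP metadata over HTTPS here, so the CMS certificate must
# chain to a CA this server trusts or the call fails.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataUrl "https://$CmsHost/saml/metadata" `
    -IssuanceTransformRules (($rule1, $rule2, $rule3) -join "`n") `
    -IssuanceAuthorizationRules $authz `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Check what ADFS learned from the metadata.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
"Identifier(s) : $($rp.Identifier -join ', ')"        # expect https://$CmsHost/saml/acs
"SAML endpoints: $($rp.SamlEndpoints.Count)"          # ACS (and SLS if published)
"Transform rules:"
$rp.IssuanceTransformRules
```

If the Identifier printed does not match the 'sp' => 'entityId' value in settings.php, the Audience check will fail as soon as you turn 'strict' on, so fix that before hardening the Xibo side.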
You should now be able to log in to your Xibo CMS as any user inside Active Directory. Because Xibo identifies users by the email attribute, please ensure all users have a valid, unique email address set on their Active Directory user account. Users will be created in Xibo using the Active Directory SAM-Account-Name as the username, and the address from the E-Mail Addresses field as the email.