Skip to main content

SAML Authenticator Web 8.5 with ADFS

This post continues the setup of Single Sign-On for Web 8.5 with ADFS presented in an earlier blog post.

This SAML Authenticator is a .NET HTTP Module that is configured to intercept all requests going into the SDL Web website (the CME) and do the following:
  • if request is post-back from ADFS
    • decrypt SAML token
    • extract user name
    • set cookie with user name
    • set user name in request SSO header
  • else
    • if cookie exists
      • extract user name from cookie
      • set user name in request SSO header
    • else
      • redirect browser to ADFS form-login
The cookie is encrypted, in order to prevent the user name from being spoofed.

In more detail, the code is as follows:

public void BeginRequest()
{
    string user = GetUserData();
    if (user == null)
    {
        Request.Headers.Remove(Configuration.HeaderUser);
    }
    else
    {
        Request.Headers[Configuration.HeaderUser] = user;
    }
}

The method executes when a request is intercepted. The configuration HeaderUser is the name of the SSO header that the SDL Web SsoAgentHttpModule is expecting to be set, in order to impersonate that user.

The method GetUserData:

private string GetUserData()
{
    string result = null;
    SamlResponse samlResponse;

    if ((samlResponse = new SamlResponse()).IsValid)
    {
        UserData user = samlResponse.ExtractUser();

        if (user == null)
        {
            new SamlRequest().ForceLogin();
        }
        else
        {
            Response.SetCookie(new HttpCookie(Configuration.CookieName, Util.RsaEncrypt(user.UserId)));

            if (string.IsNullOrEmpty(user.OriginalUrl))
            {
                result = user.UserId;
            }
            else
            {
                Response.Redirect(user.OriginalUrl);
            }
        }
    }
    else
    {
        HttpCookie cookie = Request.Cookies[Configuration.CookieName];

        if (cookie == null)
        {
            new SamlRequest().ForceLogin();
        }
        else
        {
            result = Util.RsaDecrypt(cookie.Value);
            if (result == null)
            {
                new SamlRequest().ForceLogin();
            }
        }
    }

    return result;
}

The classes SamlRequest and SamlResponse handle the request redirect to ADFS login, and response token handling respectively.

SamleResponse.ExtractUser method is presented below:

public UserData ExtractUser()
{
    UserData user = new UserData();

    AdfsClient adfsClient = new AdfsClient();
    Saml2SecurityToken token = adfsClient.DecryptSaml2Token(SamlResponseXml);
    IPrincipal principal = adfsClient.GetPrincipal(token);

    ExtractClaims(principal, user);

    return user;
}

The code above makes use of the custom AdfsClient class, which handles communication and token handling with the ADFS server.

The code first decodes the SAML encrypted XML and converts the string representation of the token into a .NET System.IdentityModel.Tokens.Sam2SecurityToken object.

public Saml2SecurityToken DecryptSaml2Token(string tokenXml)
{
    using (StringReader stringReader = new StringReader(tokenXml))
    using (XmlReader reader = XmlReader.Create(stringReader))
    {
        reader.ReadToFollowing("EncryptedAssertion", SAML2_ASSERTION);
        return (Saml2SecurityToken)SecurityTokenHandlers.ReadToken(reader);
    }
}

public ClaimsPrincipal GetPrincipal(SecurityToken decryptedToken)
{
    ReadOnlyCollection<ClaimsIdentity> identities = SecurityTokenHandlers.ValidateToken(decryptedToken);
    return new ClaimsPrincipal(identities[0]);
}

The latter method, GetPrincipal, validates the decrypted token and by doing so, it creates a collection of ClaimsIdentity objects contained in that token. We then return a new ClaimsPrincipal instance based on the first identity in the token.

Lastly, the SamlRequest.ForceLogin method simply outputs an HTML document that automatically performs a JavaScript POST to the ADFS passive-authentication login-form. It also passes in the Relying Party identifier for this application (without such an identifier, the ADFS won't show the form-login screen).

We must also configure the HTTP Module in file web.config of the SDL Web website, located in folder [SDLWebHome]\web.


Comments

Popular posts from this blog

Running sp_updatestats on AWS RDS database

Part of the maintenance tasks that I perform on a MSSQL Content Manager database is to run stored procedure sp_updatestats . exec sp_updatestats However, that is not supported on an AWS RDS instance. The error message below indicates that only the sa  account can perform this: Msg 15247 , Level 16 , State 1 , Procedure sp_updatestats, Line 15 [Batch Start Line 0 ] User does not have permission to perform this action. Instead there are several posts that suggest using UPDATE STATISTICS instead: https://dba.stackexchange.com/questions/145982/sp-updatestats-vs-update-statistics I stumbled upon the following post from 2008 (!!!), https://social.msdn.microsoft.com/Forums/sqlserver/en-US/186e3db0-fe37-4c31-b017-8e7c24d19697/spupdatestats-fails-to-run-with-permission-error-under-dbopriveleged-user , which describes a way to wrap the call to sp_updatestats and execute it under a different user: create procedure dbo.sp_updstats with execute as 'dbo' as

Scaling Policies

This post is part of a bigger topic Autoscaling Publishers in AWS . In a previous post we talked about the Auto Scaling Groups , but we didn't go into details on the Scaling Policies. This is the purpose of this blog post. As defined earlier, the Scaling Policies define the rules according to which the group size is increased or decreased. These rules are based on instance metrics (e.g. CPU), CloudWatch custom metrics, or even CloudWatch alarms and their states and values. We defined a Scaling Policy with Steps, called 'increase_group_size', which is triggered first by the CloudWatch Alarm 'Publish_Alarm' defined earlier. Also depending on the size of the monitored CloudWatch custom metric 'Waiting for Publish', the Scaling Policy with Steps can add a difference number of instances to the group. The scaling policy sets the number of instances in group to 1 if there are between 1000 and 2000 items Waiting for Publish in the queue. It also sets the

I Have Gone Dark

Maybe it's the Holidays, but my mood has gone pretty dark. That is, regarding the look and feel of my computer and Tridion CME, of course. What I did was to dim the lights on the operating system, so I installed Placebo themes for Windows 7 . I went for the Ashtray look -- great name :) My VM looks now like this: But, once you change the theme on Windows, you should 'match' the theme of your applications. Some skin easily, some not. The Office suite has an in-built scheme, which can be set to Black , but it doesn't actually dim the ribbon tool bars -- it looks quite weird. Yahoo Messenger is skinnable, but you can't change the big white panels where you actually 'chat'. Skype is not skinnable at all. For Chrome, there are plenty of grey themes. Now i'm using Pro Grey . But then I got into changing the theme of websites. While very few offer skinnable interfaces (as GMail does), I had to find a way to darken the websites... Enter Stylish -- a pl