
Fusion 5.9

    Configure Active Directory Federation Services (AD FS) authentication for Fusion

    You can configure Active Directory Federation Services (AD FS) for SAML single sign-on (SSO) authentication in Fusion. This guide explains how to set up Spring Boot OAuth2 with AD FS.

    OAuth-based authentication against AD FS requires AD FS 3.0 or later, which is available from Windows Server 2012 R2 onwards.

    Configure a Security Realm in Fusion

    In Fusion, create a Security Realm for AD FS.

    1. In the Fusion workspace, navigate to System > Access Control.

    2. Click Security Realms.

    3. Click Add Security Realm.

    4. Enter the following information for the new realm:

      • Enter a Name. The name must be unique and should be descriptive yet short.

      • Select saml from the Type pulldown menu.

        When you select a type, Fusion displays additional configuration options.

      • The default value for Enabled is true. This setting controls whether or not Fusion allows user logins for this security realm.

      • The default value for Ephemeral Users is false. When disabled, this setting prevents ephemeral users from being created in ZooKeeper during login. If enabled, this property negates Auto Create Users.

      • The default value for Auto Create Users is true. If enabled, a user account is created automatically upon initial authentication. If disabled, then a Fusion user with admin permissions must create Fusion users.

    5. Under SAML Realm, configure the following information:

      • Enter the Identity Provider URL. This URL is used by the SAML authority for single sign-on. For example: https://www.example.com/APP-PATH/adfs/ls

      • Enter the URL of the IdP Issuer. For example: http://www.example.com/adfs/services/trust.

        • IdP Issuer must match <saml:Issuer> in the SAML payload.

      • Optional: Provide the App Issuer. This field is required if there is an audienceRestriction in the SAML assertion and must match <saml:Audience> in the SAML payload.

      • In the Certificate Fingerprint, paste the contents of the SAML authority certificate, without the certificate header and footer.

      • Optional: Enter the User ID Attribute. By default, the Fusion username is the same as the login name known to the Identity Provider. When another field or attribute in the user record stored by the IdP should be used as the Fusion username, that attribute name is the value of the User ID Attribute.

      • Optional: Provide a Post Login Redirect URL. If not set, the Fusion URL is used.

      • Optional: Provide a Logout URL.

    6. Optional: Under Groups Mapping, specify the Group Name Attribute and add group mappings.

    7. Click Save.
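    The realm fields above only work when they line up with what AD FS actually sends: IdP Issuer must equal <saml:Issuer>, App Issuer must equal <saml:Audience> when an AudienceRestriction is present, and the Certificate Fingerprint must be the signing certificate's base64 body. The following added example (not Fusion code) is a pre-flight checker that parses a captured SAML Response (a constructed sample is embedded) and reports which realm setting is out of step; it does not verify the XML signature, which Fusion does itself.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespaces used in a SAML 2.0 Response issued by AD FS.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def normalize_cert(pem_or_b64: str) -> str:
    """Drop PEM header/footer and whitespace: the bare body the Certificate Fingerprint field expects."""
    lines = [ln.strip() for ln in pem_or_b64.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def check_saml_response(xml_text: str, idp_issuer: str,
                        app_issuer: Optional[str], cert: str) -> List[str]:
    """Compare a SAML Response with the realm's IdP Issuer, App Issuer and
    Certificate Fingerprint. Returns a list of mismatches (empty list = all match)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in response"]
    problems = []
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_issuer:
        problems.append(f"IdP Issuer mismatch: realm={idp_issuer!r} assertion={issuer!r}")
    audiences = [a.text.strip() for a in assertion.findall(
        ".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audiences and app_issuer is None:
        problems.append(f"assertion has AudienceRestriction {audiences}; App Issuer must be set")
    elif audiences and app_issuer not in audiences:
        problems.append(f"App Issuer mismatch: realm={app_issuer!r} assertion={audiences}")
    # The signing certificate AD FS embeds must be the one pasted into the realm.
    x509 = assertion.findtext(".//ds:X509Certificate", default="", namespaces=NS) or ""
    if x509 and normalize_cert(x509) != normalize_cert(cert):
        problems.append("signing certificate in response differs from Certificate Fingerprint")
    return problems

# Constructed sample data (not a real certificate or signature), for a stand-alone run.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIICsampleCONSTRUCTED\nbodyONLY==\n-----END CERTIFICATE-----"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><saml:Issuer>http://www.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIICsampleCONSTRUCTED
   bodyONLY==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://fusion.example.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Run `check_saml_response(SAMPLE_RESPONSE, "http://www.example.com/adfs/services/trust", "https://fusion.example.com", SAMPLE_CERT_PEM)` to get an empty list; swap in the realm values you intend to save to see which field AD FS would reject.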

    Set up the application (relying party trust) in AD FS

    Create a relying party trust in the AD FS Management console. For more details, refer to the Microsoft AD FS documentation.

    The following screenshots may differ from your setup depending on the version of AD FS you’re using.

    1. Launch the Add Relying Party Trust Wizard, then select Claims aware.

      [Screenshot: adfs-relying-party-2]

    2. Choose the option to enter the data manually.

      [Screenshot: adfs-relying-party-1]

    3. Set a Display name.

      [Screenshot: adfs-relying-party-3]

    4. Configure URL. Enable the option for SAML 2.0 WebSSO protocol.

      [Screenshot: adfs-relying-party-5]

    5. Set the Relying party trust identifier to the URL of the Fusion application.

      [Screenshot: adfs-relying-party-identifier]

    6. Edit the Claim Rules to pass through the User Principal Name as the NameID claim.

      [Screenshot: adfs-principal-roles-claim-rule]

    7. In a terminal, create the OAuth AD FS client for the Fusion application:

      Add-ADFSClient -Name "Fusion OAuth" -ClientId "168f3ee4-63fc-4723-a61a-6473f6cb515d" -RedirectUri "http://localhost:8080/oauthLogin"

    The ClientId should be a GUID and the RedirectUri must point to the Fusion application URL, with /oauthLogin appended. Here, localhost is used for testing a Fusion application running on the local development machine.

    Configure the OAuth module for the application setup in AD FS

    Create a new configuration file in conf/security/oauth.conf.

    client-id: 168f3ee4-63fc-4723-a61a-6473f6cb515d
    adfs-url: https://your-adfs-server/adfs
    resource: http://localhost:8080
    high-trust: false

    Replace the client-id, adfs-url and resource parameters for your environment.

    • The client-id is the ID that was set up against AD FS using the Add-ADFSClient PowerShell command.

    • The adfs-url is the URL of the AD FS server with the /adfs context appended.

    • The resource is the relying party trust identifier set up in AD FS management.

    • The high-trust parameter is only required when integrating the AD FS and SharePoint modules. This article is only concerned with authentication against AD FS.

    Test the authentication

    When a user opens the Fusion login page, they are redirected to the AD FS OAuth login page. After logging in, the user is returned to Fusion as an authenticated user. The Fusion user’s details are also populated with any basic information available from the decoded OAuth token, such as roles and the user principal name.