...
SAML EntityIDs and Assertion Consumer Endpoints (ACS) for the Proxy
There are two instances of the CCC SSO Proxy that you must configure attribute release to, a Pilot and a Production instance. The entityID for each is:
...
Proxy Production:
see Attributes for CCC SSO Federated Access for discriptions of required attribues.
ADFS 3.0+ Custom Claim Creation (custom attribute fields) & Metadata Updates
Note: The CCCProxy uses SimpleSAMLPHP, the first section below is for your reference when connecting to a Shibboleth SP. SimpleSAMLPHP has the same attribute requirements as Shibboleth and the Technet article covers mostly this topic. You can send us your Metadata and we will convert it to the necessary formatnecessary format. You can safely skip the section covering metadata conversion for the CCCProxy integration.
Microsoft has posted this guide for ADFS 2.0, InCommon & Shibboleth integrations. I've modified some of what is listed here to match the requirements for the CCC Proxy. This documentation covers custom claim creation and modifications to AD FS metadata to be compatible with Shibboleth SP. This guide tested with AD FS 3.0 & an early release version of AD FS 4.0. Please read the below linked documentation if you have questions outside what is covered. Use the information provided at your own risk and make sure the steps meet with your security requirements.
https://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx
...
| Expand |
|---|
| title | AD FS & Shibboleth Metadata |
|---|
|
In order to for AD FS to be operable with a Shibboleth SP(Service Provider) there are some changes that are required. AD FS and SimpleSAMLPHP/Shibboleth have metadata incompatibilities. SimpleSAMLphp/Shibboleth expect inbound SAML attributes names to use a different name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) than AD FS publishes by default (urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified) Custom claims need to be mapped which is time consuming.
AD FS Metadata can be modified using https://github.com/rohe/pysfemma The below is an example of the output. You can use the below for testing by modifying. (In production change to meet your needs) but it might be easiest to use adfs2fed.py in the tools directory in pysfemma. In the first line add the ID="Your ID" and entityID="Match your ADFS server" Modify both X509Certificate entries with your certificate information. Replace all references to YourAdfsServer.test.edu with your information.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" ID="_65f54c67-86fe-453b-830f-273b53cc3aca" entityID:metadata:1.0" ID="_65f54c67-86fe-453b-830f-273b53cc3aca" entityID="http://YourAdfsServer.test.edu/adfs/services/trust">
<Extensions>
<shibmd:Scope regexp="false">test.edu</shibmd:Scope>
</Extensions>
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://YourAdfsServerwww.testw3.eduorg/adfs2000/services09/trustxmldsig#">
<X509Data>
<Extensions> <shibmd:Scope regexp="false">test.edu</shibmd:Scope> <X509Certificate>eV1oA6cWOlRGSlCAr2XixPLVpqRA4FS8IViGxSLdGKxsQLQdiFzIZyxf6heZ7pJ2JN/aZdxlOD0YzQPG0cvz/c5mEE2kZc0GWn9/ofLS3ZmYlu/nnoBgygaJgjd/mRd4cS0PVnhFiBtyi13dRE9DqcGMtaSxuSHuUungfu0mF0zcciRvaNr96yrNO585CZiljGGFfp1prlJVAGhQdMGHqtuHibrqxhqPKzIxyRD5rlB5GXTes0hnqz9dnPfY6cRAgMBAAEwDQYJKoZIhvcNAQELBQADggEBANsXE1lTVIDcdnIPRJVxSmKadHzMbDThlKWYJh3m84qUfiDfjt20YHwojtT41Irysr8IKko5goYx7kpBXAWG1zk02FSmoYgrKFl4atbEJVOv+qVs6s32ZrEjvz7CKNCK2slzi1wgyMfvJgDxcVDbgLNnwh5IBpSnrqkHJy86IlqkwsDUCH7lYQvj3dLtF7oFi2KpbW3O2DpwuJANgIoeATq0wRx88DUVBpdS6Sg6ZfTHVOXOkTkFQgN4JmZJhIkM7e/lkdz9ZoVvFjqCbELHiOPaB04UQRNA6JKFKUKCxhlCl6ouAAp4iPzn4Nr1KVK3me7/pK3ZdyQDgDLcPNzuw0E=</X509Certificate>
</X509Data>
</Extensions>KeyInfo>
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> </KeyDescriptor>
<KeyDescriptor use="encryptionsigning">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>eV1oA6cWOlRGSlCAr2XixPLVpqRA4FS8IViGxSLdGKxsQLQdiFzIZyxf6heZ7pJ2JN/aZdxlOD0YzQPG0cvz/c5mEE2kZc0GWn9/ofLS3ZmYlu/nnoBgygaJgjd/mRd4cS0PVnhFiBtyi13dRE9DqcGMtaSxuSHuUungfu0mF0zcciRvaNr96yrNO585CZiljGGFfp1prlJVAGhQdMGHqtuHibrqxhqPKzIxyRD5rlB5GXTes0hnqz9dnPfY6cRAgMBAAEwDQYJKoZIhvcNAQELBQADggEBANsXE1lTVIDcdnIPRJVxSmKadHzMbDThlKWYJh3m84qUfiDfjt20YHwojtT41Irysr8IKko5goYx7kpBXAWG1zk02FSmoYgrKFl4atbEJVOv+qVs6s32ZrEjvz7CKNCK2slzi1wgyMfvJgDxcVDbgLNnwh5IBpSnrqkHJy86IlqkwsDUCH7lYQvj3dLtF7oFi2KpbW3O2DpwuJANgIoeATq0wRx88DUVBpdS6Sg6ZfTHVOXOkTkFQgN4JmZJhIkM7e/lkdz9ZoVvFjqCbELHiOPaB04UQRNA6JKFKUKCxhlCl6ouAAp4iPzn4Nr1KVK3me7/pK3ZdyQDgDLcPNzuw0E<X509Certificate>EBAQUAA4IBDwAwggEKAoIBAQCvWpfMCOsjYgkuOwOzCGLjH9bbECRZ6U1uSrtr/xxi54vLaIVhKotqKUN2nKEem8LDMIgi4zlSsqoNgaoKyn7+o99wN+9bD4jd9KZsqSfY4u7DF49MNZ5lydj/yx8jpuXBcvMHstoPQWFRw6HWgm5/vQlmoZrbBjahfPvCajxxJWjYZvjdhEDBaPZcpTeSPsMME8fdEgG07NaUW0EjkI4on9CsNv1RfQkplpDnePa5Swfjv1V5BIOtBZWuCCDIANv+CkRHcpZBvmYVzG/SNOnLMRBp6Skz37+JqlYdzQ0W5NyFoYzzKOqhDndEGxHRUWbujknHqIaD9CkCg2jT16q9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIt1d96VNKbxNwjoxjQ678aamseXPoJsusSJpyiwXiVX7OFiESNQrdQ77Xe8wMccKYMZvb7ESUKhOfRBx9sS/nb6WpujCTfeiP+DR9n3QGTDrsPM6+gOK45svKus8zhVb+Ml+I6WC7iGA9WlJj2LMRR989AlcABFv10Bssqan835EU43lQrSnoS9GJTByykO7JuSjNXvgupcREE9BWgJRSfQ9U9P/r9hBVwjWT4K6gtx4Vws48vfEpY19owx09WJFaJIi4SbcTX/Mi1lyk5wmUfR6t+KHj8eoKvoyuqb/eAPjvVlr7Ktw0xOuWxt7IptGwHVV13x8arNkHb/qMrXtb0=</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing"<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://YourAdfsServer.test.edu/adfs/ls/"/>
<SingleLogoutService <KeyInfo xmlns="httpBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wwwYourAdfsServer.w3test.orgedu/2000adfs/09ls/xmldsig#"/>
<X509Data>
<X509Certificate>EBAQUAA4IBDwAwggEKAoIBAQCvWpfMCOsjYgkuOwOzCGLjH9bbECRZ6U1uSrtr/xxi54vLaIVhKotqKUN2nKEem8LDMIgi4zlSsqoNgaoKyn7+o99wN+9bD4jd9KZsqSfY4u7DF49MNZ5lydj/yx8jpuXBcvMHstoPQWFRw6HWgm5/vQlmoZrbBjahfPvCajxxJWjYZvjdhEDBaPZcpTeSPsMME8fdEgG07NaUW0EjkI4on9CsNv1RfQkplpDnePa5Swfjv1V5BIOtBZWuCCDIANv+CkRHcpZBvmYVzG/SNOnLMRBp6Skz37+JqlYdzQ0W5NyFoYzzKOqhDndEGxHRUWbujknHqIaD9CkCg2jT16q9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIt1d96VNKbxNwjoxjQ678aamseXPoJsusSJpyiwXiVX7OFiESNQrdQ77Xe8wMccKYMZvb7ESUKhOfRBx9sS/nb6WpujCTfeiP+DR9n3QGTDrsPM6+gOK45svKus8zhVb+Ml+I6WC7iGA9WlJj2LMRR989AlcABFv10Bssqan835EU43lQrSnoS9GJTByykO7JuSjNXvgupcREE9BWgJRSfQ9U9P/r9hBVwjWT4K6gtx4Vws48vfEpY19owx09WJFaJIi4SbcTX/Mi1lyk5wmUfR6t+KHj8eoKvoyuqb/eAPjvVlr7Ktw0xOuWxt7IptGwHVV13x8arNkHb/qMrXtb0=</X509Certificate>
</X509Data><NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService </KeyInfo>
</KeyDescriptor>Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://YourAdfsServer.test.edu/adfs/ls/"/>
<SingleLogoutService<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2mace:shibboleth:1.0:bindingsprofiles:HTTP-RedirectAuthnRequest" Location="https://YourAdfsServer.test.edu/adfs/ls/"/>
<SingleLogoutService<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://YourAdfsServer.test.edu/adfs/ls/"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Bindingassertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectattrname-format:uri" Location="https://YourAdfsServer.test.edu/adfs/ls/FriendlyName="E-Mail Address"/>
<SingleSignOnService<Attribute Bindingxmlns="urn:mace:shibboleth:1oasis:names:tc:SAML:2.0:profiles:AuthnRequestassertion" LocationName="httpshttp://YourAdfsServerschemas.test.edu/adfs/ls/"/>
<SingleSignOnService Bindingxmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POSTattrname-format:uri" Location="https://YourAdfsServer.test.edu/adfs/ls/FriendlyName="Given Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail AddressName"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameupn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given NameUPN"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upnEmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPNAD FS 1.x E-Mail Address"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/CommonNameGroup" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common NameGroup"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/EmailAddressUPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail AddressUPN"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.orgmicrosoft.com/ws/2008/06/identity/claims/Grouprole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="GroupRole"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPNsurname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPNSurname"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoftxmlsoap.comorg/ws/20082005/0605/identity/claims/roleprivatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="RolePPID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnamenameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="SurnameName ID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoapmicrosoft.orgcom/ws/20052008/0506/identity/claims/privatepersonalidentifierauthenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPIDAuthentication time stamp"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoapmicrosoft.orgcom/ws/20052008/0506/identity/claims/nameidentifierauthenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="NameAuthentication IDmethod"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoftxmlsoap.comorg/ws/20082005/0605/identity/claims/authenticationinstantdenyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AuthenticationDeny only timegroup stampSID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethoddenyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication methodDeny only primary SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoapmicrosoft.orgcom/ws/20052008/0506/identity/claims/denyonlysiddenyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysidgroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primaryGroup SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsidprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="DenyPrimary only primary group SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsidprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="GroupPrimary SID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsidwindowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PrimaryWindows groupaccount SIDname"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws2012/200801/06devicecontext/identity/claims/primarysidisregistereduser" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PrimaryIs Registered SIDUser"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws2012/200801/06/identitydevicecontext/claims/windowsaccountnameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="WindowsDevice account nameIdentifier"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduserregistrationid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="IsDevice RegisteredRegistration UserIdentifier"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/identifierdisplayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Device IdentifierRegistration DisplayName"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationidostype" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Device RegistrationOS Identifiertype"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/displaynameosversion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Device RegistrationOS DisplayNameVersion"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/ostypeismanaged" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="DeviceIs OSManaged typeDevice"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/devicecontextrequestcontext/claims/osversionx-ms-forwarded-client-ip" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="DeviceForwarded OSClient VersionIP"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/devicecontextrequestcontext/claims/ismanagedx-ms-client-application" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="IsClient Managed DeviceApplication"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwardedclient-clientuser-ipagent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="ForwardedClient ClientUser IPAgent"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-applicationip" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Client ApplicationIP"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-clientendpoint-userabsolute-agentpath" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Client UserEndpoint AgentPath"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ipproxy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Client IPProxy"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-pathrelyingpartytrustid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="EndpointApplication PathIdentifier"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/0112/requestcontextcertificatecontext/claims/x-ms-proxyextension/applicationpolicy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="ProxyApplication policies"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/0112/requestcontextcertificatecontext/claimsextension/relyingpartytrustidauthoritykeyidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="ApplicationAuthority Key Identifier"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicybasicconstraints" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="ApplicationBasic policiesConstraint"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifiereku" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AuthorityEnhanced Key IdentifierUsage"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extensionfield/basicconstraintsissuer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Basic ConstraintIssuer"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extensionfield/ekuissuername" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="EnhancedIssuer Key UsageName"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/fieldextension/issuerkeyusage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="IssuerKey Usage"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuernamenotafter" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="IssuerNot NameAfter"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extensionfield/keyusagenotbefore" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="KeyNot UsageBefore"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/fieldextension/notaftercertificatepolicy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="NotCertificate AfterPolicies"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoftxmlsoap.comorg/ws/20122005/1205/certificatecontextidentity/fieldclaims/notbeforersa" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="NotPublic BeforeKey"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extensionfield/certificatepolicyrawdata" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Certificate PoliciesRaw Data"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoapmicrosoft.orgcom/ws2012/200512/05certificatecontext/identityextension/claims/rsasan" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PublicSubject Alternative KeyName"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/20122008/1206/certificatecontextidentity/fieldclaims/rawdataserialnumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="CertificateSerial Raw DataNumber"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extensionfield/sansignaturealgorithm" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="SubjectSignature Alternative NameAlgorithm"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws2012/200812/06certificatecontext/identityfield/claims/serialnumbersubject" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Serial NumberSubject"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/fieldextension/signaturealgorithmsubjectkeyidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="SignatureSubject Key AlgorithmIdentifier"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectsubjectname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Subject Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifiercertificatetemplateinformation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="SubjectV2 KeyTemplate IdentifierName"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/fieldextension/subjectnamecertificatetemplatename" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="SubjectV1 Template Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoftxmlsoap.comorg/ws/20122005/1205/certificatecontextidentity/extensionclaims/certificatetemplateinformationthumbprint" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="V2 Template NameThumbprint"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/12/certificatecontext/extensionfield/certificatetemplatenamex509version" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="V1 Template NameX.509 Version"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoapmicrosoft.orgcom/ws/20052012/05/identity/claims/thumbprint01/insidecorporatenetwork" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="ThumbprintInside Corporate Network"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2012/12/certificatecontext/field/x509version01/passwordexpirationtime" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="X.509 VersionPassword Expiration Time"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetworkpasswordexpirationdays" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="InsidePassword CorporateExpiration NetworkDays"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2012/01/passwordexpirationtimepasswordchangeurl" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Update Password Expiration TimeURL"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2012/01claims/passwordexpirationdaysauthnmethodsreferences" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PasswordAuthentication ExpirationMethods DaysReferences"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2012/01/passwordchangeurl/requestcontext/claims/client-request-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UpdateClient PasswordRequest URLID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/claims/authnmethodsreferences" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication Methods References"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Client Request ID"/>
</IDPSSODescriptor>
</EntityDescriptor> |
|---|
|
AD FS Claim Creation
AD FS installation and configuration isn't covered in this guide. If you need help please see here: https://technet.microsoft.com/en-us/library/dn486820(v=ws.11).aspx Once AD FS is installed the below Powershell script will create a "Relaying Party Trust" with the name CCCPilot.
(You will need your MISnnn code first discussed here: https://cccnext.jira.com/wiki/display/CSF/Steps+to+Integrate+with+the+CCC+SSO+Proxy follow the step to get the MISnnn code.):
(AD FS PowerShell tools must be active run "Add-PSSnapin Microsoft.Adfs.PowerShell" if needed. Add your MIS number in place of MISnnn)
...
Add-AdfsRelyingPartyTrust -Name "CCCPilot" -MetadataUrl https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php/MISnnn
You should see the Relaying Party Trust listed:
Image Removed
You can edit the Claim Issuance Policy manually from this page, but it's a very time consuming task. Below is a PowerShell script that can add the policies for you.
First, create a powershell script in a directory named ClaimPolicy.ps1 and copy the below. Edit the "Target Identifier" to match what is listed in AD FS.
...
Set-AdfsRelyingPartyTrust -TargetIdentifier https://YourTargetIdentifier -IssuanceTransformRulesFile rules.inc -SignatureAlgorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
In the same directory where ClaimPolicy.ps1 is stored create a file named rule.inc and copy the below policies as needed. The below are samples of claim transformations described in the Microsoft article. Not all of the examples will match your environment but you can modify the below to fit your needs. Refer to https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx for a list of all Active Directory attributes. A list of attributes we require can be found here: Attributes for CCC SSO Federated Access For the most part, these attributes should match your environment. The next section below will have examples of the "edu" specific attributes and those will need to match what you have stored in your AD. Consider what is listed as a placeholder.
The first rule requests the attribute from AD and the second rule converts the attribute to the format expected by SimpleSAMLphp & Shibboleth.
...
</IDPSSODescriptor>
</EntityDescriptor> |
|---|
|
AD FS Claim Creation
AD FS installation and configuration isn't covered in this guide. If you need help please see here: https://technet.microsoft.com/en-us/library/dn486820(v=ws.11).aspx Once AD FS is installed the below Powershell script will create a "Relaying Party Trust" with the name CCCPilot.
(You will need your MISnnn code first discussed here: https://cccnext.jira.com/wiki/display/CSF/Steps+to+Integrate+with+the+CCC+SSO+Proxy follow the step to get the MISnnn code.):
(AD FS PowerShell tools must be active run "Add-PSSnapin Microsoft.Adfs.PowerShell" if needed. Add your MIS number in place of MISnnn)
You should see the Relaying Party Trust listed:
Image Added
You can edit the Claim Issuance Policy manually from this page, but it's a very time consuming task. Below is a PowerShell script that can add the policies for you.
First, create a powershell script in a directory named ClaimPolicy.ps1 and copy the below. Edit the "Target Identifier" to match what is listed in AD FS.
Set-AdfsRelyingPartyTrust -TargetIdentifier https://YourTargetIdentifier -IssuanceTransformRulesFile rules.inc -SignatureAlgorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
|
|---|
In the same directory where ClaimPolicy.ps1 is stored create a file named rule.inc and copy the below policies as needed. The below are samples of claim transformations described in the Microsoft article. Not all of the examples will match your environment but you can modify the below to fit your needs. Refer to https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx for a list of all Active Directory attributes. A list of attributes we require can be found here: Attributes for CCC SSO Federated Access For the most part, these attributes should match your environment. The next section below will have examples of the "edu" specific attributes and those will need to match what you have stored in your AD. Consider what is listed as a placeholder.
The first rule requests the attribute from AD and the second rule converts the attribute to the format expected by SimpleSAMLphp & Shibboleth.
@Rulename="Get Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.3"), query = ";mail;{0}", param = c.Value);
@Rulename="Convert Email xml"
c:[Type == "urn:oid:0.9.2342.19200300.100.1.3"]
=> issue(Type = c.Type, Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName="Get FirstName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:02.95.2342.19200300.100.1.34.42"), query = ";mailgivenName;{0}", param = c.Value);
@Rulename@RuleName="Convert EmailFirstName xml"
c:[Type == "urn:oid:02.95.2342.19200300.100.1.34.42"]
=> issue(Type = c.Type, Value = c.Value, Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@RuleName="Get FirstNameLastName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:2.5.4.424"), query = ";givenNamesn;{0}", param = c.Value);
@RuleName="Convert FirstNameLastName xml"
c:[Type == "urn:oid:2.5.4.424"]
=> issue(Type = c.Type, Value = c.Value, Value = c.Value, Issuer = c.Issuer, Properties[ Issuer = c.Issuer, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@Rulename="Get sAMAaccountName"
c:[Type == "http://schemas.xmlsoapmicrosoft.orgcom/ws/20052008/0506/identity/claimproperties/attributename"]claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oasis:names:tc:SAML:2.0:attrname-format:uri"oid:1.2.840.113556.1.4.221"), query = ";uid;{0}", param = c.Value);
@RuleName@Rulename="Get LastNameConvert sAMAccountName / uid xml"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:2.5.4.4"), query = ";sn;{0}", param = c.Value);
@RuleName="Convert LastName xml"
urn:oid:1.2.840.113556.1.4.221"]
=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");@Rulename="sAMAccountName to Username / uid" c:[Type == "urn:oid:1.2.840.113556.51.4.4221"] => issue(Type = c.Type"urn:oid:0.9.2342.19200300.100.1.1", Value = c.Value, Issuer = c.IssuerValue, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@Rulename="Get sAMAaccountNamedisplayName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:1.2.840.113556.1.42.22113"), query = ";uiddisplayName;{0}", param = c.Value);
@Rulename="Convert sAMAccountName / uiddisplayName xml"
c:[Type == "urn:oid:1.2.840.113556.1.42.22113"]
=> issue(Type = "urn:oid:02.16.9840.23421.1920030011373.1003.1.1241", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");@Rulename="sAMAccountName to Username / uid" Name Identifier"c:[Type == "urn:oid:1.2.840.113556.1.4.221"]
=> issue(Type = "urn:oid:0.9.2342.19200300.100.1.1"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributenameformat"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");:2.0:nameid-format:transient"); |
|---|
Example of eduPersonPrinipalName(EPPN) mapped to upn. Any value you use should be a unique value that won't change. You need to modify the member@yourdomain.edu in the Value property to match your domain. This is a scoped attribute.
@Rulename="GetTransform displayName"sAMAccountName to EPPN" c:[Type == "http://schemas.microsoftxmlsoap.comorg/ws/20082005/0605/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
upn"] => addissue(storeType = "Active Directoryurn:oid:1.3.6.1.4.1.5923.1.1.1.6", typesValue = ("urn:oid:1.2.840.113556.1.2.13"), query = ";displayName;{0}", param = c.Value);
@Rulename="Convert displayName xmlc.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@Rulename="Transform EPPN & add scope"
c:[Type == "urn:oid:1.2.840.113556.1.2.13http://schemas.xmlsoap.org/claims/Group", Value == "Domain Users"]
=> issue(Type = "urn:oid:2.16.8401.3.6.1.4.1.5923.113731.31.1.2416", Value = c"member@yourdomain.Valueedu", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");@Rulename="Name Identifier:oasis:names:tc:SAML:2.0:attrname-format:uri");
|
|---|
Example of eduPersonPrincipalName(EPPN) mapped to sAMAccountName. Like the above example, the EPPN needs to be unique not only to your organization but to others as well. The sAMAccountName doesn't have the domain value added, the below example you creates three custom rules. The first queries AD for sAMAccountName & upn, the second pulls the domain value from the upn, the third adds the domain value to the sAMAccountName and gives it the EPPN value.
@Rulename="Query AD for upn and sAMAccountName" c:[Type == "http://schemas. |
|---|
xmlsoaporg200505upn"]windowsaccountname", Issuer = |
|---|
> issue(Type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");Example of eduPersonPrinipalName(EPPN) mapped to upn. Any value you use should be a unique value that won't change. You need to modify the member@yourdomain.edu in the Value property to match your domain. This is a scoped attribute.
@Rulename="Transform sAMAccountName to EPPN"
AD AUTHORITY"]
=> add(store = "Active Directory", types = ("ssupn", "sswindowsaccountname"), query = ";userPrincipalName,sAMAccountName;{0}", param = c.Value);
@Rulename="Obtain the domain from the upn"
c:[Type == " |
|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upnissueurn:oid:1.3.6.1.4.1.5923.1.1.1.6ssnewupn", Value = RegExReplace(c.Value, |
|---|
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
@Rulename="Transform EPPN & add scope"
c"^(.*?)@", ""));
@Rulename="Combine sAMAccountName with domain"
c1:[Type == " |
|---|
http://schemas.xmlsoap.org/claims/Group", Valuessnewupn"]
&& c2:[Type == " |
|---|
Domain Users
=> issue(Type = "urn:oid:
|
|---|
1361.4.1.5923.1.6"member@yourdomain.edu"c2.Value + "@" + c1.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"); |
|---|
Example of eduPersonAffiliation stored in title:
...