Authentication Type 2
To configure Transact with ADFS over SAML 2.0 using Authentication Type 2, follow the instructions in this section.
Authentication Type 2 uses SSO for both authentication and authorization. The user enters the user name on the SSO logon page, and it is forwarded as a SAML request to the Identity Provider. Transact receives the user name and the groups associated with the user in the SAML response.
This topic covers Authentication Type 2 with a single group. For multi-group configuration, see Authentication Type 2 with multiple group support.
Prerequisites
This configuration requires the following to be installed:
- Active Directory Federation Services
- Active Directory
- Ephesoft Transact
You also need to configure the following components:
- server.xml
- applicationContext.xml
- web.xml
- applicationContext-Security.xml
- dcma-batch.properties
- Transact SAML metadata file (to be imported on the Transact side)
- ADFS Federation metadata file
- Valid keystore (JKS) for importing the ADFS certificate
Components
The following components require additional configuration to support ADFS over SAML 2.0 with Authentication Type 2. You also need to configure ADFS as shown in ADFS configuration requirements.
- Server.xml
  Change the following:
  - Configure connection port 8443.
  - Comment out connection port 8080.
  When you are finished, restart the Transact service and verify that it works over HTTPS.
  Note the following:
  - You can configure any port over HTTPS. This topic shows how to configure Tomcat with SSL over port 8443.
  - See the Tomcat web site for information about configuring Tomcat over HTTPS.
  - To generate the truststore and keystore, see Set SSL/TLS in Tomcat.
  - Download the sample server.xml from here.
  - Download the truststore and keystore files here. The password for both files is "abhishek".
- application-context.xml
  Uncomment the following line in the application-context.xml file:
  <import resource="classpath:/META-INF/applicationContext-security.xml" />
  This enables the SAML configuration, which is defined in the applicationContext-security.xml file.
  Download the sample application-context.xml file here.
- web.xml
  Change the following:
  - Uncomment the springSecurityFilterChain filter and its filter mapping.
  - Comment out the sessionTimeoutFilter and its filter mapping.
  - Comment out the SessionTimeoutServlet and its servlet mapping.
  - Comment out all security-constraint nodes.
  - Comment out the login-config nodes.
  - Place the authentication filter and its filter mapping below springSecurityFilterChain.
  - Change the logout URL to point to the correct port and URL.
  - Select 2 for the authenticationType bean.
  Download the sample web.xml file here.
- Security folder
  Do the following:
  - Place the sample JKS file in the Security folder. By default, Transact provides samlKeystore.jks, which can be used to configure Transact.
  - Import the ADFS certificate into the JKS file by using the following command:
    keytool.exe -importcert -alias <alias name> -keystore "<Keystore path>" -file "<cert path>"
  - Download the FederationMetadata file in XML format from your ADFS server and place the file in the security folder.
  - Go to https://<domainname>/FederationMetadata/2007-06/FederationMetadata.xml to download the ADFS metadata file and save it in the security folder.
  A sample security folder can be downloaded here. The ADFS metadata file and certificate in the sample will not work in your environment and are provided for reference only.
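The keytool import above needs the ADFS signing certificate as a file, and that certificate is embedded in the FederationMetadata.xml you download. The following Python script is an added example (not code from Transact or ADFS) that pulls the IdP entityID and every signing certificate out of a metadata file and writes each as PEM; the metadata, the host name adfs.example.test and the certificate bytes are constructed placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for FederationMetadata.xml; the certificate body is a
# placeholder (base64 of a short string), not a real ADFS signing certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed-placeholder-certificate-bytes").decode()
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.example.test/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing">
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
    <X509Certificate>%s</X509Certificate></X509Data></KeyInfo>
  </KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://adfs.example.test/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>""" % FAKE_CERT_B64

def idp_signing_certs(metadata_xml):
    """Return (idp_entity_id, [pem, ...]) for every IdP signing certificate in
    the metadata. Each PEM can be saved as a .cer file and imported into the
    JKS with keytool -importcert."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    pems = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join(cert.text.split())          # drop line breaks and indentation
            base64.b64decode(body, validate=True)      # reject a garbled blob before writing it
            pem_body = "\n".join(textwrap.wrap(body, 64))
            pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % pem_body)
    if not pems:
        raise ValueError("no IdP signing certificate in metadata")
    return root.get("entityID"), pems

if __name__ == "__main__":
    entity_id, certs = idp_signing_certs(SAMPLE_METADATA)
    with open("adfs-signing.cer", "w") as fh:   # then: keytool -importcert -file adfs-signing.cer ...
        fh.write(certs[0])
    print(entity_id, len(certs))
```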
- applicationContext-security.xml
  Change the following:
  - Change the constructor arguments for the epheSamlFilter bean. These constructor-arg values are based on the rule language you define in the ADFS Claim Rules. Argument index 0 takes the user name details and argument 2 takes the group details.
  - If you have created your own keystore, make sure you provide the correct name and path of the keystore file and the keystore password.
  - Make sure the entityId entered here is correct and is the same as the one you will define in ADFS. The entityId is defined in the value attribute of the entityId property name.
  - Make the changes in the metaDataFilter bean and the metaData filter. Make sure to use the correct metadata bean as defined in this file. Provide the correct name for the FederationMetadata.xml file.
  - Based on the secure hash algorithm, comment or uncomment SHA-1 or SHA-256 as controlled by the bean.
  Download the sample applicationContext-Security.xml here.
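To show what the constructor arguments select, and why the entityId must match the relying party trust, here is an added Python example (not Transact's epheSamlFilter code) that takes a SAML response, checks status, audience and validity window, and only then reads the user name and group claims by claim URI. The claim URIs, the entityId ephesoft-transact and the response contents are assumed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:"
NS = {"samlp": SAML + "protocol", "saml": SAML + "assertion"}

# Constructed, unsigned sample response; a real ADFS response is signed and larger.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>ephesoft-transact</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <saml:AttributeValue>Transact-Operators</saml:AttributeValue>
    <saml:AttributeValue>Transact-Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def extract_identity(response_xml, entity_id, username_claim, group_claim, now):
    """Return (username, groups) after checking status, audience and validity window.
    Signature verification is the SAML library's job and is not repeated here."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SAML + "status:Success":
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("assertion or its conditions are missing")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:   # the entityId configured here must be the one ADFS issues for
        raise ValueError("audience %r does not match entityId %r" % (audiences, entity_id))
    if not (_utc(cond.get("NotBefore")) <= _utc(now) < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    claims = {}   # claim URI -> list of values, as the constructor args select them
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if len(claims.get(username_claim, [])) != 1:
        raise ValueError("user name claim is missing or multi-valued")
    return claims[username_claim][0], claims.get(group_claim, [])
```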
Order of SSO configuration
When configuring SSO, perform these tasks in order.
- Generate the JKS files to configure Tomcat over SSL if you do not already have a truststore and keystore.
- Configure Tomcat to use HTTPS.
- Modify the following files:
  - In dcma-batch.properties, change batch.base_http_url.
  - In workflow.properties, change wb.hostURL.
- Change the applicationContext.xml and web.xml files.
- Create the JKS file in the security folder.
- Download the ADFS certificate and FederationMetadata file from ADFS and place them in the security folder.
- Modify the applicationContext-Security file with the changes noted in this topic.
- Download the Transact metadata file and import it to create the relying party trust on ADFS.
- Make sure all the properties are correct for the relying party you created, and create the claim rules.
- Restart the Transact service.
Log on process
When the configuration is complete, the logon process should work as follows:
- Go to the Transact URL. You are redirected to the ADFS logon URL and screen.
- Enter your user name and password.
- You are redirected to the Transact home page, where you have access rights based on your user name.