version | note |
---|---|
ADFS 1.0 | Released with Windows 2003 R2. Built into OS. |
ADFS 1.1 | Released with Windows 2008 and 2008 R2. Built into OS. |
ADFS 2.0 | Released after Windows 2008 / 2008 R2 as a separate download. |
ADFS 2.1 | Windows 2012 |
ADFS 3.0 | Windows 2012 R2 |
- Navigate to Server Manager -> Add roles and features -> Server roles
- Click Next at “Before you begin”
- Select Role-based or feature-based installation and click Next
- Select a server from the server pool and click Next
- Select Active Directory Domain Services. When prompted, check "Include management tools" and click "Add Features".
- Leave the remaining pages at their defaults, clicking Next until the Confirmation page, then click "Install" to install AD DS.
Don’t install ADDS with ADFS at the same time! ADDS first and then ADFS!
- In the left menu of Server Manager, select AD DS. "Configuration required for Active Directory Domain Services at ...." will be displayed in the right pane under "SERVERS"; click "More".
- In the "All Servers Task Details and Notifications" dialog, you'll see the "Configuration required for Active Directory Domain..." message. Click "Promote this server to a domain controller" in the Action column.
- Deployment Configuration will be displayed. Select "Add a new forest". In "Root domain name", type "testdom.local" and click Next.
- Domain Controller Options will be displayed. Select "Windows Server 2012 R2" for both "Forest functional level" and "Domain functional level".
- Type a password of your choice and click Next. Leave the remaining pages, such as NetBIOS, at their defaults, click Next, and click "Install" on the last page.
- The server will restart automatically. Active Directory is now enabled and the user name is displayed as "TESTDOM\Administrator".
- Server Manager -> Add roles and features -> Server roles and click Next at “Before you begin”
- Select Role-based or feature-based installation and click Next
- Select a server from the server pool and click Next
- Select Active Directory Certificate Services. Leave Features, AD CS and Role Services at their defaults and click Next. Click Install on the Confirmation page.
- After installation is finished, in the Results page, click "Configure Active Directory Certificate Services on the destination server".
- AD CS Configuration will open. At Role Services, check only "Certification Authority". Leave everything else at default; the values will be as below.
Parameter | value |
---|---|
CA | Enterprise CA |
CA Type | Root CA |
Private key type | Create a new private key |
Cryptography | RSA#Microsoft Software Key Storage Provider, key length 2048 |
- At the end, click "Configure".
- When configuration is finished, click Close.
- Click close at "Add Roles and Features Wizard" page.
- Click the "PowerShell" button next to the Windows "Start" button and start "Windows PowerShell ISE". In the script window, type the two lines below and click the Run button.

```powershell
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
New-ADServiceAccount FsGmsa -DNSHostName liferay-bdba6af.testdom.local -ServicePrincipalNames http/liferay-bdba6af.testdom.local
```
- You need IIS to generate a self-signed certificate. Go to Server Manager -> Add roles and features -> Server roles and install Web Server (IIS). Leave everything at default, click Next and install.
- Select IIS from the left pane.
- In the Servers pane, select your own server name, right-click to display the context menu, then select "Internet Information Services (IIS) Manager".
- Click your own server name in the left pane.
- In the right pane, Liferay-**** Home, double-click "Server Certificates".
- In the Actions pane (the right pane), click "Create Self-Signed Certificate".
- In the text field "Specify a friendly name for the certificate", type the server's FQDN (in this case, "testdom.local"). Leave "Select a certificate store for the new certificate" as Personal and click OK. The self-signed certificate will be generated.
- In the Connections pane, navigate to Sites -> Default Web Site. In the Actions pane, click Bindings.
- The Site Bindings dialog will be displayed. Configure the https binding as follows:

Parameter | value |
---|---|
Type | https |
IP address | All Unassigned |
Host name | liferay-bdba6af.testdom.local |
Port | 443 |
SSL Certificate | the self-signed certificate you just generated (testdom.local) will appear here; select it |

Also configure the http binding as follows:

Parameter | value |
---|---|
Type | http |
IP address | All Unassigned |
Host name | liferay-bdba6af.testdom.local |
Port | 80 |
- Click OK
Again, Don’t install ADDS with ADFS at the same time! ADDS first and then ADFS!
- Navigate to Server Manager -> Add roles and features -> Server roles, select "Active Directory Federation Services" and install AD FS.
- AD FS configuration requires the self-signed certificate. In the menu, a warning mark will be displayed next to the flag icon; open it and click "Configure the federation service on this server".
- In the Welcome page, select "Create the first federation server in a federation server farm".
- Leave "Connect to AD DS" at default.
- Select the generated self-signed certificate as the SSL Certificate in "Specify Service Properties".
- Type an appropriate name for Federation Service Display Name, say "ADFS".
- In the Specify Service Account page, click Select next to "Use an existing domain user account...". In the popup dialog, click "Advanced". On the right side, click "Find Now"; "Administrator" will be displayed in the pane below, double-click it.
- You'll get back to the original dialog; click OK.
- Type the password for the selected account and click Next.
- Select "Create a database on this server using..." and click Next.
- Leave "Review Options" at default and click Next.
- Ignore the SPN warning. You are set.
- On the top bar, open the "Tools" menu and select "AD FS Management".
- Open Service -> Certificates in the left pane.
- Double-click the "Token-decrypting" certificate; the Certificate dialog will pop up.
- In the Certificate dialog, Details tab, select "Copy to File". Select "Base-64 encoded X.509 (.CER)" and generate a root.cer file.
- Move root.cer to your local machine.
- If it's a Mac, run

```shell
sudo keytool -importcert -trustcacerts -file ./root.cer -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/jre/lib/security/cacerts -alias adfsca
```

- When the keystore password prompt is displayed, type "changeit" and the certificate will be added.
- If it has already been added, delete it first. The delete command is

```shell
sudo keytool -delete -alias adfsca -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit
```
- Open the Tools menu of Server Manager and select "Active Directory Administrative Center".
- In the left pane, select "testdom" and select "Users" in the middle pane, then in the right pane, select "New" and "User".
- Fill in the following fields:

parameter | value |
---|---|
First name | yasuyuki |
Last name | takeo |
User UPN logon | yasuyuki.takeo |
Password | Passw0rd |
Confirm password | Passw0rd |
- And click OK. Don't forget to enable this user!
Add an alias for your host IP. SAML does not allow communication by IP address, so you need to create host aliases.
- On Windows, the hosts file is located at

```
C:\Windows\System32\drivers\etc\hosts
```

- Check your IP with ipconfig, then add your alias to the hosts file as follows (your IP on the left, your domain on the right):

```
192.168.84.139 liferay-bdba6af.testdom.local
```

- On Mac, the hosts file is /etc/hosts (edit it with sudo) and the entry is the same:

```
192.168.84.139 liferay-bdba6af.testdom.local
```
- In ${user_home}, type the command below.

```shell
/Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/bin/keytool -genkey -alias tomcat -keyalg RSA
```

- .keystore will be generated in ${user_home}. Type the password "changeit"; it will be required for server.xml later.
- Navigate to ${tomcat_home}/conf/server.xml and add / modify as follows.
```xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="[keystore_dir]/.keystore" keystorePass="[key_password]" />
```

- [keystore_dir] is the path to the directory where .keystore is located. [key_password] is the password you used when creating the keystore.
- You also need to modify the lines below so that they redirect to 443.

```xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" URIEncoding="UTF-8" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" URIEncoding="UTF-8" />
```
- Save server.xml and start Liferay. Because *nix does not allow a regular user to open a port below 1024, start the server as an administrator:

```shell
sudo ./catalina.sh run
```

- Make sure you can access Liferay at https://localhost. Port 443 is used because ADFS does not seem to allow port numbers in the Relying Party Trust.
Start the Liferay server with sudo, because *nix doesn't allow user applications to bind ports lower than 1024.
When you access Liferay after setting up SAML, use https, or you'll get an error from ADFS because the Relying Party is incompatible.
- Log in to Liferay with test@liferay.com and the password test.
- Navigate to Control Panel -> Apps -> Store and log in to Liferay Marketplace. Search for "Liferay SAML 2.0 Provider" and install it.
- After the portlet is installed successfully, navigate to Control Panel -> Configuration and confirm that "SAML Plugin" is displayed.
key | note |
---|---|
Common tab -> Saml role | Service Provider |
Entity ID | SP (This should be the same as the SP entity ID registered on the IdP. Once you change the Entity ID, you need to fetch the metadata again and recreate the Relying Party Trust on ADFS accordingly.) |
key | note |
---|---|
Country | XX (Any country is fine) |
Key algorithm | RSA |
Key length | 2048 |
For the other fields, populate appropriate values.
Check the fields below:
- Require assertion signature
- SSL required
- Enable LDAP import
When you fetch metadata from the SP and IdP, access them over https; otherwise the servers will generate the metadata URLs with http, which ADFS does not allow for SAML.
key | note |
---|---|
name | ADFS (any name is fine) |
Entity ID | Get the metadata XML from https://[ADFS server name]/FederationMetadata/2007-06/FederationMetadata.xml and set its entityID here. |
Metadata URL | https://[ADFS server name]/FederationMetadata/2007-06/FederationMetadata.xml |
Upload Metadata XML | Upload the XML you fetched from https://[ADFS server name]/FederationMetadata/2007-06/FederationMetadata.xml |
Name Identifier format | Unspecified |
Attribute mappings | get text here |
- Go back to the General tab and check "Enabled" to enable SAML SP.
- Select Server Manager -> Tools -> AD FS Management
- Select Trust Relationships -> Relying Party Trusts and click "Add Relying Party Trust".
- Click "Start". At Select Data Source, select "Import data about the relying party from a file". Download the SP's metadata from https://liferaysp.local/c/portal/saml/metadata, save it to a file, then select it here.
- Ignore the warning. Type "ADFS" for the Display name.
- Leave the rest of the fields at default and click Close at the end.
- At Edit Claim Rules for ADFS, select "Issuance Transform Rules" and click "Add rule". Add the rules according to the following configuration:
- Select "Send LDAP Attributes as Claims" and click Next
- Type "CR" for the Claim rule name
- Select "Active Directory" for the Attribute store.
- Set "Mapping of LDAP attributes to outgoing claim types" as follows:

LDAP Attribute | Outgoing Claim Type |
---|---|
SAM-Account-Name | Common Name |
E-Mail-Address | E-Mail Address |
Given-Name | Given Name |
Surname | Surname |

- Click Finish
- Select "Transform an Incoming Claim" and click Next
- Type "TR" for the "Claim rule name"
- Select "Common Name" for "Incoming Claim type". (you can select it from the pulldown)
- Select "Name ID" for "Outgoing claim type". (you can select it from the pulldown)
- Set Unspecified for the "Outgoing name ID format"
- Select "Pass through all claim values"
- Click Finish
- Back in the AD FS Management Console, in the "Relying Party Trusts" pane, select your own relying party trust (it should be ADFS) and double-click it. The ADFS Properties dialog will be displayed.
- Open the "Advanced" tab in the ADFS Properties dialog, change the hash algorithm to SHA-1 and click OK.
- Requests from ADFS to Liferay must be signed, so run the command below in a PowerShell window. Replace the "ADFS" part with the relying party trust you created.

```powershell
Set-AdfsRelyingPartyTrust -TargetName "ADFS" -SamlResponseSignature MessageAndAssertion
```
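The two claim rules and the signature settings from the steps above, expressed as one PowerShell script so the relying party configuration can be reviewed and reapplied instead of being clicked through. This is an added example, not part of the original post; it assumes the relying party trust is named "ADFS" as in the walkthrough, and the claim-type URIs are the ones AD FS uses behind the display names shown in the wizard.

```powershell
# Added example, not from the original post. Assumption: the relying party
# trust is named "ADFS" as in the walkthrough. Run on the AD FS server in an
# elevated PowerShell session.
$rpName = "ADFS"

# Rule "CR" (Send LDAP Attributes as Claims): the wizard's display names map to
# the LDAP attributes sAMAccountName, mail, givenName, sn and to the claim-type
# URIs AD FS uses for Common Name, E-Mail Address, Given Name and Surname.
# Rule "TR" (Transform an Incoming Claim): Common Name becomes Name ID with the
# "unspecified" name ID format; all claim values are passed through.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "CR"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/CommonName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";sAMAccountName,mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "TR"
c:[Type == "http://schemas.xmlsoap.org/claims/CommonName"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Apply the rules and the two signature settings from the last steps in one
# call. SHA-1 mirrors the "Advanced" tab step above; the SHA-256 URI is
# http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 and is the value to move to
# once the SP side is confirmed to accept it.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $rules `
    -SamlResponseSignature MessageAndAssertion `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Read the trust back so the applied rules and signature settings can be
# reviewed (and kept under version control) rather than trusted from the GUI.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, SamlResponseSignature, SignatureAlgorithm
$rp.IssuanceTransformRules
```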
- Create a user on Liferay (SP) with the same name as the one you created in ADFS (IdP).
- Access https://your-liferay-server-url; you'll be redirected to ADFS and can log in with SSO. If you want to automatically sync user data in Liferay with ADFS, use Liferay's general LDAP integration.
To confirm that users are properly created, enable logging for com.liferay.saml.resolver.DefaultUserResolver in Liferay's Administrator console.