
This is an old revision of the document!


adfs Plugin

Compatible with DokuWiki: hrun
Type: plugin
Description: Provides user authentication against Active Directory Federation Service via SAML 2.0
Last updated on: 2015-01-29
Provides: Auth

This extension has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues.

Similar to authad, saml

Tagged with ad, adfs, saml, sso

Installation

A CosmoCode Plugin

Install the plugin using the Plugin Manager and the download URL above, which points to the latest version of the plugin. Refer to Plugins for how to install plugins manually.

Setup ADFS with SAML 2.0

The plugin was tested with Windows Server 2008. Please note that there is an updated version of the Federation Services for Windows Server 2008 that has to be downloaded separately from Microsoft.

Run the installer and follow the wizard to set up the Federation Services, IIS and the needed certificate. For real-world use a certificate signed by a well-known authority is recommended but not required; a self-signed one will work too.

Your wiki has to be served over SSL as well. ADFS will refuse to work with a relying party that is not reachable over HTTPS, and a browser-trusted certificate on the wiki is highly recommended so users do not get used to clicking through certificate warnings on a login flow.

Once the services are set up, add a new Relying Party Trust in the ADFS snap-in.

For configuration use the following Federation metadata address: https://yourwiki/doku.php?do=adfs where yourwiki is your wiki server's address of course.

Enter any name and description, and select Permit all users to access this relying party. This only controls whether ADFS issues a token; what a logged-in user may read or edit is still governed by the wiki's ACLs, which can use the groups claim configured below.

Finally, run the Edit Claim Rules dialog. Add a new “Issuance Transform Rule” and pick “Send LDAP Attributes as Claims”. Add the following:

  • Claim rule name: User Attributes
  • Attribute Store: Active Directory
  • Mapping of LDAP attributes 1):
    • User-Principal-Name → login
    • E-Mail-Addresses → mail
    • Token-Groups - unqualified Names → groups
    • Display-Name → fullname
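
The same Relying Party Trust and claim rules as the wizard steps above, expressed in PowerShell so the setup is repeatable and reviewable. This is an added example and not part of the plugin's documentation. It assumes the ADFS PowerShell cmdlets are available (the Adfs module on Windows Server 2012 R2 and later; on the separately downloaded ADFS 2.0 for Server 2008 load them with `Add-PSSnapin Microsoft.Adfs.PowerShell` first) and that `https://wiki.example.com` stands in for your wiki address. The claim types on the right-hand side of the LDAP rule are the plain names the plugin expects, which is why they are written out in the rule language rather than picked from a dropdown.

```powershell
# Added example: create the DokuWiki Relying Party Trust and its claim rules.
# Assumptions: ADFS cmdlets loaded; wiki reachable at https://wiki.example.com
$wikiMetadata = 'https://wiki.example.com/doku.php?do=adfs'   # plugin's metadata endpoint (hostname assumed)

# "Send LDAP Attributes as Claims" rule, equivalent to the wizard settings:
#   Claim rule name: User Attributes, Attribute Store: Active Directory,
#   User-Principal-Name -> login, E-Mail-Addresses -> mail,
#   Token-Groups - Unqualified Names -> groups, Display-Name -> fullname.
# The LDAP attribute for "Token-Groups - Unqualified Names" is tokenGroups.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "User Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("login", "mail", "groups", "fullname"), query = ";userPrincipalName,mail,tokenGroups,displayName;{0}", param = c.Value);
'@

# "Permit all users to access this relying party". Authorization beyond
# "is a valid AD user" is left to the wiki's ACLs on the groups claim.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'DokuWiki' `
    -Notes 'DokuWiki adfs plugin (SAML 2.0)' `
    -MetadataUrl $wikiMetadata `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check what ADFS actually imported from the wiki's metadata before testing a login:
# the identifier and the SAML endpoint must be the HTTPS wiki URL.
Get-AdfsRelyingPartyTrust -Name 'DokuWiki' |
    Select-Object Name, Identifier, MetadataUrl, SamlEndpoints, IssuanceTransformRules
```

Run this in an elevated PowerShell session on the ADFS server. If the wiki is not yet reachable over HTTPS with a certificate the ADFS server trusts, the metadata import fails and the trust is not created; fix the wiki's certificate rather than working around the check.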

Configure the Plugin

There are two settings to configure in the Configuration Manager:

  • endpoint: where your ADFS server provides the SAML 2.0 endpoint. It is usually https://<youradfs>/adfs/ls/
  • certificate: the token-signing certificate of the ADFS server you set up above

You can find the certificate in an XML file that is usually available at https://<youradfs>/FederationMetadata/2007-06/FederationMetadata.xml. Look for <IDPSSODescriptor ...><KeyDescriptor use="signing"><X509Certificate>. It should be a long string of base64 characters. Just paste that into the config. Make sure you use the signing key and not the encryption one: the plugin checks the signature on the SAML responses ADFS sends against this certificate, so the wrong key rejects every login. Note that ADFS rolls its token-signing certificate over automatically by default (AutoCertificateRollover); when the certificate changes, logins will fail until you paste the new one into the config, so keep an eye on the expiry date of the certificate you configured.
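
Extracting that certificate by hand from the metadata XML is error-prone, because the file also carries an encryption certificate and signing keys for other roles. The following is an added example, not part of the plugin, that fetches the metadata and pulls out only the IdP signing certificate(s), decodes each one to prove it is a valid X.509 certificate, and prints the subject and expiry so you know when it will roll over. It assumes PowerShell 3 or later (for Invoke-WebRequest) and uses `adfs.example.com` as a placeholder for your ADFS host.

```powershell
# Added example: pull the ADFS token-signing certificate out of FederationMetadata.xml
# for the plugin's "certificate" setting. Host name below is an assumption.
$adfsHost = 'adfs.example.com'
$url = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# If ADFS uses a self-signed TLS cert this call fails; fix trust on this machine
# rather than disabling certificate validation, since the metadata is what you
# are about to trust for every login.
[xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Only the IdP role's use="signing" key verifies SAML responses. The
# use="encryption" key and the keys under SPSSODescriptor/RoleDescriptor
# elsewhere in the file are deliberately not matched by this XPath.
$xpath = '/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]' +
         '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$signing = $md.SelectNodes($xpath, $ns)

if ($signing.Count -eq 0) { throw "No IdP signing certificate found in $url" }
if ($signing.Count -gt 1) {
    # Two signing certs are published while a certificate rollover is in progress.
    Write-Warning ("{0} signing certificates found; run " +
        "Get-AdfsCertificate -CertificateType Token-Signing on the ADFS server " +
        "and use the one with IsPrimary = True.") -f $signing.Count
}

foreach ($node in $signing) {
    # Strip whitespace/newlines so the value pastes cleanly into the config.
    $b64 = $node.InnerText -replace '\s', ''
    # Decode to confirm it really is an X.509 certificate and show when it expires.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        [Convert]::FromBase64String($b64))
    "Subject:    $($cert.Subject)"
    "NotAfter:   $($cert.NotAfter)"
    "Thumbprint: $($cert.Thumbprint)"
    "Value for the plugin 'certificate' setting:"
    $b64
    ""
}
```

Compare the printed thumbprint with the Token-signing certificate shown in the ADFS snap-in under Service > Certificates before pasting the value, and re-run this after any rollover.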

Once everything is set up you can switch the authtype setting in the Configuration Manager to adfs.

Usage

Clicking the login button will bring up the ADFS login form. Users can log in with their Active Directory user name there and will be redirected back to the wiki. If set up correctly, the ADFS form will use Single Sign-On to log users in automatically.

The login is remembered by the wiki. Unless users log out explicitly, subsequent visits will trigger the login process automatically.

Please make sure your users have valid email addresses set in the Active Directory! Otherwise certain DokuWiki features may not work for them.

1) You have to type the right-hand side; these names are not in the dropdown.
plugin/adfs.1424775772.txt.gz · Last modified: 2015-02-24 12:02 by andi

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International