
SAML ADFS SSO

SAML and SSO

The primary role of Security Assertion Markup Language (SAML) in online security is to let you access multiple web applications with one set of login credentials. It works by passing authentication information in a defined format between two parties, usually an identity provider (here Microsoft Active Directory Federation Services, the IdP) and a web application (here NorthGRC, the service provider).


Web applications can leverage SAML via the identity provider to grant access to their users. With this SAML authentication approach, users do not need to remember multiple usernames and passwords. It also benefits service providers by increasing security, primarily because they no longer need to store passwords or handle forgotten-password issues.


SAML Single Sign-On (SSO) is a mechanism built on SAML that lets users log on to multiple web applications after a single login at the identity provider. Because the user only has to log in once, SAML SSO provides a faster, seamless user experience.


The SAML protocol has no direct communication between the Identity Provider (ADFS) and the Service Provider (NorthGRC), so users cannot be imported or synchronized. Users are created in NorthGRC on the fly when they first authenticate with the external SAML IdP (ADFS).

Configuration in NorthGRC

We start with setting information in the service provider (NorthGRC).

  • Open the following URL in your browser and download the file:
    https://<adfsserver>/federationmetadata/2007-06/FederationMetadata.xml
  • In your browser, go to your NorthGRC instance
  • Log in with a User Manager account
  • Navigate to Settings -> Security -> User Directories
  • Select "Add SAML user directory"
  • Set the name to "ADFS" and check "Show button on login page" (do NOT enable SSO yet)
  • Switch to tab "Identity Provider"
    • Locate the downloaded FederationMetadata.xml file and upload it
  • Click the green Create button
  • Click the edit button on the new directory provider you created in the list
  • Switch to tab "SP Information"
    • Copy the SP metadata URL, and use it to download a spMetadata.xml file

Configuration in ADFS

First we will set up ADFS to allow NorthGRC as a Service Provider:

  • Go to AD FS Manager Tool in the Windows Server Manager
  • Select Trust Relationships
  • In the right Actions section, select Add Relying Party Trust…
  • Welcome: Select Start
  • Select Data Source: choose Import data about the relying party from a file, browse to the spMetadata.xml file downloaded from NorthGRC, and then select Next.
  • Specify Display Name: Enter "NorthGRC ISMS" and optional notes, and then select Next.
  • In Choose Access Control Policy
    • Select "Permit everyone" if all users should have access to NorthGRC
    • Recommended: select "Permit specific group" and choose an AD security group of users who should be allowed to access NorthGRC
  • In Ready to add trust, select Next and then Close

Configuration of claims

  • Go to AD FS Manager Tool in the Windows Server Manager
  • Select Trust Relationships
  • In the right Actions section, select Edit Claim Issuance Policy…
  • Select "Add rule"
  • Use the claim rule template Send LDAP Attributes as Claims, then press Next
  • Set Claim rule name: NorthGRC
  • In Attribute store, select: Active Directory
  • Add Claims:
    • E-Mail-addresses -> email
    • Display-Name -> displayName
    • Token-Groups - Unqualified Names -> groups
  • Select Finish
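As an added example (not NorthGRC's or Microsoft's own script), the relying party trust and the claim rule from the two sections above expressed with the AD FS PowerShell module, run in an elevated session on an AD FS 2016 or later server (where access control policies exist). The metadata path and the security group name are assumptions; the claim rule is the rule-language form of the "Send LDAP Attributes as Claims" template with the three mappings listed above.

```powershell
# Added example, not NorthGRC's or Microsoft's own script.
# Creates the NorthGRC relying party trust from the spMetadata.xml downloaded
# from NorthGRC and adds the "Send LDAP Attributes as Claims" rule.
Import-Module ADFS

$metadataFile = 'C:\Temp\spMetadata.xml'     # assumption: where you saved the SP metadata
$displayName  = 'NorthGRC ISMS'
$allowedGroup = 'CONTOSO\NorthGRC-Users'     # assumption: AD security group for "Permit specific group"

# Rule-language equivalent of the wizard rule: emits the three claim types
# NorthGRC reads (email, displayName, groups). "Token-Groups - Unqualified
# Names" is the tokenGroups attribute; E-Mail-Addresses is the LDAP mail attribute.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "NorthGRC"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "displayName", "groups"), query = ";mail,displayName,tokenGroups;{0}", param = c.Value);
'@

# Create the trust from the SP metadata. This imports the entityID, the
# assertion consumer service URL and the SP signing certificate (if published).
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $claimRules

# Restrict who may authenticate, matching "Permit specific group".
# Assumption: the policy parameter is given as the DOMAIN\group name.
Set-AdfsRelyingPartyTrust -TargetName $displayName `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters $allowedGroup

# Check: confirm what was imported before testing a login.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, AccessControlPolicyName, IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust call is the check worth doing before the Testing step: the Identifier must match the Service Provider ID shown in the NorthGRC "SP Information" tab, and SamlEndpoints must contain the NorthGRC assertion consumer URL, otherwise AD FS will reject the authentication request.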

Testing

After the configuration in NorthGRC, and after logging out, you might have to reload the page.

When testing the login, we recommend using a fresh "incognito" (private) browser window for each test, so that previously saved authentication is not reused.

Groups and Teams

Once one or more users have logged in via ADFS, log in with a user that has the User Manager role in NorthGRC. Go to Settings -> Security -> AD Groups and note the names of the groups you want to grant access to. Navigate to Security -> Teams and add the AD groups to the Teams.

When new users log in and are members of those AD groups, they are given access to all elements linked to any of the mapped teams.

SSO

When everything works and teams are mapped, enable SSO in the directory settings; users will then no longer see the NorthGRC login page.

Claims

We accept a number of different claim keys to support multiple directory providers.

E-mail claims

"email", "urn:oid:1.2.840.113549.1.9.1", "e-mail address", "e-mail-addresses"

Name claims

In the following order:

  • "displayname"
  • "name"
  • "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  • "unique_name"
  • "givenname" + "surname"
  • "urn:oid:2.5.4.42" + "urn:oid:2.5.4.4"
  • "commonname"
  • "edupersonprincipalname"
  • "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"

Groups claim keys

"adgroups", "affiliationgroups", "edupersonaffiliation", "urn:oid:1.3.6.1.4.1.5923.1.5.1.1", "role", "group", "groups"
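As an added example (not NorthGRC's own code, whose resolution logic is not published), the three key lists above applied to the AttributeStatement of a SAML assertion: the first e-mail key found wins, name candidates are tried in the documented order (a "+" pair such as givenname + surname only matches when both are present and is joined with a space), and every group key present contributes its values. The assertion is constructed for the example.

```powershell
# Added example, not NorthGRC's own code. The assertion below is constructed.
$assertionXml = [xml]@'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ISMS-Admins</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

$samlNs = 'urn:oasis:names:tc:SAML:2.0:assertion'

function Get-SamlAttributes([xml]$Assertion) {
    # Map lowercased attribute name -> array of string values.
    $attrs = @{}
    foreach ($a in $Assertion.GetElementsByTagName('Attribute', $samlNs)) {
        $values = @($a.GetElementsByTagName('AttributeValue', $samlNs) | ForEach-Object { $_.InnerText })
        $attrs[$a.GetAttribute('Name').ToLowerInvariant()] = $values
    }
    return $attrs
}

# Key lists as documented above (compared case-insensitively).
$emailKeys = 'email', 'urn:oid:1.2.840.113549.1.9.1', 'e-mail address', 'e-mail-addresses'
# Each entry is a combination of keys; multi-key entries are joined with a space.
$nameKeys = @(
    @('displayname'),
    @('name'),
    @('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'),
    @('unique_name'),
    @('givenname', 'surname'),
    @('urn:oid:2.5.4.42', 'urn:oid:2.5.4.4'),
    @('commonname'),
    @('edupersonprincipalname'),
    @('urn:oid:1.3.6.1.4.1.5923.1.1.1.6')
)
$groupKeys = 'adgroups', 'affiliationgroups', 'edupersonaffiliation', 'urn:oid:1.3.6.1.4.1.5923.1.5.1.1', 'role', 'group', 'groups'

function Resolve-Claims([hashtable]$Attrs) {
    # First e-mail key present wins.
    $emailKey = $emailKeys | Where-Object { $Attrs.ContainsKey($_) } | Select-Object -First 1

    # First name combination whose keys are all present wins.
    $name = $null
    foreach ($combo in $nameKeys) {
        $missing = @($combo | Where-Object { -not $Attrs.ContainsKey($_) })
        if ($missing.Count -eq 0) {
            $name = ($combo | ForEach-Object { $Attrs[$_][0] }) -join ' '
            break
        }
    }

    # Every group key present contributes all of its values.
    $groups = @()
    foreach ($k in $groupKeys) {
        if ($Attrs.ContainsKey($k)) { $groups += $Attrs[$k] }
    }

    [pscustomobject]@{
        Email  = if ($emailKey) { $Attrs[$emailKey][0] } else { $null }
        Name   = $name
        Groups = $groups
    }
}

Resolve-Claims (Get-SamlAttributes $assertionXml)
```

In the constructed assertion no displayname, name or unique_name attribute is present, so the display name is taken from the givenname + surname pair; with the ADFS rule from the claims section, displayName is emitted directly and is matched earlier in the list. Running this against a test assertion is a quick way to see which claim an IdP must emit before the first user logs in.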



Appendix: Manually Configure Trust

If the metadata.xml file cannot be used, a simple trust can be set up as follows (without the signing certificate):


First we will set up ADFS to allow NorthGRC as a Service Provider:

  • Go to AD FS Manager Tool in the Windows Server Manager
  • Select Trust Relationships
  • In the right Actions section, select Add Relying Party Trust…
  • Welcome: Select Start
  • Select Data Source: Select Enter data about the relying party manually, and then select Next.
  • Specify Display Name: Enter "NorthGRC ISMS" and optional notes, and then select Next.
  • In the Configure Certificate page: Select Next
  • Configure URL: Select the Enable support for the SAML 2.0 WebSSO protocol check box
    • In Relying party SAML 2.0 SSO service URL, enter the
      <assertion URL from NorthGRC SP configuration>
  • Configure Identities: Add <Service Provider ID from NorthGRC configuration> and select Next.
  • In Choose Access Control Policy
    • Select "Permit everyone" if all users should have access to NorthGRC
    • Recommended: select "Permit specific group" and choose an AD security group of users who should be allowed to access NorthGRC
  • In Ready to add trust, select Next and then Close
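As an added example (not NorthGRC's or Microsoft's own script), the manual trust from this appendix created with the AD FS PowerShell module on AD FS 2016 or later. The identifier and assertion URL are assumptions; take the real values from the NorthGRC "SP Information" tab. The claim rule is added separately, as in the "Configuration of claims" section.

```powershell
# Added example, not NorthGRC's or Microsoft's own script.
# Manual relying party trust without SP metadata (and so without the SP signing certificate).
Import-Module ADFS

$displayName  = 'NorthGRC ISMS'
$spIdentifier = 'https://northgrc.example.com/saml/metadata'   # assumption: Service Provider ID from NorthGRC
$assertionUrl = 'https://northgrc.example.com/saml/acs'        # assumption: assertion URL from NorthGRC
$allowedGroup = 'CONTOSO\NorthGRC-Users'                       # assumption: AD security group

# "Relying party SAML 2.0 SSO service URL": the HTTP-POST assertion consumer endpoint.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $assertionUrl -Index 0 -IsDefault $true

# "Configure Identities" plus the endpoint, in one call.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $spIdentifier `
    -SamlEndpoint $acs

# "Permit specific group". Assumption: the parameter is given as the DOMAIN\group name.
Set-AdfsRelyingPartyTrust -TargetName $displayName `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters $allowedGroup

# Check: with no SP signing certificate on the trust, AD FS cannot verify signed
# authentication requests, so this setting must stay $false (the default).
(Get-AdfsRelyingPartyTrust -Name $displayName).SignedSamlRequestsRequired
```

Because this trust carries no SP certificate, keep SignedSamlRequestsRequired at its default of $false; if it is turned on, every login from NorthGRC will fail signature validation. Prefer the metadata import from the main procedure whenever the spMetadata.xml file is available.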