
Configure SAML with ADFS as Identity Provider and CA API Developer Portal as Service Provider

Blog Post created by sinsu17 Employee on Jul 17, 2018

Introduction

This post explains the configuration required for SAML authentication between CA API Developer Portal and ADFS (Active Directory Federation Services). ADFS acts as the Identity Provider and CA API Developer Portal acts as the Service Provider.

SAML

The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider.
For more info on SAML:- http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html  
SAML 2.0 - Wikipedia 

CA API Developer Portal

The developer portal is a key component of your full lifecycle API management solution and is where your API owner can control how APIs are published, your developers discover what services you have available and your operations team can keep an eye on performance.

For more info:- CA API Developer Portal - CA Technologies 

ADFS (Active Directory Federation Services)

Active Directory Federation Services (AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.

For more info:- Windows Server 2012 AD FS Deployment Guide | Microsoft Docs 

Active Directory Federation Services - Wikipedia 

Prerequisites

The configuration in this blog assumes you have installed:-

  1. CA API Developer Portal version 4.2.8 or later 
  2. ADFS 3.0

Configuration

This section contains the configuration required for SAML on both the IDP (Identity Provider) and SP (Service Provider) side. The ADFS used here is installed on Windows Server 2012 R2, which means it is ADFS 3.0, and the CA API Developer Portal used is 4.2.8.

Note:-

Values have to be copied in both directions between CA API Developer Portal and ADFS. We will therefore first create the CA API Developer Portal configuration with placeholder values for the Identity Provider and replace them after ADFS has been configured.

CA API Developer Portal (Dummy Configuration)

Log in to the Portal with the administrator credentials. Click on the gear icon at the top right to open the list of Settings. Select "Authentication" from the list; it shows all the authentication schemes configured. By default only the one default auth scheme is present.

Steps

  1. Click on Add Authentication Scheme button.
  2. Select SAML SSO and Click Next
  3. Add Basic Details in the Provider Name and Description and click Next
  4. In Identity Provider URL and Issuer ID type placeholder values; they will be replaced after ADFS is configured. Also upload a placeholder certificate after clicking on Upload Trusted Certificate. (This step is needed only because the ADFS values are not available yet; if you already have them, enter the real values here and the Final Configuration section below can be skipped.)
    Identity Provider URL -> https://dummyurl.com
    Issuer ID -> dummyid
    Upload Trusted Certificate -> give a dummy file
    Note: while the placeholder certificate is in place no SAML response can pass signature validation, so logins through this scheme will fail until the real certificate is uploaded.
  5. Leave the other fields at their defaults and scroll down to click on Next. Copy "Assertion Consumer Service (ACS) URL" and "Service Provider ID" and keep them aside. Both values are required while configuring ADFS (the ACS URL becomes the relying party's SAML 2.0 WebSSO endpoint and the Service Provider ID becomes the relying party trust identifier).
    ACS URL i.e. https://demo.app.dev1.w2.saasqa.ca.com/api/demo/authenticate/saml/response/76ff3ae5-d225-46b7-8e0d-01d03589d285
    Service Provider ID i.e. https://demo.app.dev1.w2.saasqa.ca.com
  6. The Attribute Mapping section defines the attribute names the Portal reads from the SAML response. Enter the names that your ADFS will issue as outgoing claim types; the same names must be used when creating the ADFS claim rule.
    Email -> mail
    First Name -> givenName
    Last Name -> sn
    Login -> login
    Organization -> organization
    Role -> memberOf
  7. Scroll down to the Role Mapping section and map each Portal role to the ADFS group value that will be returned in the SAML response as a value of the "Role" attribute (memberOf) configured above. 
    Click on Create to complete the creation of the SAML Authentication Scheme on the Portal.

    Portal Administrator -> admin

    Note: In this example a SAML response whose memberOf attribute contains the value "admin" will be allowed to log in to the Portal as Portal Administrator.
  8. You will land on Authentication Schemes page and can find SAML ADFS Demo Auth Scheme created there.


ADFS

On the Windows Server 2012 R2 machine, open Server Manager.

  1. Click on Tools and select AD FS Management
  2. In the AD FS window expand "Trust Relationships", right click on "Relying Party Trusts" and select "Add Relying Party Trust"
  3. Click on Start
  4. Select "Enter data about the relying party manually" and click on Next
  5. Enter a Display Name and click Next
  6. Select AD FS profile and click Next
  7. Click on Next without providing an encryption certificate. (The assertion is then signed but not encrypted; it is protected in transit by TLS on the Portal's ACS URL.)
  8. Select "Enable support for the SAML 2.0 WebSSO protocol", paste the ACS URL copied in Step 5 of CA API Developer Portal (Dummy Configuration) and click Next
  9. In "Relying party trust identifier" paste the value of "Service Provider ID" copied in Step 5 of CA API Developer Portal (Dummy Configuration) and click Add


  10. Click Next to move on to the next screen
  11. Select "I do not want to configure multi-factor authentication settings for this relying party trust at this time" and click Next 
  12. Select "Permit all users to access this relying party" and click Next. (For production, restrict the issuance authorization rule to the AD groups that are mapped to Portal roles, so that only those users can obtain an assertion for the Portal.)
  13. Review the values and click Next


  14. Check "Open the Edit Claim Rules dialog..." and click on Close.
  15. In the Edit Claim Rules screen, on the "Issuance Transform Rules" tab click on "Add Rule..."
  16. Select the claim rule template "Send LDAP Attributes as Claims" and click Next 
  17. Give the claim rule the name "Map LDAP Attributes to CA API Developer Portal" and select Active Directory as the Attribute store.
  18. Select SAM-Account-Name in "LDAP Attribute"
  19. Select Name ID in "Outgoing Claim Type"
  20. Now map all the attributes provided in Step 6 of CA API Developer Portal (Dummy Configuration). Start with Email: select E-Mail-Addresses from "LDAP Attribute"
  21. Type "mail" in "Outgoing Claim Type" (this is the value given for Email in Step 6 above; the outgoing claim type must match the Portal attribute mapping exactly)
  22. Similarly provide all the values mapped earlier in the Portal and click Finish.
    Given-Name -> givenName
    Surname -> sn
    User-Principal-Name -> login
    Company -> organization
    Token-Groups - Unqualified Names -> memberOf

    Note: Unqualified group names are what the Portal role mapping compares against. In a forest with more than one domain, identically named groups in different domains would be indistinguishable in the assertion; in that case prefer "Token-Groups - Qualified by Domain Name" and use the qualified names in the Portal role mapping.

  23. Click Apply and then OK to save the configuration

  24. Under Relying Party Trusts you can now see "Demo with CA API developer Portal" listed

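The same relying party trust can be scripted with the ADFS PowerShell module, which also makes the claim rule text visible (the console wizard hides it). The following is an added example, not code from the original post or from CA; it uses the post's example ACS URL, Service Provider ID and display name, and must be run in an elevated PowerShell session on the ADFS server. The tighter authorization rule shown in a comment uses a placeholder group SID and is an assumption about your environment.

```powershell
# Added example (not from the original post): build the relying party trust
# for CA API Developer Portal with the ADFS module instead of the wizard.
# Run elevated on the ADFS server (Windows Server 2012 R2 / ADFS 3.0).
Import-Module ADFS

# Values copied from Step 5 of the Portal's dummy configuration (post's examples).
$displayName = 'Demo with CA API developer Portal'
$spId        = 'https://demo.app.dev1.w2.saasqa.ca.com'
$acsUrl      = 'https://demo.app.dev1.w2.saasqa.ca.com/api/demo/authenticate/saml/response/76ff3ae5-d225-46b7-8e0d-01d03589d285'

# Step 8 of the wizard: the Portal ACS URL as a SAML 2.0 WebSSO endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $acsUrl -Index 0

# Steps 15-22: what the "Send LDAP Attributes as Claims" template generates.
# Name ID <- sAMAccountName, then the custom claim types the Portal attribute mapping expects.
# The outgoing claim type names must match the Portal mapping exactly.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Map LDAP Attributes to CA API Developer Portal"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "mail", "givenName", "sn", "login", "organization", "memberOf"),
          query = ";sAMAccountName,mail,givenName,sn,userPrincipalName,company,tokenGroups;{0}",
          param = c.Value);
'@

# Step 12 of the wizard: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
# Tighter production alternative (assumption: replace the placeholder with the SID of
# the AD group that is allowed to use the Portal):
#   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<domain>-<rid>"]
#    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $spId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Verify what was created (Step 24 of the wizard).
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

The `-SignatureAlgorithm` value pins SHA-256 for the assertion signature; ADFS 3.0 already defaults to it, but stating it explicitly avoids a trust silently created with SHA-1 when the script is reused elsewhere.
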
Fetch ADFS Configuration

Fetch Issuer ID:-

On the Windows Server 2012 R2 machine, open Server Manager.

  1. Click on Tools and select AD FS Management
  2. In the AD FS window, right click on Service and select "Edit Federation Service Properties".
  3. On the General tab, note the value of "Federation Service Identifier"; this is the Issuer ID used in the SAML configuration on the Portal. Click Cancel to close the Properties window. 
    "Federation Service Identifier" i.e. http://demowithca/adfs/services/trust

    Fetch Identity Provider URL:-

  4. Expand Service, click on Endpoints and find the endpoint with Type "SAML 2.0/WS-Federation". 
    Its URL path would be something like /adfs/ls/
    So the URL for this endpoint would be:-
    https://<machinehostname>/adfs/ls/
    e.g. https://cademohostname.com/adfs/ls/ 

    Fetch ADFS Certificate:-

  5. Expand Service and click on Certificates. Right click the primary Token-signing certificate and select View Certificate.

  6. Click on the "Details" tab and then click on "Copy to File..."
  7. On the Certificate Export Wizard welcome screen click Next
  8. In Export File Format, choose "Base-64 encoded X.509 (.CER)" and click Next
  9. Provide a file name, say "adfscert.cer", and click Next
  10. Keep track of the file location and click Finish. 
    Note: This certificate is required for the SAML configuration on CA API Developer Portal. It is the certificate the Portal uses to validate assertion signatures, so when ADFS rolls the token-signing certificate over (with AutoCertificateRollover enabled ADFS generates a new one before the current one expires) the new certificate must be uploaded to the Portal, otherwise logins fail signature validation.

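The three values above can also be read directly on the ADFS server with the ADFS module, which avoids mis-typing the identifier or exporting the wrong certificate. This is an added example, not from the original post or from CA; it must be run in an elevated PowerShell session on the ADFS server, and the output path C:\temp\adfscert.cer is an assumption.

```powershell
# Added example (not from the original post): fetch Issuer ID, Identity Provider URL
# and the Base-64 token-signing certificate that the Portal SAML scheme needs.
Import-Module ADFS
$props = Get-AdfsProperties

# 1. Issuer ID == Federation Service Identifier (e.g. http://demowithca/adfs/services/trust)
$issuerId = $props.Identifier.AbsoluteUri
"Issuer ID                : $issuerId"

# 2. Identity Provider URL == the enabled SAML 2.0/WS-Federation endpoint (/adfs/ls/)
#    Use the federation service name as ADFS publishes it; this is the hostname
#    the Portal must be given, not an alias.
$sso = Get-AdfsEndpoint | Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled }
$idpUrl = 'https://{0}{1}' -f $props.HostName, $sso.AddressPath
"Identity Provider URL    : $idpUrl"

# 3. Primary token-signing certificate, exported as Base-64 encoded X.509 (.CER),
#    the same format the console's Certificate Export Wizard produces.
$signing = Get-AdfsCertificate -CertificateType 'Token-Signing' | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"

$outFile = 'C:\temp\adfscert.cer'   # assumption: any writable path works
New-Item -ItemType Directory -Force -Path (Split-Path $outFile) | Out-Null
Set-Content -Path $outFile -Value $pem -Encoding Ascii
"Token-signing certificate: $($signing.Certificate.Subject)"
"  thumbprint             : $($signing.Thumbprint)"
"  valid until            : $($signing.Certificate.NotAfter)"
"  exported to            : $outFile"

# Rollover reminder: when this is True, ADFS will mint a new token-signing
# certificate before NotAfter and the Portal must be updated with it.
"AutoCertificateRollover  : $($props.AutoCertificateRollover)"
```

Compare the printed thumbprint with the one shown in the ADFS console under Service > Certificates before uploading the file, and diary the NotAfter date; a Portal still trusting the previous certificate after rollover is the usual cause of SAML logins that "suddenly" stop working.
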
CA API Developer Portal (Final Configuration)

This configuration finalises the federation between ADFS and CA Portal. Edit the previously created placeholder configuration and replace the placeholder values with the actual values fetched in the ADFS section above.

  1. Go to the Authentication Schemes page and click on Edit for the previously added configuration "SAML ADFS Demo".
  2. Click on Provider Configuration; the page shows the placeholder values set earlier.
  3. Replace the values with those collected in the "Fetch ADFS Configuration" section. 
    In Identity Provider URL paste the value copied in "Fetch Identity Provider URL" (Step 4)
           Note:- Use the federation service hostname exactly as ADFS publishes it; ADFS also puts that name in the SAML response, and a mismatch will cause the Portal to reject the response.
    In Issuer ID paste the value copied as "Federation Service Identifier" in "Fetch Issuer ID" (Step 3)
    In Upload Trusted Certificate upload the certificate file exported in "Fetch ADFS Certificate" (Step 10)

    Identity Provider URL -> https://cademohostname.com/adfs/ls/ 
    Issuer Id -> http://demowithca/adfs/services/trust 
    Upload Trusted Certificate -> adfscert.cer
  4. Keep the Service Provider Configuration as is and click on Next
  5. Keep the Attribute Mappings unchanged; the same names were used as outgoing claim types in the ADFS claim rule.
  6. Change the Portal Role Mappings to the AD group names that users carry in the memberOf attribute and click on Save.
    Portal Administrator -> Schema Admins
    Api Owner -> portalgroup
    Org Administrator -> orgadmingroup
    Developer -> developergroup

    Note: This role mapping is what logs a user in with the corresponding Portal role. In this example all users who are members of the group "Schema Admins" will log in as Portal Administrator and members of "portalgroup" will log in as API Owner in CA Portal. Similarly, users belonging to orgadmingroup and developergroup will log in to the Portal with the corresponding privileges in their existing Organization, as mapped through the Organization attribute in Attribute Mapping. "Schema Admins" is a highly privileged built-in AD group and is used here only for demonstration; in production create a dedicated group for Portal administrators rather than reusing a domain-level administrative group.
  7. Click Save; the configuration is stored and you return to the Authentication Schemes page.

Login into CA API Developer Portal with ADFS

  1. In Active Directory check the properties of the user that will log in to CA Portal. In this example we use the user "Demo Ca Portal", whose user logon name is "demoadfs" and who is a member of "portalgroup". Make sure the user's First name, Last name and E-mail are populated, since the claim rule reads them.
  2. Open the tenant home page in CA API Developer Portal, click on Login and then choose "SAML ADFS Demo" from the list of authentication schemes.
  3. You are redirected to the ADFS login page, which asks for credentials. Enter them and click Sign In.
  4. You land on the CA Portal page logged in with the "API Owner" role, because the user is a member of "portalgroup", which is mapped to that role.

After this you have successfully configured CA Portal with ADFS and you can edit the role mappings to reflect the actual permissions required to login for the users.

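When a login lands in the wrong role or is rejected, the quickest check is to decode the SAMLResponse form value that the browser POSTs to the Portal's ACS URL (visible in the browser developer tools) and compare issuer, audience and attribute names with what the Portal was configured with. The function below is an added example, not from the original post or from CA; the response it is run on is a constructed, unsigned sample that mirrors the attribute names used in this post (the e-mail domain and organization value are made up), whereas a real ADFS response is signed and considerably larger.

```powershell
# Added example (not from the original post): summarise a base64 SAMLResponse
# so it can be checked against the Portal's Issuer ID and Attribute Mapping.
function Get-SamlResponseSummary {
    param([Parameter(Mandatory)][string]$Base64Response)

    $xml = [xml]([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response)))
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $assertion = $xml.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    $attrs = @{}
    foreach ($a in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        # GetAttribute avoids the clash between the XML attribute "Name" and XmlElement.Name
        $attrs[$a.GetAttribute('Name')] = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    [pscustomobject]@{
        Destination = $xml.DocumentElement.GetAttribute('Destination')   # must equal the Portal ACS URL
        Issuer      = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
        Audience    = $assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns).InnerText
        NameID      = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText
        # Presence only; signature verification is the Portal's job, against the uploaded certificate.
        HasSignature = $null -ne $assertion.SelectSingleNode('ds:Signature', $ns)
        Attributes  = $attrs
    }
}

# Constructed sample response (unsigned, for illustration only).
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2018-07-17T10:00:00Z" Destination="https://demo.app.dev1.w2.saasqa.ca.com/api/demo/authenticate/saml/response/76ff3ae5-d225-46b7-8e0d-01d03589d285">
  <saml:Issuer>http://demowithca/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-07-17T10:00:00Z">
    <saml:Issuer>http://demowithca/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>demoadfs</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://demo.app.dev1.w2.saasqa.ca.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>demoadfs@demowithca.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Demo</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Ca Portal</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="login"><saml:AttributeValue>demoadfs@demowithca.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="organization"><saml:AttributeValue>Demo Org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>Domain Users</saml:AttributeValue><saml:AttributeValue>portalgroup</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$base64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
$summary = Get-SamlResponseSummary -Base64Response $base64
$summary | Format-List

# Checks against the Portal configuration from this post.
$expectedIssuer = 'http://demowithca/adfs/services/trust'
$expectedSpId   = 'https://demo.app.dev1.w2.saasqa.ca.com'
$expectedAttrs  = 'mail', 'givenName', 'sn', 'login', 'organization', 'memberOf'

if ($summary.Issuer -ne $expectedIssuer) { Write-Warning "Issuer '$($summary.Issuer)' does not match the Portal Issuer ID" }
if ($summary.Audience -ne $expectedSpId)  { Write-Warning "Audience '$($summary.Audience)' does not match the Service Provider ID" }
$missing = $expectedAttrs | Where-Object { -not $summary.Attributes.ContainsKey($_) }
if ($missing) { Write-Warning "Assertion lacks attributes mapped in the Portal: $($missing -join ', ')" }
if ($summary.Attributes['memberOf'] -contains 'portalgroup') { 'memberOf contains portalgroup -> user logs in as API Owner' }
```

Run it on a real capture by pasting the SAMLResponse form value into `-Base64Response`. A missing attribute usually means the outgoing claim type name in the ADFS rule differs from the Portal mapping, and a memberOf list without the expected group means the user is not a (transitive) member of it, since Token-Groups is evaluated from the user's token.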