Basic configuration

To configure Transact in a basic configuration with ADFS over SAML 2.0, follow the instructions in this topic.

Components

The following components require additional configuration to support ADFS over SAML 2.0.

server.xml

  1. Configure connection port 8443.

  2. Comment out connection port 8080.

  3. Restart the Transact service and verify that the server responds over HTTPS.

application-context.xml

In application-context.xml, uncomment the following line:

  <import resource="classpath:/META-INF/applicationContext-security.xml"/>

web.xml

  1. Uncomment the springSecurityFilterChain filter and its filter mapping.

  2. Comment out sessionTimeoutFilter and its filter mapping.

  3. Comment out SessionTimeoutServlet and its servlet mapping.

  4. Comment out all security-constraints.

  5. Comment out login-config nodes.

  6. Place the authentication filter and its filter mapping below springSecurityFilterChain.

  7. Update the logout URL so that it points to the correct port and path.

  8. Select the appropriate value for the authenticationType bean:

    • 1 for authentication only.

    • 2 for authentication and authorization.

  9. Restart the Transact service after making the change.

Active Directory Federation Services

  1. Test the ADFS sign-on link:

    https://<domainname>/adfs/ls/idpinitiatedsignon

  2. Download the Transact metadata file from the Transact server:

    1. On the server, go to:

      https://localhost:8443/dcma/saml/metadataurl

    2. Copy the file to the ADFS server.

  3. Configure ADFS as follows:

    1. Select ADFS Management > Relying Party Trust.

    2. Import the Transact metaDataURL file.

    3. Add Claim Rules.

    4. Double-click the relying party, select Trust > Advanced, and change the secure hash algorithm to SHA-1.

    5. Select ADFS Management > Certificates.

    6. Export all the certificates in DER format.

applicationContext-security.xml

  1. Download the ADFS federation metadata file from https://<domainname>/FederationMetadata/2007-06/FederationMetadata.xml and save it to a secure folder.

  2. Update the constructor arguments of the epheSamFilter bean.

  3. Update the metaDataFilter bean and the metaData filter definition.

samlKeystore.jks

Use the keytool import command to import the ADFS certificates into the samlKeystore.jks file.
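The keytool import step above, as an added shell example that is not part of the Transact documentation: it imports every exported DER certificate from a folder into samlKeystore.jks, prints each fingerprint for comparison with ADFS Management, and skips aliases that already exist. The .cer file names, the "adfs-" alias prefix and the keystore password are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Transact documentation: import every DER-encoded
# ADFS certificate (*.cer) from a folder into samlKeystore.jks, one alias per file.
# Assumptions: the .cer file names, the alias prefix "adfs-" and the keystore
# password below are placeholders; keytool is on PATH.
set -eu

KEYSTORE="${KEYSTORE:-samlKeystore.jks}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder; use the real keystore password

# has_alias ALIAS: succeeds if ALIAS is already present in the keystore
has_alias() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# import_adfs_certs DIR: imports DIR/*.cer, skipping aliases that already exist.
# Fails if DIR holds no .cer files or if keytool rejects a certificate.
import_adfs_certs() {
  dir="$1"
  found=0
  for cer in "$dir"/*.cer; do
    [ -f "$cer" ] || continue
    found=1
    alias="adfs-$(basename "$cer" .cer)"
    if has_alias "$alias"; then
      echo "alias $alias already present in $KEYSTORE, skipping"
      continue
    fi
    # Print the fingerprint so it can be compared with the value shown in
    # ADFS Management before the certificate is trusted
    keytool -printcert -file "$cer"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cer" \
      -keystore "$KEYSTORE" -storepass "$STOREPASS"
  done
  [ "$found" -eq 1 ]
}

# Usage: import_adfs_certs /path/to/exported/adfs/certs
```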

tomcat-users.xml

If authenticationType is set to 1, add the user name and roleName to the tomcat-users.xml file, which is then used to authorize the user.

Troubleshooting

  • Make sure the unique identity is the same in Transact and ADFS.

  • To extract the ADFS rule names:

    1. Click Relying Party Trust.

    2. Edit Claim Rules.

    3. Click the rule that you wish to configure in epheSamFilter bean in applicationContext-security.xml file.

    4. Click Edit Rule and view the rule language.

    5. Copy the rule language from the window that opens.

  • Make sure Signature Algorithm is set to SHA-1.

  • Make sure entityId and entityBaseURL are correctly configured in the metadataGeneratorFilter bean.

  • Make sure that the endpoints in ADFS are correctly configured.