Authentication Type 1 on Apache Tomcat

To configure Transact in a configuration with ADFS over SAML 2.0 with Authentication Type 1 on Apache Tomcat, follow the instructions in this topic.

Authentication with SSO on Tomcat works as follows:

  • Transact only provides authentication details to the Identity Provider.

  • The Identity Provider verifies the validity of the user and sends back acknowledgment as a part of SAML Response.

  • If the validation is successful, the selected authorization method is taken into consideration. If user.connection is set to 2, authorization is handled as defined in tomcat-users.xml.

  • The user name received in the response is matched against the records in the tomcat-users.xml file; if a matching entry is found, its role details are selected.

  • If this role matches the value of user.super_admin in the application.properties file (for example, user.super_admin=admin), the user is granted Super Admin access.

Prerequisites

This configuration requires the following to be installed.

  • Active Directory Federation Services

  • Active Directory

  • Ephesoft Transact

You also need to configure the following:

  • server.xml

  • applicationContext.xml

  • web.xml

  • applicationContext-Security.xml

  • dcma-batch.properties

  • Transact SAML metadata file (to be imported at the Transact side)

  • ADFS Federation metadata file

  • Valid keystore (JKS) for importing ADFS certificate

  • application.properties

  • user-connectivity.properties

  • tomcat-users.xml

Order of configuration

When configuring Transact with ADFS over SAML 2.0 with Authentication Type 1 on Apache Tomcat, perform these tasks in order.

  1. Generate JKS files to configure Tomcat over SSL if you do not already have a truststore and keystore.
  2. Configure Tomcat to use https.
  3. Modify the following files:
    • In dcma-batch.properties, change batch.base_http_url.

    • In workflow.properties, change wb.hostURL.

  4. Change the applicationContext.xml and web.xml files.
  5. If desired, create the JKS file in the security folder.
  6. Download the ADFS certificate and FederationMetadata file from ADFS and place them in the security folder.
  7. Modify the applicationContext-Security file with the changes noted in this topic.
  8. Modify the following files:
    • user-connectivity.properties

    • tomcat-users.xml

    • application.properties

  9. Download the Transact metadata file and import the file to create relying party trust on ADFS.
  10. Make sure all the properties are correct for the relying party you created, and create claim rules.
  11. Restart the Transact service.

Components

The following components require additional configuration. You also need to configure ADFS as shown in ADFS configuration requirements.

server.xml

Change the following:

  • Configure connection port 8443.

  • Comment out connection port 8080.

When you are finished, restart the Transact service and verify if it works over https.

Note the following:

  • You can configure any port over HTTPS. This topic shows how to configure Tomcat with SSL over port 8443.

  • To generate truststore and keystore, see Set SSL/TLS in Tomcat.

  • Download the sample server.xml from here.
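The two connector changes above, shown as an added example that is not Ephesoft's sample server.xml. It assumes Tomcat 8.5 or later (the SSLHostConfig syntax) and a keystore at conf/keystore.jks; the path and password are placeholders to replace with the truststore/keystore you generated.

```xml
<!-- Added example (not Ephesoft's sample server.xml): a Tomcat 8.5+/9 Connector
     that serves HTTPS on port 8443. Keystore path and password are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true">
    <!-- Offer only TLS 1.2 and 1.3; older protocol versions are not negotiated. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="CHANGE_ME"
                     certificateKeystoreType="JKS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- The plain HTTP connector on 8080 is commented out so that the SAML exchange
     and the session cookie are never carried over cleartext HTTP. -->
<!--
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->
```

After restarting Transact, browse to https://<host>:8443/ and confirm the certificate presented is the one in the keystore; a request to port 8080 should now be refused rather than redirected.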

application-context.xml

Uncomment the following import line (remove the comment markers around it) in the application-context.xml file:

<import resource="classpath:/META-INF/applicationContext-security.xml" />

This enables the SAML configuration defined in the applicationContext-security.xml file.

Download the sample application-context.xml file here.

web.xml

Change the following:

  • Uncomment the springSecurityFilterChain filter and its filter mapping.

  • Comment out the sessionTimeoutFilter and its filter mapping.

  • Comment out the SessionTimeoutServlet and its servlet mapping.

  • Comment out all security-constraints.

  • Comment out login-config nodes.

  • Place the authentication filter and its filter mapping below springSecurityFilterChain.

  • Change the logout URL to point it to correct port and URL.

  • Select 1 for authenticationType bean.

Download the sample web.xml file here.

Security folder
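The filter ordering and the commented-out container security, as an added example rather than Ephesoft's sample web.xml. DelegatingFilterProxy is the standard Spring Security class behind springSecurityFilterChain; the class name of Transact's own authentication filter is not given on this page, so it is left as a comment marking where its existing elements are moved to. The security-constraint and login-config shown inside the comment are generic placeholders for whatever the shipped file contains.

```xml
<!-- Added example (not Ephesoft's sample web.xml). Servlet filters run in the
     order of their <filter-mapping> elements, so the Spring Security SAML chain
     must be mapped before the application's own authentication filter. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Move the Transact authentication filter's own <filter> and <filter-mapping>
     elements here, BELOW the springSecurityFilterChain mapping, unchanged. -->

<!-- Container-managed authentication is disabled: with SAML, Tomcat itself must
     never challenge for credentials, otherwise users see a second login prompt
     (or bypass SSO entirely). Placeholder elements shown for illustration. -->
<!--
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
</login-config>
-->
```

A quick check after editing: the file must contain exactly one active springSecurityFilterChain mapping, no active security-constraint or login-config elements, and the logout URL must use the https port configured in server.xml.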

Do the following:

  • Place the sample JKS file in the Security folder. By default, Transact provides samlKeystore.jks. This can be used to configure Transact.

  • Import the ADFS certificate into the JKS file by using the following command:

    keytool.exe -importcert -alias <alias name> -keystore "<Keystore path>" -file "<cert path>"

  • Download the FederationMetadata file in XML format from your ADFS server and place the file in the security folder.

  • Go to https://<domainname>/FederationMetadata/2007-06/FederationMetadata.xml to download the ADFS metadata file and save it in the security folder.

A sample security folder can be downloaded here. The ADFS metadata file and certificate in the sample will not work at your end and are only for reference purposes.

applicationContext-security.xml

Change the following:

  • Change the constructor arguments for the epheSamlFilter bean. These constructor-arg values depend on the claim rule language you define in ADFS Claim Rules. Argument index 0 takes the username details and argument 2 takes the group details.

  • If you have created your own keystore, make sure you provide the correct name and path of the keystore file and the keystore password.

  • Make sure the entityId entered here is correct and the same as the identifier you will define in ADFS. The entityId is defined in the value attribute of the entityId property.

  • Make changes in the metaDataFilter bean and metaData filter. Make sure to use the correct metadata bean as defined in this file, and provide the correct name for the FederationMetadata.xml file.

  • Depending on the secure hash algorithm ADFS uses, comment or uncomment SHA-1 or SHA-256 as controlled by the bean.

Download the sample applicationContext-Security.xml file here. Because we are only authenticating with SSO, configure the epheSamlFilter bean to set <constructor-arg index="0">.

user-connectivity.properties
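The keystore, metadata and entityId settings from the list above, as an added example of the stock Spring Security SAML extension bean shapes; this is not Ephesoft's sample file, and the epheSamlFilter bean (whose class is not named on this page) is omitted. It assumes the security folder is on the classpath and that the default samlKeystore.jks is replaced by your own keystore; the key alias, passwords, entityId and base URL are placeholders.

```xml
<!-- Added example (not Ephesoft's applicationContext-security.xml): the three beans
     the checklist refers to, in the form the Spring Security SAML extension uses.
     Bean ids and all values are placeholders. -->

<!-- OpenSAML parser pool required by the metadata provider below -->
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool"
      init-method="initialize"/>

<!-- Keystore: file path, keystore password, per-alias key passwords, default alias.
     The alias is the one used when the ADFS certificate was imported with keytool;
     the Transact signing key alias must also be present in the keystore. -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="KEYSTORE_PASSWORD_PLACEHOLDER"/>
    <constructor-arg>
        <map>
            <entry key="transact-signing" value="KEY_PASSWORD_PLACEHOLDER"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="transact-signing"/>
</bean>

<!-- IdP metadata: the FederationMetadata.xml downloaded from ADFS. The file name
     here must match the one placed in the security folder. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:security/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
</bean>

<!-- SP metadata generator: entityId must equal the Relying Party identifier you
     enter in ADFS, byte for byte, or ADFS rejects the AuthnRequest. -->
<bean id="metadataGeneratorFilter"
      class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="https://transact.example.com:8443/dcma"/>
            <property name="entityBaseURL" value="https://transact.example.com:8443/dcma"/>
        </bean>
    </constructor-arg>
</bean>
```

The entityId value is what ends up in the Transact metadata file you later import into ADFS, so set it before downloading that file; changing it afterwards silently breaks the relying party trust until the metadata is re-imported.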

The user.connection property must be set to 2.

Download the sample user-connectivity.properties file here.

tomcat-users.xml

Make sure the username and roles entries are present in this file.

Note the following:

  • It is not mandatory to specify a password for the username record entered in this file.

  • The username and role name values are the two mandatory fields for authorization.

application.properties

This file is used to define Super Admin group names.

The following properties need to be changed:

  • user.super_admin: Define the Super Admin groups.
  • update_super_admin_group: Change the flag to true.
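How the three authorization files fit together, as an added example that is not Ephesoft's sample configuration: with user.connection=2 in user-connectivity.properties and user.super_admin=admin plus update_super_admin_group=true in application.properties, a tomcat-users.xml like the one below decides what a user who ADFS has already authenticated may do. The user names and roles are constructed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not Ephesoft's sample tomcat-users.xml). With user.connection=2
     this file is the authorization allow-list: ADFS proves who the user is, this
     file says which roles they get. Names below are constructed. -->
<tomcat-users>
  <!-- "admin" is the role named in user.super_admin=admin, so members of it get
       Super Admin access; "operator" is an ordinary application role. -->
  <role rolename="admin"/>
  <role rolename="operator"/>

  <!-- The username must equal the claim value that arrives at constructor-arg
       index 0 of epheSamlFilter (for example the sAMAccountName ADFS sends).
       No password attribute is needed: credentials are never checked here. -->
  <user username="alice" roles="admin"/>
  <user username="bob" roles="operator"/>

  <!-- Anyone ADFS authenticates who is NOT listed here matches no record and
       therefore receives no role, even though the SAML Response was valid. -->
</tomcat-users>
```

Because authorization is decided locally, removing a user from ADFS alone does not remove a stale entry here; treat this file as part of the access review, and keep it readable only by the account that runs Tomcat.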