A simple WS-Fed SAML2 proxy, made to connect Outlook Web Access (OWA) to an arbitrary SAML2 IDP via the WS-Fed protocol (http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html), as used by ADFS.
Configuration is done via the following environment variables:
- SESSION_SECRET (optional: secret used to encrypt the session, default: generated randomly on startup)
- HTTPS (optional: true|false, use HTTPS for WSFED server)
- HTTPS_KEY (key for WSFED server cert, default: ../selfsigned.key (app root/selfsigned.key))
- HTTPS_CERT (cert for WSFED server, default: ../selfsigned.cert (app root/selfsigned.cert))
- SAML2_ISSUER (SAML2 issuer to be used by this SAML2 client)
- SAML2_IDENTIFIER_FORMAT (SAML2 identifier format set by the IDP)
- SAML2_IDP (address of the SAML2 IDP)
- SAML2_CLAIMS_UPN (name of the SAML2 claim holding the UPN)
- SAML2_CLAIMS_SID (name of the SAML2 claim holding the SID, in either base64 or plaintext)
- SAML2_CLAIMS_SID_BASE64 (let WSFED decode SID from base64, default is true)
- SAML2_IDP_PUB_KEY (public key from the SAML2 IDP)
- WSFED_ISSUER (issuer to be used in the assertion, has to be the URI of this proxy including the path to the WS-Fed endpoint, e.g. https://ws-fed-proxy/wsfed)
- WSFED_CERT (path to PEM cert for signing the assertion)
- WSFED_KEY (path to KEY for WSFED_CERT)
- WSFED_PKCS7 (path to WSFED_CERT in PKCS7 format, for use with WSFED metadata.xml)
- SAML2_ROOT (path of the SAML2 endpoint e.g. /saml2)
- WSFED_ROOT (path of the WSFED endpoint e.g. /wsfed)
- INVALID_LOGIN_REDIRECT (optional: url to redirect to in case of an invalid login request)
- TRUST_PROXY (optional: true|false, allow operation behind a reverse proxy)
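As an added example (not code from the proxy itself), here is how a SID claim arriving from the IDP can be converted into the textual "S-1-5-..." form before it is placed in the WS-Fed assertion, mirroring the SAML2_CLAIMS_SID_BASE64 switch; the function names and the sample SID below are constructed for this illustration.

```javascript
// Added example, not the proxy's own code. With SAML2_CLAIMS_SID_BASE64=true the
// IDP sends the raw binary objectSid base64-encoded; the textual form is what an
// ADFS-style primarysid claim carries. Binary SID layout:
//   byte 0      revision (always 1)
//   byte 1      number of sub-authorities (0..15)
//   bytes 2..7  48-bit identifier authority, big-endian
//   then        one 32-bit little-endian value per sub-authority
const SID_RE = /^S-1-\d+(-\d+)+$/;

function sidFromBinary(buf) {
  if (buf.length < 8) throw new Error('SID too short');
  const revision = buf[0];
  const count = buf[1];
  if (revision !== 1) throw new Error(`unsupported SID revision ${revision}`);
  // Reject truncated or padded values instead of producing a plausible-looking SID.
  if (count > 15 || buf.length !== 8 + 4 * count) {
    throw new Error('SID length does not match sub-authority count');
  }
  const authority = buf.readUIntBE(2, 6); // readUIntBE supports up to 6 bytes
  const parts = [];
  for (let i = 0; i < count; i++) parts.push(buf.readUInt32LE(8 + 4 * i));
  return ['S', revision, authority, ...parts].join('-');
}

// Hypothetical helper mirroring SAML2_CLAIMS_SID_BASE64: decode when true,
// otherwise accept the claim as text; either way validate the final form.
function sidClaimToString(value, base64 = true) {
  const sid = base64 ? sidFromBinary(Buffer.from(value, 'base64')) : value;
  if (!SID_RE.test(sid)) throw new Error('claim is not a valid SID string');
  return sid;
}

// Constructed sample: S-1-5-21-1-2-3-1000 as it would arrive base64-encoded.
const SAMPLE_SID_B64 = Buffer.from([
  0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
  0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
  0xe8, 0x03, 0x00, 0x00,
]).toString('base64');

console.log(sidClaimToString(SAMPLE_SID_B64)); // S-1-5-21-1-2-3-1000
```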
The proxy exposes the following endpoints (with SAML2_ROOT=/saml2 and WSFED_ROOT=/wsfed):
- /saml2/callback (callback for SAML2 login)
- /saml2/login (initiates SAML2 login)
- /saml2/logout (SAML2 logout, not implemented yet)
- /wsfed (WS-Fed endpoint)
- /wsfed/FederationMetadata/2007-06/FederationMetadata.xml (metadata)
- /wsfed/adfs/fs/federationserverservice.asmx (metadata)
Setup on the SAML2 IDP side:
- make sure SID and UPN are available as user attributes
- create a new SAML2 client e.g. "wsfed-proxy"
- create a mapper for upn and sid e.g. sid -> sid, upn->upn
- generate a cert for signing assertions, e.g.

```sh
openssl req -new \
  -newkey rsa:2048 -nodes -keyout signing_cert.key \
  -out signing_cert.csr \
  -subj "/CN=mycorp"
openssl x509 -req -in signing_cert.csr -signkey signing_cert.key -days 365 -out signing_cert.crt
openssl crl2pkcs7 -nocrl -certfile signing_cert.crt -out signing_cert.p7b
```

or via Exchange

```powershell
New-ExchangeCertificate -SubjectName "CN=mycorp" -PrivateKeyExportable $true
```
- install the signing cert into the Trusted People store
- get the fingerprint from the WS-Fed Proxy signing cert

```sh
cut -d "=" -f2 <<< $(openssl x509 -noout -fingerprint -sha1 -inform pem -in signing_cert.crt) | tr -d ":"
```
- configure Exchange for ADFS

```powershell
$issuer = "<use value from WSFED_ISSUER>"
$cert = '<fingerprint from WS-Fed Proxy signing cert>'
Set-OrganizationConfig -AdfsIssuer $issuer -AdfsAudienceUris "https://<exchange URI>/owa/,https://<exchange URI>/ecp/" -AdfsSignCertificateThumbprint $cert
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
```
To enable WIF tracing for troubleshooting, add the following to the OWA web.config (e.g. C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config):

```xml
<system.diagnostics>
  <sources>
    <source name="Microsoft.IdentityModel" switchValue="Warning">
      <listeners>
        <add name="traceListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="<logpath>\WIFTrace.log" />
      </listeners>
    </source>
  </sources>
</system.diagnostics>
```