how Iis USES saml2.0 to access adfs

Question

How does IIS use saml2.0 to access adfs?

In my opinion, IIS needs to deploy a web application to access adfs by sending the request with saml 2.0.

But until now, I haven't found the way to deploy a web application that can send saml2.0.

Does it have to use isapi or Shibboleth ?

Resolution: (1) Shibboleth SP should establish the SSO session/HTTP login session after extracting the user info from SAML response sent by SAML IdP. (2) Insert the user info into the SSO session/HTTP login session. How to insert and fetch Data from Sessions instead of Database in Asp.net MVC C# provides the instruction on how to insert data into the HTTP session (at IIS) and extract data from the HTTP session (at Glassfish).

//In IIS Session["HTTP_MAIL"] = Request.Headers["HTTP_MAIL"];

//In Glassfish after HTTP redirect string user_email = Session["HTTP_MAIL"];

Thanks for you answer!

let me tell about what I know first. If there is any something wrong, please point it out

1. Shibboleth SP save the value belongs of SAML response which is getting from SAML Idp(this time is ADFS) to three places(※), and we can see it in https://SP's domaim name/Shibboleth.sso/Session

   　※ ①Session ②Server Variables ③Request Headers refer to SP's AttributeAccess

2. After Shibboleth SP save the value, automatically jumps to the interface accessed in the browser.

3. There is information in ②Server Variables and ③Request Headers, so applications above IIS can get it through the following code through by both mail and HTTP_MAIL can get the value.

<% @ Page Language="C#" %>
<%
Response.Write("<h3>Server Variables</h3>");
Response.Write("Name = " + Request["name"] + "<br>");
Response.Write("Email = " + Request["mail"] + "<br>");
Response.Write("Tel = " + Request["tel"] + "<br>");

%>

the result is :

Server Variables
Name = tom
Email = tom@yahoo.com
Tel = 0251-4584-635

---

the question is when use HTTP Redirect(HTTP Rewrite and other way is also ok)， How are the above values passed to glassfish~

Refer to your answer, I did the following things ~

1. Modify the program above iis to this:

<% @ Page Language="C#" %>
<%
Response.Write("<h3>Server Variables</h3>");
Response.Write("Name = " + Request["name"] + "<br>");
Response.Write("Email = " + Request["mail"] + "<br>");
Response.Write("Tel = " + Request["tel"] + "<br>");

Session["HTTP_MAIL"] = Request["HTTP_MAIL"];     ※set value to Session
Response.Write("Mail2 = " + Session["HTTP_TEST"] + "<br>");  

%>

2. create Glassfish's app to this:

@RequestMapping(value = "/info2", method = RequestMethod.GET)
    public Object getUserInfo2(HttpSession session, Model model) {
    Enumeration<String> headerNames  = session.getAttributeNames();
    StringBuffer stringBuffer = new StringBuffer();
    while (headerNames.hasMoreElements()) {
            String key = (String) headerNames.nextElement();
            String value = (String) session.getAttribute(key);
            stringBuffer.append(key + ":" + value + "\n");
        } 
        model.addAttribute("StringBuffer", stringBuffer);
        return "index";

    }

there is nothing in session.

it seems that using IIS's HTTP redirect function to redirect the app on IIS before it executes. In other words, the session assignment does not appear to have been performed

Did I do that right?

Answer 1

Question #1:

How does IIS use saml2.0 to access adfs?

In my opinion, IIS needs to deploy a web application to access adfs by sending the request with saml 2.0.

Answer:

Yes. You are correct.

(1) IIS needs to deploy a SAML SP (service provider) to send SAML auth request to ADFS.

(2) You need to configure ADFS to be SAML IdP (Identity Provider).

The official Microsoft website of Add ADFS as a SAML identity provider provides the instruction on how to configure ADFS to be SAML IdP.

Question #2:

Does it have to use isapi or Shibboleth ?

Answer:

You can deploy Shibboleth SP (service provider) on IIS.

The official link of Shibboleth SP with IIS provides the instruction on how to deploy Shibboleth SP on IIS.

Follow-up Question #1:

The final effect is as follows: adfs's end point:

iis.*.com/Shibboleth.sso/SAML2/POST
iis.*.com/Shibboleth.sso/SAML2/Artifact

However, adfs is returned as a post, and I did not get the information in the request header through the program on the iis side

Refer to this website Shibboleth SP for IIS でSAML対応

How can I get the data returned by adfs through get

Answer:

(1) Shibboleth SP AssertionConsumerService does NOT provide "HTTP-Redirect" endpoint/URL for "GET".

(I) You can NOT "get the data returned by adfs through get".

(II) You have to get the data returned by adfs through POST.

(2) Assume that your website is https://shibbolethiis.int.secioss.work

(I) Shibboleth SP AssertionConsumerService endpoint/URL demonstrated by your Shibboleth SP metadata "https://shibbolethiis.int.secioss.work/Shibboleth.sso/Metadata"

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibbolethiis.int.secioss.work/Shibboleth.sso/SAML2/POST" index="1"/>

(II) Quote the link from your comment. i.e., Shibboleth SP for IIS でSAML対応

「Default Web Site」を選択し。IISを再起動します。

これでShibboleth-SPの設定は終了です。 以下のURLに接続し、正常に稼働しているか確認してください。

https://shibbolethiis.int.secioss.work/Shibboleth.sso/Status

正常に稼働している場合、以下のようなXMLが返ります。 最後のStatusタグの内容がOKなら正常です。

(III) Check your website Shibbolth SP session

https://shibbolethiis.int.secioss.work/Shibboleth.sso/Session

The above Shibboleth SP Session URL should display the user info carried by SAML response sent by ADFS

If you can NOT find any user info from the above Shibboleth SP Session URL

(III.a) Configure ADFS to send the user info with SAML attribute/SAML assertion/SAML response

(III.b) Modify Shibboleth SP "attribute-map.xml" to accept SAML attributes sent by ADFS with reference to the example provided by Shibboleth SP shibboleth-sp-testapp/shibboleth-sp/attribute-map.xml at the GitHub repository.

Usually Shibboleth SP uses SAML attribute such as "mail" attribute (e.g., ethan.smith@example.com) to log the user in to your website.

(4) Remarks:

(I) How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides Shibboleth SP configuration example.

(II) For your convenience, I have made a new commit to add ADFS attributes to Shibboleth SP shibboleth-sp-testapp/shibboleth-sp/attribute-map.xml at the above GitHub repository. Note that I have used the same ADFS attributes to log in to Box account successfully.

(III) Configuring Attributes for SAML 2.0 and ADFS 3.0 provides the valuable information and discussion on how Shibboleth SP extract the user info/data returned by ADFS through "attribute-map.xml".

Follow-up Question #2:

After modifying attribute. XML, and visit shibboleth.sso/Session, it can display the following information.

Attributes mail: 1 value(s) 
tel: 1 value(s) 

Refer to this website Shibboleth SP for IIS でSAML対応

５．動作確認 

Display the following information 

HTTP_MAIL:ya*@cn.*.com 
HTTP_TEL:17* 

how can i get information from the request header when i redirect it to glassfish via iis's HTTP redirect function?

Answer:

Another StackOverflow question Getting a Request.Headers value provides the solution on how to get information from the request header using C#, for example,

if (Request.Headers["HTTP_MAIL"] != null) {
    string user_email = Request.Headers["HTTP_MAIL"];
}

Follow-up Question #3:

Instead of asking how to get headers on IIS, my question is how to get login information on glassfish~ In other words, how do i pass the request-header information to glassfish after getting it from iis? I also asked a question in glassfish get shibboleth sp attribute on iis, and it is more detailed than his current comment.

Answer:

From the cybersecurity perspective, you can NOT redirect the user info to establish the HTTP login session for Glassfish application. Otherwise, hackers can use the same user info to log in to Glassfish application without any authentication such as local username/password authentication or third-party SAML authentication.

Follow-up Question #4:

when use HTTP Redirect(HTTP Rewrite and other way is also ok)， How are the above values passed to glassfish?

there is nothing in session.

it seems that using IIS's HTTP redirect function to redirect the app on IIS before it executes. In other words, the session assignment does not appear to have been performed

Did I do that right?

Answer:

(1) Apache, GlassFish, IIS, Jetty, and Tomcat can be regarded as parallel web servers for hosting web applications.

Top Java Application Servers: Tomcat vs. Jetty vs. GlassFish vs. WildFly

Microsoft IIS vs Apache Tomcat: What are the differences?

Microsoft IIS and Apache Tomcat belong to "Web Servers" category of the tech stack.

Windows Server 2016 can run both IIS 10 web server and GlassFish 5.1.0 web server, while IIS 10 web server and GlassFish 5.1.0 web server can run their own web application.

(2) From the cybersecurity perspective, different web application should establish their HTTP login session on their backend server (such as Apache, Glassfish, IIS, JETTY, and Tomcat) after their user has been authenticated by a third-party SAML IdP (such as Shibboleth SAML IdP).

Therefore, you can NOT redirect the user info from IIS to Glassfish, because IIS and Glassfish should establish their own different HTTP sessions for their user who is granted access to web application.

Resolution:

You can use OneLogin Java SAML SP tookit (Code Your Java App to Provide SSO via OneLogin) to build SAML SP for your Java-based GlassFish web application.

Note that OneLogin SAML SP for your Java-based GlassFish web application can communicate with any SAML IdP including their own OneLogin SAML IdP, Shibboleth SAML IdP running on Docker container, or SAML IdP provided by our Zero-Password Authentication and Authorization System.