HTTP Outbound authentication via SAML

HTTP Outbound authentication via SAML (ADFS Server)

Hi all,

This time I had to deal with a real administrative challenge:

Enable WebSphere Portal to display IBM Connections content using IC portlets and authenticate HTTP Outbound calls using SAML.

WebSphere Portal can load content from external sources using a secure HTTP Outbound proxy (a.k.a. Ajax Proxy). This is the case for the IBM Connections portlets, which load content from an IBM Connections server.

Normally, when you deploy those IBM Connections portlets, authentication of requests sent via the HTTP Outbound Proxy is done using IBM's SSO mechanism based on LTPA tokens between WebSphere Portal and IBM Connections. But when it comes to more advanced cloud environments (hybrid cloud integrations, integration of other software tools that do not support LTPA…), this technology is outdated. So I'm back to my “hot topic” SAML ;-)… This solves most of our SSO problems but brings some new hurdles with it.

How does it work?

[Image: HTTPOutbound : SAML1]

Content that you want to consume from another system is not loaded directly from that server into the browser when using WebSphere Portal. WebSphere Portal calls the backend system's API (e.g. the IBM Connections API when you use the IBM Connections portlets) to display the content. This communication is routed via an application called HTTPOutbound Proxy (a.k.a. AjaxProxy).

Since WebSphere Portal 8.5 CF03 you can authenticate those HTTP Outbound Proxy calls using the SAML protocol. In the above example, the Outbound Proxy authenticates the user who is logged in to the WebSphere Portal server against the connected IBM Connections system. The mandatory configuration steps are documented for TFIM and ADFS Server (from CF05 on) as IdP. But I think the information provided in the Knowledge Center is a bit confusing and not really complete. That's why I tried to summarize everything in this blog post.

Steps I used to activate HTTP Outbound connection authentication via SAML (ADFS Server as IdP)

ADFS: Changing the cookie domain –> described here
This is a rather easy step where you need to make sure that the cookies the ADFS server generates are set for the domain you use with your WebSphere Portal / IBM Connections system.

  • Open the file web.config in the IIS ADFS web module (inetpub base folder – in my case this is c:/inetpub/adfs/ls/) and add the cookie handler between <system.web> and <compilation defaultLanguage="c#">

Cookie handler:

<httpCookies domain="your_domain" httpOnlyCookies="false" requireSSL="false"/>

[Image: HTTPOutbound1]

  • Create an Outbound rule using the IIS Management Console

This is a tricky one, as you need the additional ARR (Application Request Routing) snap-in in order to configure this outbound rule. You can install this snap-in using the Microsoft Web Platform Installer 5.0 –> here

Start the exe and search for “Application Request”

[Image: HTTPOutbound2]

Click to install.

Then open the IIS management console and click “Application Request Routing Cache”

[Image: HTTPOutbound3]

Click on “Server Proxy Settings”

[Image: HTTPOutbound4]

Click on “Advanced Routing – URL Rewrite”

[Image: HTTPOutbound5]

Add a new Outbound rule

[Image: HTTPOutbound6]

More details

[Image: HTTPOutbound7]

Phew… done 😉 The documentation in the Knowledge Center leaves you rather alone when configuring these steps… Anyway, it works like this 😉

WebSphere Portal: Create HTTP Outbound configuration –> described here

Identity provider settings

Create an XML file with the following content (adjust hostnames to match your environment):

<?xml version="1.0" encoding="UTF-8"?>
<proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.ibm.com/xmlns/prod/sw/http/outbound/proxy-config/2.0">
<variables>
  <!--  replace values with the IdP login URL and the partner URL -->
  <endpoint name="adfs01.idp_prot">https</endpoint>
  <endpoint name="adfs01.idp_host">YOURADFSSERVER.SERVER.COM</endpoint>
  <endpoint name="adfs01.idp_port">443</endpoint>
  <endpoint name="adfs01.idp_uri">/adfs/ls/IdpInitiatedSignOn.aspx</endpoint>
  <endpoint name="adfs01.partner_url">https://YOURIBMCONNECTIONSSERVER.SERVER.COM/samlsps/acs</endpoint>
</variables>
<meta-data>
  <name>adfs01.IDP_PROTOCOL</name>
  <value>https</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_HOST</name>
  <value>YOURADFSSERVER.SERVER.COM</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_PORT</name>
  <value>443</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_URI</name>
  <value>/adfs/ls/IdpInitiatedSignOn.aspx</value>
</meta-data>
<meta-data>
  <name>adfs01.PARAM_NAME.1</name>
  <value>LoginToRp</value>
</meta-data>
<meta-data>
  <name>adfs01.PARAM_VALUE.1</name>
  <value>https://YOURIBMCONNECTIONSSERVER.SERVER.COM/samlsps/acs</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_SOURCE</name>
  <value>cookies</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.1</name>
  <value>MSISAuth</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.2</name>
  <value>MSISAuth1</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.3</name>
  <value>MSISAuthenticated</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_COOKIE.1</name>
  <value>SamlSession</value>
</meta-data>
</proxy-rules>

Register this XML file using a ConfigEngine task:

 ./ConfigEngine.sh update-outbound-http-connection-config -DConfigFileName=XML_file -DOutboundProfileType=global

Define a policy rule for the remote connections to the IBM Connections server

Create an XML file with the following content (adjust hostnames to match your environment):

<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright IBM Corp. 2011, 2014  All Rights Reserved.              -->
<proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.1">
<mapping contextpath="/proxy" url="*"/>
<mapping contextpath="/myproxy" url="*"/>
<mapping contextpath="/common_proxy" url="*"/>

<policy active="true" basic-auth-support="false" name="SocialADFS" url="https://YOURIBMCONNECTIONSSERVER.SERVER.COM/*">
<actions>
  <method>POST</method>
  <method>GET</method>
  <method>DELETE</method>
  <method>PUT</method>
  <method>HEAD</method>
</actions>
<headers>
  <header>Accept-Language</header>
  <header>User-Agent</header>
  <header>Accept.*</header>
  <header>Content.*</header>
  <header>Authorization*</header>
  <header>Content*</header>
  <header>If-.*</header>
  <header>Pragma</header>
  <header>Cache-Control</header>
  <header>X-Update-Nonce</header>
  <header>X-Shindig-ST</header>
  <header>X-IC-CRE-Request-Origin</header>
  <header>X-IC-CRE-User</header>
  <header>X-Method-Override</header>
  <header>X-Requested-With</header>
</headers>
<cookie-rule name="SocialAdfs_WEF_Cookie_Rule">
  <cookie>*</cookie>
  <scope>user</scope>
  <handling>store-in-request</handling>
</cookie-rule>
<meta-data>
  <name>SSO_SAML20_IDP</name>
  <value>adfs01</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_HOST</name>
  <value>YOURADFSSERVER.SERVER.COM</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_PORT</name>
  <value>443</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_URI</name>
  <value>/adfs/ls/IdpInitiatedSignOn.aspx</value>
</meta-data>
<meta-data>
  <name>adfs01.PARAM_NAME.1</name>
  <value>LoginToRp</value>
</meta-data>
<meta-data>
  <name>adfs01.PARAM_VALUE.1</name>
  <value>https://YOURIBMCONNECTIONSSERVER.SERVER.COM/samlsps/acs</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_SOURCE</name>
  <value>cookies</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.1</name>
  <value>MSISAuth</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.2</name>
  <value>MSISAuth1</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.3</name>
  <value>MSISAuthenticated</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_COOKIE.1</name>
  <value>SamlSession</value>
</meta-data>
<meta-data>
  <name>forward-http-errors</name>
  <value>true</value>
</meta-data>
<meta-data>
  <name>xhr-authentication-support</name>
  <value>true</value>
</meta-data>
<meta-data>
  <name>socket-timeout</name>
  <value>50000</value>
</meta-data>
<meta-data>
  <name>retries</name>
  <value>2</value>
</meta-data>
<meta-data>
  <name>max-connections-per-host</name>
  <value>50</value>
</meta-data>
<meta-data>
  <name>max-total-connections</name>
  <value>1000</value>
</meta-data>
</policy>
</proxy-rules>

Register this XML file using a ConfigEngine task:

 ./ConfigEngine.sh update-outbound-http-connection-config -DConfigFileName=/ibm/proxy_smartcloud.xml -DApplicationScopeRef=PA_icWEFPtlts

–> This time I limit the configuration to the IBM Connections portlets (application scope PA_icWEFPtlts)… “-DOutboundProfileType=global” should also work.
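To see what the policy file above actually grants before registering it, here is a small checker I added for this post (it is not part of WebSphere Portal or the IBM documentation). It parses a trimmed, constructed copy of the SocialADFS policy with a placeholder hostname, reports which policy (if any) permits a given method and URL and which request headers would be forwarded or dropped, and lists the ADFS cookies the proxy collects for the IdP named in SSO_SAML20_IDP. It assumes that `*` in the url attribute is a glob wildcard and that the `<header>` entries are regular expressions matched case-insensitively against the whole header name.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.1}"

# Constructed sample: a trimmed SocialADFS policy with a placeholder hostname.
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<proxy-rules xmlns="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.1">
<policy active="true" basic-auth-support="false" name="SocialADFS"
        url="https://connections.example.com/*">
<actions><method>GET</method><method>POST</method></actions>
<headers><header>Accept.*</header><header>Authorization*</header>
         <header>X-Update-Nonce</header></headers>
<meta-data><name>SSO_SAML20_IDP</name><value>adfs01</value></meta-data>
<meta-data><name>adfs01.IDP_AUTH_TOKEN_COOKIE.2</name><value>MSISAuth1</value></meta-data>
<meta-data><name>adfs01.IDP_AUTH_TOKEN_COOKIE.1</name><value>MSISAuth</value></meta-data>
</policy></proxy-rules>"""

def load_policies(xml_text):
    """Parse the active <policy> elements of a proxy-config file into dicts."""
    policies = []
    for p in ET.fromstring(xml_text).findall(NS + "policy"):
        if p.get("active", "true").lower() != "true":
            continue  # inactive policies never match
        meta = {m.findtext(NS + "name"): m.findtext(NS + "value")
                for m in p.findall(NS + "meta-data")}
        policies.append({
            "name": p.get("name"),
            # Assumption: '*' in the url attribute is a glob-style wildcard.
            "url_re": re.compile(re.escape(p.get("url")).replace(r"\*", ".*") + "$"),
            "methods": {m.text.upper() for m in p.iter(NS + "method")},
            # Assumption: <header> entries are regexes matched against the whole
            # header name, case-insensitively (HTTP header names are case-insensitive).
            "header_res": [re.compile(h.text + "$", re.I) for h in p.iter(NS + "header")],
            "meta": meta})
    return policies

def evaluate(policies, method, url, headers):
    """First policy allowing method+url: (name, forwarded headers, dropped headers)."""
    for pol in policies:
        if pol["url_re"].match(url) and method.upper() in pol["methods"]:
            kept = [h for h in headers if any(r.match(h) for r in pol["header_res"])]
            return pol["name"], kept, [h for h in headers if h not in kept]
    return None  # no active policy permits this call; the proxy refuses it

def idp_token_cookies(policy):
    """Cookie names the proxy collects from the IdP named by SSO_SAML20_IDP, by .N order."""
    prefix = f"{policy['meta'].get('SSO_SAML20_IDP')}.IDP_AUTH_TOKEN_COOKIE."
    found = [(int(k[len(prefix):]), v) for k, v in policy["meta"].items() if k.startswith(prefix)]
    return [v for _, v in sorted(found)]
```

Point load_policies at your real proxy_smartcloud.xml to check that only the hosts, methods and headers you intend are allowed, and that every IDP_AUTH_TOKEN_COOKIE.N the policy expects is actually issued by your ADFS server.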

The result is:

[Image: HTTPOutbound8]

Summary

To be honest … This was a real piece of work… Tough and really complex stuff!

Anyway… Thanks IBM for this great integration. Do more SAML stuff… I really like this 😉

2 thoughts on “HTTP Outbound authentication via SAML”

  1. Couple of ADFS beginner questions:

    1. In ADFS 2.0 I would update the web.config with the following
    Since there is no web.config in ADFS 3.0, what is the command that would let me achieve the same as above?

    2. How would I create an ARR (Application Request Routing) outbound rule in ADFS 3.0?

    Thanks for your help.

    • Hi Sruajn,

      thanks for your comment. To be honest, I never tested this with ADFS 3.0…
      I think the IBM Knowledge Center needs an update – I will address this to IBM as I do not yet know the answers to your questions.
      As soon as I get a response I will get back to you.

      Julius
