Example config for ADFS #17

@Joga1-2000

I would like to share my experiences getting SamlAuth working with ADFS.
We have a Windows-based test Kanboard installation where I would like to make access via SAML possible.

My environment: Win2022 with IIS and PHP 8.2, Kanboard 1.2.26, SQLite database, LDAP connected to AD, and a Win2022 ADFS server.

After downloading the zip file and unpacking it to kanboard\plugins\SamlAuth, it was missing the third-party module php-saml, so I downloaded it manually and copied it to kanboard\plugins\SamlAuth\Thirdparty\php-saml.

And here are my configuration settings:

SP Entity ID:
a unique string; I use the FQDN of the Kanboard server

Single Signon Service
https://FQDN_Kanboard_Server/kanboard/index.php

Single Logout Service
https://FQDN_Kanboard_Server/kanboard/logout (not sure about that)

SP Certificate
public key of the Kanboard server cert

SP Certificate Private Key
private key of the Kanboard server cert in RAW format

For the Identity Provider configuration I used the information from https://FQDN_ADFS_Server/FederationMetadata/2007-06/FederationMetadata.xml

IDP Entity ID
http://FQDN_ADFS_Server/adfs/services/trust

Single Signon Service
https://FQDN_ADFS_Server/adfs/ls/

Single Logout Service
https://FQDN_ADFS_Server/adfs/ls/

IDP Certificate
public key of the ADFS server cert

Identity Provider Attribute Mapping
Full name Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Username Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Remove text in username attribute
empty

Email Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Generate the metadata XML and import it into ADFS.
I configured the claims as follows:

Rule 1:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";sAMAccountName,mail,displayName;{0}", param = c.Value);

Rule 2:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("temp_name"), query = ";sAMAccountName;{0}", param = c.Value);

Rule 3:
c:[Type == "temp_name"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(c.Value, "A", "a"), "B", "b"), "C", "c"), "D", "d"), "E", "e"), "F", "f"), "G", "g"), "H", "h"), "I", "i"), "J", "j"), "K", "k"), "L", "l"), "M", "m"), "N", "n"), "O", "o"), "P", "p"), "Q", "q"), "R", "r"), "S", "s"), "T", "t"), "U", "u"), "V", "v"), "W", "w"), "X", "x"), "Y", "y"), "Z", "z"));

Because Kanboard usernames are case sensitive, I have to convert the username sent by ADFS to lowercase to prevent duplicate users (rules 2 and 3).

Maybe this will help someone to get this plugin to work ....
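Added example, not code from the SamlAuth plugin or from the poster: the post copies the IdP entity ID, the SSO/SLO endpoints and the signing certificate out of FederationMetadata.xml by hand, and uses claim rules 2 and 3 to lowercase the username on the ADFS side. The script below pulls those four values out of a constructed, trimmed metadata document and then maps the three claim URIs from the post onto the Kanboard attribute mapping, lowercasing the username so a mixed-case sAMAccountName cannot create a duplicate account. The hostname adfs.example.test, the sample XML strings, the certificate placeholder and the function names are assumptions; the example parses XML only and does not verify the assertion signature, which in Kanboard is php-saml's job.

```python
"""Added example (not the plugin's or the poster's code): read the IdP settings
the post takes from ADFS FederationMetadata.xml and map assertion claims onto
the Kanboard attribute mapping with a lowercased username."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, trimmed stand-in for an ADFS FederationMetadata.xml (not real data)
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          CONSTRUCTEDCERTDATANOTREAL
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion fragment carrying the three claims the post maps
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0nstructed" Version="2.0">
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>JDoe</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>jdoe@example.test</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>John Doe</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Identity Provider Attribute Mapping from the post: Kanboard field -> claim URI
CLAIM_MAP = {
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}


def idp_settings_from_metadata(xml_text):
    """Return entity ID, SSO/SLO endpoints (HTTP-Redirect binding) and the
    signing certificate: the four IdP values the post copies by hand."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return None

    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("SingleSignOnService"),
        "slo_url": endpoint("SingleLogoutService"),
        # strip any line wrapping around the base64 body
        "signing_cert": "".join(cert.text.split()) if cert is not None else None,
    }


def user_from_assertion(xml_text, claim_map=CLAIM_MAP):
    """Pick the mapped claims out of an AttributeStatement and lowercase the
    username, mirroring what the post's claim rules 2 and 3 do in ADFS."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    user = {}
    for field, claim in claim_map.items():
        values = attrs.get(claim)
        if not values or not values[0].strip():
            raise ValueError(f"assertion lacks claim {claim} needed for '{field}'")
        user[field] = values[0].strip()
    # Kanboard usernames are case sensitive (see post): normalise here too, so a
    # mixed-case sAMAccountName cannot end up as a second account
    user["username"] = user["username"].lower()
    return user


if __name__ == "__main__":
    print(idp_settings_from_metadata(SAMPLE_METADATA))
    print(user_from_assertion(SAMPLE_ASSERTION))
```

Only the HTTP-Redirect endpoints are returned because that is the binding SamlAuth is pointed at in the post; a missing mapped claim raises instead of silently creating a user with an empty username or email.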
