akmanchianand

Setting up Enterprise Logins using SimpleSAMLphp and MS Active Directory

Blog Post created by akmanchianand on Dec 31, 2014

Introduction

ArcGIS Online supports Security Assertion Markup Language 2.0 (SAML) for configuring enterprise logins. There are two kinds of login experiences, i.e., service provider (SP) initiated enterprise logins and identity provider (IDP) initiated enterprise logins.

 

Service Provider initiated logins

With SP initiated logins, members access their organization website directly and see options to sign in using their enterprise service provider account or their ArcGIS account. If the member selects the service provider option, they are redirected to a web page (known as the enterprise's login manager) where they are prompted to enter their enterprise user name and password. Upon verification of the member’s login, the enterprise identity provider informs ArcGIS Online of the verified identity for the member who is logging in and the member is redirected back to their organization website.

 

If the member chooses the ArcGIS account option, the sign-in page for the organization website opens. The member can then enter their ArcGIS user name and password to access the website. The ArcGIS account sign-in option cannot be disabled.

 

Identity provider initiated logins

With IDP logins, members directly access their enterprise login manager and sign in with their account. When the member submits their account information, the identity provider sends the SAML response directly to ArcGIS Online. The member is then logged in and redirected to their organization website where they can immediately access resources without having to sign in to the organization again.

 

The option to sign in using ArcGIS accounts directly from the enterprise login manager is not available with IDP logins. To sign in to the organization using ArcGIS accounts, members need to access their organization website directly.

 

This blog post is about setting up Enterprise Logins in ArcGIS Online using SimpleSAMLphp using the Service Provider Initiated Logins approach. You may download all the attachments to this post for a smoother setup experience.

 

Before we get started

You can configure SimpleSAMLphp 1.10 and later versions as your identity provider for Enterprise Logins in ArcGIS Online.

 

The configuration process involves two main steps:

  • registering your enterprise identity provider with ArcGIS Online and
  • registering ArcGIS Online with the enterprise identity provider

 

ArcGIS Online requires certain attribute information to be received from the identity provider when a user logs in using enterprise logins. NameID is a mandatory attribute that must be sent by your identity provider in the SAML response to make the federation with ArcGIS Online work. When a user from the IDP logs in, a new user with the user name NameID_<url_key_for_org> will be created by ArcGIS Online in its user store. The allowed characters for the value sent by the NameID attribute are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be escaped to contain underscores in the user name created by ArcGIS Online.

 

ArcGIS Online supports flow-in of the givenName and the email address attributes of the enterprise login from the enterprise identity provider. When a user signs in using an enterprise login, and if ArcGIS Online receives attributes with the names givenname and email or mail (in any case), ArcGIS Online populates the full name and the email address of the user account with the values received from the identity provider.

 

It's recommended that you pass in the email address from the enterprise identity provider so the user can receive notifications. If the user has administrator privileges, they will also be able to send invitations to others users to join the organization.

 

Step 1: Install PHP and configure with IIS

  • Download this archive containing PHP binaries and extract it to "C:\PHP". You may also download it from here if the earlier link does not work.

 

Note: Non-thread-safe build of PHP is recommended when using IIS. The non-thread-safe builds are available at» PHP for Windows: Binaries and Sources Releases.

 

  • Enable FastCGI support in IIS
    • For Windows 7
      • In the Windows Start Menu choose "Run:", type "optionalfeatures.exe" and click "Ok"

      • In the "Windows Features" dialog expand "Internet Information Services", "World Wide Web Services", "Application Development Features" and then enable the "CGI" checkbox

      • Click OK and wait until the installation is complete

01-iis7vistacgi.png

    • For Windows Server 2008 and Windows Server 2008 R2
      • In the Windows Start Menu choose "Run:", type "CompMgmtLauncher" and click "Ok"

      • If the "Web Server (IIS)" role is not present under the "Roles" node, then add it by clicking "Add Roles"

      • If the "Web Server (IIS)" role is present, then click "Add Role Services" and then enable the "CGI" checkbox under "Application Development" group

      • Click "Next" and then "Install" and wait for the installation to complete

02-addroleservices.PNG

  • Edit the PHP.ini file
    • After the php package content has been extracted, copy the php.ini-production into php.ini in the same folder
    • Open php.ini in a suitable text editor like notepad++ and make the following changes and uncomment these lines
      • open_basedir ="C:\inetpub\wwwroot;C:\windows\temp"
      • display_errors = On
      • extension_dir = "C:\PHP\ext"
      • cgi.force_redirect = 0
      • cgi.fix_pathinfo=1
      • fastcgi.impersonate = 1
      • fastcgi.logging = 0
      • extension=php_imap.dll (uncomment)
      • extension=php_ldap.dll (uncomment)
      • extension=php_openssl.dll (uncomment)
      • Alternatively, you could also use this php.ini file and copy it to the same folder. This ini file contains all the above modifications.

Note: If you make any changes to PHP.ini, you need to restart the webserver, i.e., run "iisreset" from the command window. Go ahead and do it now, to be sure.

    • PHP is now setup on your system. The next step is to enable IIS to run PHP.
  • Enable IIS to run PHP
    • In the Windows Start Menu choose "Run:", type "inetmgr" and click "Ok"
    • In the IIS Manager user interface select the server node in the "Connections" tree view
    • In the "Features View" page open the "Handler Mappings" feature

03-iis7handlericon.png

    • In the "Actions" pane click "Add Module Mapping...";
    • In the "Add Module Mapping" dialog enter the following:
      • Request path: *.php
      • Module: FastCgiModule
      • Executable: C:\[Path to PHP installation]\php-cgi.exe
      • Name: PHP_via_FastCGI
    • Click "Request Restrictions" button and then configure the mapping to invoke handler only if request is mapped to a file or a folder
    • Click OK on all the dialogs to save the configuration.
    • In the "Features View" page open the "Default Document" feature, click add and add "index.php" to the list of default documents

04-default.PNG

    • Now test if PHP is configured properly with IIS by copying this file to "C:\inetpub\wwwroot" and enter the url to this file (http://localhost/phpinfo.php) in a web-browser. If PHP is configured correctly, you should see the following page. Congratulations!, you have successfully configured IIS to run PHP.

05-phpinfo.PNG

Step 2: Install and configure SimpleSAMLphp

  • Download this package and extract it to "c:\inetpub\wwwroot"
  • Add a new virtual directory in IIS by using IIS Manager. Right-click on "Default Web Site" and select "Add Virtual Directory". Provide "simplesaml" as the Alias and "C:\inetpub\wwwroot\simplesamlphp-1.13.2\www" as the physical path. Click OK to close the dialog.
  • Open a web-browser and navigate to "http://localhost/simplesaml". You should see the following page displayed.

06-simplesaml_load.PNG

  • Open config.php from "C:\inetpub\wwwroot\simplesamlphp-1.13.2\config" in a suitable text editor like notepad++ and edit the following values
    • 'debug' => true,
    • 'auth.adminpassword' => '1234',     (ensure you change this to a different password, default is 123)
    • 'secretsalt' => 'defaultsecretsaltrandom',          (ensure you change this to any random text, default is defaultsecretsalt)
    • 'technicalcontact_email' => '<youremail>@yourcompany.com',           (useful for error notifications)
    • 'logging.level' => SimpleSAML_Logger::DEBUG,
    • 'enable.saml20-idp' => true,               (enables SAML2.0 identity provider)
    • Save config.php and close the file.

Alternatively, you can download and use this config.php and replace/overwrite it at the location (remember to change the email address)

  • Open a web-browser and navigate to "http://localhost/simplesaml". Go to Configuration tab and ensure a green tick mark is displayed against "SAML 2.0 idp" as shown in the image below.

07-samlidpenabled.PNG

Step 3: Configure SimpleSAMLphp to connect with Active Directory

  • Open authsources.php from "C:\inetpub\wwwroot\simplesamlphp-1.13.2\config" in a suitable text editor like notepad++ and uncomment the section containing an example ldap configuration and make the following changes:
    • change 'example-ldap' to 'CompanyName-LDAP' or something appropriate as you desire
    • 'hostname' => 'host.domain.com',
    • 'enable_tls' => FALSE,
    • 'debug' => TRUE,
    • 'timeout' => 10,
    • 'referrals' => FALSE,
    • 'dnpattern' => 'sAMAccountName=%username%,ou=users,dc=company,dc=com',
    • 'search.enable' => TRUE,
    • 'search.base' => 'OU=users,DC=company,DC=com',
    • 'search.attributes' => array('samAccountName'),
    • 'search.username' => 'CN=yourname,OU=Users,DC=company,DC=Com',
    • 'search.password' => ' ***** ',
  • The settings recommended above are minimal and simplest way to connect with Active Directory. You may have to consult your network/systems administrator to obtain this information if this does not work for you.
  • Open a web-browser and navigate to "http://localhost/simplesaml". Go to "Authentication" tab and click on "Test Authentication Sources". You should see "CompanyName-LDAP" as one of the options in the list. Click "CompanyName-LDAP" and provide your organization's enterprise account username and password and test if it is working correctly as shown in following images.

08-ldap.PNG

09-ldap-1.PNG

  • Alternatively, you can download and use this authsources.php and ensure all the above settings are done as shown above.
  • Congratulations! You have successfully configured Active Directory as an authentication source.

 

Step 4: Create certificates using OpenSSL

  • Download and install vcredist_x86
  • Download and install Win32OpenSSL_Light-1_0_1j.exe
  • Open a command prompt and cd into c:\OpenSSL-Win32\bin
  • Run the following commands
    • set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
    • openssl req -new -x509 -days 3652 -nodes -out serverhostname.crt -keyout serverhostname.pem

10-certifca.PNG

    • The above command will create two files hostname.crt and hostname.pem in the same directory (c:\OpenSSL-Win32\bin)
    • Create a new directory named 'cert' in "C:\inetpub\wwwroot\simplesamlphp-1.13.2" and copy these two files to this directory

 

Step 5: Register SimpleSAMLphp as the enterprise identity provider with ArcGIS Online

  • Configure the authentication source you created above as an authentication module in the SimpleSAMLphp IdP. Open saml20-idp-hosted.php from "C:\inetpub\wwwroot\simplesamlphp-1.13.2\metadata" in a text editor and make the following changes
    • 'privatekey' => '<hostname>.pem', (this is the certificate you created in step 4 above)
    • 'certificate' => '<hostname>.crt', (this is the certificate you created in step 4 above)
    • 'auth' => 'Company-ldap', (this is the name you provided in step 3 above)
    • Add the following snippet just after 'auth' and save saml20-idp-hosted.php

 

'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

'authproc' => array(

3 => array(

'class' => 'saml:AttributeNameID',

'attribute' => 'sAMAccountName',

'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

),

),

  • Alternatively, you can download and use this saml20-idp-hosted.php and ensure all the above settings are done as shown above.
  • Register the SimpleSAMLphp identity provider for your ArcGIS Online organization.
    • Verify that you are signed in as an Administrator of your organization and click My Organization > Edit Settings > Security.
    • Within the Enterprise Logins section, click the Set Identity Provider button and enter your organization's name in the window that opens (for example, CyberTech). When users access the portal website, this text displays as part of the SAML sign in option (for example, "Using your CyberTech account").
    • Choose if users will be able to join the organization Automatically or Upon invitation from an administrator. Selecting the first option enables users to sign in to the organization with their enterprise login without any intervention from an administrator; their account is registered with the organization automatically the first time they sign in. The second option requires the administrator invite the necessary users to the organization. When the user receives the invitation, they will be able to sign in to the organization.
    • Provide metadata information for the identity provider. Open http://localhost/simplesaml in a web browser and go to "Federation" tab and click on "Show Metadata" under "SAML 2.0 IdP Metadata". You should see the idP metadata as shown in the image below

11-idpmetadata.PNG

    • Copy the SAML 2.0 Metadata XML format and paste it into a new empty text file and save it as an xml file for e.g., saml-idp-metadata.xml
    • Choose "File" in "Metadata for the Enterprise Identity Provider will be supplied using:" in the Set Identity Provider dialog and browse to the xml file you created in the previous step
    • Click "Set Identity Provider" to close the dialog. You have successfully registered SimpleSAMLphp as the identity provider to ArcGIS Online

 

Step 6: Register ArcGIS Online as the trusted service provider with SimpleSAMLphp

  • Configure ArcGIS Online as a trusted service provider with SimpleSAML by configuring the <SimpleSAMLphp_HOME>/metatadata/saml20-sp-remote.php file
  • Obtain the metadata XML file of your ArcGIS Online organization. To get the metadata file, sign in as an Administrator of your organization and open your organization page. Click the Edit Settings button and the Security tab, and within the Enterprise Logins section, click the Get Service Provider button. This will download an xml file.
  • Convert the XML file you got in the above step to PHP format.
  • SimpleSAMLphp expects the service provider’s metadata information to be provided in PHP format. SimpleSAMLPHP provides an in-built XML to PHP metadata converter which, by default, is available in the "Federation" tab. Use the converter to convert the XML to PHP. You have to open the xml file and copy and paste its contents into the converter and click "Parse" to generate the PHP code. Copy the generated php code to your clipboard from the saml20-sp-remote section under Converted Metadata on the same page.
  • Open the <SimpleSAMLphp_HOME>/metatadata/saml20-sp-remote.php file and paste the configuration of the service provider in PHP format created in previous step
  • Configure the attribute that gets passed as NameID to ArcGIS Online from the SimpleSAMLphp IdP after authenticating the user. To do this, add the attribute at the end of the service provider’s configuration you added in the previous step.Copy and paste the following lines just below the lines you copied in the previous step.

'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

'simplesaml.nameidattribute' => 'samaccountname',

/* The following indicates whether to send all the attributes received from the authentication source to the service provider or not.

If true, it will send, otherwise it will not send all the attributes*/

'simplesaml.attributes' => false,

);

 

Step 7: Test Enterprise Login

  • Enter the url to your organization in your web browser and you should see the login screen with two options as shown below

12-login.PNG

  • Clicking the enterprise login option will redirect you to the simplesamlphp login page where you have to provide your enterprise account credentials and upon successful authentication you are automatically redirected to the organization.
  • Congratulations! You have successfully configured enterprise logins in ArcGIS Online with MS Active Directory.

Outcomes