Federations Configuration

Federations configuration is done in the session controller - two different formats are supported.

For backwards compatibility, the old name/value-pair style of configuration, documented under JWT / OpenID Connect, Microsoft ADFS Integration and WebSSO SAML, is still supported.

The newer standard uses a JSON configuration, with a full user interface for editing it available in Ceptor Console. The JSON approach is preferred, and new capabilities will only be added to it.

The actual configuration is saved in the regular configuration file within Ceptor Configuration Server, but the entire JSON structure is held in a single property called federations_JSON_

Below is an example containing entries for both SAML and JWT identity providers, as well as service providers / clients / partners / relying parties. Note that some secrets in the example are placeholder plaintext values (for example "secret" and "password") while others use the {encoded} form; in a real configuration the {encoded} form shown for the keystore passwords and identity-provider secrets should be used for all secret values.


Example federation configuration
{
  "oauth2.datastoreclass": "dk.itp.security.authentication.oauth.data.OAuthSQLStore",
  "proxy": {
    "enabled": false,
    "port": 8080
  },
  "tokens": [
    {
      "name": "sample",
      "validaudiences": [],
      "include.in.jwks.metadata": true,
      "claims": [
        "sub=userid",
        "groups=groups",
        "name=username"
      ],
      "issuer": "https://www.portalprotect.dk",
      "keyid": "k1",
      "algorithm": "RS256",
      "expiration.minutes": 10,
      "notbefore.minutes.in.past": 2,
      "openidconnect": true,
      "keystore": {
        "provider": "BC",
        "type": "PKCS12",
        "file": "${ceptor.home}/config/x509/nemid/kr.pfx",
        "password": "{encoded}96E1FAF9F9578720",
        "password.per.alias": []
      },
      "relax.key.checks": false,
      "expires.at.exact.time": false,
      "require.subject": true,
      "fieldmappers": []
    },
    {
      "name": "sample2",
      "description": "Example token that uses a secret key",
      "validaudiences": [],
      "include.in.jwks.metadata": false,
      "expiration.minutes": 30,
      "claims": [
        "sub=userid",
        "groups=groups",
        "name=username"
      ],
      "openidconnect": true,
      "userid.attribute.name": "sub",
      "username.attribute.name": "name",
      "role.attribute.name": "groups",
      "role.pattern": "^admin*",
      "relax.key.checks": false,
      "expires.at.exact.time": false,
      "require.subject": true,
      "secretkey": "secret",
      "issuer": "https://ceptor.io/secret",
      "algorithm": "HS256"
    },
    {
      "name": "google",
      "description": "Allows validation of tokens issued by Google",
      "issuer": "accounts.google.com",
      "validaudiences": ["371213948273-79eceu24cm64ft69pln0hk2lfapok1bq.apps.googleusercontent.com"],
      "include.in.jwks.metadata": false,
      "claims": [],
      "openidconnect": false,
      "relax.key.checks": false,
      "expires.at.exact.time": false,
      "require.subject": true,
      "signer.certificates.url": "https://www.googleapis.com/oauth2/v1/certs"
    },
    {
      "name": "microsoft",
      "issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
      "validaudiences": ["317190f9-efec-4307-beb9-7f8380a8ae16"],
      "include.in.jwks.metadata": false,
      "claims": [],
      "openidconnect": false,
      "relax.key.checks": false,
      "expires.at.exact.time": false,
      "require.subject": true,
      "signer.certificates.url": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
      "signer.certificates.refresh.interval.minutes": 120,
      "userid.attribute.name": "preferred_username",
      "username.attribute.name": "name"
    }
  ],
  "oauth2.defaulttoken": "sample",
  "openid.scopes": [
    {
      "name": "email",
      "description": "Email address in userinfo",
      "idtoken": ["email=email1"],
      "accesstoken": [],
      "userinfo": ["email=email1"]
    },
    {
      "name": "profile",
      "description": "User name",
      "idtoken": ["name=username"],
      "accesstoken": ["name=username"],
      "userinfo": ["name=username"]
    }
  ],
  "openid.fields": [{
    "name": "address",
    "description": "User address",
    "attributes": [
      "street_address=address1",
      "locality=city",
      "region=state",
      "postal_code=postal",
      "country=country"
    ]
  }],
  "openid.identityproviders": [
    {
      "name": "facebook",
      "description": "Authenticate using facebook",
      "clientid": "624082557774373",
      "secret": "{encoded}F89141217749F5FA6306CAF6F9656965F3A5A8E3069BE032136125F3A4B27183",
      "tokenurl": "https://graph.facebook.com/v2.9/oauth/access_token",
      "facebook": true,
      "linkedin": false,
      "fieldmappers": []
    },
    {
      "name": "google",
      "description": "Google as an identity provider",
      "clientid": "371213948273-79eceu24cm64ft69pln0hk2lfapok1bq.apps.googleusercontent.com",
      "secret": "{encoded}806F9FE0C7CBC28D5777D6DE91772DA4961482568956695A",
      "tokenurl": "https://accounts.google.com/o/oauth2/token",
      "facebook": false,
      "linkedin": false,
      "fieldmappers": []
    },
    {
      "name": "microsoft",
      "description": "Authenticate using microsoft as identity provider",
      "clientid": "317190f9-efec-4307-beb9-7f8380a8ae16",
      "secret": "{encoded}9EED6C32369008FE6F3DC027CC0C2195137300594A2620",
      "tokenurl": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
      "facebook": false,
      "linkedin": false,
      "fieldmappers": []
    }
  ],
  "oauth2.accesstoken.datastoreclass": "dk.itp.security.authentication.oauth.data.AccessTokenSQLStore",
  "oauth2.refreshtoken.datastoreclass": "dk.itp.security.authentication.oauth.data.RefreshTokenSQLStore",
  "oauth2.datastorename": "datastore-primary",
  "oauth2.clients": [{
    "name": "Sample",
    "client_id": "https://www.example.com/",
    "description": "Example client",
    "client_secret": "secret",
    "accesstoken_type": "UUID",
    "allowed_uris": ["https://www.example.com/oauth2"],
    "allowed_logout_uris": [],
    "valid_grant_types": [
      "authorization_code",
      "implicit",
      "hybrid",
      "refresh_token"
    ],
    "allowed_scopes": [
      "openid",
      "profile",
      "offline_access"
    ],
    "refreshtoken_validity_seconds": 86400,
    "maximum_idtoken_expiration_minutes": 120
  }],
  "saml.identityproviders": [
    {
      "name": "azure",
      "description": "Azure Cloud Identity Provider",
      "display.name": "Ceptor Test",
      "identifier": "https://ceptor.io",
      "subject.as.userid": false,
      "userid.attribute.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "username.attribute.name": "http://schemas.microsoft.com/identity/claims/displayname",
      "role.attribute.name": "role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "url": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/wsfed",
      "known.ip.list": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/wsfed",
      "metadata.url": "https://login.microsoftonline.com/75700533-6f5e-4bd3-8730-8b46858f4e2c/federationmetadata/2007-06/federationmetadata.xml",
      "metadata.update.interval.minutes": 120
    },
    {
      "name": "microsoft",
      "description": "Use Microsoft online as Identity Provider",
      "display.name": "Microsoft",
      "identifier": "317190f9-efec-4307-beb9-7f8380a8ae16",
      "subject.as.userid": true,
      "userid.attribute.name": "upn;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
      "username.attribute.name": "name;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "role.attribute.name": "role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
      "url": "https://login.microsoftonline.com/common/wsfed",
      "metadata.url": "https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml",
      "serviceprovider.metadata": "<?xml version=\"1.0\"?>\r\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\"\r\n\t\t\t\t\t xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"\r\n                     validUntil=\"%{validuntil}\"\r\n                     cacheDuration=\"PT1440M\"\r\n                     entityID=\"317190f9-efec-4307-beb9-7f8380a8ae16\">\r\n    <md:SPSSODescriptor AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n        <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\r\n                                Location=\"https://my.server.name/logout\" />\r\n        <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\r\n                                Location=\"https://my.server.name/logout\" />\r\n        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent<\/md:NameIDFormat>\r\n        <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\r\n                                     Location=\"https://my.server.name/adfs\"\r\n                                     index=\"1\" />\r\n\t\t<md:AttributeConsumingService index=\"0\" isDefault=\"true\">\r\n\t\t  <md:ServiceName xml:lang=\"da\">SP<\/md:ServiceName>\r\n\t\t<\/md:AttributeConsumingService>\r\n    <\/md:SPSSODescriptor>\r\n    <md:Organization>\r\n       <md:OrganizationName xml:lang=\"en-US\">My organisation<\/md:OrganizationName>\r\n       <md:OrganizationDisplayName xml:lang=\"en-US\">My org<\/md:OrganizationDisplayName>\r\n       <md:OrganizationURL xml:lang=\"en-US\">https://my.server.name<\/md:OrganizationURL>\r\n    <\/md:Organization>\r\n    <md:ContactPerson contactType=\"technical\">\r\n        <md:GivenName>Techcontact<\/md:GivenName>\r\n        <md:EmailAddress>tech@mail.dk<\/md:EmailAddress>\r\n    <\/md:ContactPerson>\r\n    <md:ContactPerson contactType=\"support\">\r\n      
  <md:GivenName>Support<\/md:GivenName>\r\n        <md:EmailAddress>support@mail.dk<\/md:EmailAddress>\r\n    <\/md:ContactPerson>\r\n<\/md:EntityDescriptor>"
    }
  ],
  "saml.serviceproviders": [
    {
      "name": "local",
      "description": "Local example service provider",
      "keystore": {
        "file": "${ceptor.home}/config/x509/issuer/certissuer.pfx",
        "password": "password",
        "password.per.alias": []
      },
      "display.name": "Local Ceptor Test ADFS",
      "url": "https://adfs.itptest.dk/adfs/ls/",
      "issuer": "http://www.portalprotect.dk/adfs/services/trust",
      "identifiers": ["http://adfs.itptest.dk/adfs/services/trust"],
      "attributes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1"
      ],
      "identityprovider.metadata": "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"%{validuntil}\" cacheDuration=\"PT1440M\" entityID=\"http://www.portalprotect.dk/adfs/services/trust\">\r\n  <md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n    <md:KeyDescriptor use=\"signing\">\r\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n        <ds:X509Data>\r\n          <ds:X509Certificate>%{signcert}<\/ds:X509Certificate>\r\n        <\/ds:X509Data>\r\n      <\/ds:KeyInfo>\r\n    <\/md:KeyDescriptor>\r\n    <md:KeyDescriptor use=\"encryption\">\r\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n        <ds:X509Data>\r\n          <ds:X509Certificate>%{encryptcert}<\/ds:X509Certificate>\r\n        <\/ds:X509Data>\r\n      <\/ds:KeyInfo>\r\n    <\/md:KeyDescriptor>\r\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.my.server/logoff\"/>\r\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.my.server\"/>\r\n  <\/md:IDPSSODescriptor>\r\n  <md:Organization>\r\n    <md:OrganizationName xml:lang=\"en-US\">orgname<\/md:OrganizationName>\r\n    <md:OrganizationDisplayName xml:lang=\"en-US\">orgdispname<\/md:OrganizationDisplayName>\r\n    <md:OrganizationURL xml:lang=\"en-US\">http://my.org<\/md:OrganizationURL>\r\n  <\/md:Organization>\r\n  <md:ContactPerson contactType=\"technical\">\r\n    <md:GivenName>techname<\/md:GivenName>\r\n    <md:EmailAddress>tech@mail.dk<\/md:EmailAddress>\r\n  <\/md:ContactPerson>\r\n  <md:ContactPerson contactType=\"support\">\r\n    <md:GivenName>support name<\/md:GivenName>\r\n    <md:EmailAddress>support@mail.dk<\/md:EmailAddress>\r\n  <\/md:ContactPerson>\r\n<\/md:EntityDescriptor>",
      "saml.response.script": "%{script:groovy}def log = org.slf4j.LoggerFactory.getLogger(\"samlscript\")\r\n\r\n// Parse the SAML Response\r\ndef samlResponse = new XmlParser().parseText( saml )\r\nlog.info(\"SAML Issuer: {}\", samlResponse.Issuer)\r\n\r\n// Find the AttributeStatement entry\r\ndef attrStatement = samlResponse.Assertion.AttributeStatement[0]\r\n\r\n// Add a new Attribute with a name and an AttributeValue\r\ndef attr = attrStatement.appendNode('Attribute',[Name: 'AdditionalInfo'])\r\nattr.appendNode('AttributeValue', [:], 'SomeValue')\r\n\r\ndef result = XmlUtil.serialize(samlResponse)\r\nlog.debug(\"SAML response modified to {}\", result)\r\n\r\nreturn result"
    },
    {
      "name": "adfs",
      "description": "Microsoft AFDS as a Service Provider, using Ceptor as Identity Provider",
      "display.name": "Ceptor Test ADFS2",
      "url": "https://adfs2.itptest.dk/adfs/ls/",
      "issuer": "https://www.pptest.dk:4443/adfs",
      "identifiers": [
        "https://www.pptest.dk:4443/adfs",
        "http://adfs2.itptest.dk/adfs/services/trust"
      ],
      "attributes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1"
      ],
      "keystore": {
        "file": "${ceptor.home}/config/x509/issuer/certissuer.pfx",
        "password": "password",
        "password.per.alias": []
      }
    }
  ]
}
