Unique authentication with ADFS


Octopus can connect to your centralized authentication system (Single Sign-On) to simplify access to the application. (Note that this authentication is only available to hosted customers.)

Unique authentication works for:

  • The Web Portal for the requesters
  • The Application for the assignees

NOTE :

Before considering this solution, make sure you have resources available with the expertise to implement and support the ADFS solution, since this expertise is not available from Octopus support. We are limited to activating this option on our servers.

Prerequisites

To activate the integrated authentication solution, you must first have a federation infrastructure that meets the following requirements:

  • An Active Directory Federation Services 3.0 set up without token encryption
  • Activate OauthClient on the ADFS server.
  • Please note that the Octopus team doesn't provide support for metadata. You must configure ADFS manually.
  • Create a Relying Party for each of the following URLs:
    • https://app1.octopus-itsm.com
    • https://app3.octopus-itsm.com
    • https://app4.octopus-itsm.com
    • https://app.octopus-itsm.com
    • https://MyDatabase.octopus-itsm.com (create a relying party for each of your databases)
  • Make sure you do not add endpoints to any of our Relying Parties.
  • Activate the WS-Federation Passive protocol only, with the URL stated in the previous list.
  • Create a custom rule to authorize the following claims: name, emailaddress, givenname, surname, using the following:

    c:[
      Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
      Issuer == "AD AUTHORITY"
    ]
    => issue(
      store = "Active Directory",
      types = (
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
      ),
      query = ";sAMAccountName,mail,givenName,sn;{0}",
      param = c.Value
    );

  • A proxy server for your federation, visible on the Web
  • An SSL certificate recognized by all machines that will use the authentication
  • Adding the federation service to the Intranet zone on all machines that will use the authentication
  • Setting up a process to actively manage certificate rollover, either by disabling automated certificate rollover or by taking action right before the rollover (the token-signing thumbprint Octopus trusts changes with every rollover)
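The following PowerShell script is an added example, not a script from the Octopus documentation. It creates the relying party trusts listed above on an AD FS 3.0 server using the standard ADFS cmdlets, applies the claim rule shown above, sets only the WS-Federation passive endpoint, and finishes with the rollover check. It assumes it is run in an elevated session on the AD FS server; "mydatabase" is a placeholder for your own database name.

```powershell
# Added example (not Octopus's own script): create the Octopus relying party trusts
# on AD FS 3.0 with the claim rule from the prerequisites list.
# Assumptions: elevated PowerShell on the AD FS server; "mydatabase" is a placeholder.

Import-Module ADFS

# One relying party per URL; add one entry per Octopus database you host (lowercase).
$relyingParties = @(
    "https://app1.octopus-itsm.com",
    "https://app3.octopus-itsm.com",
    "https://app4.octopus-itsm.com",
    "https://app.octopus-itsm.com",
    "https://mydatabase.octopus-itsm.com"
)

# Issuance transform rule from the page: look up the four claims in Active Directory,
# keyed on the Windows account name of the authenticated user.
$transformRules = @'
@RuleName = "Octopus claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";sAMAccountName,mail,givenName,sn;{0}",
          param = c.Value);
'@

# Issuance authorization rule: the AD FS default "permit everyone". Replace it with a
# group-based rule if only a subset of your AD users should be able to reach Octopus.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

foreach ($url in $relyingParties) {
    if (Get-AdfsRelyingPartyTrust -Identifier $url) {
        Write-Host "Relying party $url already exists, skipping"
        continue
    }
    # -WSFedEndpoint is the single WS-Federation passive endpoint the page asks for;
    # no SAML or other endpoints are added. -EncryptClaims $false = "without encryption".
    Add-AdfsRelyingPartyTrust -Name ("Octopus - " + ([Uri]$url).Host) `
        -Identifier $url `
        -WSFedEndpoint $url `
        -EncryptClaims $false `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
    Write-Host "Created relying party trust for $url"
}

# Verification: every Octopus trust should show its WS-Fed endpoint and EncryptClaims = False.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.Identifier -like "https://*octopus-itsm.com*" } |
    Select-Object Name, Identifier, WSFedEndpoint, EncryptClaims

# Rollover check: if AutoCertificateRollover is True, AD FS will generate a new
# token-signing certificate on its own and the thumbprint given to Octopus will go stale.
Get-AdfsProperties | Select-Object AutoCertificateRollover
```

If AutoCertificateRollover is True, either run Set-AdfsProperties -AutoCertificateRollover $false and manage the certificate yourself, or put a calendar reminder ahead of the rollover date so the new thumbprint and certificate can be sent to Octopus before users are locked out.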

Active Directory configuration possibilities being endless, Octopus cannot offer technical support on setting up these requirements; you must make sure that you have an internal resource with the necessary knowledge to help you obtain what is needed.

As you set up ADFS, you must ensure that the Octopus usernames match existing ADFS ones.


Scheduled tasks and integration tools

Special consideration must be given to the accounts used to run integration tasks, as detailed here:

  • Integration tools (MailIntegration, ADSIReader, etc.) will present to the ADFS authority the same identity that has been configured to run the scheduled task. You must make sure that the accounts used are recognized by your ADFS server.
  • The ADFS server will then present that same identity to Octopus. It must at a minimum be associated with an Octopus user account bearing the same Windows login name, having a Batch licence and an associated role.
  • When enabling ADFS on your environment, the /Login and /Password switches become superfluous; we recommend you remove them. The /Team switch must remain.


Go live phase

Once the ADFS infrastructure is in place, you must provide us with the following information so we can plan the production phase:

  • The full address of your proxy server published on the Internet (for example: https://adfs.your-domain-name.com)
  • The thumbprint of your token-signing SSL certificate (for example: 12 d4 87 2b c3 ef 01 9e 7e 0b 6f 13 24 80 ae 29 db 5b 1c a3).
  • The content of your token-signing SSL certificate in Base-64 format (see how to below)
  • Which functionality will use Single Sign-On:
    • The Web Portal for the requesters.
    • The Application for the assignees (WinUI/WebTech).
    • Both.

Frequently asked questions related to setting up ADFS

How does Octopus work with ADFS?

Once ADFS mode is in place, Octopus is no longer in charge of authenticating users. When a user tries to connect, the Octopus server redirects the authentication request to your ADFS server and waits for a session token issued by that server. The user's system then uses the session token to authenticate to Octopus.

If my ADFS service is unavailable, how can I connect to Octopus?

In case of an ADFS outage, we are not able to support your ADFS. The Octopus helpdesk team can suspend ADFS mode and allow users to connect to the system with their old passwords. If required, an assignee's password can be changed to restore his/her access.

Can I use a self-signed SSL certificate to set up ADFS?

Yes, but you must make sure that the certificate is properly distributed across your IT installation. Otherwise, users will be impacted: each of them would have to manually accept the certificate as trustworthy.

How can I extract my certificate thumbprint?

From your ADFS service manager, select the token-signing certificate, open its properties dialog, select the Details tab, then select the "Thumbprint" field.

How can I extract my certificate?

From your ADFS service manager, select the token-signing certificate, open its properties dialog, select the Details tab, then click "Copy to File" and follow the steps. When prompted for the format, select Base-64.
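The two answers above describe the graphical route. The script below is an added example, not part of the Octopus documentation, that produces the same two values (thumbprint and Base-64 certificate) from PowerShell using the ADFS cmdlets, which is easier to repeat before each certificate rollover. It assumes it is run in an elevated session on the AD FS server and writes the output files to the desktop; the file names are the author's own choice.

```powershell
# Added example (not from the Octopus documentation): read the primary token-signing
# certificate from AD FS and write the thumbprint and Base-64 (PEM) certificate to files.
# Assumption: elevated PowerShell on the AD FS server.

Import-Module ADFS

# AD FS may hold two token-signing certificates around a rollover; Octopus needs the
# primary one, which is the one that actually signs tokens today.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

$cert = $tokenSigning.Certificate   # X509Certificate2

# Thumbprint in the spaced, lowercase form shown in the go-live section.
$thumbprint = ($cert.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()

# Base-64 export of the public certificate only (same as "Copy to File" > Base-64).
# X509ContentType::Cert never includes the private key, so this file is safe to send.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"

$outDir = "$env:USERPROFILE\Desktop"
$thumbprint | Set-Content -Path "$outDir\octopus-token-signing-thumbprint.txt"
$pem        | Set-Content -Path "$outDir\octopus-token-signing.cer"

# Summary for the go-live request; NotAfter tells you when the next rollover is due.
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Not after  : $($cert.NotAfter)"
Write-Host "Thumbprint : $thumbprint"
Write-Host "Files written to $outDir"
```

The expiry date printed at the end is the one to track: once the certificate is renewed, the thumbprint Octopus trusts no longer matches and sign-in fails until the new values are sent.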

How can I activate OauthClient?

From a PowerShell command prompt, enter the following commands, replacing "mysite" with your site name:

    Add-AdfsClient -Name "octopus-itsm.com" -ClientId "octopus-itsm.com" -RedirectUri @(
        "https://mysite.octopus-itsm.com/", "https://mysite.octopus-itsm.com/octopus/",
        "https://app.octopus-itsm.com/mysite/", "https://app.octopus-itsm.com/mysite/octopus/",
        "https://app1.octopus-itsm.com/mysite/", "https://app1.octopus-itsm.com/mysite/octopus/",
        "https://app2.octopus-itsm.com/mysite/", "https://app2.octopus-itsm.com/mysite/octopus/",
        "https://app3.octopus-itsm.com/mysite/", "https://app3.octopus-itsm.com/mysite/octopus/"
    )

    Enable-AdfsEndpoint -TargetAddress "/adfs/oauth2/"

  • Make sure your site name is all lowercase.
  • Make sure you include the trailing slash in each Redirect URI.

Is Octopus able to work with other providers supporting the WS-Federation Standard?

While other providers compliant with the standard could theoretically work, none of them have been tested. The only combination that is known to work and has been tested is Octopus with ADFS 2.0 behind an ADFS 2.0 Proxy.

How can I allow automatic sign-in for Chrome and Firefox?

By default, ADFS 3.0 does not allow Kerberos/NTLM automatic sign-in for all browsers. Therefore, even when the user is inside the corporate network, he is redirected to a login page instead of benefiting from true automatic sign-in.

Here are useful links to help you understand and resolve this issue:
- ADFS v3 on Server 2012 R2 – Allow Chrome to automatically sign-in internally
- Configuring intranet forms-based authentication for devices that do not support WIA 

How can I troubleshoot the unique authentication when it does not work?

The same way you would troubleshoot most of the other secured services you offer on the Internet:

  • From a global point of view, make sure that DNS correctly resolves your proxy server
  • That your firewall authorizes secured communications to your proxy server
  • That your proxy server receives connection attempts from your customers/users
  • That the ADFS service works properly on your proxy server
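The checklist above can be run from any Windows client outside your network. The script below is an added example, not from the Octopus documentation, that walks the four checks in order and additionally reads the token-signing certificate your proxy publishes so you can compare it with the thumbprint you gave Octopus. It assumes "adfs.your-domain-name.com" (the placeholder from the go-live section) is your published proxy address, and it uses the standard AD FS federation metadata path.

```powershell
# Added example (not from the Octopus documentation): run the troubleshooting
# checklist against the published federation proxy from an external client.
# Assumption: $proxyHost is the placeholder proxy name from the go-live section.

$proxyHost = "adfs.your-domain-name.com"

# 1. DNS: the public name must resolve from the Internet.
$dns = Resolve-DnsName -Name $proxyHost -Type A -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "DNS: $proxyHost does not resolve"; return }
Write-Host "DNS OK: $proxyHost -> $($dns.IPAddress -join ', ')"

# 2. Firewall: TCP 443 to the proxy must be open.
$tcp = Test-NetConnection -ComputerName $proxyHost -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { Write-Warning "Firewall: TCP 443 to $proxyHost is blocked"; return }
Write-Host "TCP 443 OK"

# 3 and 4. The proxy answers, and the AD FS service behind it serves its federation metadata.
$metadataUrl = "https://$proxyHost/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -TimeoutSec 15
} catch {
    Write-Warning "Proxy/AD FS: $metadataUrl failed: $($_.Exception.Message)"
    return
}
[xml]$metadata = $resp.Content
Write-Host "AD FS OK: metadata served, entityID = $($metadata.EntityDescriptor.entityID)"

# Extra: the token-signing certificate published in the metadata must match the
# thumbprint sent to Octopus; a mismatch after a rollover is a common cause of failures.
$ns = @{ md = "urn:oasis:names:tc:SAML:2.0:metadata"; ds = "http://www.w3.org/2000/09/xmldsig#" }
$signingB64 = (Select-Xml -Xml $metadata -Namespace $ns `
    -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate").Node.InnerText |
    Select-Object -First 1
$signingCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($signingB64))
Write-Host "Published token-signing thumbprint: $($signingCert.Thumbprint)"
Write-Host "Valid until: $($signingCert.NotAfter)"
```

If the first three steps pass but the metadata request fails, the problem is on the proxy or the AD FS service itself rather than in the network path; if everything passes but users still cannot sign in, compare the printed thumbprint with the one Octopus has on file.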

Our team does not have the expertise to deploy a federation service. Can you supply a provider name that could help us reach our goal?

Unfortunately, Octopus cannot recommend any provider at the moment.
