
SAML Integration using SimpleSAMLphp for ADFS


Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.

Unlike AD SSO, SAML support is not native in Jedox Web, i.e., it requires
additional third-party software and consulting work. For the
authentication of users, it is possible to configure Jedox Web to use
SAML. The SAML integration in Jedox uses SimpleSAMLphp for Active
Directory Federation Services (ADFS).

Note: Jedox Excel Add-in and Jedox Mobile do not support SAML at the
time of writing of this document.

Setup includes the following steps:

1. Installation

2. Exchange metadata

3. Create a service provider configuration in SimpleSAMLphp

4. Create the Relying Party Trust in ADFS 2012R2

5. Jedox customization

Copyright © Jedox AG
1 Installation
1. First, install Jedox (we recommend using the standard paths).

2. Download SimpleSAMLphp here: http://simplesamlphp.org/.

3. Extract it into the docroot directory and rename it simplesaml.
   Linux: (/opt/jedox/ps/htdocs/app/docroot)
   Windows: (C:\Program Files (x86)\Jedox\Jedox Suite\httpd\app\docroot)
   Note: if you change the name to something else, you'll need to keep that in mind when changing the other files.
   Because the whole package now sits under the web docroot, make sure the web server denies direct access to its config/, cert/ and metadata/ directories: only www/ needs to be reachable from the browser, and cert/ will hold the SP's private key after step 5.

4. Open /config/config.php and
   1. update baseurlpath to point from the web root to the www folder, e.g. https://yourserver/simplesaml/www/
   2. change adminpassword to something else (it won't let you keep the default).

5. Generate a certificate and add it to config/authsources.php, as explained in section 1 of the following document: http://simplesamlphp.org/docs/stable/simplesamlphp-sp.

6. Point your browser to whatever you set as the base URL above (e.g. localhost/simplesaml/www/) and you should see the SimpleSAMLphp installation page.

2 Exchange metadata
Open a browser and navigate to the FederationMetadata.xml location at https://adfs_server_addr/FederationMetadata/2007-06/FederationMetadata.xml, where you'll be prompted to save the file to disk. Fetch it over HTTPS from the real ADFS host: this file carries the ADFS signing certificate that SimpleSAMLphp will trust for every assertion it receives.

Open the file and copy its contents to the clipboard.

Browse to your web application's installation of SimpleSAMLphp.

Navigate to the Federation tab and click on XML to simpleSAMLphp metadata converter:

Paste the contents of the file "FederationMetadata.xml" into the "XML metadata" field and click the Parse button:

The page will return two sets of data. For our purposes, the first set, saml20-sp-remote, can be ignored, since we are not using SimpleSAMLphp as an identity provider (that's ADFS' job). Scroll to saml20-idp-remote and copy the contents of this field to the clipboard.

Browse to the installation of SimpleSAMLphp in the Jedox installation and open the metadata folder. Open the file "saml20-idp-remote.php" in your preferred text editor. Paste the converted metadata at the bottom of the file and then save it:

3 Create a service provider configuration in
SimpleSAMLphp
Navigate to your SimpleSAMLphp installation folder in Jedox and open the config folder. Open the file "authsources.php" in your preferred text editor. Here we will create a service provider configuration that uses our ADFS server.

The name of your SP is your choice. In this example, it's called jedox-sp:

The image above shows how the code looks inside
the authsources.php file.

Note that the SP code sets sign.logout, redirect.sign and assertion.encryption, meaning that we need a certificate and key to sign these messages and to decrypt the assertions ADFS encrypts for us. We already did that with step 5 in the installation steps.

The final declaration (signature.algorithm) enforces the best-practice use of SHA-256 (RSA-SHA256) for signatures; ADFS 2012R2 also defaults to SHA-256 for its relying party trusts, so both sides agree.
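As an added example (not the code from the original page's screenshot), here is what such a jedox-sp entry in config/authsources.php looks like with those options set. The ADFS host name, the certificate file names and the 'admin' source are assumptions; the 'idp' value must equal the entityID key of the ADFS block you pasted into saml20-idp-remote.php in section 2.

```php
<?php
// Example jedox-sp entry for config/authsources.php (added example, not the
// code from the original page's screenshot). Assumptions: the ADFS host name,
// the certificate file names and the presence of the 'admin' source.
$config = array(

    // Login for the SimpleSAMLphp web UI; the password is adminpassword in config.php.
    'admin' => array(
        'core:AdminPassword',
    ),

    // The service provider that Jedox Web will use.
    'jedox-sp' => array(
        'saml:SP',

        // null: SimpleSAMLphp uses the SP's own metadata URL as the entityID,
        // which is the value ADFS gets as the federation metadata address.
        'entityID' => null,

        // entityID of ADFS: must match the key of the block pasted into
        // metadata/saml20-idp-remote.php in section 2 (example host name).
        'idp' => 'http://adfs.example.com/adfs/services/trust',

        // No discovery service: always go to the ADFS IdP above.
        'discoURL' => null,

        // Key pair generated in installation step 5, stored in cert/.
        'privatekey'  => 'saml.pem',
        'certificate' => 'saml.crt',

        // Sign LogoutRequest/LogoutResponse and HTTP-Redirect messages, and
        // require ADFS to encrypt assertions to the certificate above.
        'sign.logout'          => true,
        'redirect.sign'        => true,
        'assertion.encryption' => true,

        // Sign with RSA-SHA256 instead of SHA-1.
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ),

);
```

With assertion.encryption set, ADFS needs the SP's encryption certificate; it picks it up from the SP metadata during the Relying Party Trust import in section 4, which is why the wizard's Encryption and Signature tabs should both show a certificate.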

4 Create the Relying Party Trust in ADFS
2012R2
Now that the service provider configuration is complete, SimpleSAMLphp generates the SAML 2.0 SP metadata that we can import into ADFS.

First you’ll need to add the certificate from your SAML environment to
your Trusted Root Certification Authorities:

Navigate to the web application’s SimpleSAML application and click
the Federation tab. In this example, we are using jedox-sp.

If you want to see the metadata, click the Show metadata link, but before you do, copy the Entity ID: URL. We need to give this URL to ADFS when we configure the Relying Party Trust. With entityID left unset in authsources.php, SimpleSAMLphp uses the SP's own metadata URL as its Entity ID, which is why the same URL can be pasted into the federation metadata address field below.

On your ADFS server, open the ADFS Management console, expand Trust Relationships, and select the Relying Party Trusts node. In the Actions pane, click Add Relying Party Trust….

Click Start, then paste the Entity ID URL into the Federation Metadata address field and click Next:

Click OK at the warning screen:

Click your way through the wizard until you reach the Ready To
Add Trust page. Here you’ll want to review the numerous tabs; check
that the Encryption and Signature tabs have certificates associated
with them.

Click Next and the winssoclient “Relying Party Trust” is added:

Select the Relying Party Trust we’ve just added and then click Edit
Claim Rules…

Add an Issuance Transform Rule based on the "Send LDAP Attributes as Claims" template. Select at least UPN; whatever else you select here is your choice, but do add another attribute, such as mail or uid, depending on what you use as the username (in normal cases you use uid). The outgoing claim type you enter here is the attribute name SimpleSAMLphp will see, which matters for the next steps:

Add another Issuance Transform Rule, but this time based on the "Transform an Incoming Claim" template. This one is important and is required to allow SimpleSAMLphp to talk with ADFS: in a typical ADFS setup it maps an incoming claim such as UPN to the outgoing claim type Name ID, so that the SAML response carries the NameID SimpleSAMLphp expects:

Once configured, you should have two Issuance Transform Rules that
appear as follows:

5 Jedox customization
In
Linux: (/opt/jedox/ps/htdocs/app/docroot)
Windows: (C:\Program Files (x86)\Jedox\Jedox Suite\httpd\app\docroot)
add these two files: saml_logged_out.php and saml_logout.php.

saml_logged_out.php

(listing of saml_logged_out.php not reproduced in this copy)

saml_logout.php

(listing of saml_logout.php not reproduced in this copy)
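An added example of a saml_logout.php that uses the SimpleSAMLphp API to start Single Logout; this is not Jedox's shipped file, and the server name, the SP name jedox-sp and the autoloader path are assumptions. saml_logged_out.php is only the page the browser lands on afterwards and needs nothing SAML-specific.

```php
<?php
// saml_logout.php (added example, not Jedox's file). Assumptions: SimpleSAMLphp
// was extracted as docroot/simplesaml (installation step 3), the SP is called
// jedox-sp (section 3) and the server is reachable as https://yourserver/.
require_once __DIR__ . '/simplesaml/lib/_autoload.php';

$returnTo = 'https://yourserver/saml_logged_out.php';

// SimpleSAMLphp 1.x class name; in 2.x it is \SimpleSAML\Auth\Simple.
$as = new SimpleSAML_Auth_Simple('jedox-sp');

if ($as->isAuthenticated()) {
    // Sends a signed LogoutRequest to ADFS (sign.logout => true in
    // authsources.php), ends the SimpleSAMLphp session and redirects the
    // browser to $returnTo once ADFS answers. logout() does not return.
    $as->logout(array('ReturnTo' => $returnTo));
}

// No SAML session: nothing to tell ADFS, go straight to the landing page.
header('Location: ' . $returnTo, true, 302);
exit;
```

Single Logout only ends the sessions at ADFS and in SimpleSAMLphp; whatever Jedox session the user already holds has to be ended by the Jedox logout action that calls this script, not replaced by it.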

In
Linux: (/opt/jedox/ps/htdocs/app/docroot/ui/login)
Windows: (C:\Program Files (x86)\Jedox\Jedox Suite\httpd\app\docroot\ui\login)
replace the file index.php with the newly created index.php.

IMPORTANT!
Here you'll need to change the uid to whatever you've named the attribute in your Claim Rule (see previous steps). If you named it uid, you can use the script as it is; otherwise check the "saml login" part.

index.php

This needs to be added to the index.php. This is an example of how you could realize the SAML negotiation and return username and password to the SupervisionServer. For $pass = <AUTH_TOKEN>; you can decide what kind of information you'd like to use for the check; in this case, it's returned as the password. Whatever you choose must be something a client cannot make up on its own (the username alone, or a fixed string, would let anyone skip the SAML step by logging in to the OLAP server directly), and the Supervision Server must verify exactly that value.

(listing of index.php not reproduced in this copy)

Add the following entries to:
Linux: (/opt/jedox/ps/Data/palo.ini)
Windows: (C:\Program Files (x86)\Jedox\Jedox Suite\olap\data\palo.ini)

worker /svs-Linux-x86_64/SupervisionServer

workerlogin authorization

Change the file
Linux: (/opt/jedox/ps/svs-Linux-x86_64/SupervisionServer/sep.inc.php)
Windows: (C:\Program Files (x86)\Jedox\Jedox Suite\svs\sep.inc.php)
to point to the needed PHP script. For example:

(listing not reproduced in this copy)

Use the OnUserAuthenticate function (instead of the standard function for the Supervision Server) to check and allow access to Jedox. This is an example script that checks whether the user exists. You'll need to add some code for a check and return true. Do not return true merely because the user exists: with workerlogin authorization, OnUserAuthenticate is the password check for every OLAP login, so it has to verify the <AUTH_TOKEN> that index.php passed as the password.

(listing of the OnUserAuthenticate example not reproduced in this copy)
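As an added example serving both the index.php passage and the sep.inc.php OnUserAuthenticate passage above (not Jedox's code, and not the listings the original page carried), here is one way to fill in <AUTH_TOKEN> so that the Supervision Server can actually verify it: index.php signs the SAML-supplied uid and a timestamp with a secret shared with sep.inc.php, and OnUserAuthenticate recomputes the MAC. The SP name jedox-sp, the attribute name uid, the autoloader path, the secret file's location and the (username, password) parameters of OnUserAuthenticate are assumptions.

```php
<?php
// Added example (not Jedox's or SimpleSAMLphp's code) for the <AUTH_TOKEN> the
// page leaves open. The token helpers are shared: index.php builds the token,
// sep.inc.php verifies it in OnUserAuthenticate. Assumptions are marked.

define('SAML_SP_NAME', 'jedox-sp');    // SP name from section 3 (assumption)
define('SAML_UID_ATTRIBUTE', 'uid');   // outgoing claim name from the ADFS rule
define('SAML_TOKEN_MAX_AGE', 60);      // seconds a token stays valid

// Secret shared by the web front end and the Supervision Server. Assumption:
// kept in a file outside the docroot, readable only by those two processes.
function saml_shared_secret() {
    $secret = trim((string) @file_get_contents('/opt/jedox/ps/saml_secret.txt'));
    if (strlen($secret) < 32) {
        throw new RuntimeException('SAML shared secret missing or too short');
    }
    return $secret;
}

// Token = "<unix time>.<hex HMAC-SHA256 over uid and time>". Binding the uid
// into the MAC means a token issued for alice cannot be replayed as bob.
function saml_make_token($uid, $secret, $now) {
    $ts = (string) $now;
    return $ts . '.' . hash_hmac('sha256', $uid . "\n" . $ts, $secret);
}

function saml_verify_token($uid, $token, $secret, $now, $maxAge) {
    $parts = explode('.', (string) $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || strlen($parts[1]) !== 64) {
        return false;
    }
    list($ts, $mac) = $parts;
    $age = $now - (int) $ts;
    if ($age < -5 || $age > $maxAge) {   // expired, or stamped in the future
        return false;
    }
    $expected = hash_hmac('sha256', $uid . "\n" . $ts, $secret);
    return hash_equals($expected, $mac);  // constant-time compare (PHP >= 5.6)
}

// ---- index.php side (docroot/ui/login/index.php) ----------------------------
// Returns the username and "password" to hand to Jedox for the login request.
function saml_login_credentials() {
    // ui/login/ -> docroot/simplesaml (assumes the name from installation step 3)
    require_once __DIR__ . '/../../simplesaml/lib/_autoload.php';

    $as = new SimpleSAML_Auth_Simple(SAML_SP_NAME);  // \SimpleSAML\Auth\Simple in 2.x
    $as->requireAuth();     // not logged in yet: redirect to ADFS, back here after
    $attrs = $as->getAttributes();

    if (empty($attrs[SAML_UID_ATTRIBUTE][0])) {
        throw new RuntimeException(
            'assertion carries no ' . SAML_UID_ATTRIBUTE . ' attribute; check the claim rule');
    }
    $uid = $attrs[SAML_UID_ATTRIBUTE][0];

    return array(
        'user' => $uid,
        'pass' => saml_make_token($uid, saml_shared_secret(), time()),
    );
}

// ---- sep.inc.php side (Supervision Server) ----------------------------------
// Replaces the standard function. With "workerlogin authorization" this is the
// password check for every OLAP login, so it must verify the token, not merely
// confirm that the user exists.
function OnUserAuthenticate($username, $password) {
    // The existence check from the original script would go here as well.
    return saml_verify_token($username, $password, saml_shared_secret(),
                             time(), SAML_TOKEN_MAX_AGE);
}
```

A captured token can be replayed within its 60-second lifetime; TLS between browser and Jedox and the short window are what limit that, and recording used timestamps per user on the Supervision Server side closes it entirely. The two processes also need the same clock and the same secret file.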
