Config Azure AD authentication on tomcat

Just made a simple demo project (not for production purposes) that shows you how you can use the Azure Active Directory as a REALM for your authentication. Nowadays you would use a framework that does 3rd party authentication for you…your custom authenticator will use a third party framework that federates the authentication to a (trusted) 3rd party like Facebook or Google.

Please note that this is NOT the way to use AAD in a production environment.
This is Demo code to show how you can (mis)use AAD as a LDAP solution.
In future I will create a federated authentication solution using AAD.

Here is the project: https://github.com/cvugrinec/microsoft/tree/master/java-webapp-tomcat-aad

Here you see the code in action: https://youtu.be/i61I3muADDA

picketlink implementation notes for websphere

Schermafbeelding 2016 01 28 om 08 44 08


Flow in a nutshell

User acces the application

  • The default deployment descriptor will state that this is a protected resource and needs to be handled by its container
  • The application does its security stuff within the context of websphere security domain, within this domain it is configured to make access to this application only available via a TAI (Trusted Authentication Interceptor)
  • The TAI is configured that authentication errors (which is the case if you access the application the 1st time) should be redirected to the IDP, the TAI makes sure that an authentication (LTPA) cookie is also set:
  • We have configured a SP which an SAML authentication request and sends the request to the IDP
  • The IDP will authenticate and create a SAML token, however due to problems with Websphere accepting the SAML token we had to write a custom Authentication Handler that generates the SAML token according to Websphere standards
  • The IDP redirect to the Assertion Consumer Provider which is basically a webapp which is deployed on Websphere
  • The ACS checks if the SAML token is correct and uses the username from the token to check if the user exists in it’s local LDAP The IDP contains also a X509 certificate which is used as a identifier…this certificate is used by the ACS to check if the certificate is trusted
  • After all ACS checks (X509 check/ SAML token and LDAP check) have been verified, the user is allowed to access the application
  • The ACS uses the Cookie in order to redirect to the appropriate APP, the name of the cookie is: WasSamlSPReqURL  
The Picketlink Authentication HandlerIn order to implement this handler, we have added a module in JBoss with the following config:

<?xml version="1.0" encoding="UTF 8"?> 
<module xmlns="urn:jboss:module:1.1" name=“companyhandler">
<resources> 
<resource root path="idp idp handler 2.1.8.Final.jar"/>
</resources>
<dependencies>
 <module name="org.picketlink"/>
 <module name="org.picketlink.config"/>
<module name="org.picketlink.federation"/>
<module name="org.picketlink.common"/>
<module name="javax.api"/>
 <module name="javax.servlet.api"/>
<module name="org.picketbox"/>
…..
</dependencies>
</module>
 
The main part is in the companySAML2AuthenticationHandler which is an extension of SAML2AuthenticationHandler…this handle overrides the handleRequestType method….basically it does the same…but in order for Websphere to accept this token it needs to get rid of the InResponseTo attribute…

The following code snippet was added:

Document samlResponse = this.getResponse(request); 
Node entries = samlResponse.getFirstChild();
NamedNodeMap nnm = entries.getAttributes();
nnm.removeNamedItem("InResponseTo");
NodeList nList = samlResponse.getElementsByTagName("saml:SubjectConfirmationData"); 
for (int temp = 0; temp < nList.getLength(); temp++) {
Node nNode = nList.item(temp);
Element eElement = (Element) nNode; nnm = eElement.getAttributes();
nnm.removeNamedItem("InResponseTo");
}

The code is called in the IDP by configuring the following in the webapp/WEB INF/picketlink.xml file


<Handlers xmlns="urn:picketlink:identity federation:handler:config:2.1">
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler class="es.company.jboss_poc.CompanySAML2AuthenticationHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
</Handlers>

<! The following was commented out…..is replaced by the es.company.jboss_poc.CompanySAML2AuthenticationHandler

<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />

The Websphere TAI only accepts keys from trusted parties…in the IBM documentation it is stated how to configure the keystore… We made ourselves known to Websphere (The TAI is accepting communication with us) by doing the following:

Created our own keystore:

keytool genkey validity 10000 alias HOSTNAME keyalg RSA keysize 1024 dname "CN=HOSTNAME, O=Company, C=ES” keypass PASSWORD keystore identity.jks storepass PASSWORD

Then we added the keystore to Websphere and make the TAI accept certificates from this keystore
Then we needed to extract the X509 certificate for the alias we are going to use: 

keytool export keystore lnxwaslr18.jks rfc alias lnxwaslr18 

This will give you something like this:

MIICAjCCAWugAwIBAgIEMrRLCDANBgkqhkiG9w0BAQsFADA0MQswCQYDVQQGEwJFUzEQMA4GA1UE ChMHQWxsaWFuejETMBEGA1UEAxMKbG54d2FzbHIxODAeFw0xNTEwMDUxNDQ2MTRaFw00MzAyMjAx NDQ2MTRaMDQxCzAJBgNVBAYTAkVTMRAwDgYDVQQKEwdBbGxpYW56MRMwEQYDVQQDEwpsbnh3YXNs cjE4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqkra4ZxEwExGCb5gerZWEF+dK+iCJag+A z5PIkB/2BP9UP4AomknT93y2czthCDtplzeLGN15UMiURBzdxNtwnMHCr4xku2sFOyuNs7W0yWZ3 9o7Hn1TKvwDfczillKuTF+okP4OllM9mXN5gmietiSrlIwT2kIlzaNAv0MsGHQIDAQABoyEwHzAd BgNVHQ4EFgQUNCK2/WUY51kVN7kyqHU/N4XaH/8wDQYJKoZIhvcNAQELBQADgYEAFUb/efGbZDxq rSw7u6e9j4txbHf+VqtZrVEVkm+r3cNai9vIs7jNzixgaoC6W5kE5x1wtYpkdNjH9EY7SdDFS9EP 7Wt+NI2EdAA3Op50iHjdXiJ5ESHtYNQOFEiTX8+8JglSOAUKacNSdWv0LOm/Ga2GuRe/5LXVfmi5z+eaIIs=

You will need to add the following section in your resources/idp metadata.xml file:

<EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two" ..
<EntityDescriptor entityID="http://lnxwaslr18:8080/idp metadata">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:X509Data>
<dsig:X509Certificate> MIICAjCCAWugAwIBAgIEMrRLCDANBgkqhkiG9w0BAQsFADA0MQswCQYDVQQGEwJFUzEQMA4GA1UE
ChMHQWxsaWFuejETMBEGA1UEAxMKbG54d2FzbHIxODAeFw0xNTEwMDUxNDQ2MTRaFw00MzAyMjAx NDQ2MTRaMDQxCzAJBgNVBAYTAkVTMRAwDgYDVQQKEwdBbGxpYW56MRMwEQYDVQQDEwpsbnh3YXNscjE4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqkra4ZxEwExGCb5gerZWEF+dK+iCJag+A z5PIkB/2BP9UP4AomknT93y2czthCDtplzeLGN15UMiURBzdxNtwnMHCr4xku2sFOyuNs7W0yWZ3 9o7Hn1TKvwDfczillKuTF+okP4OllM9mXN5gmietiSrlIwT2kIlzaNAv0MsGHQIDAQABoyEwHzAd BgNVHQ4EFgQUNCK2/WUY51kVN7kyqHU/N4XaH/8wDQYJKoZIhvcNAQELBQADgYEAFUb/efGbZDxq rSw7u6e9j4txbHf+VqtZrVEVkm+r3cNai9vIs7jNzixgaoC6W5kE5x1wtYpkdNjH9EY7SdDFS9EP 7Wt+NI2EdAA3Op50iHjdXiJ5ESHtYNQOFEiTX8+8JglSOAUKacNSdWv0LOm/Ga2GuRe/5LXVfmi5 z+eaIIs=
</dsig:X509Certificate> </dsig:X509Data>
</dsig:KeyInfo> </KeyDescriptor>

NB: Only the cursive part

Websphereconfiguration is according to these documents:

http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansche.html https://www 01.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.base.doc/ae/twbs_enablesamlsso.html https://www 01.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.base.doc/ae/rwbs_samltaiproperties.html https://www 01.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.base.doc/ae/cwbs_samlssosummary.html https://developer.ibm.com/digexp/docs/docs/customization administration/step step guide implement saml 2 0 portal 8 5/

Picketlink configuration


Adding LDAP Authentication for JBoss EAP 6

A while ago I scribbled a piece about authentication with ldap on Weblogic, see:

http://datalinks.nl/wordpress/?p=1131

This article does the same for JBoss EAP 6.0. I am using apacheDS as opensource ldap server…
In the article mentioned earlier it shows you how to setup apacheDS (great tool 🙂 and how to create a ldap user…if you have another ldap server that contains your users…you can make an export of a user(s)…and import the ldiff file with the following command:

ldapmodify -h localhost -p 10389 -D “uid=admin,ou=system” -w secret -a -f someExportedLdifFilename.ldif

the command above contains the default values for the apachDS installation…

Configure JBOSS by adding the following sections to your config (default = standalone.xml )

<management>

   <security-realms>

        <security-realm name=”TestRealm”>
           <authentication>
              <ldap connection=”ldap_connection” base-dn=”ou=users,ou=system”>
                 <username-filter attribute=”uid” />
              </ldap>
           </authentication>
        </security-realm>

…..

   </security-realms>

……

     <management-interfaces>
          <native-interface security-realm=”TestRealm”>
             <socket-binding native=”management-native”/>
          </native-interface>
          <http-interface security-realm=”TestRealm”>
             <socket-binding http=”management-http”/>
          </http-interface>
       </management-interfaces>

……

      <outbound-connections>
         <ldap name=”ldap_connection” url=”ldap://127.0.0.1:10389″ search-dn=”uid=admin,ou=system” search-credential=”secret” />
      </outbound-connections>

</management> 

What you just did is defining in the management section a REALM (a collection of users)  and making sure that the interfaces for MGMT communication are using this newly defined security realm.

Weblogic Authentication via external LDAP provider

Intro:
Note on how to setup external LDAPAuthentication provider for weblogic, hopefully people who read this find this usefull.  

Weblogic comes with a Default internal LDAP Authentication provider. This is fine for a couple of domains, usually the egineer who sets the environment up, uses a script with 1 default username and password. This is something you would not like to have in your Production environment, especially if your environment contains multiple domains making it harder to maintain (user management for each domain). In that case you would like to have a centralized (clustered) LDAP solution where you do your user management.

Weblogic supports out of the box the at least the following external LDAP providers:

– Active Directory (microsofts LDAP solution)
– Open LDAP (open source stuff)
– Apache Directory Service (Apache LDAP server)

In this article I will user Weblogic 11g (10.3.5) and Apache Directory Service 2.0 and Apace Directory Studio v 2.0 (for LDAP maintenance). 
I am assuming you already installed weblogic and have setup a domain which currently uses the Weblogic Default Authentication provider. You can download the Apache LDAP Software for free at the following URL: (great products by the way )

http://directory.apache.org/apacheds/downloads.html for Apache Directory Service

http://directory.apache.org/studio/downloads.html for Apache Directory Studio

 

Install Apache Directory Server

I am using the Binary Linux 32bit download 🙂 just download and follow the standard installation wizzard. The instructions on the site are pretty straight forward, however here a short installation instruction:

after downloading and unpacking you will have a file like: apacheds-2.0.0-M10-64bit.bin , do a chmod 750 apacheds-2.0.0-M10-64bit.bin and execute the binary, you will be presented with a wizzard that looks like this:

apache DS wizzard1

..I ran the installer as ROOT…and started it by 

/etc/init.d/apacheds-2.0.0-M10-default start

Ps if you have problems starting the server with the RPM/.DEB installation try downloading and running the ZIP file with the binaries which is also downloadable.

Add weblogic user to LDAP

If you like to use a LDAP user that is able to login to the weblogic admin console, this user needs to be part of the Administrators group which by default has the admin role in weblogic.
A user which has this role can access the weblogic admin console.
You can create this user in Apache Directory (LDAP) Server with the Active Directory Studio (this excellent LDAP browser is able to also connect to other LDAP servers).

Create a connection:

LDAP–> New Connection

 local ldap connection

Fill in the default values:

<ip or hostname of where you have your server running>, PORT is default 10389

–> Next, then fill in your default Apache Directory Server username/ password: username: uid=admin,ou=system password = secret (change this asap)

adc default username password

 

The next 2 steps in the wizzard I use the default values. Once connected you will see the LDAP tree, it will look something like this:

 

ldap tree

 

Now create a user in the users OU. I do this by right clicking an existing user, copy it and paste it under the users ou. Then I right click the pasted entity and rename it, see picture below:

uid rename

Luckily Apache Directory Server contains by default an Administrators group,so you do not need to create this group. But you need to add your newly created user to this group. You can do this by expanding the groups–> Administrators and right click the unique member property of the administrator group. Copy and paste it:

add user to group

For the second Unique member of this group you change the value to the DN of the user you created earlier: uid=chris,ou=users,ou=system

Schermafbeelding 2013 02 06 om 20 58 15

you did your LDAP part…..now configure Weblogic to make use of this LDAP Authenticator.

Add LDAP Authenticator to Weblogic

In your weblogic console, go to –> Security Realms –> select your realm, –> click on the Providers TAB and choose the 1st tab Authentication

wl console add auth provider

Click on the new Button, choose any name you like, but select the LDAP Authenticator in the dropdown menu below

 

ldap authenticator

Click on OK…now you have to restart your WL Admin server. Then go back to your security Realm –> Provider and select the LDAP Authenticator you just created.

 

Schermafbeelding 2013 02 06 om 21 28 24

In the Configuration TAB and sub TAB COMMON put the control FLAG to SUFFICIENT
Then on the Configuration TAB select the SUB tab Provider Specific

Now you have to configure your LDAP Authenicator, there are 3 parts interesting: configuration of the host (with credentials) , configuration of users, configuration of groups. 

Config of host

ldap1

If you left everything like the way it was (see previous screens), then the values would be: host: 192.168.189.101, PORT 10389, Principal uid=admin, ou=system, Credential: secret

Configure Users

Schermafbeelding 2013 02 06 om 21 22 33

just fill in ou=users,ou=system in the User BASE DN field, leave everything else as is.

Configure Groups

 

Schermafbeelding 2013 02 06 om 21 24 53

just fill in ou=groups,ou=system in the Group BASE DN field, leave everything else as is.

Save your stuff, and then restart your server again…I know, this sucks…

Now check if you can see the users of your LDAP in your weblogic console. Login to your weblogic console, go to your security REALM and select the Users and GROUP tab.

Schermafbeelding 2013 02 06 om 21 38 58

There you will see the LDAP user you just created, also note that the user is coming from your provider you created a couple of steps earlier…see 3rd column. Now check if your user is part of the Administrator group by click on the user from your ldap provider. Select the groups Tab and you will see that your user is part of the Administrators group.

Schermafbeelding 2013 02 06 om 21 41 18

So this is great, if you have come this far…you can be pretty sure this will work fine. You can disable the default Authenitcator provider and only use the one you created with this article, or (this is preferable) reorder your Authentication providers so that the One you created is the 1st one…If for some reason your LDAP is not available you have the Weblogic (internal) default authenticator as fallback.

Here a screenshot on how to reorder your LDAP Authenticators.

Schermafbeelding 2013 02 06 om 21 44 46