Thread "Active Directory Federation Services ILIAS"
-
Deleted | 8. Sep 2015, 11:32
Active Directory Federation Services ILIAS
Hi,
I searched the forum but didn't find an appropriate answer.
Is it possible to use Active Directory Federation Services as authentication provider in ILIAS?
If it is possible: where would I have to start implementing that? Has anybody experience with that?
I definitely mean ADFS, not AD DS or LDAP.
Thanks for your answers!
-
Marcel Raimann | raimann | 8. Sep 2015, 11:45
Re: Active Directory Federation Services ILIAS
Hi,
Yes, it's possible to use ADFS with ILIAS.
ADFS is based on SAML 2.0, and ILIAS supports login with Shibboleth. Shibboleth is based on SAML 2.0, too. You need to install Shibboleth on the server and change a few configuration files of Shibboleth.
After installation and configuration, there will be a new button on the login page. Pressing this button forwards the user to the login page of your IdP. The user can log in on your IdP, which forwards him back to ILIAS, and he is logged in.
But you can't synchronise all accounts during the night with a cron job, because with ADFS, ILIAS only gets the user attributes with the first login.
We host different ILIAS systems with Shibboleth and ADFS. Please contact me for further information.
Marcel
-
Marcel Raimann | raimann | 8. Sep 2015, 14:39
Re: Re (2): Active Directory Federation Services ILIAS
Hi,
You need to install Shibboleth where ILIAS is running. ILIAS is the SP (Service Provider) and needs Shibboleth to work with ADFS. Shibboleth on the ILIAS server and ADFS on the other server both support SAML 2.0.
You can find a guide to install Shibboleth here:
https://www.switch.ch/aai/guides/sp/installation/
But you can't use the guide from SWITCH for configuring it; this guide is not for ADFS, it's for a special authentication in Switzerland (SWITCHaai).
I don't know if you need a sync. Perhaps you need a daily sync to add new users automatically so that they can be imported into courses and groups. If a new user has no account in ILIAS but a valid ADFS login, the user can log in, and the account will be generated automatically. But if you would like to search for users and add them to courses and groups and you have no sync, you have to tell the new user to log in first.
For adding new users by a daily cron job, we have a plugin, "Hub", which syncs the user accounts.
Marcel
-
Deleted | 20. Jan 2017, 16:52
Re(2): Re (2): Active Directory Federation Services ILIAS
I resurrect this old thread because I see that it is similar to what I need to do.
Basically I need to:
1) use SSO via SAML2
2) add users AND/OR modify user groups with a nightly sync
So I do not want to wait for users to do a first login; I need to prefill accounts.
Can I do these points with ILIAS?
I suppose I can do them with Shibboleth and Hub, am I right?
If it is possible, which are the mandatory fields in ILIAS I should fill?
Thanks,
Mario
-
Marcel Raimann | raimann | 20. Jan 2017, 17:09
Re(3): Re (2): Active Directory Federation Services ILIAS
Hello Mario,
We have several installations with a SAML2 authentication and a nightly sync. For the authentication with SAML2 we use Shibboleth. The problem is, with SAML2 only, you need to wait for users to do a first login. For this, we use the Hub plugin to sync it every night.
If customers need different attributes with the accounts (e.g. phone number, address, ...) we don't send these data by SAML2; we sync these data with the nightly sync. For the customers, it's easier to send this information through the Hub plugin.
If you need more information, you can contact me by mail or phone: http://www.ilias.de/docu/goto_docu_usr_12467.html
Best regards
Marcel
-
Deleted | 20. Jun 2022, 14:42
Re: Active Directory Federation Services ILIAS
Hello.
I'm trying to configure ADFS to authenticate ILIAS users on-premises.
I have found only this feature description in the ILIAS wiki DOCU: Feature Wiki (ilias.de)
Alas, there is no guideline or any configuration examples.
On the ILIAS side (SAML), I have changed:
config.php - 'enable.adfs-idp' => true,
authsources.php -
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
ILIAS GUI:
I have pasted metadata from https://adfs_server_addr/FederationMetadata/2007-06/FederationMetadata.xml
ADFS side:
I have built a relying party trust using the federation metadata link provided by ILIAS
and added two claim issuing rules.
When I try to authenticate I get this error in the ILIAS log:
[00hs5] [2022-06-20 15:27:11.186996] Main_root.ERROR: ilErrorHandling::{closure}:50 0 Requester/InvalidNameIDPolicy in /var/www/html/ilias/libs/composer/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php:484#0 /var/www/html/ilias/libs/composer/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php(616): SimpleSAML\Module\saml\Message::getResponseError()
#1 /var/www/html/ilias/libs/composer/vendor/simplesamlphp/simplesamlphp/modules/saml/www/sp/saml2-acs.php(141): SimpleSAML\Module\saml\Message::processResponse()
#2 /var/www/html/ilias/Services/Saml/lib/saml2-acs.php(47): require_once('/var/www/html/i...')
#3 {main}
I'm quite new to claims / SAML and authentication, can anyone help me a bit? Thanks.
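As an added example (not code from this thread, from ILIAS or from simplesamlphp), the following Python script shows the first check an SP operator can run when the IdP answers with the nested SAML status Requester/InvalidNameIDPolicy seen in the log above: it reads the NameID formats the IdP advertises in its metadata (the FederationMetadata.xml pasted into ILIAS in the post), reads the NameID format the SP's AuthnRequest asks for, walks the StatusCode chain of an error Response, and reports whether the two sides agree. It also illustrates the SP/IdP roles Marcel describes earlier in the thread. All three XML documents are constructed samples with made-up entity IDs and hosts, not captures from a real ADFS or ILIAS; the assumption behind the check is the SAML 2.0 core rule that an IdP returns InvalidNameIDPolicy when it cannot satisfy the requested NameIDPolicy. For ADFS, which formats are actually issued also depends on the relying party's Name ID claim rules, so a passing metadata check narrows the search rather than settles it.

```python
"""
Compare the NameID format an SP requests with the formats an IdP advertises,
and decode the nested StatusCode chain of a SAML error Response.

All XML below is constructed sample data (hosts and entity IDs are made up);
it is not captured from a real ADFS or ILIAS installation.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed IdP metadata: a minimal IDPSSODescriptor advertising two NameID formats.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest as an SP might send it, asking for a transient NameID.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2022-06-20T13:27:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/saml2-acs">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed error Response with the nested status codes an IdP returns for a rejected policy.
ERROR_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2022-06-20T13:27:11Z" InResponseTo="_req1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def idp_nameid_formats(metadata_xml: str) -> list[str]:
    """Return the NameID formats advertised in the IdP's IDPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [el.text.strip() for el in root.findall("md:IDPSSODescriptor/md:NameIDFormat", NS) if el.text]


def requested_nameid_format(authn_request_xml: str):
    """Return the Format attribute of the SP's NameIDPolicy, or None if the request carries no policy."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def response_status(response_xml: str) -> list[str]:
    """Walk the nested StatusCode chain and return the short status names, top level first."""
    root = ET.fromstring(response_xml)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", "").removeprefix(STATUS_PREFIX))
        node = node.find("samlp:StatusCode", NS)
    return codes


def diagnose(metadata_xml: str, authn_request_xml: str, response_xml: str = None) -> str:
    """One-line verdict: does the requested NameID format appear in the IdP's advertised list?"""
    requested = requested_nameid_format(authn_request_xml)
    offered = idp_nameid_formats(metadata_xml)
    status = response_status(response_xml) if response_xml else []
    if requested is None:
        return "ok: SP sends no NameIDPolicy, the IdP chooses the format"
    if requested in offered:
        return f"ok: requested {requested} is advertised by the IdP"
    verdict = f"mismatch: SP requests {requested}, IdP advertises {', '.join(offered) or 'nothing'}"
    if "InvalidNameIDPolicy" in status:
        verdict += " (consistent with the IdP's Requester/InvalidNameIDPolicy status)"
    return verdict


if __name__ == "__main__":
    print("IdP status chain:", " / ".join(response_status(ERROR_RESPONSE)))
    print(diagnose(IDP_METADATA, AUTHN_REQUEST, ERROR_RESPONSE))
```

To use it against a real deployment, replace the three constants with the IdP's downloaded metadata, the decoded AuthnRequest from the browser's SAML trace, and the decoded Response from the same trace; the nested status chain is what the simplesamlphp log line above collapses into "Requester/InvalidNameIDPolicy". Whether the SP should stop requesting a format or the IdP should start issuing it is a policy decision for both operators, which is why the script only reports the disagreement.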