Authenticating and impersonating ADFS with a Java Application (Spring MVC in a Jetty Application)

I have a Java web application that provides a search service, and in some cases you need to check the security of the results. If that matters, it is implemented in Spring MVC and runs under Jetty.

I have a client that needs web application authentication:

  • Do this through Active Directory Federation Services (ADFS) instead of the existing built-in mechanism (to avoid separate logins).
  • The ability to impersonate a remote user on the search server, so that security checks can be performed using a separate application on the search server (which itself does not know anything about ADFS, but can perform the corresponding checks when it starts as the user in question).

Is it possible, and if so, how?

(Apologies if the Windows terminology is a bit off - this is not something that I know a lot about, but I hope at least the intention is clear)


A few notes on puzzle pieces that I have already looked at:

+5
2 answers

You did not mention the ADFS version?

You have three options:

  • WS-Fed
  • SAML
  • OAuth2

In the Java world, SAML is commonly used. That implies a SAML stack.

The SO link above has a response from me with links to the SAML stack list.

Since you are already using Spring, Spring Security seems good.

Spring SAML Security Extension

ADFS does not currently support OpenID Connect, which rules out OAuth.

Yes - Spring Security provides you with a list of claims created by ADFS.

ADFS provides impersonation through identity delegation.

Unfortunately, this is usually done through WCF and WIF (both .NET constructs).

+3

I have a similar application. My client is a Swing client, not a web application, but the process should be similar. It should send requests under the intended role using the AWS API after the first authentication using the local ADFS server. In our environment, ADFS is configured to issue SAML claims, and AWS is configured to recognize them. So this is what I am doing:

  • If necessary, the application asks the user for their normal network credentials, and they are used to request a SAML assertion from ADFS. I am using Apache HttpClient to call:

    import java.net.URI;
    import org.apache.http.HttpEntity;
    import org.apache.http.HttpStatus;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpUriRequest;
    import org.apache.http.client.methods.RequestBuilder;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClientBuilder;
    import org.apache.http.impl.client.LaxRedirectStrategy;
    import org.apache.http.util.EntityUtils;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class AdfsClient {

        private static final Logger log = LoggerFactory.getLogger(AdfsClient.class);

        // Placeholder: the ADFS form-based sign-in URL is not given in the post.
        private static final String ADFS_URL = "https://ADFS-HOST/adfs/ls/...";

        private String getAdfsResponse(String username, String password) throws Exception {
            log.debug("Trying to log onto ADFS server for {}", username);
            // Lax redirect policy is needed so that all HTTP 302 redirects are followed
            // after hitting the initial ADFS URL.
            try (CloseableHttpClient httpClient = HttpClientBuilder.create()
                    .setRedirectStrategy(new LaxRedirectStrategy())
                    .build()) {
                HttpUriRequest login = RequestBuilder.post()
                        .setUri(new URI(ADFS_URL))
                        .addParameter("UserName", username)
                        .addParameter("Password", password)
                        .build();
                // The response is closed together with the client (try-with-resources).
                try (CloseableHttpResponse response = httpClient.execute(login)) {
                    if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
                        HttpEntity responseEntity = response.getEntity();
                        String adfsResponse = EntityUtils.toString(responseEntity, "UTF-8");
                        log.debug("ADFS server responded with {}", adfsResponse);
                        return adfsResponse;
                    } else {
                        throw new Exception("ADFS server responded with " + response.getStatusLine());
                    }
                }
            }
        }
    }

  • If the credentials are verified, ADFS returns a SAML response that looks like an HTML form but contains an input element with the name SAMLResponse, whose value attribute holds the response.

  • If the SAMLResponse value attribute is base64-decoded, it contains a SAML assertion. For AWS, I need to extract some role information, and I use it along with the full SAMLResponse to invoke the AWS STS token service. If everything is OK with AWS, I get a set of temporary security credentials that I can use for the requests I really want to make. The whole round trip is described at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

It all depends on how ADFS and the other side are configured for SAML, and for the other side, to provide a suitable API that allows you to take on a role. Is that what you face?

+3
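The steps the answer above describes after the HTTP call (pull the SAMLResponse out of the ADFS form, base64-decode it, parse the assertion, read the AWS role claim) as an added example; this is not code from the answer or from any ADFS or AWS library. The class name AdfsSamlResponseReader, the helper names and the sample form and assertion are constructed for the example; the claim name https://aws.amazon.com/SAML/Attributes/Role and the audience urn:amazon:webservices are the values AWS documents for its SAML integration. The XML parser is configured with DTDs and external entities disabled, since the response is untrusted network input, and the validity window and audience are checked before any role is read. Signature verification is deliberately not implemented here: for the AWS flow, STS verifies the signature against the registered provider when AssumeRoleWithSAML is called, and a relying party that consumes the assertion itself would need a proper SAML stack (such as the Spring extension named in the other answer) for that.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AdfsSamlResponseReader {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String AWS_ROLE_CLAIM = "https://aws.amazon.com/SAML/Attributes/Role";

    private static final Pattern INPUT_TAG = Pattern.compile("<input\\b[^>]*>", Pattern.CASE_INSENSITIVE);
    private static final Pattern ATTR = Pattern.compile("\\b(name|value)\\s*=\\s*\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);

    /** Pulls the base64 SAMLResponse value out of the auto-posting HTML form ADFS returns. */
    public static String extractSamlResponse(String adfsHtml) {
        Matcher tag = INPUT_TAG.matcher(adfsHtml);
        while (tag.find()) {
            String name = null, value = null;
            Matcher attr = ATTR.matcher(tag.group());
            while (attr.find()) {
                if (attr.group(1).equalsIgnoreCase("name")) name = attr.group(2);
                else value = attr.group(2);
            }
            if ("SAMLResponse".equals(name) && value != null) return value;
        }
        throw new IllegalArgumentException("ADFS form contains no SAMLResponse input");
    }

    /** Decodes and parses the response with DTDs and external entities disabled (untrusted XML). */
    public static Document parseSamlResponse(String base64Response) throws Exception {
        byte[] xml = Base64.getDecoder().decode(base64Response);
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Rejects an assertion that is expired, not yet valid, or issued for another audience. */
    public static void checkConditions(Document doc, String expectedAudience, Instant now) {
        NodeList conds = doc.getElementsByTagNameNS(SAML_NS, "Conditions");
        if (conds.getLength() != 1) throw new SecurityException("expected exactly one Conditions element");
        Element c = (Element) conds.item(0);
        Instant notBefore = Instant.parse(c.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(c.getAttribute("NotOnOrAfter"));
        if (now.isBefore(notBefore) || !now.isBefore(notOnOrAfter))
            throw new SecurityException("assertion is outside its validity window");
        NodeList audiences = c.getElementsByTagNameNS(SAML_NS, "Audience");
        for (int i = 0; i < audiences.getLength(); i++)
            if (expectedAudience.equals(audiences.item(i).getTextContent().trim())) return;
        throw new SecurityException("assertion was not issued for audience " + expectedAudience);
    }

    /** Returns the (roleArn, providerArn) pairs carried in the AWS Role claim ("arn,arn" per value). */
    public static List<String[]> awsRoles(Document doc) {
        List<String[]> roles = new ArrayList<>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element a = (Element) attrs.item(i);
            if (!AWS_ROLE_CLAIM.equals(a.getAttribute("Name"))) continue;
            NodeList values = a.getElementsByTagNameNS(SAML_NS, "AttributeValue");
            for (int j = 0; j < values.getLength(); j++) {
                String[] pair = values.item(j).getTextContent().trim().split(",");
                if (pair.length == 2) roles.add(pair);
            }
        }
        return roles;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the ADFS reply; a real response is signed and far larger.
        String samlXml = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " xmlns:saml=\"" + SAML_NS + "\"><saml:Assertion>"
                + "<saml:Conditions NotBefore=\"2024-01-01T12:00:00Z\" NotOnOrAfter=\"2024-01-01T12:05:00Z\">"
                + "<saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience>"
                + "</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>"
                + "<saml:Attribute Name=\"" + AWS_ROLE_CLAIM + "\"><saml:AttributeValue>"
                + "arn:aws:iam::123456789012:role/SearchRole,arn:aws:iam::123456789012:saml-provider/ADFS"
                + "</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>"
                + "</saml:Assertion></samlp:Response>";
        String b64 = Base64.getEncoder().encodeToString(samlXml.getBytes(StandardCharsets.UTF_8));
        String adfsHtml = "<html><body><form method=\"post\" action=\"https://signin.aws.amazon.com/saml\">"
                + "<input type=\"hidden\" name=\"SAMLResponse\" value=\"" + b64 + "\" /></form></body></html>";

        Document doc = parseSamlResponse(extractSamlResponse(adfsHtml));
        checkConditions(doc, "urn:amazon:webservices", Instant.parse("2024-01-01T12:01:00Z"));
        for (String[] role : awsRoles(doc))
            System.out.println("role " + role[0] + " via provider " + role[1]);
    }
}
```

In the real flow the string returned by extractSamlResponse is what gets passed unchanged to STS as the SAMLAssertion parameter, and the role pair chosen from awsRoles supplies the RoleArn and PrincipalArn; the checks in checkConditions are there so that a stale or misdirected assertion is rejected locally instead of being relied on for the role choice.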

Source: https://habr.com/ru/post/1244927/
