Monday, 24 August 2015

Windows 2012 R2, ADFS3, WIF4.5 and OpenAM v12

Recently I was involved in a Proof of Concept that required OpenAM v12 to be the authentication service for an application that relied on Integrated Windows Authentication.  Normally you might use the IIS Policy Agent for this scenario because it supports Impersonation.  However, that also requires that OpenAM's DataStore is configured as the Active Directory.  In the PoC, OpenAM was not able to use the AD as the DataStore and was instead depending on an OpenDJ DataStore.  To resolve this I made use of Windows Identity Foundation (WIF) 4.5, which ships as part of the .NET Framework 4.5 on Windows 2012 R2, because it has the ability to Impersonate a user based on Windows Identity Claims.  These claims are provided to WIF 4.5 via ADFS 3 (it's not formally called ADFS 3, but it is the version that comes with 2012 R2 that everyone refers to as ADFS 3).  The claims were initially generated by OpenAM v12 and passed through ADFS to the application.

I decided to write this up as a series of wiki articles providing step-by-step guidance because I realised that some people might come at this knowing Windows/ADFS well but with limited experience of OpenAM.  Similarly, some readers might be very familiar with OpenAM but have limited Windows experience.  So the series of articles is designed such that you can skip various parts if you already have the necessary components.  Bear in mind that SSL is a 'must', even for a PoC, so you need to be aware of how to exchange and trust self-signed certificates across the different servers.  In my PoC I used different operating systems (CentOS for the OpenAM instance), so the articles also explain how to exchange self-signed certificates between them.
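Because every server in this setup speaks SSL with self-signed certificates, the first practical hurdle is getting each host to trust the others.  The PowerShell below is an added example (it is not from the original article or its series) showing the Windows side of that exchange on a 2012 R2 ADFS/WIF host: import the OpenAM certificate into the machine Trusted Root store, verify it actually validates for SSL, and export the ADFS certificate (public key only) for the CentOS host.  The hostnames openam.example.com and adfs.example.com and the C:\certs paths are assumptions.

```powershell
# Added example, not part of the original article.  Run in an elevated
# PowerShell session on the Windows 2012 R2 ADFS/WIF host.
# Assumed names/paths: openam.example.com, adfs.example.com, C:\certs\.

# 1. Trust the OpenAM self-signed certificate.  The .cer is the public
#    certificate copied from the CentOS host (e.g. exported from the OpenAM
#    Java keystore with keytool).  A self-signed cert must go into Root,
#    not Trusted People, for chain building to succeed.
$openAmCer = 'C:\certs\openam.example.com.cer'
$imported  = Import-Certificate -FilePath $openAmCer -CertStoreLocation 'Cert:\LocalMachine\Root'
"Imported {0} (thumbprint {1})" -f $imported.Subject, $imported.Thumbprint

# 2. Verify rather than assume: Test-Certificate returns $true only when the
#    chain builds to a trusted root AND the name matches the SSL policy.
#    A typo in the CN/SAN versus the DNS name used by ADFS fails here, not
#    later as an opaque federation error.
$ok = Test-Certificate -Cert $imported -Policy SSL -DNSName 'openam.example.com'
if (-not $ok) {
    throw 'OpenAM certificate is not trusted for SSL; check the store and the DNS name'
}

# 3. Export the ADFS SSL/service communications certificate for the CentOS
#    host, where it is added to the JVM/OpenAM trust store (keytool -importcert).
#    -Type CERT writes a DER .cer containing only the public certificate.
$adfsCert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -like 'CN=adfs.example.com*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $adfsCert) { throw 'No ADFS certificate found in Cert:\LocalMachine\My' }
$adfsCer = 'C:\certs\adfs.example.com.cer'
Export-Certificate -Cert $adfsCert -FilePath $adfsCer -Type CERT | Out-Null

# 4. Never ship a private key across hosts: confirm the exported file carries
#    only the public certificate before copying it anywhere.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $adfsCer
if ($check.HasPrivateKey) { throw 'Unexpected private key in exported file' }
"Exported {0}, valid until {1}" -f $check.Subject, $check.NotAfter
```

The same checks apply in reverse on the CentOS side: after importing the ADFS .cer into the trust store OpenAM uses, confirm that the Java trust store lists it and that the CN or SAN matches the exact DNS name OpenAM will call, otherwise the federation metadata exchange will fail on the TLS handshake before any SAML is involved.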

The articles can be found here: