September 15, 2020
SAML in ColdFusion
Comments
(8)
September 15, 2020
SAML in ColdFusion
Developer for Adobe ColdFusion
Newbie 1 posts
Followers: 2 people
(8)

This blog post is going to be about how to implement a simple SSO application using ColdFusion SAML.

To know more about SAML in general, go through the OASIS SAML documentation: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

There are 3 entities involved in any SSO scenario

  1. Principal – The principal is a usually a user requesting some sort of service from an application
  2. Service Provider – This could be any application(web/CF) that provides one/multiple services to users, but they first need to be authenticated to avail these services
  3. Identity Provider – The Identity Provider acts as an instrument of trust. The user is authenticated to the Identity Provider. The Service Provider contacts the Identity Provider to know the authentication and authorization state of the user.

Prerequisite

Before you use the SAML features, make sure the module is installed by running ColdFusion Package Manager.

Navigate to “<instance_home>/bin” and run “cfpm.bat/cfpm.sh”. You can then type in the command “install saml” to install the SAML module and make use of it’s features.

Metadata Exchange

The first step in developing a SAML application is to exchange metadata between the providers. This acts as a handshake between your ColdFusion application (Service Provider) and the Identity Provider. Exchange of metadata is necessary for messages to be encrypted, decrypted and validated as messages from untrusted/malicious parties should be rejected.

1. Service Provider Configuration

Firstly, let’s add the configuration of our ColdFusion application (SP). This can be done from the ColdFusion Administrator as seen below:

Once you have created a configuration for your Service Provider in ColdFusion, you will need to configure some relevant details in your identity Provider. You can export the SP configuration from the ColdFusion Administrator and upload it to your Identity Provider(if it supports that), or you might need to enter it manually while creating the Identity Provider configuration.

2. Identity Provider Configuration

For the Identity Provider, we are going to be using Okta. After setting up your developer account in Okta, you can start creating your SAML application there. You can follow the guide available here: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm

Let’s review some of the configuration details:

As you can see, the Single sign on URL is nothing but the ACS URL we created earlier in the SP configuration. The Audience URL is the SP entity Id. In case you are using encryption in your application, you can upload the public key in the ‘Show Advanced Settings’ section.

Once the application setup is done, OKTA will establish the metadata for this application in an XML format like

https://dev-538790.okta.com/app/exk5hk9p0wmMqRjbt357/sso/saml/metadata . This metadata needs to be imported back into ColdFusion as it contains the information regarding the login/logout endpoints for Okta, the binding to be used and the signing public key to verify the authenticity of messages from the IdP. If encryption is being used, the encryption public key will also be found in the metadata.

SSO Requests

Now that the IdP and SP know each other and their respective configurations, we can start initiating SSO workflows. In order to do this, we simply need to call InitSAMLAuthRequest function

<cfset config = {

idp = {name = “testidp”},

sp = {name = “testsp”},

relayState = “cart”

}>

<cfset InitSAMLAuthRequest(config)>

Calling the InitSAMLAuthRequest function prepares the SAML Request according to the contract between the IdP and SP, and sends it to the IdP.

Once you authenticate, the IdP then responds with a set of assertions which include your identity as well as roles/grants that may have been configured for the given user. These can be extracted using the ProcessSAMLResponse function below:

<cfset response = ProcessSAMLResponse(“testidp”,”testsp”)>

<cfdump var = “#response#”>

You can now do a CFLOGIN to create a local session, based on the details received from the IdP.

SLO Requests

Single Logout requests are pretty much the same as SSO requests. We simply need to call the InitSAMLLogoutRequest function with the details we have received during login like sessionindex, nameId and nameIdFormat. These are dependent upon the IdP which sometimes also require the nameIdQualifier and spNameIdQualifier fields.

<cfset config = {

idp = {name = “testidp”},

sp = {name = “testsp”},

sessionindex = “#response.SESSIONINDEX#”,

nameId = “#response.NAMEID#”,

nameIdFormat = “#response.NAMEIDFORMAT#”

}>

<cfset InitSAMLLogoutRequest(config)>

You will be redirected to the IdP which will try to process your Logout Request. The response returned from the IdP will contain a Boolean value which tells us whether the logout at the IdP was successful or not. This can be extracted using the same ProcessSAMLResponse function.

<cfset response = ProcessSAMLResponse(“testidp”,”testsp”)>

<cfdump var = “#response#”>

If the logout was successful, we can perform a local logout for the corresponding user using a CFLogout if we had created such a session earlier. If the logout was unsuccessful, the IdP logs need to be checked to see the reason for the incorrect logout.

8 Comments
2021-03-08 23:22:30
2021-03-08 23:22:30

Is the CF documentation going to be updated to cover the new functions — InitSAMLAuthRequest(), ProcessSAMLResponse(), InitSAMLLogoutRequest() and any others that weren’t discussed in this article?

Like
(4)
>
Hemi345
's comment
2021-03-09 14:49:38
2021-03-09 14:49:38
>
Hemi345
's comment

Hemi, the docs have indeed been updated to cover those functions and nearly two dozen others, and in more than just reference material but also as a user guide…indeed, it’s IN the CF Developer’s Guide, specifically at:

https://helpx.adobe.com/mx/coldfusion/using/saml-coldfusion.ug.html

Perhaps you were looking ONLY in the CFML Reference Manual instead, and I can confirm it’s missing these new functions, which is indeed unfortunate. But until then, the link offered will give what you needed and more.

And beyond this blog post, readers should see also Andy Peterson’s helpful post:

http://ciacfug.org/blog/round-trip-from-coldfusion-to-okta-using-saml-and-coldfusion-2021b

Like
>
Charlie Arehart
's comment
2021-03-10 20:21:10
2021-03-10 20:21:10
>
Charlie Arehart
's comment

I must have overlooked the function references for all the parameters when I was trying to get this going a few weeks ago… that’s the info I needed, thank you!

I have to say, once I figured out the slight nuances and naming conventions, CF’s SAML setup is so much easier and intuitive to configure than installing the Shibboleth SP software. 

Like
>
Hemi345
's comment
2021-03-10 20:34:56
2021-03-10 20:34:56
>
Hemi345
's comment

Very good to hear, and thanks for the update.

Like
>
Charlie Arehart
's comment
2021-03-10 21:19:02
2021-03-10 21:19:02
>
Charlie Arehart
's comment

I’ve just posted a bug ticket asking Adobe to address this at CF-4211296.

Like
2020-11-12 13:42:54
2020-11-12 13:42:54

Hi Charlie, really sorry for the delayed response. You probably know by now, but that was the intended name as CF is releasing closer to 2021. It was sort of decided right around that time and hence why I’ve mentioned it in the post.

Like
(1)
>
samueljo@adobe.com
's comment
2020-11-12 15:17:59
2020-11-12 15:17:59
>
samueljo@adobe.com
's comment

Yep, thanks. 🙂

Like
2020-09-22 00:41:17
2020-09-22 00:41:17

Thanks for sharing that, Samuel. I’ve not had a chance to read it all yet, but the opening sentence/summary caught my attention and I want to ask if that’s a mistake. You refer to cf2021. The formal name for the beta is of course project Stratus, but when the future version name has been mentioned even by other Adobe folks, they’ve referred to it as cf2020, not 2021. Would you care to elaborate or correct the above?

Like
(2)
Add Comment