Note: replace fs.hc.sct with the name of your ADFS, replace gerrit.hc.sct with the name of your Gerrit host.
Configure Gerrit as described in the README.md. The example below uses SAML for authentication, LDAP for authorization, and runs Gerrit under the gerrit URL prefix. Note that the keystore password (pac4j-demo-password), the plain ldap:// server URL, ldap.sslVerify = false and the Administrator bind account are lab settings: for a production setup use your own keystore password, ldaps:// with certificate verification, and a dedicated read-only bind account.
[gerrit]
basePath = git
canonicalWebUrl = https://gerrit.hc.sct/gerrit/
...
[httpd]
listenUrl = https://gerrit.hc.sct:8443/gerrit/
filterClass = com.googlesource.gerrit.plugins.saml.SamlWebFilter
[auth]
type = HTTP_LDAP
logoutUrl = https://fs.hc.sct/adfs/ls/?wa=wsignout1.0
httpHeader = X-SAML-UserName
httpDisplaynameHeader = X-SAML-DisplayName
httpEmailHeader = X-SAML-EmailHeader
httpExternalIdHeader = X-SAML-ExternalId
[saml]
keystorePath = /home/gerrit/samlKeystore.jks
keystorePassword = pac4j-demo-password
privateKeyPassword = pac4j-demo-password
metadataPath = file:///home/gerrit/FederationMetadata.xml
useNameQualifier = false
[ldap]
server = ldap://fs.hc.sct
username = CN=Administrator,CN=Users,DC=hc,DC=sct
localUsernameToLowerCase = true
sslVerify = false
accountBase = DC=hc,DC=sct
groupBase = DC=hc,DC=sct
Download the IdP metadata file FederationMetadata.xml from your ADFS and place it at the location configured in saml.metadataPath (note that this value is a URL, so the file:// prefix is required):
wget https://fs.hc.sct/FederationMetadata/2007-06/FederationMetadata.xml
Export the certificate from the samlKeystore.jks you created during setup. You will need the certificate in your ADFS configuration (see below).
keytool -exportcert -keystore samlKeystore.jks -alias pac4j -rfc > pac4j-demo.cer
Open the Management Console (mmc) and make sure the AD FS Management snap-in is loaded. Add a Relying Party Trust.
Go through the wizard. When it is finished, the properties of the trust should match the following tabs:
Monitoring: unmodified
Identifiers: The relying party identifier is: https://gerrit.hc.sct/gerrit/plugins/saml/callback
Encryption: unmodified
Signature: In the signature tab you need to import the certificate you exported above.
Accepted Claims: unmodified
Organization: unmodified
Endpoints: URL is https://gerrit.hc.sct/gerrit/plugins/saml/callback, binding POST
Proxy Endpoints: unmodified
Notes: unmodified
Advanced: secure hash algorithm SHA-256
Select the Relying Party Trust and click on Edit Claim Rules.... You should expose the following LDAP attributes:
Allow all users to connect, or restrict access depending on your setup:
Delegation Authorization Rules: unmodified
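The same Relying Party Trust can be created from the AD FS PowerShell module instead of clicking through the wizard. This is an added example and not part of the page or of the Gerrit saml plugin; it assumes that pac4j-demo.cer (exported above) has been copied to C:\gerrit\ on the AD FS server, that the display name "Gerrit" is arbitrary, and that the claim names emitted by the issuance transform rule (UserName, DisplayName, EmailAddress) match what the saml plugin is configured to read; adjust them to your setup.

```powershell
# Added example (not from the page or the Gerrit saml plugin).
# Run in an elevated PowerShell on the AD FS server (fs.hc.sct).
Import-Module ADFS

# Identifiers and Endpoints tabs: both use the plugin's callback URL.
$callback = 'https://gerrit.hc.sct/gerrit/plugins/saml/callback'

# Signature tab: the certificate exported from samlKeystore.jks with keytool.
# Assumption: the file was copied to C:\gerrit\pac4j-demo.cer.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\gerrit\pac4j-demo.cer'

# Endpoints tab: SAML assertion consumer endpoint, binding POST.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $callback

# Issuance Authorization Rules: allow all users to connect
# (restrict this rule set if only some groups may use Gerrit).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance Transform Rules: expose LDAP attributes as SAML attributes.
# Assumption: the outgoing claim names match the saml plugin's attribute settings.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Gerrit attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("UserName", "DisplayName", "EmailAddress"), query = ";sAMAccountName,displayName,mail;{0}", param = c.Value);
'@

# Advanced tab: SHA-256 signature algorithm.
Add-AdfsRelyingPartyTrust -Name 'Gerrit' `
    -Identifier $callback `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $signingCert `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check the result against the tab values listed above.
Get-AdfsRelyingPartyTrust -Name 'Gerrit' |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints, RequestSigningCertificate
```

Get-AdfsRelyingPartyTrust should report the callback URL as both identifier and assertion consumer endpoint, rsa-sha256 as the signature algorithm, and the pac4j certificate as the request signing certificate; if any of these differ, the trust will not accept Gerrit's requests.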