Doc for ADFS

Add doc subdir for additional doc (screenshots and markdown). Linked
ADFS doc in README.md - fixed password inconsistency.

PR: https://github.com/thesamet/gerrit-saml-plugin/pull/5
Change-Id: I879ff0a9bab9f15657dd78569532c035638f950b
diff --git a/README.md b/README.md
index b7be29a..5a71701 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,9 @@
       "Okta username prefix".
 - Obtain your IdP metadata (either URL or a local XML file)
 
+If you are using Active Directory Federation Services (ADFS), follow the below steps to configure Gerrit.
+You can then [go here](doc/Setup_ADFS.md) for more details on howto make gerrit-saml-plugin work with ADFS.
+
 ### Download the plugin
 
 Download [gerrit-saml-plugin](https://bintray.com/artifact/download/thesamet/maven/gerrit-saml-plugin-2.11.5-1.jar) and put it in $gerrit_site/lib/.
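Review bot: In the two added README lines, "howto" should be "how to", and the ordering is unclear: the first sentence says to "follow the below steps to configure Gerrit" while the second sends the reader to doc/Setup_ADFS.md "then". Suggest merging them into one sentence that says the ADFS guide is to be read after the steps below, with descriptive link text (for example "ADFS setup guide") instead of "go here".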
@@ -85,8 +88,8 @@
 ```
 [saml]
     keystorePath = /path/to/samlKeystore.jks
-    keystorePassword = pac4j-demo-passwd
-    privateKeyPassword = pac4j-demo-passwd
+    keystorePassword = pac4j-demo-password
+    privateKeyPassword = pac4j-demo-password
     metadataPath = https://mycompany.okta.com/app/hashash/sso/saml/metadata
 ```
 
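Review bot: The sample `[saml]` block still hard-codes a demo value, `pac4j-demo-password`, for both `keystorePassword` and `privateKeyPassword`, and blocks like this get copied verbatim. Renaming `passwd` to `password` fixes the inconsistency, but the private key in `samlKeystore.jks` is then protected by a string published in the README. Consider a neutral placeholder plus one sentence saying the value must be whatever password was given when the keystore was created.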
diff --git a/doc/Setup_ADFS.md b/doc/Setup_ADFS.md
new file mode 100644
index 0000000..84dbe33
--- /dev/null
+++ b/doc/Setup_ADFS.md
@@ -0,0 +1,135 @@
+# Setting-up gerrit-saml-plugin for Active Directory Federation Services (ADFS)
+Note: replace `fs.hc.sct` with the name of your ADFS, replace gerrit.hc.sct with the name of your Gerrit host.
+
+## Setup on the Gerrit machine
+Configure Gerrit as described in the [README.md](). Here is an example config
+using SAML for Authentication, LDAP for authorization and running gerrit under the `gerrit` prefix.
+
+    [gerrit]
+            basePath = git
+            canonicalWebUrl = https://gerrit.hc.sct/gerrit/
+    ...
+    [httpd]
+        listenUrl = https://gerrit.hc.sct:8443/gerrit/
+        filterClass = com.thesamet.gerrit.plugins.saml.SamlWebFilter
+    [auth]
+        type = HTTP_LDAP
+        logoutUrl = https://fs.hc.sct/adfs/ls/?wa=wsignout1.0
+        httpHeader = X-SAML-UserName
+        httpDisplaynameHeader = X-SAML-DisplayName
+        httpEmailHeader = X-SAML-EmailHeader
+        httpExternalIdHeader = X-SAML-ExternalId
+    [saml]
+        keystorePath = /home/gerrit/samlKeystore.jks
+        keystorePassword = pac4j-demo-password
+        privateKeyPassword = pac4j-demo-password
+        metadataPath = file:///home/gerrit/FederationMetadata.xml
+    [ldap]
+            server = ldap://fs.hc.sct
+            username = CN=Administrator,CN=Users,DC=hc,DC=sct
+            localUsernameToLowerCase = true
+            sslVerify = false
+            accountBase = DC=hc,DC=sct
+            groupBase = DC=hc,DC=sct
+
+You can download the IdP file FederationMeta.xml from your ADFS. You need to place it
+in the location configured with saml.metadataPath (note that this is an URL and that file:// is required).
+
+    wget https://fs.hc.sct/FederationMetadata/2007-06/FederationMetadata.xml
+
+
+Export the certificate from the samlKeystore.jks you created during setup. You will need the certificate in your ADFS configuration (see below).
+
+    keytool -exportcert  -keystore samlKeystore.jks -alias pac4j -rfc > pac4j-demo.cer
+
+## Setup on ADFS
+
+Open the Management console (mmc), make sure you have the AD FS Management snap-in. Add a Relying Party Trust.
+![][screen16]
+
+Go through the wizard. The properties at the end should look like indicated on the following screens.
+
+
+Monitoring: unmodified
+
+![][screen01]
+
+Identifiers: The relying party identifier is: `https://gerrit.hc.sct/gerrit/plugins/gerrit-saml-plugin/saml`
+
+![][screen02]
+
+Encryption: unmodified
+
+![][screen03]
+
+Signature: In the signature tab you need to import the certificate you exported above.
+
+![][screen04]
+
+Accepted Claims: unmodified
+
+![][screen05]
+
+Organization: unmodified
+
+![][screen06]
+
+Endpoints: URL is `https://gerrit.hc.sct/gerrit/plugins/gerrit-saml-plugin/saml`, binding POST
+
+![][screen07]
+
+Proxy Endpoints: unmodified
+
+![][screen08]
+
+Notes: unmodfied
+
+![][screen09]
+
+Advanced: SHA-256
+
+![][screen10]
+
+
+Select the `Relying Party Truct` and click on `Edit Claim Rules...`.
+You should expose the following LDAP attributes:
+
+![][screen11]
+![][screen12]
+
+Allow all users to connect, or modify depending on your setup:
+
+![][screen13]
+![][screen14]
+
+Delegation Authorization Rules: unmodified
+
+![][screen15]
+
+
+
+[screen01]: images/0.png    "screen 01"
+[screen02]: images/1.png    "screen 02"
+[screen03]: images/2.png    "screen 03"
+[screen04]: images/3.png    "screen 04"
+[screen05]: images/4.png    "screen 05"
+[screen06]: images/5.png    "screen 06"
+[screen07]: images/6.png    "screen 07"
+[screen08]: images/7.png    "screen 08"
+[screen09]: images/8.png    "screen 09"
+[screen10]: images/9.png    "screen 10"
+[screen11]: images/10.png   "screen 11"
+[screen12]: images/11.png   "screen 12"
+[screen13]: images/12.png   "screen 13"
+[screen14]: images/13.png   "screen 14"
+[screen15]: images/14.png   "screen 15"
+[screen16]: images/15.png   "screen 16"
+
+
+
+
+
+
+
+
+
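Review bot: The example `[ldap]` section combines `server = ldap://fs.hc.sct`, `sslVerify = false` and a bind as `CN=Administrator,CN=Users,DC=hc,DC=sct`, and nothing marks these as lab-only values. A reader copying the block gets a plain `ldap://` URL, certificate verification turned off and the built-in Administrator account used for directory lookups. Suggest `ldaps://` with `sslVerify` left at its default and a dedicated read-only bind account, or at least a sentence saying these three lines must be adapted. Smaller points in the same file: the `[README.md]()` link has an empty target; the prose says "FederationMeta.xml" while the `wget` line and `metadataPath` use `FederationMetadata.xml`; "unmodfied" and "Relying Party Truct" are typos; the reference definitions map `screen01`..`screen16` to `images/0.png`..`images/15.png`, an off-by-one naming that is easy to mislink later; and the file ends with a run of empty added lines that can be dropped.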
diff --git a/doc/images/0.png b/doc/images/0.png
new file mode 100644
index 0000000..2330f30
--- /dev/null
+++ b/doc/images/0.png
Binary files differ
diff --git a/doc/images/1.png b/doc/images/1.png
new file mode 100644
index 0000000..a965a46
--- /dev/null
+++ b/doc/images/1.png
Binary files differ
diff --git a/doc/images/10.png b/doc/images/10.png
new file mode 100644
index 0000000..3e0e911
--- /dev/null
+++ b/doc/images/10.png
Binary files differ
diff --git a/doc/images/11.png b/doc/images/11.png
new file mode 100644
index 0000000..1544a2a
--- /dev/null
+++ b/doc/images/11.png
Binary files differ
diff --git a/doc/images/12.png b/doc/images/12.png
new file mode 100644
index 0000000..838ebea
--- /dev/null
+++ b/doc/images/12.png
Binary files differ
diff --git a/doc/images/13.png b/doc/images/13.png
new file mode 100644
index 0000000..acb2acb
--- /dev/null
+++ b/doc/images/13.png
Binary files differ
diff --git a/doc/images/14.png b/doc/images/14.png
new file mode 100644
index 0000000..4a85a4b
--- /dev/null
+++ b/doc/images/14.png
Binary files differ
diff --git a/doc/images/15.png b/doc/images/15.png
new file mode 100644
index 0000000..bb86e86
--- /dev/null
+++ b/doc/images/15.png
Binary files differ
diff --git a/doc/images/2.png b/doc/images/2.png
new file mode 100644
index 0000000..0039e21
--- /dev/null
+++ b/doc/images/2.png
Binary files differ
diff --git a/doc/images/3.png b/doc/images/3.png
new file mode 100644
index 0000000..f5d528a
--- /dev/null
+++ b/doc/images/3.png
Binary files differ
diff --git a/doc/images/4.png b/doc/images/4.png
new file mode 100644
index 0000000..f9da22c
--- /dev/null
+++ b/doc/images/4.png
Binary files differ
diff --git a/doc/images/5.png b/doc/images/5.png
new file mode 100644
index 0000000..c6e0e13
--- /dev/null
+++ b/doc/images/5.png
Binary files differ
diff --git a/doc/images/6.png b/doc/images/6.png
new file mode 100644
index 0000000..03a3c5d
--- /dev/null
+++ b/doc/images/6.png
Binary files differ
diff --git a/doc/images/7.png b/doc/images/7.png
new file mode 100644
index 0000000..fe8b665
--- /dev/null
+++ b/doc/images/7.png
Binary files differ
diff --git a/doc/images/8.png b/doc/images/8.png
new file mode 100644
index 0000000..2943fe7
--- /dev/null
+++ b/doc/images/8.png
Binary files differ
diff --git a/doc/images/9.png b/doc/images/9.png
new file mode 100644
index 0000000..2fc2f20
--- /dev/null
+++ b/doc/images/9.png
Binary files differ