ADFS as Gerrit SAML authentication provider

Note: replace fs.hc.sct with the name of your ADFS, replace gerrit.hc.sct with the name of your Gerrit host.

Setup on the Gerrit machine

Configure Gerrit as described in the README.md. Here is an example config that uses SAML for authentication and LDAP for authorization, with Gerrit running under the gerrit URL prefix.

[gerrit]
    basePath = git
    canonicalWebUrl = https://gerrit.hc.sct/gerrit/
...
[httpd]
    listenUrl = https://gerrit.hc.sct:8443/gerrit/
    filterClass = com.googlesource.gerrit.plugins.saml.SamlWebFilter
[auth]
    type = HTTP_LDAP
    logoutUrl = https://fs.hc.sct/adfs/ls/?wa=wsignout1.0
    httpHeader = X-SAML-UserName
    httpDisplaynameHeader = X-SAML-DisplayName
    httpEmailHeader = X-SAML-EmailHeader
    httpExternalIdHeader = X-SAML-ExternalId
[saml]
    keystorePath = /home/gerrit/samlKeystore.jks
    keystorePassword = pac4j-demo-password
    privateKeyPassword = pac4j-demo-password
    metadataPath = file:///home/gerrit/FederationMetadata.xml
    useNameQualifier = false
[ldap]
    server = ldap://fs.hc.sct
    username = CN=Administrator,CN=Users,DC=hc,DC=sct
    localUsernameToLowerCase = true
    sslVerify = false
    accountBase = DC=hc,DC=sct
    groupBase = DC=hc,DC=sct

You can download the IdP metadata file FederationMetadata.xml from your ADFS. Place it at the location configured in saml.metadataPath (note that this value is a URL, so the file:// prefix is required).

wget https://fs.hc.sct/FederationMetadata/2007-06/FederationMetadata.xml

Export the certificate from the samlKeystore.jks you created during setup. You will need the certificate in your ADFS configuration (see below).

keytool -exportcert -keystore samlKeystore.jks -alias pac4j -rfc > pac4j-demo.cer
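Before moving on to ADFS, it is worth sanity-checking the settings above. The following is an added example, not code from the plugin or from this page: it parses a gerrit.config in git-config syntax (the embedded sample is constructed from the example above), derives the relying party identifier that the ADFS trust below must use, and flags the mistakes this guide warns about, such as a saml.metadataPath without the file:// prefix. The accepted auth.type values and the filter class name are taken from the plugin README; the prefix comparison assumes Gerrit serves its URL directly, as in this setup.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the page; metadataPath deliberately lacks file:// so the check reports it.
SAMPLE_CONFIG = """\
[gerrit]
    canonicalWebUrl = https://gerrit.hc.sct/gerrit/
[httpd]
    listenUrl = https://gerrit.hc.sct:8443/gerrit/
    filterClass = com.googlesource.gerrit.plugins.saml.SamlWebFilter
[auth]
    type = HTTP_LDAP
[saml]
    metadataPath = /home/gerrit/FederationMetadata.xml
"""
SAML_FILTER = "com.googlesource.gerrit.plugins.saml.SamlWebFilter"
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')

def parse_gerrit_config(text):
    """Minimal git-config style parser: {(section, subsection): {key: value}}."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '#' comments, ignore indentation
        m = SECTION_RE.match(line)
        if m:
            current = cfg.setdefault((m.group(1).lower(), m.group(2)), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()   # keys are case-insensitive
    return cfg

def relying_party_id(cfg):
    """Identifier and POST endpoint to register in ADFS: canonicalWebUrl + callback path."""
    base = cfg.get(("gerrit", None), {}).get("canonicalweburl", "").rstrip("/")
    return base + "/plugins/saml/callback"

def check_saml_config(cfg):
    """Return findings for the settings this page depends on; an empty list means all good."""
    sec = lambda name: cfg.get((name, None), {})
    findings = []
    if sec("httpd").get("filterclass") != SAML_FILTER:
        findings.append("httpd.filterClass must be " + SAML_FILTER)
    if sec("auth").get("type") not in ("HTTP", "HTTP_LDAP"):
        findings.append("auth.type must be HTTP or HTTP_LDAP for header-based SAML login")
    if urlparse(sec("gerrit").get("canonicalweburl", "")).path != urlparse(sec("httpd").get("listenurl", "")).path:
        findings.append("canonicalWebUrl and listenUrl use different path prefixes")
    if urlparse(sec("saml").get("metadatapath", "")).scheme not in ("file", "http", "https"):
        findings.append("saml.metadataPath is a URL: a local file needs the file:// prefix")
    return findings
```

Run the checks against your real gerrit.config with `parse_gerrit_config(open(path).read())`; the relying party identifier it prints is the value to enter on the Identifiers and Endpoints tabs below.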

Setup on ADFS

Open the Management Console (mmc) and make sure the AD FS Management snap-in is loaded. Add a Relying Party Trust.

Go through the wizard. The properties of the trust at the end should look as shown on the following screens, tab by tab.

Monitoring: unmodified

Identifiers: The relying party identifier is: https://gerrit.hc.sct/gerrit/plugins/saml/callback

Encryption: unmodified

Signature: on the Signature tab, import the certificate you exported above (pac4j-demo.cer).

Accepted Claims: unmodified

Organization: unmodified

Endpoints: the URL is https://gerrit.hc.sct/gerrit/plugins/saml/callback with binding POST

Proxy Endpoints: unmodified

Notes: unmodified

Advanced: SHA-256

Select the Relying Party Trust and click on Edit Claim Rules.... You should expose the following LDAP attributes:

Allow all users to connect, or modify depending on your setup:

Delegation Authorization Rules: unmodified