ADFS Integration #39

Open
radunicolae opened this issue Oct 11, 2019 · 3 comments

@radunicolae

Good morning!

I'm trying to integrate the jupyterhub-samlauthenticator with our ADFS server but I'm missing something.
The IdP setup was done with the https://jupyter.example.org:8000/hub/login path, and I got the metadata.xml file from the IT admin.
The problem is that the redirect takes us to https://adfs.example.org/adfs/ls/ and we never reach the login screen.

This is all the info I get in debug mode:

[I 2019-10-11 10:27:10.820 JupyterHub samlauthenticator:711] Starting SP-initiated SAML Login
[D 2019-10-11 10:27:10.822 JupyterHub samlauthenticator:616] Got metadata etree
[D 2019-10-11 10:27:10.822 JupyterHub samlauthenticator:622] Got valid metadata etree
[D 2019-10-11 10:27:10.822 JupyterHub samlauthenticator:628] Final xpath is: //md:SingleSignOnService[@binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']/@location
[I 2019-10-11 10:27:10.823 JupyterHub log:174] 302 GET /hub/login?next= -> https://federation.bitdefender.biz/adfs/ls/ (@192.168.1.1) 3.34ms
[I 2019-10-11 10:27:18.061 JupyterHub log:174] 302 GET /login?next= -> /hub/login?next= (@92.168.1.1) 0.84ms

Any advice?

Thank you!

@psdavis

psdavis commented Jul 28, 2020

I'm getting a very similar error.
Here is the config:

c.JupyterHub.authenticator_class = 'samlauthenticator.SAMLAuthenticator'
c.SAMLAuthenticator.metadata_filepath = '/tmp/FederationMetadata.xml'
c.SAMLAuthenticator.acs_endpoint_url = 'https://cs-jhub.servers.bsu.edu/login'
c.SAMLAuthenticator.entity_id = 'csjhub'
c.SAMLAuthenticator.create_system_users = False

Here is the error the SSO admin is getting on their end:

Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

and here is what I am seeing in my logs:

[I 2020-07-28 12:52:14.335 JupyterHub samlauthenticator:724] Starting SP-initiated SAML Login
[D 2020-07-28 12:52:14.337 JupyterHub samlauthenticator:629] Got metadata etree
[D 2020-07-28 12:52:14.337 JupyterHub samlauthenticator:635] Got valid metadata etree
[D 2020-07-28 12:52:14.337 JupyterHub samlauthenticator:641] Final xpath is: //md:SingleSignOnService[@binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']/@location
[I 2020-07-28 12:52:14.338 JupyterHub log:174] 302 GET /hub/login -> https://shibboleth.bsu.edu/adfs/ls/ (@10.244.3.1) 3.88ms

Any help with this is greatly appreciated.
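
A troubleshooting check for logs like the ones above, added here as an example that is not part of any comment or of the project's code: it resolves the HTTP-Redirect SingleSignOnService location from IdP metadata, then flags logged 302s to that endpoint that carry no `SAMLRequest` query parameter, which is how the SAML HTTP-Redirect binding delivers the AuthnRequest. The metadata, log lines and function names are constructed, and ElementTree's path syntax stands in for the xpath printed in the debug output.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, minimal IdP metadata; a real FederationMetadata.xml is far larger.
SAMPLE_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://adfs.example.org/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://adfs.example.org/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed hub log lines in the format shown in this thread.
SAMPLE_LOG = """\
[I 2020-01-01 10:00:00.000 JupyterHub log:174] 302 GET /hub/login?next= -> https://adfs.example.org/adfs/ls/ (@192.0.2.10) 3.34ms
[I 2020-01-01 10:00:05.000 JupyterHub log:174] 302 GET /hub/login -> https://adfs.example.org/adfs/ls/?SAMLRequest=PLACEHOLDER&RelayState=x (@192.0.2.10) 2.10ms
[I 2020-01-01 10:00:09.000 JupyterHub log:174] 302 GET /login?next= -> /hub/login?next= (@192.0.2.10) 0.84ms
"""

LINE = re.compile(r"\] 302 GET (\S+) -> (\S+) \(")


def sso_redirect_location(metadata_xml):
    """Return the IdP's HTTP-Redirect SSO URL from metadata, or None."""
    node = ET.fromstring(metadata_xml).find(
        f".//md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    return None if node is None else node.get("Location")


def redirects_missing_saml_request(log_text, sso_url):
    """Return request paths whose 302 went to sso_url without a SAMLRequest."""
    sso = urlsplit(sso_url)[:3]          # (scheme, host, path)
    flagged = []
    for src, dst in LINE.findall(log_text):
        if urlsplit(dst)[:3] != sso:
            continue                     # redirect to somewhere else
        if "SAMLRequest" not in parse_qs(urlsplit(dst).query):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    url = sso_redirect_location(SAMPLE_METADATA)
    print(url, redirects_missing_saml_request(SAMPLE_LOG, url))
```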

@christleijtens

Dear Tom,

We are running into very similar issues. We have set up our jupyterhub_config.py and we get the 302 redirect to our ADFS server, but then we receive an error. From your documentation it looks like the SP metadata to be used is generated from the settings in the configuration file. But we do not understand where this data lives. Our IdP administrators expect us to deliver an SP metadata XML to them through a URL so that the ADFS server can read our settings.

We are really stuck now and would like your assistance on this.

To the others in this issue, did you in the end find a solution and get it working? This issue was opened in October 2019, so I suppose you got it fixed or took another route to get the same functionality?

Any pointers for help are really appreciated.

Kind regards,

Christ Leijtens (acam.leijtens@rotterdam.nl / christ.leijtens@gmail.com)
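
For reference, what a minimal SAML SP metadata document built from an entity ID and an ACS URL looks like, added here as an example that is not part of any comment and is not the project's own metadata code. The function names and the sample values are constructed, the argument names mirror the `entity_id` and `acs_endpoint_url` config keys quoted in this thread, and the https-only check is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("md", MD)


def build_sp_metadata(entity_id, acs_endpoint_url, nameid_format=UNSPECIFIED):
    """Return SP metadata XML (str) with one HTTP-POST assertion consumer service."""
    acs = urlsplit(acs_endpoint_url)
    if acs.scheme != "https" or not acs.netloc:
        # Assertions are posted to this URL, so refuse plaintext or relative URLs.
        raise ValueError("ACS endpoint must be an absolute https:// URL")
    if not entity_id or entity_id != entity_id.strip():
        raise ValueError("entity_id must be non-empty with no surrounding whitespace")

    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": PROTOCOL,
        "AuthnRequestsSigned": "false",   # this sketch declares no signing key
        "WantAssertionsSigned": "true",   # ask the IdP to sign assertions
    })
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = nameid_format
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": POST, "Location": acs_endpoint_url,
        "index": "0", "isDefault": "true",
    })
    return ET.tostring(root, encoding="unicode")


def acs_locations(metadata_xml):
    """Read back the ACS URLs an IdP would register from the document."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location")
            for e in root.iter(f"{{{MD}}}AssertionConsumerService")]


if __name__ == "__main__":
    # Constructed values, not taken from any deployment in this thread.
    print(build_sp_metadata("jupyterhub-sp", "https://jupyter.example.org/hub/login"))
```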

@distortedsignal
Contributor

Hey guys,

I've been silent on this issue for a couple of reasons:

  1. I haven't tested this with ADFS. I know this is a shock, seeing as this component is pretty clearly not designed to work with ADFS.
  2. I don't really have any plans to test this with ADFS. All the work I do on this project is for my job, and right now my job is not focused on this project. Further, if I were to take this on in my spare time, I would need a copy of AD with ADFS enabled. I'm not going to spend that kind of money for this kind of marginal effect.

I would encourage you to do the work yourselves. Open Source is Open Source for a reason. You can see everything I'm doing here. Take a chance! Get your hands dirty! If you need help understanding what is going on here, I'm more than happy to answer questions. But for right now, ADFS support is outside the scope of this project.
