
At high-level how Federated Security is used to authenticate a KTA logon

Goal

The goal of this KB is to describe, at a high level, how Federated Security with Microsoft Active Directory as the Identity Provider (IDP) is used to authenticate a KTA logon.

What is Federated Security?

With Federated Security, the responsibility for authenticating a user is moved from the application (KTA) to the IDP. This has the advantage that all applications can use the same IDP, so you do not have to manage the same identity in different locations. Federated Security uses claim-based identity to identify users: when a user is authenticated by the IDP, the IDP provides the application with a claim token that describes the authenticated user.

A claim contains one or more statements about an authenticated user. Claim descriptions are specified as URIs, e.g.:

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/0...aims/givenname">
  <AttributeValue>John Doe</AttributeValue>
</Attribute>

To ensure that a claim token returned by the IDP can be trusted, public key infrastructure (PKI) is used. The IDP signs the claim token with its private key, and the application (KTA) verifies the signature with the public key of the IDP. The application (KTA) is also configured with the URL of the issuer, so that only tokens from that IDP are accepted.

Every identity provider publishes a federation metadata XML document that describes its endpoints (URLs) and claim descriptions and contains the public key for checking the signature.


How does the authentication operate?

1. A user tries to access KTA (https://kta/TotalAgility/designer/)

2. KTA determines the IDP to authenticate the user. If only one IDP is configured, it is used. If multiple IDPs are configured, the user is asked to choose which IDP to use.

3. KTA creates an authentication request and redirects the user’s browser to the IDP.

Example Request:

<samlp:AuthnRequest ID="_0a422c2f-264b-4c5a-8c1e-f31a0b2418f4"
    Version="2.0"
    IssueInstant="2020-07-27T14:13:19Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://kta/TotalAgility/FederatedLo...m%2flogon.html"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://kta/TotalAgility/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>


4. IDP authenticates the user and generates a claim token for the user.

5. IDP redirects the user back to KTA with a response that contains the claim token.

6. KTA verifies the claim token by validating its signature against the configured certificate thumbprint. It also checks that the response came from the configured issuer URL.

7. KTA reads the claims from the verified token and uses user claim mapping to log the user in. If the user does not exist yet, a new user is created using any configured user claim rules. If the user already exists, the user is simply logged in.

Example Response:

<samlp:Response ID="_44a93eac-2397-425f-b710-b40a1aee2230"
    Version="2.0"
    IssueInstant="2020-07-27T14:13:19.253Z"
    Destination="https://kta/TotalAgility/FederatedLo...m%2flogon.html"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="_0a422c2f-264b-4c5a-8c1e-f31a0b2418f4"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adhost/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_0b1f59ab-0215-41bc-934d-4d098b77092a"
      IssueInstant="2020-07-27T14:13:19.253Z"
      Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adhost/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_0b1f59ab-0215-41bc-934d-4d098b77092a">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>haAjqj9ppMyjcsm4mGku9uE+H9Rv420jhA2l693KpGw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>o4ei9WWLOxU6WvIm1R0eCGoru32t9yVnA/3qUPMVumPcLbaMMOKCcea9rJ5aU0uptclenMtqzvHbPF6vEmcsvzdTFkURS5HYLgdE9+ITELdCgRdyQT3gV84rJ+0uYVV6NgALJPuTlxghaxbPI8vc9OqbfwI1Vks+W+VkwMisMg0xqaOCCVmI3d4E955XuEjN4lO+JXv296OjHdXe/30+0OPHmg6DA7pS2ODxW03xEbUVyz8S1I7Rz6itW31tB3dXSKqUdtJdtB9cwnDO/yojSzvg18UJm5oxMe7bjK1ac+FoOuwnHzl/F2KkSskJZe5h9X0XcbQoz6eLwtds2dEUOQ==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_0a422c2f-264b-4c5a-8c1e-f31a0b2418f4"
            NotOnOrAfter="2020-07-27T14:18:19.253Z"
            Recipient="https://kta/TotalAgility/FederatedLo...m%2flogon.html" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2020-07-27T14:13:19.251Z" NotOnOrAfter="2020-07-27T15:13:19.251Z">
      <AudienceRestriction>
        <Audience>https://kta/TotalAgility</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/0...ity/claims/upn">
        <AttributeValue>John.Doe@kofax.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/0...ty/claims/name">
        <AttributeValue>John Doe</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/0...s/emailaddress">
        <AttributeValue>John.Doe@kofax.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2020-07-27T13:55:49.764Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

Let's discuss steps 6 and 7 above in more detail:

  • The user is redirected to KTA with the above Response, which contains the claim token.
  • KTA first checks the signature. The thumbprint of the signing certificate must be configured in KTA. If the configured thumbprint matches the certificate used to sign the claim token, the signature is verified.
  • KTA then checks that the configured issuer URL matches the issuer URL stated in the response.
  • KTA retrieves the "Username", "Name" and "Email Address" using User Claim mapping. Whatever is configured under "Match to" in User Claim mappings in KTA is used to check whether the user already exists. For each value, the URI of the claim to read it from is specified under User Claim mapping.
  • The AttributeStatement in the response lists the attributes (claim descriptions) of the authenticated user. For example, for the username the URI would be: http://schemas.xmlsoap.org/ws/2005/0...aims/givenname
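To make the checks in steps 6 and 7 concrete, here is an added example (not KTA's own code) that applies them to a constructed SAML response using only the Python standard library: certificate thumbprint, issuer URL, and then the user claim mapping that yields Username, Name and Email Address. It goes slightly beyond the page by also checking InResponseTo, the Audience and the validity window; the CONFIG dict, the full claim URIs and the stand-in certificate bytes are assumptions, and the XML-DSig signature computation itself is left to a signing library.

```python
import base64, hashlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
FAKE_DER = b"constructed-der-bytes-for-this-demo"  # stand-in for the IDP's DER certificate, not a real cert
CONFIG = {  # hypothetical shape for the values an administrator configures in KTA
    "issuer": "http://adhost/adfs/services/trust", "audience": "https://kta/TotalAgility",
    "thumbprint": hashlib.sha1(FAKE_DER).hexdigest().upper(),  # thumbprint = SHA-1 over the DER bytes
    "claim_mapping": {"Username": CLAIMS + "upn", "Name": CLAIMS + "name", "Email Address": CLAIMS + "emailaddress"},
}
SAMPLE_RESPONSE = """<p:Response xmlns:p="{p}" xmlns:a="{a}" xmlns:ds="{ds}" ID="_44a9" InResponseTo="_0a42">
<a:Issuer>http://adhost/adfs/services/trust</a:Issuer>
<a:Assertion ID="_0b1f"><a:Issuer>http://adhost/adfs/services/trust</a:Issuer>
<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<a:Conditions NotBefore="2020-07-27T14:13:19.251Z" NotOnOrAfter="2020-07-27T15:13:19.251Z">
<a:AudienceRestriction><a:Audience>https://kta/TotalAgility</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AttributeStatement><a:Attribute Name="{c}upn"><a:AttributeValue>John.Doe@kofax.com</a:AttributeValue></a:Attribute>
<a:Attribute Name="{c}name"><a:AttributeValue>John Doe</a:AttributeValue></a:Attribute>
<a:Attribute Name="{c}emailaddress"><a:AttributeValue>John.Doe@kofax.com</a:AttributeValue></a:Attribute>
</a:AttributeStatement></a:Assertion></p:Response>""".format(  # constructed, modelled on the page's example
    cert=base64.b64encode(FAKE_DER).decode(), c=CLAIMS, **NS)

def parse_time(s):  # SAML timestamps are UTC with fractional seconds, e.g. 2020-07-27T14:13:19.251Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, cfg, expected_request_id, now):
    # Steps 6 and 7 from the KTA side; raises ValueError naming the first failed check.
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    if root.get("InResponseTo") != expected_request_id:  # must answer the AuthnRequest KTA sent
        raise ValueError("InResponseTo does not match the AuthnRequest ID")
    cert_der = base64.b64decode(assertion.find(".//ds:X509Certificate", NS).text.strip())
    if hashlib.sha1(cert_der).hexdigest().upper() != cfg["thumbprint"]:  # step 6: certificate thumbprint
        raise ValueError("signing certificate thumbprint mismatch")
    for iss in (root.find("a:Issuer", NS), assertion.find("a:Issuer", NS)):  # step 6: issuer URL
        if iss is None or iss.text.strip() != cfg["issuer"]:
            raise ValueError("issuer URL mismatch")
    cond = assertion.find("a:Conditions", NS)  # token must be meant for this KTA and still be valid
    if cfg["audience"] not in [e.text for e in cond.iterfind(".//a:Audience", NS)]:
        raise ValueError("audience mismatch")
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    attrs = {a.get("Name"): a.find("a:AttributeValue", NS).text  # step 7: user claim mapping
             for a in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    return {field: attrs.get(uri) for field, uri in cfg["claim_mapping"].items()}
```

A response whose issuer, thumbprint or audience differs from CONFIG, or whose validity window has passed, is rejected before any claim is read, which is the order KTA's steps 6 and 7 describe.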

Additional Configurations

If the user does not exist, KTA creates the user using User Claim Rules. The user is created with the Category, Working Category and Working Group defined under Default User Claim in User Claim Rules. By default, every new user is added to the everyone group.

You can enable Custom User Rules under User Claim Rules. This lets you specify a rule that matches a claim type/description against a value. For example, if you have a claim description that contains the department someone belongs to, you can enter the URI of that claim description and the department name as its value. Everyone from the "Sales" department could then be created with the custom rules you defined. The advantage of custom user rules is that they let you add users to specific groups.

References

Internal Kofax "APP NOTE - KTA Federated Security - Azure AD" by Dimitri Huisman.