A couple of weeks ago we had to interface with an application running on Tomcat using Apache CXF Fediz as it’s authentication mechanism. We had successfully tied the application to work with our ADFS 3.0 server using SAML 1 tokens. While this worked wonderfully for users using web browsers we had problems getting it to work programmatically with Powershell. This was needed for some API calls and we had to authenticate with ADFS first.
So below you will find the script we used along with it’s description, I have actually posted two scripts one where you obtain an initial cookie from the application as this was a requirements and a second one where an initial coockie is not neeed. If you get the message “HTTP Status 408 – The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser” then you need to use the cookie method.
So how does the script work:
- First it obtains the needed cookie from the Apache application and stores it in a web session
- Then it creates the envelope for the soap call to the ADFS server, we are requesting an “urn:oasis:names:tc:SAML:1.0:assertion” but you can request an “urn:oasis:names:tc:SAML:2.0:assertion” if need be.
- It then makes a post request to the ADFS server with the envelope in the body
- Once it receive the reply we need to clean it as we only require the body section example of the result:
1<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust”>..............<t:RequestSecurityTokenResponse> - The script then loads the result into a hashtable
- It then makes a post request with the hashtable in the body to the Apache application using the Websession we initially established
- Once that is complete we can use the web session to make any api calls we like eg(getting a status)
For application requiring an initial cookie:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
$GetAvar = Invoke-WebRequest -Uri "https://apache.application.com" -Method GET -SessionVariable myWebSession
$federationServer = "adfs.gi-architects.co.uk"
$appliesTo = "https://apache.application.com"
$endpoint = "https://" + $federationServer + "/adfs/services/trust/2005/usernamemixed"
$username = "useraccount"
$password = "userpassword"
$rst= [String]::Format(
'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">{0}</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:UsernameToken><o:Username>{1}</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{2}</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>{3}</a:Address></a:EndpointReference></wsp:AppliesTo><t:KeySize>0</t:KeySize><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType></t:RequestSecurityToken></s:Body></s:Envelope>', `
$endpoint,
$username,
$password,
$appliesTo)
$webresp = Invoke-WebRequest $endpoint -Method Post -Body $rst -ContentType "application/soap+xml"
$tokenXml = [xml]$webresp.Content
$wresult = $tokenXml.Envelope.Body.InnerXml
$wa = "wsignin1.0"
$postParams = @{wa=$wa;wresult=$wresult}
$temp = Invoke-WebRequest -Uri "https://apache.application.com" -Method POST -ContentType "application/x-www-form-urlencoded" -Body $postParams -WebSession $myWebSession
Invoke-WebRequest -Uri "https://apache.application.com/web/session.xql?action=status" -Method Get -WebSession $myWebSession
|
For application not requiring to obtain an initial cookie:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
$federationServer = "adfs.gi-architects.co.uk"
$appliesTo = "https://apache.application.com"
$endpoint = "https://" + $federationServer + "/adfs/services/trust/2005/usernamemixed"
$username = "useraccount"
$password = "userpassword"
$rst= [String]::Format(
'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">{0}</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:UsernameToken><o:Username>{1}</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{2}</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>{3}</a:Address></a:EndpointReference></wsp:AppliesTo><t:KeySize>0</t:KeySize><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType></t:RequestSecurityToken></s:Body></s:Envelope>', `
$endpoint,
$username,
$password,
$appliesTo)
$webresp = Invoke-WebRequest $endpoint -Method Post -Body $rst -ContentType "application/soap+xml"
$tokenXml = [xml]$webresp.Content
$wresult = $tokenXml.Envelope.Body.InnerXml
$wa = "wsignin1.0"
$postParams = @{wa=$wa;wresult=$wresult}
$temp = Invoke-WebRequest -Uri "https://apache.application.com" -Method POST -ContentType "application/x-www-form-urlencoded" -Body $postParams -SessionVariable myWebSession
Invoke-WebRequest -Uri "https://apache.application.com/web/session.xql?action=status" -Method Get -WebSession $myWebSession
|