Integrate SAML and LDAP support with ColdFusion Administrator

What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. Its primary function is to let users find data about organizations, persons, and other entries. It does this by storing the data in an LDAP directory and authenticating the users who access that directory. LDAP works with most vendor directory services, such as Active Directory (AD), and makes it easier to share information about users, services, systems, networks, and applications from a directory service with other applications and services.

In ColdFusion, you can integrate the users or groups of an LDAP server from within the ColdFusion Administrator. In previous releases of ColdFusion, the ColdFusion Administrator provided a user manager that let you create users and assign them permissions one at a time.

In ColdFusion, you can:

  • Configure an LDAP user store - stores all the data required to connect to the directory and import users/groups.
  • Import LDAP users and groups from a user store - imports the selected users/groups from the added user store.
  • Grant permissions to users and groups.

Add external authentication type

Select the option "Separate username and password authentication (allows multiple users)" in Security->Administrator to add an external authentication type.

To add external authentication, select one of the available types:

  • SAML
  • LDAP

Configure SAML/LDAP

LDAP

Add the LDAP configuration details in the Security->Administrator->External Authentication section, or use the setAdminLdapConfiguration function.

Then add the user to the ColdFusion Administrator through the Security->User Manager page, selecting the LDAP authentication type and assigning the appropriate roles.

You can then log in via the Administrator login page.

Configure LDAP

Add users (LDAP)

SAML

First, add the SAML IdP and SP configuration from the Security->IdP Configuration and Security->SP Configuration pages.

Then add the user to the ColdFusion Administrator through the Security->User Manager page, selecting the SAML authentication type and assigning the appropriate roles.

The login page now shows an option called SSO Login.

Click it and you are redirected to the Identity Provider's login page; after a successful login there, you are redirected back into the ColdFusion Administrator.

Add users (SAML)

Admin APIs for SAML and LDAP

Description

Sets the LDAP configuration.

Syntax

public setAdminLdapConfiguration ( required string host, required string tcpPort, required string userBaseContext, required string groupBaseContext, required string usernameAttr, required string groupnameAttr, required string timeout, string userConfig="", string groupConfig="", string userbindDN="", string userbindPass="", boolean isSSLEnabled="false", boolean isStartTLSEnabled="false" )

Parameters

  • host: string, required - hostname or IP address of the LDAP server
  • tcpPort: string, required - TCP port of the LDAP server
  • userBaseContext: string, required - starting point (base DN) for searching users
  • groupBaseContext: string, required - starting point (base DN) for searching groups
  • usernameAttr: string, required - attribute whose value is unique and can be used to search users, for example uid
  • groupnameAttr: string, required - attribute whose value is unique and can be used to search groups, for example cn
  • timeout: string, required - timeout while searching
  • userConfig: string, optional - object class of users, used as a search filter
  • groupConfig: string, optional - object class of groups, used as a search filter
  • userbindDN: string, optional - DN used to bind to the LDAP server
  • userbindPass: string, optional - password for the provided DN
  • isSSLEnabled: boolean, optional - equivalent to the CFSSL_BASIC secure setting of the cfldap tag; the server certificates must be imported into the ColdFusion Java keystore
  • isStartTLSEnabled: boolean, optional - whether to use the StartTLS extension to initiate TLS over the normal LDAP port
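The parameters above are passed through to the directory connection as given, so it is worth checking them before calling setAdminLdapConfiguration or cfsetup add ldapconfig (and before relying on verifyConnection, which only tells you whether a connection can be established, not whether it is a safe one). The following script is an added example, not ColdFusion code: it never contacts a directory and knows nothing about how ColdFusion itself validates the settings. Its dict keys simply mirror the parameter names listed above, and the three sample configurations at the bottom are constructed for illustration.

```python
"""Pre-flight audit of the values destined for setAdminLdapConfiguration()
or `cfsetup add ldapconfig` (added example; dict keys mirror the parameter names)."""
import re

# One RDN looks like "attr=value"; a DN is a comma-separated list of RDNs.
# Values containing an escaped comma ("\,") are not handled by this simple check.
_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^,]+\s*$")

LDAPS_PORT = "636"  # conventional LDAP-over-TLS port, used only for a heuristic warning


def is_valid_dn(dn):
    """True when every comma-separated component of dn has the attr=value shape."""
    if not dn or not dn.strip():
        return False
    return all(_RDN.match(part) for part in dn.split(","))


def _as_bool(value):
    """The Admin API takes its booleans as the strings "true"/"false"; accept both forms."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "1")


def audit_ldap_config(cfg):
    """Return a list of (severity, message) findings; an empty list means nothing to flag.

    "error" marks settings that cannot work or that expose the bind credentials,
    "warn" marks settings that usually indicate a mistake.
    """
    findings = []

    for key in ("host", "tcpPort", "userBaseContext", "groupBaseContext",
                "usernameAttr", "groupnameAttr", "timeout"):
        if not str(cfg.get(key, "")).strip():
            findings.append(("error", f"required parameter {key!r} is empty"))

    for key in ("tcpPort", "timeout"):
        value = str(cfg.get(key, "")).strip()
        if value and not value.isdigit():
            findings.append(("error", f"{key!r} must be numeric, got {value!r}"))

    for key in ("userBaseContext", "groupBaseContext", "userbindDN"):
        value = cfg.get(key, "")
        if value and not is_valid_dn(value):
            findings.append(("error", f"{key!r} is not a well-formed DN: {value!r}"))

    ssl = _as_bool(cfg.get("isSSLEnabled", False))
    starttls = _as_bool(cfg.get("isStartTLSEnabled", False))
    bind_dn = str(cfg.get("userbindDN", "")).strip()
    bind_pw = str(cfg.get("userbindPass", ""))

    if ssl and starttls:
        findings.append(("warn", "isStartTLSEnabled only applies to the plain LDAP port; "
                                 "with isSSLEnabled the connection is already LDAPS"))
    if not ssl and not starttls:
        # A plaintext bind sends userbindPass, and every search result, in the clear.
        severity = "error" if bind_pw else "warn"
        findings.append((severity, "neither isSSLEnabled nor isStartTLSEnabled is set: "
                                   "the bind password and search results cross the network in cleartext"))
    if not ssl and str(cfg.get("tcpPort", "")).strip() == LDAPS_PORT:
        findings.append(("warn", "tcpPort 636 is the conventional LDAPS port but isSSLEnabled is false"))
    if not bind_dn:
        findings.append(("warn", "empty userbindDN means an anonymous bind; "
                                 "most directories refuse anonymous searches"))
    elif not bind_pw:
        findings.append(("warn", "userbindDN is set but userbindPass is empty (unauthenticated bind)"))

    return findings


# Constructed sample configurations (example.com, placeholder bind account and password).
PLAINTEXT_CONFIG = {
    "host": "ldap.example.com", "tcpPort": "389",
    "userBaseContext": "ou=User,dc=example,dc=com",
    "groupBaseContext": "ou=Group,dc=example,dc=com",
    "usernameAttr": "uid", "groupnameAttr": "cn", "timeout": "6000",
    "userbindDN": "cn=cf-bind,ou=Service,dc=example,dc=com",
    "userbindPass": "placeholder-bind-password",
    "isSSLEnabled": "false", "isStartTLSEnabled": "false",
}
# Same directory, but the session is upgraded to TLS on port 389 before the bind.
HARDENED_CONFIG = dict(PLAINTEXT_CONFIG, isStartTLSEnabled="true")
# Anonymous bind, no TLS, and a user base context that is not a DN at all.
SLOPPY_CONFIG = dict(PLAINTEXT_CONFIG, userBaseContext="Users", userbindDN="", userbindPass="")

if __name__ == "__main__":
    for name, cfg in (("plaintext", PLAINTEXT_CONFIG), ("hardened", HARDENED_CONFIG), ("sloppy", SLOPPY_CONFIG)):
        print(name)
        for severity, message in audit_ldap_config(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it as a script to see the three sample configurations graded, or import audit_ldap_config and feed it the struct you are about to hand to the Admin API. The plaintext sample is rejected because a bind password is about to leave the host unencrypted; switching on isStartTLSEnabled (or isSSLEnabled with the certificate imported into the ColdFusion keystore, as the parameter description says) clears it.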

Description

Returns the LDAP configuration.

Syntax

getAdminLdapConfiguration ( )

Description

Removes the LDAP configuration.

Syntax

deleteLdapConfiguration ( )

Description

Sets the type of external authentication and adds the configuration details if the type is SAML.

Syntax

setExternalAuthentication ( required String type, Struct config="[runtime expression]" )

Parameters

  • type: String, required - type of external authentication (SAML or LDAP)
  • config: Struct, optional - struct containing the SAML configuration details

Description

Returns the selected type of external authentication.

Syntax

getExternalAuthentication ( )

Description

Deletes the SAML Configuration.

Syntax

deleteAdminSamlConfig ( )

Description

Returns the SAML Configuration.

Syntax

getAdminSamlConfig ( )

Description

Returns whether a connection can be established or not.

Syntax

boolean verifyConnection ( )

Examples

SAML

<cfscript>
    // Assumes the okta_* and group_Name variables were set earlier with the values from your IdP and SP setup
    adminObj = CreateObject("component","CFIDE.adminapi.administrator");
    // administrator.login() takes the admin password first, then the user ID
    adminObj.login("Adm1n$","admin");

    secCFC = CreateObject("component","CFIDE.adminapi.security");

    // Add SP Configuration
    secCFC.addSpMetadata( alias="#okta_sp_alias#", entityid="#okta_sp_entityid#", acsurl="#okta_sp_acsurl#", slourl="#okta_sp_slourl#", signrequests="true", wantassertionssigned="true", logoutresponsesigned="true", signkeystorepath="#okta_sp_signkeystorepath#", signkeystorepassword="#okta_sp_signkeystorepassword#", signkeystorealias="#okta_sp_signkeystorealias#" );

    // Add IDP Configuration
    secCFC.addIdpMetadata(alias="#okta_idp_alias#", url="#okta_idp_url#");

    // Add new SAML user (empty password fields: the Identity Provider authenticates the user)
    secCFC.setUser("saml_username",
        "",
        "",
        ["coldfusion.administrator","coldfusion.adminapi"],
        true,
        true,
        false,
        [],[],[],
        false,
        false,
        false,
        true,
        false);

    // IdP alias, SP alias and the name of the group attribute sent by the Identity Provider
    config = {
        idpName = "#okta_idp_alias#",
        spName = "#okta_sp_alias#",
        groupName = "#group_Name#"
    };

    // Set external authentication to SAML and pass the config consisting of IdP, SP and groupName
    secCFC.setExternalAuthentication("Saml",config);

    // Get the added SAML Configuration details
    saml_config = secCFC.getAdminSamlConfig();
    writeDump(saml_config);
</cfscript>

LDAP

<cfscript>
    // Assumes the ads_ldap_*, ads_ssl_enabled, ads_starttls and ldap_admin_* variables were set earlier
    adminObj = CreateObject("component","CFIDE.adminapi.administrator");
    // administrator.login() takes the admin password first, then the user ID
    adminObj.login("Adm1n$","admin");

    secCFC = CreateObject("component","CFIDE.adminapi.security");

    // Add LDAP Configuration (positional arguments in the order of the setAdminLdapConfiguration syntax above)
    secCFC.setAdminLdapConfiguration(ads_ldap_host,
        ads_ldap_port,
        ads_ldap_userBaseContext,
        ads_ldap_groupBaseContext,
        ads_ldap_usernameAttr,
        ads_ldap_groupnameAttr,
        ads_ldap_timeout,
        ads_ldap_userConfig,
        ads_ldap_groupConfig,
        ads_ldap_userbindDN,
        ads_ldap_userbindPass,
        ads_ssl_enabled,
        ads_starttls);

    // Get LDAP Configuration details
    ldap_conf_details = secCFC.getAdminLdapConfiguration();

    // Add user with appropriate roles
    secCFC.setUser(ldap_admin_username,
        ldap_admin_password,
        "",
        ["coldfusion.administrator","coldfusion.adminapi"],
        true,
        true,
        false,
        [],[],[],
        false,
        false,
        true,
        false,
        false);

    // Set External Authentication to LDAP
    secCFC.setExternalAuthentication("ldap");

    // Login using the newly added LDAP user (password first, then user ID)
    adminObj_new = CreateObject("component","CFIDE.adminapi.administrator");
    if (adminObj_new.login(ldap_admin_password, ldap_admin_username) == true) {
        writeOutput("Logged in User #ldap_admin_username#");
    }

    // Delete LDAP Configuration (clean-up at the end of this example)
    secCFC.deleteLdapConfiguration();
</cfscript>

The acs URL added while creating an application in identity providers must be of this format:

<cfadmin_host>:<cfadmin_port>/CFIDE/administrator/saml/acs.cfm
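A mistyped ACS URL at the identity provider is the most common reason the SSO Login round trip never returns to the Administrator, and the IdP posts the SAML response to the literal URL it was given. The following check is an added example, not ColdFusion code: cfadmin_host and cfadmin_port stand for the placeholders above, the https requirement is this example's own recommendation so that the SAML response is never posted over cleartext HTTP, and every URL in it is a constructed sample.

```python
"""Check the ACS URL registered at the identity provider against the endpoint
ColdFusion expects, <cfadmin_host>:<cfadmin_port>/CFIDE/administrator/saml/acs.cfm
(added example; https is this check's recommendation, not a ColdFusion requirement)."""
from urllib.parse import urlsplit

ACS_PATH = "/CFIDE/administrator/saml/acs.cfm"


def expected_acs_url(cfadmin_host, cfadmin_port, scheme="https"):
    """Build the ACS URL in the documented form for the given Administrator host and port."""
    return f"{scheme}://{cfadmin_host}:{cfadmin_port}{ACS_PATH}"


def check_acs_url(registered_url, cfadmin_host, cfadmin_port):
    """Return a list of mismatches between the registered URL and the expected ACS endpoint.

    An empty list means the URL the IdP will POST the SAML response to is the right one.
    """
    problems = []
    parts = urlsplit(registered_url)

    if parts.scheme.lower() != "https":
        problems.append(f"scheme is {parts.scheme or '(missing)'}, expected https")
    if (parts.hostname or "").lower() != cfadmin_host.lower():
        problems.append(f"host is {parts.hostname!r}, expected {cfadmin_host!r}")
    try:
        port = parts.port          # None when the URL carries no explicit port
    except ValueError:             # non-numeric port in the URL
        port = None
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port != int(cfadmin_port):
        problems.append(f"port is {port}, expected {cfadmin_port}")
    # Exact path comparison: do not rely on the web server ignoring case or a stray space.
    if parts.path != ACS_PATH:
        problems.append(f"path is {parts.path!r}, expected {ACS_PATH!r}")
    if parts.query or parts.fragment:
        problems.append("ACS URL must not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    # Constructed sample: an Administrator reachable as cf.example.com on port 8500
    expected = expected_acs_url("cf.example.com", "8500")
    for url in (expected, "http://cf.example.com:8500/CFIDE/administrator/saml/acs.cfm",
                "https://cf.example.com:8500/cfide/administrator/saml/acs.cfm"):
        print(url, "->", check_acs_url(url, "cf.example.com", "8500") or "OK")
```

Paste the URL from the IdP application's settings as registered_url; anything the function reports is a mismatch between what the IdP will POST to and the acs.cfm endpoint ColdFusion serves.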

CFSetup commands to set up SAML and LDAP

To enable SAML or LDAP as the external authentication type, the multiuser authentication type must be enabled and the SAML/LDAP configuration must already be present:

  1. Add the SAML/LDAP configuration with the cfsetup add command for samlconfig/ldapconfig.
  2. In the Security category, among other parameters, set adminAuthType to MULTIUSER and externalAuth to SAML/LDAP.

SAML

Add a configuration

  • add samlconfig idpName=admin_login_idp spName=admin_login_sp groupName=groupName cfusion

Delete a configuration

  • delete samlconfig default cfusion

Display configuration details

  • show samlconfig cfusion

Update a configuration

  • set samlconfig groupName=admin_login_idp idpName=admin_login_idp spName=admin_login_sp cfusion

Retrieve configuration

  • get samlconfig spName cfusion

Export a configuration

  • export samlconfig saml.json cfusion

Import a configuration

  • import samlconfig saml.json cfusion 

LDAP

Add a configuration

  • add ldapconfig host=localhost port=10646 groupBaseContext="ou=Group,dc=example,dc=com" userBaseContext="ou=User,dc=example,dc=com" groupnameAttr=cn usernameAttr=cn timeout=6000 cfusion

Update a configuration

  • set ldapconfig host=localhost port=10389 groupBaseContext="ou=Group,dc=example,dc=com" userBaseContext="ou=User,dc=example,dc=com" usernameAttr=uid timeout=6000 cfusion

Retrieve configuration

  • get ldapconfig host cfusion

Delete a configuration

  • delete ldapconfig default cfusion

Export a configuration

  • export ldapconfig ldap.json cfusion

Import a configuration

  • import ldapconfig ldap.json cfusion 

User operations

Display a user

  • show user user_name

Update a user

  • set user isLdap=false

Add another user

  • add user=user2 isLdap=true isSaml=false isGroup=true

Delete a user

  • delete user user1

Retrieve user details

  • get user user_name isldap

Export user data

  • export user user1details.json

Import user data

  • import user userdetails.json 
