SAML in ColdFusion

Overview

SAML is a standard that facilitates the exchange of security information. Developed by OASIS (Organization for the Advancement of Structured Information Standards), SAML is an XML-based framework. SAML enables different organizations (with different security domains) to securely exchange authentication and authorization information.

What drives SAML

Single Sign-On: Web applications rely on browser cookies to maintain the state of user authentication, so that a user does not need to authenticate again when accessing the system. However, since browser cookies are never transmitted between DNS domains, the information in the cookies from one domain is never available to another domain. Therefore, web applications support Single Sign-On (SSO) to pass authentication across domains.

Federated identity: Federated identity management (FIM) is an agreement that is made between multiple enterprises to let subscribers use the same identification data to obtain access to all enterprise data. Identity federation links a user's identity across multiple security domains, each supporting its own identity management system. When two domains are federated, the user can authenticate to one domain and then access resources in the other domain without being involved in a separate login procedure.

Install SAML package

Adobe ColdFusion (2021 release) is modularized if you use the ZIP installer. By default, the module for SAML is not installed, so the first step is to install the SAML package in ColdFusion. With the GUI installer, this module is pre-installed for convenience.

Before you use the SAML features, make sure the module is installed by running ColdFusion Package Manager.

Navigate to “<instance_home>/bin” and run “cfpm.bat/cfpm.sh”.

Type “install saml” to install the SAML package.

SAML Metadata Exchange

SAML workflows require a prerequisite metadata exchange step between the Service Provider and the Identity Provider. This helps the two parties trust each other by agreeing on a common contract. The exchange makes the entities aware of each other's endpoints, certificates and binding support. Without this step, SSO and SLO workflows do not work.

Configure Service Provider

A SAML service provider is a system entity that receives and accepts authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML). In the SAML domain model, a SAML relying party is any system entity that receives and accepts information from another system entity.

In ColdFusion, all SAML 2.0 metadata are supported.

There are three entities involved in any SSO scenario:

  1. Principal – The principal is usually a user requesting some sort of service from an application.
  2. Service Provider – This could be any application (web/ColdFusion) that provides one or more services to users, who first need to be authenticated to use these services.
  3. Identity Provider – The Identity Provider acts as an instrument of trust. The user is authenticated to the Identity Provider. The Service Provider contacts the Identity Provider to know the authentication and authorization state of the user.

To add a Service Provider (SP), in ColdFusion Administrator, navigate to Security > SP Configuration.

Field - Description

  • Name - Name of the Service Provider configuration to be configured.
  • Description - Description of the SP.
  • Entity Id - A unique identifier for the SP. Each instance of SP must have a different Entity Id.
  • ACS (Assertion Consumer Service) URL - The location where the SAML assertion is sent. This is often referred to as SAML ACS URL for your application.
  • ACS Binding - The SAML response is prepared according to the configuration provided by Identity Provider, encoded to base 64 string and loaded into the request based on this configuration. The HTTP-Redirect binding inserts the base 64 encoded string into the URL, while the HTTP-POST binding inserts the base 64 encoded string as a hidden FORM element. Takes the value “REDIRECT”/“POST”.
  • SLO URL - The location where the logout response needs to be sent.
  • SLO Binding - Defines how the various protocol messages are to be exchanged between the SP and the IDP. Takes the value “REDIRECT”/“POST”.
  • Sign Requests - Enable to sign requests from the SP with the private key.
  • Want Assertions Signed - Indicates whether the SP wants the Assertion response from the IDP to be signed.
  • Logout Response Signed - Enable to sign the logout response to be sent from the SP.
  • Signing KeyStore Path - Path of the KeyStore that you had created with private/public keypair.
  • Signing KeyStore Password - Password of the KeyStore.
  • Signing KeyStore Alias - Alias of entry in the KeyStore.
Request Store

Request store helps match outgoing requests and incoming responses with the Identity Provider to help protect against Replay Attacks.
SAML requests can be tracked using one of the following storage methods.

  • Default option stores requests in a cache called samlcache configurable in <instance_home>/lib/auth-ehcache.xml
  • Redis - Redis can be set as the store if redis is already configured with ColdFusion and session management is enabled at the application level.
  • Cache - Uses the cache specified in the caching properties of the application. Defaults to server wide caching engine if application level caching option is not found.

ColdFusion has been using EHCache for replay-attack protection, but this is difficult to manage in a cluster, because you have to edit the XML on every instance.

The second option is Cache. After installing the caching module, you can specify a server-level cache in ColdFusion Administrator, or specify caching settings in Application.cfc. If the Cache option is selected, those cache settings are used to store

The last option is Redis. If you have configured Redis session storage in ColdFusion Administrator, the request store uses that setting. Because all instances point to one Redis, Redis makes the cluster scenario easy.

The Request Store option can be set on the Administrator page or in Application.cfc by specifying the property “REQUESTSTORE” while adding the SP. It takes the values "Cache" and "Redis".

For example,

this.security.samlsettings.sp = [{
        name: 'sp1',
        entityId: 'admin1',
        acsURL: 'http://localhost:89/App1/response.cfm',
        sloURL: 'http://localhost:89/App1/logout.cfm',
        ACSBINDING: 'post',
        SLOBINDING: 'post',
        SIGNREQUESTS: true,
        WANTASSERTIONSSIGNED: true,
        LOGOUTRESPONSESIGNED: true,
        SIGNKEYSTOREPATH: 'C:/okta.p12',
        SIGNKEYSTOREPASSWORD: 'abcdef',
        SIGNKEYSTOREALIAS: 'selfsigned',
        REQUESTSTORE: 'Redis'
    }];

Add Service Provider

Configure Identity Provider

The SAML Service Provider needs to know the details of the Identity Provider. These can be taken as input from the user or imported from a raw XML file. The IDP metadata describes the format in which the Identity Provider expects messages from the Service Provider. Some IDPs are configurable and flexible enough to support multiple bindings/configurations. Others have only limited implementations, in which case this metadata tells the Service Provider exactly what format to adhere to.

To add an Identity Provider, in ColdFusion Administrator, navigate to Security > IDP Configuration.

Field - Description

  • Name - Specify the name of the Identity Provider to be created.
  • Description - Description of the Identity Provider.
  • Entity Id - A unique identifier for the IDP. Each instance of IDP must have a different entity ID.
  • SSO URL - The URL which points to the SSO service of the IDP.
  • SLO URL - The URL which points to the SSO logout service of the IDP.
  • SSO Binding - Takes the value “REDIRECT”/“POST” as explained below.
  • SLO Binding - Takes the value “REDIRECT”/“POST” as explained below.
  • POST binding - The SAML request is prepared, encoded to base 64 string and loaded into an HTML form as one of the form input fields. You can provide any template path which has a form using the “template” parameter in the functions InitSAMLAuthRequest / InitSAMLLogoutRequest. Refer to cfinstance/wwwroot/WEB-INF/saml/login.cfm for an example.
  • REDIRECT binding - The SAML request is prepared, encoded into a base 64 string and loaded into the URL as a query parameter.
  • Sign Requests - Enable this option if you want the request to be signed.
  • Encrypt Requests - Enable this option if you want the request to be encrypted.
  • Sign Certificate and Encrypt Certificate - Create your own certificate using, for example, keytool, and upload it to CF Administrator.

IDP settings

Import Identity Provider configuration

You can import the SAML metadata in one of the four ways:

  • Import from SAML URL
  • Import from an existing SAML definition
  • Import from XML file in local system
  • Create your own SAML definition

SSO requests

Now that you've configured both the IdP and SP, you can initiate the SSO workflows. Call the InitSAMLAuthRequest function.

<cfset config = {
    idp = {name = "testidp"},
    sp = {name = "testsp"},
    relayState = "cart"
}>
<cfset InitSAMLAuthRequest(config)>

Once you authenticate, the IdP responds with a set of assertions which include your identity as well as roles/grants that may have been configured for the given user. These can be extracted using the ProcessSAMLResponse function below:

<cfset response = ProcessSAMLResponse("testidp", "testsp")>
<cfdump var = "#response#">

SLO requests

Single Logout requests are similar to SSO requests. Call the InitSAMLLogoutRequest function with the details received during login, such as sessionindex, nameId and nameIdFormat.

These depend on the IdP, which sometimes also requires the nameIdQualifier and spNameIdQualifier fields.

<cfset config = {
    idp = {name = "testidp"},
    sp = {name = "testsp"},
    sessionindex = "#response.SESSIONINDEX#",
    nameId = "#response.NAMEID#",
    nameIdFormat = "#response.NAMEIDFORMAT#"
}>
<cfset InitSAMLLogoutRequest(config)>

You will be redirected to the IdP, which will try to process your Logout Request. The response returned from the IdP contains a Boolean value which tells us whether the logout at the IdP was successful or not. This can be extracted using the same ProcessSAMLResponse function.

<cfset response = ProcessSAMLResponse("testidp", "testsp")>
<cfdump var = "#response#">
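
The following ACS template is an added example, not part of Adobe's documentation. It consumes the fields ProcessSAMLResponse returns, keeps the values a later InitSAMLLogoutRequest call needs, and resolves relayState through an allow-list rather than redirecting to whatever value comes back. The /App1 paths, the relayTargets map, the "saml" log file name and the assumption that a rejected response may raise an exception are illustrative, not taken from the page.

```cfml
<cfscript>
// response.cfm: added example of the ACS endpoint registered as acsURL
// for the SP "testsp". Assumes session management is enabled.

// Hypothetical allow-list: the relayState tokens this application passes
// to InitSAMLAuthRequest, mapped to the local page each one stands for.
relayTargets = {
    "cart": "/App1/cart.cfm",
    "home": "/App1/index.cfm"
};
defaultTarget = "/App1/index.cfm";

// Assumption: a response that fails validation may raise an exception
// instead of returning AUTHENTICATED = false, so both paths are handled.
try {
    samlResponse = ProcessSAMLResponse("testidp", "testsp");
} catch (any e) {
    writeLog(file = "saml", type = "error",
             text = "SAML response rejected: " & e.message);
    samlResponse = {};
}

authenticated = structKeyExists(samlResponse, "AUTHENTICATED")
    && isBoolean(samlResponse.AUTHENTICATED)
    && samlResponse.AUTHENTICATED;

if (!authenticated) {
    // Fail closed: no session data is written for an unauthenticated user.
    cfheader(statuscode = 403, statustext = "Forbidden");
    writeOutput("Sign-in failed.");
    abort;
}

// Issue a new session identifier now that the user is authenticated,
// so an identifier planted before login cannot be reused afterwards.
sessionRotate();

// Keep the values that InitSAMLLogoutRequest expects at logout time.
session.saml = {
    nameId: samlResponse.NAMEID,
    nameIdFormat: samlResponse.NAMEIDFORMAT,
    sessionIndex: structKeyExists(samlResponse, "SESSIONINDEX")
        ? samlResponse.SESSIONINDEX : ""
};

// relayState travels through the browser and the IdP, so treat it as
// untrusted input: accept only tokens present in the allow-list.
target = defaultTarget;
if (structKeyExists(samlResponse, "RELAYSTATE")
        && isSimpleValue(samlResponse.RELAYSTATE)
        && len(samlResponse.RELAYSTATE)) {
    if (structKeyExists(relayTargets, samlResponse.RELAYSTATE)) {
        target = relayTargets[samlResponse.RELAYSTATE];
    } else {
        writeLog(file = "saml", type = "warning",
                 text = "Unknown relayState ignored for " & session.saml.nameId);
    }
}

location(url = target, addToken = false);
</cfscript>
```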

Application.cfc

You can also configure the SP and IdP settings via Application.cfc. For example,

component {
    this.name = 'sampleApp';
    this.security.samlsettings.idp = [
        {
            name: 'idpt',
            entityID: 'http://www.linktoentityid.com',
            ssoURL: 'https://entityid.com/sso/saml',
            sloURL: 'https://entityid.com/slo/saml',
            ssoBinding: 'POST',
            sloBinding: 'REDIRECT',
            signMessage: true,
            signrequests: true,
            encryptrequests: false,
            signcertificate: 'ABCDEF...'
        }
    ];
    this.security.samlsettings.sp = [
        {
            name: 'spt',
            entityId: 'admin',
            acsURL: 'http://localhost:8500/response.cfm',
            sloURL: 'http://localhost:8500/logout.cfm',
            acsbinding: 'POST',
            slobinding: 'REDIRECT',
            signrequests: true,
            wantassertionssigned: true,
            logoutresponsesigned: true,
            signkeystorepath: 'C:\ColdFusion\cfusion\lib\okta.p12',
            signkeystorepassword: 'abcdef',
            signkeystorealias: 'selfsigned',
            requeststore: 'redis'
        }
    ];
}

SAML ColdFusion APIs

InitSAMLAuthRequest

Initiates the login process with IDP.

Syntax

InitSAMLAuthRequest(options)

Parameters

idp

Name of the Identity Provider.

sp

Name of the Service Provider.

relayState

A string token that is attached to the request. On successful authentication with the IdP, this token is sent back in the SAMLResponse so that the user can be redirected to any page once authentication is done.

template

The location of a template that can be used as an intermediate loading page before redirection to the IDP takes place. Valid only for POST bindings.

lifetime

The time for which the SAML request remains valid while waiting for the response from the IDP.

Example

<cfset struct1 = StructNew()> 
<cfset struct1.relaystate = "page"> 
<cfset struct1.idp = StructNew()> 
<cfset struct1.idp.name = "idp1"> 
<!--- Specify the name of the idp added through ColdFusion admin page or Application.cfc ---> 
<cfset struct1.sp = StructNew()> 
<!--- Give the name of the sp added through ColdFusion admin page or Application.cfc ---> 
<cfset struct1.sp.name = "sp1"> 
<cfdump var="#struct1#"> 
<cfscript> 
 InitSAMLAuthRequest(struct1); 
</cfscript>

GetSAMLAuthRequest

Returns a representation of what the XML Authorization request looks like.

Syntax

GetSAMLAuthRequest(options)

Parameters

idp

Name of the Identity Provider.

sp

Name of the Service provider.

Example

<cfset struct1 = StructNew()> 
<cfset struct1.idp = StructNew()> 
<cfset struct1.idp.name = "idp1"> 
<cfset struct1.sp = StructNew()> 
<cfset struct1.sp.name = "sp1"> 
<cfset authreq=XmlParse("#GetSAMLAuthRequest(struct1)#")> 
<cfdump var="#authreq#">

ProcessSAMLResponse

Verify the integrity of the SAML response from the server.

Syntax

ProcessSAMLResponse(idp, sp)

Parameters

idp

Name of the Identity Provider.

sp

Name of the Service provider.

Example

The response struct returned by ProcessSAMLResponse contains the following important fields:

SSO response

  • AUTHENTICATED - A boolean value that tells us if the user was successfully authenticated at the IdP
  • NAMEID - The username (or) email used for authentication
  • NAMEIDFORMAT - Describes the format of the NAMEID field for further processing
  • ATTRIBUTES - A list of attributes configured with the user at the IdP. May include First Name, Last Name, Permissible roles, etc
  • RELAYSTATE - A string token that is attached to the request. On successful authentication with the IdP, this token is sent back in the SAMLResponse so that the user can be redirected to any page once authentication is done.

Example

<cfset RespStruct = ProcessSAMLResponse("idp1", "sp1")> 
<!--- Debug output only; remove the dump outside development ---> 
<cfdump var="#RespStruct#"> 
<cfif RespStruct.AUTHENTICATED> 
    <cflogin> 
        <cfloginuser name="#RespStruct.NAMEID#" password="" roles="#ArrayToList(RespStruct.ATTRIBUTES)#"> 
    </cflogin> 
</cfif>
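
One way to consume the response struct so that only known roles and known redirect targets are accepted, shown as an added example rather than Adobe's own code. It assumes ATTRIBUTES is an array of simple strings (as the ArrayToList call above implies); resolveRelayState(), filterRoles(), allowedTargets, knownRoles and the page paths are hypothetical names.

```cfml
<cfscript>
// Added example, not Adobe's code. "idp1"/"sp1" are the aliases used on this page;
// every other name and path below is hypothetical.

// Map opaque RelayState tokens to local pages; anything else gets the default page.
function resolveRelayState(required string relayState, required struct allowedTargets, required string defaultTarget) {
    var token = trim(arguments.relayState);
    if (len(token) && structKeyExists(arguments.allowedTargets, token)) {
        return arguments.allowedTargets[token];
    }
    return arguments.defaultTarget;
}

// Keep only simple-valued attributes that match a role this application defines.
function filterRoles(required array attributes, required string knownRoles) {
    var roles = [];
    for (var attr in arguments.attributes) {
        if (isSimpleValue(attr) && listFindNoCase(arguments.knownRoles, trim(attr))
            && !arrayFindNoCase(roles, trim(attr))) {
            arrayAppend(roles, lCase(trim(attr)));
        }
    }
    return arrayToList(roles);
}

allowedTargets = { "page" = "/app/page.cfm", "reports" = "/app/reports.cfm" };
knownRoles = "user,editor,admin";

resp = ProcessSAMLResponse("idp1", "sp1");
if (structKeyExists(resp, "AUTHENTICATED") && resp.AUTHENTICATED) {
    // Assumption: ATTRIBUTES is an array of strings, some of which are role names.
    roles = filterRoles(resp.ATTRIBUTES, knownRoles);
    cflogin() {
        cfloginuser(name = resp.NAMEID, password = "", roles = roles);
    }
    relay = structKeyExists(resp, "RELAYSTATE") ? resp.RELAYSTATE : "";
    // RelayState round-trips through the browser, so it is never used as a URL directly.
    location(resolveRelayState(relay, allowedTargets, "/app/index.cfm"), false);
} else {
    writeLog(file = "saml", type = "warning", text = "SAML response not authenticated for sp1");
    location("/app/login-failed.cfm", false);
}
</cfscript>
```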

SLO response

  • SUCCESSFULLOGOUT - A boolean value that indicates whether the user's global session at the IdP was successfully destroyed

InitSAMLLogoutRequest

Initiates the logout process with IDP.

Syntax

InitSAMLLogoutRequest(options)

Parameters

idp

Name of the Identity Provider.

sp

Name of the Service Provider.

relayState

A string token that is attached with the request. On successful authentication with the IdP, this token is sent back in the SAMLResponse so that the user can be redirected to any page once authentication is done.

template

The location of a template that can be used as an intermediate loading page before redirection to the IDP takes place. Valid only for POST bindings.

lifetime

The length of time for which the SAML request is honored while waiting for the response from the IDP.

Example

<cfset struct1 = StructNew()> 
<cfset struct1.idp = StructNew()> 
<cfset struct1.idp.name = "idp1"> 
<cfset struct1.sp = StructNew()> 
<cfset struct1.sp.name = "sp1"> 
<cfset struct1.lifetime = 600> 
<cfset struct1.relaystate = "page"> 
<cfscript>      
 InitSAMLLogoutRequest(struct1); 
</cfscript>

GetSAMLLogoutRequest

Returns a representation of what the XML logout request looks like.

Syntax

GetSAMLLogoutRequest(options)

Parameters

idp

Name of the Identity Provider.

sp

Name of the Service provider.

Example

<cfset struct1 = StructNew()> 
<cfset struct1.idp = StructNew()> 
<cfset struct1.idp.name = "idp1"> 
<cfset struct1.sp = StructNew()> 
<cfset struct1.sp.name = "sp1"> 
<cfset authreq=XmlParse("#GetSAMLLogoutRequest(struct1)#")> 
<cfdump var="#authreq#">

isSamlLogoutResponse

Returns TRUE if it is a SAML logout response.

Syntax

isSamlLogoutResponse()

Example

<cfif isSAMLLogoutResponse()> 
    <!--- dumping logout response ---> 
    <cfset struct2 = ProcessSAMLResponse()> 
    <cfdump var="#struct2#"> 
</cfif>

isSamlLogoutRequest

Returns TRUE if it is a SAML logout request.

Syntax

isSamlLogoutRequest()

Example

<cfif isSamlLogoutRequest()> 
    <!--- dumping logout request ---> 
    <cfset struct3 = ProcessSAMLLogoutRequest("logout2", "sp2")> 
    <cfdump var="Logging out in App2" output="console"> 
    <cfdump var="#struct3#" output="console"> 
    <cfset SendSAMLLogoutResponse(struct3.SESSIONINDEX)> 
</cfif>

SendSAMLLogoutResponse

This function sends the response back to the IDP. 

Syntax

SendSAMLLogoutResponse(sessionIndex, idp, sp)

Parameters

sessionIndex

Uniquely identifies the session being closed.

idp

Name of the Identity Provider.

sp

Name of the Service provider.

Example

<cfif isSamlLogoutRequest()> 
    <!--- dumping logout request ---> 
    <cfset LogReq = "#ProcessSAMLLogoutRequest("idp1", "sp1")#"> 
    <cfdump var="#LogReq#"> 
    <cfset SendSAMLLogoutResponse(#LogReq.SESSIONINDEX#,"idp1", "sp1")> 
</cfif>

ProcessSAMLLogoutRequest

Once the request is received, this function returns a struct with the following values: NAMEID, NAMEIDFORMAT, NAMEIDQUALIFIER, NAMEIDSPQUALIFIER, and SESSIONINDEX.

Syntax

ProcessSAMLLogoutRequest(idp, sp)

Parameters

idp

Name of the Identity Provider.

sp

Name of the Service provider.

Example

<cfif isSamlLogoutRequest()> 
    <!--- dumping logout request ---> 
    <cfset LogReq = "#ProcessSAMLLogoutRequest("idp1", "sp1")#"> 
    <cfdump var="#LogReq#"> 
    <cfset SendSAMLLogoutResponse(#LogReq.SESSIONINDEX#,"idp1", "sp1")> 
</cfif>

GenerateSAMLSPMetadata

This function creates the metadata for SAML Service Provider.

Syntax

GenerateSAMLSPMetadata()

Example

<cfset struct1 = StructNew()> 
<cfset struct1.entityid = "generated_sp_id"> 
<cfset struct1.acsurl = "http://localhost:8500/acsurl.cfm"> 
<cfset struct1.slourl = "http://localhost:8500/slourl.cfm"> 
<cfscript> 
    sp = GenerateSAMLSPMetadata(struct1); 
</cfscript> 
<cfdump var="#sp#">

SAML Admin APIs

AddIdpMetadata

Adds an Identity Provider configuration.

Parameters

  • alias: string, required, alias - Alias for the Identity Provider
  • url: string, optional, url - URL to import the metadata from 
  • file: string, optional, file - File to import the metadata from 
  • rawxml: string, optional, rawxml - Raw xml to import the metadata from 
  • description: string, optional, description 
  • entityid: string, optional, entityid - Unique Entity ID of the Identity Provider 
  • ssourl: string, optional, ssourl - Single Sign On URL of the Identity Provider 
  • ssobinding: string, optional, ssobinding - Binding to be used for Single Sign On service (“REDIRECT” or “POST”) 
  • slourl: string, optional, slourl - Single Logout Service URL of the Identity Provider 
  • slobinding: string, optional, slobinding - Binding to be used for Single Logout service (“REDIRECT” or “POST”)
  • logoutresponseurl: string, optional, logoutresponseurl - URL to redirect to after a logout request is received from the Identity Provider 
  • signrequests: boolean, optional, signrequests - Flag that indicates whether responses are signed by the Identity Provider (Default false)
  • encryptrequests: boolean, optional, encryptrequests - Flag that indicates whether responses are encrypted by the Identity Provider (default false)
  • signcertificate: string, optional, signcertificate - X509 certificate used for signing 
  • encryptcertificate: string, optional, encryptcertificate - X509 certificate used for encryption 

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin"); 

    // Instantiate the security object.  
    myObj = createObject("component","CFIDE.adminapi.security")  

    // Add metadata from URL  
    idpAlias = "url"  
    idpMetadataUrl = "https://metadata-url/" 

    try{  
        myObj.addIdpMetadata(alias = idpAlias, url = idpMetadataUrl)  
        writeOutput("IDP Metadata added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  

    // Add metadata from file 
    idpAlias = "file" 
    idpMetadataFile = "/opt/metadata.xml" 

    try{  
        myObj.addIdpMetadata(alias = idpAlias, file = idpMetadataFile)  
        writeOutput("IDP Metadata added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  

    // Add raw metadata xml 
    idpAlias = "raw" 
    idpMetadataRaw = "<md:EntityDescriptor ......" 

    try{  
        myObj.addIdpMetadata(alias = idpAlias, rawxml = idpMetadataRaw)  
        writeOutput("IDP Metadata added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  

    // Add metadata manually 
    idpAlias = "manual" 
    idpSsoUrl = "http://idp.com/sso" 
    idpEntityId = "entity1" 

    try{  
        myObj.addIdpMetadata(alias = idpAlias, ssourl = idpSsoUrl, entityid = idpEntityId)  
        writeOutput("IDP Metadata added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>  

AddSpMetadata

Adds a Service Provider configuration. 

Parameters

  • alias: string, required, alias - Alias for the Service Provider 
  • description: string, optional, description 
  • entityid: string, required, entityid - Unique Entity ID of the Service Provider 
  • acsurl: string, required, acsurl - Assertion Consumer Service URL of the Service Provider 
  • acsbinding: string, optional, acsbinding - Binding to be used for Single Sign On service (“REDIRECT” or “POST”)
  • slourl: string, optional, slourl - Single Logout Service URL of the Service Provider 
  • slobinding: string, optional, slobinding - Binding to be used for Single Logout service (“REDIRECT” or “POST”)
  • signrequests: boolean, optional, signrequests - Flag that indicates whether responses are signed by the Service Provider 
  • wantassertionssigned: boolean, optional, wantassertionssigned - Flag that indicates whether Identity Provider should sign assertions 
  • logoutresponsesigned: boolean, optional, logoutresponsesigned - Flag that indicates whether Identity Provider should sign logout requests 
  • signkeystorepath: string, optional, signkeystorepath - Path to the keystore file to be used for signing 
  • signkeystorepassword: string, optional, signkeystorepassword - Password of the keystore file to be used for signing 
  • signkeystorealias: string, optional, signkeystorealias - Alias of the entry in the keystore 
  • signmetadata: boolean, optional, signmetadata - Indicates whether to sign the metadata while exporting 

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");   
  
    // Instantiate the security object.  
  
    myObj = createObject("component","CFIDE.adminapi.security")   
  
    // setting up parameter values  
    spAlias="spAlias"  
    spDescription="sp description"   
    spEntityid="abc"   
    spAcsbinding="POST"   
    spAcsurl="http://localhost:8500/acsurl.cfm"  
  
    try{  
        myObj.addSpMetadata(alias = spAlias,  
                           description = spDescription,  
                           entityid = spEntityid,  
                           acsbinding = spAcsbinding,  
                           acsurl = spAcsurl)  
        writeOutput("SP added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>  
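
The example above registers an SP over plain HTTP with none of the signing parameters set. The following added example (not Adobe's code) checks a configuration struct before registering it, using only parameters from the table above; checkSpConfig(), the environment variable names, the host name and the keystore path are hypothetical.

```cfml
<cfscript>
// Added example, not Adobe's code. Host names, paths and env var names are placeholders.

// Return a list of problems; an empty array means the config passes the checks.
function checkSpConfig(required struct cfg) {
    var problems = [];
    var urlKeys = ["acsurl", "slourl"];
    var flags = ["signrequests", "wantassertionssigned", "logoutresponsesigned"];
    for (var key in urlKeys) {
        if (structKeyExists(cfg, key) && left(lCase(cfg[key]), 8) != "https://") {
            arrayAppend(problems, key & " is not HTTPS");
        }
    }
    for (var flag in flags) {
        if (!structKeyExists(cfg, flag) || !cfg[flag]) {
            arrayAppend(problems, flag & " is not enabled");
        }
    }
    if (!structKeyExists(cfg, "signkeystorepath") || !fileExists(cfg.signkeystorepath)) {
        arrayAppend(problems, "signing keystore not found");
    }
    return problems;
}

// Secrets come from the environment instead of being hard-coded in the template.
env = server.system.environment;
spConfig = {
    alias = "sp1",
    entityid = "https://app.example.com/saml/sp",
    acsurl = "https://app.example.com/acsurl.cfm",
    acsbinding = "POST",
    slourl = "https://app.example.com/slourl.cfm",
    signrequests = true,
    wantassertionssigned = true,
    logoutresponsesigned = true,
    signkeystorepath = "/opt/coldfusion/keys/sp-signing.jks",
    signkeystorepassword = env.SP_KEYSTORE_PASSWORD,
    signkeystorealias = "sp-signing"
};

problems = checkSpConfig(spConfig);
if (arrayLen(problems)) {
    writeOutput("SP not registered: " & encodeForHTML(arrayToList(problems, "; ")));
} else {
    createObject("component", "cfide.adminapi.administrator").login(env.CF_ADMIN_PASSWORD);
    security = createObject("component", "CFIDE.adminapi.security");
    security.addSpMetadata(argumentCollection = spConfig);
    writeOutput("SP added with signing enabled");
}
</cfscript>
```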

DeleteIdpMetadata

Deletes an Identity Provider configuration.

Parameters

  • alias: string, required, alias - Alias for the Identity Provider

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin"); 
  
  
    // Instantiate the security object.  
  
  
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="myalias"  
    try{  
        myObj.deleteIdpMetadata(alias)  
        writeOutput("IDP deleted successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>  

DeleteSpMetadata

Deletes a Service Provider configuration.

Parameters

  • alias: string, required, alias - Alias for the Service Provider

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin"); 
  
    // Instantiate the security object.  
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="spAlias"  
    try{  
        myObj.deleteSpMetadata(alias)  
        writeOutput("SP deleted successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>  

ExportSpMetadata

Exports the selected service provider configuration.

Parameters

  • alias: string, required, alias - Alias for the Service Provider

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin"); 
   
    // Instantiate the security object.  
   
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="spAlias"  
    try{  
        myObj.ExportSpMetadata(alias)  
        writeOutput("SP exported successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript> 

Note: The exported SP Metadata gets stored by default in cfinstance/lib/saml folder.

GetIdpMetadata

Returns the Identity Provider configuration for a given alias in a struct.

Parameters 

  • alias: string, required, alias - Alias for the Identity Provider 

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");   
 
    // Instantiate the security object.  
 
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="myalias"  
    idpMetadataDetails=myObj.getIdpMetadata(alias)  
    writeDump(idpMetadataDetails)  
</cfscript>  

GetSpMetadata

Returns the service provider configuration for a given alias in a struct.

Parameters

  • alias: string, required, alias - Alias for the Service Provider 

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");   
 
    // Instantiate the security object.  
 
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="spAlias"  
    spMetadataDetails=myObj.getSpMetadata(alias)  
    writeDump(spMetadataDetails)  
</cfscript>

ModifyIdpMetadata

Modifies an already existing Identity Provider configuration. 

Parameters

  • oldalias: string, required, oldalias - Alias for the existing Identity Provider configuration 
  • newalias: string, required, newalias - New alias for the Identity Provider configuration 
  • url: string, optional, url - URL to import the metadata from 
  • file: string, optional, file - File to import the metadata from 
  • rawxml: string, optional, rawxml - Raw xml to import the metadata from 
  • description: string, optional, description 
  • entityid: string, optional, entityid - Unique Entity ID of the Identity Provider 
  • ssourl: string, optional, ssourl - Single Sign On URL of the Identity Provider 
  • ssobinding: string, optional, ssobinding - Binding to be used for Single Sign On service (“REDIRECT” or “POST”)  
  • slourl: string, optional, slourl - Single Logout Service URL of the Identity Provider 
  • slobinding: string, optional, slobinding - Binding to be used for Single Logout service (“REDIRECT” or “POST”) 
  • logoutresponseurl: string, optional, logoutresponseurl - URL to redirect to after a logout request is received from the Identity Provider 
  • signrequests: boolean, optional, signrequests - Flag that indicates whether responses are signed by the Identity Provider 
  • encryptrequests: boolean, optional, encryptrequests - Flag that indicates whether responses are encrypted by the Identity Provider 
  • signcertificate: string, optional, signcertificate - X509 certificate used for signing 
  • encryptcertificate: string, optional, encryptcertificate - X509 certificate used for encryption

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");  
   
    // Instantiate the security object.  
   
    myObj = createObject("component","CFIDE.adminapi.security")  
    oldalias="myalias"  
    newalias="newalias"  
    // Named idpUrl rather than url so it does not collide with the built-in URL scope  
    idpUrl="http://idp-url"  
    try{  
        myObj.modifyIdpMetadata(oldalias = oldalias, 
                                newalias = newalias, 
                                url = idpUrl)  
        writeOutput("IDP modified successfully")  
    }  
    catch(any e){  
        writeDump(e)  
    }  
</cfscript> 

ModifySpMetadata

Modifies a Service Provider configuration. 

Parameters

  • oldalias: string, required, oldalias - Old alias for the Service Provider 
  • newalias: string, required, newalias - New alias for the Service Provider 
  • description: string, optional, description 
  • entityid: string, required, entityid - Unique Entity ID of the Service Provider 
  • acsurl: string, required, acsurl - Assertion Consumer Service URL of the Service Provider 
  • acsbinding: string, optional, acsbinding - Binding to be used for Single Sign On service (“REDIRECT” or “POST”) 
  • slourl: string, optional, slourl - Single Logout Service URL of the Service Provider 
  • slobinding: string, optional, slobinding - Binding to be used for Single Logout service (“REDIRECT” or “POST”)  
  • signrequests: boolean, optional, signrequests - Flag that indicates whether responses are signed by the Service Provider 
  • wantassertionssigned: boolean, optional, wantassertionssigned - Flag that indicates whether Identity Provider should sign assertions 
  • logoutresponsesigned: boolean, optional, logoutresponsesigned - Flag that indicates whether Identity Provider should sign logout requests 
  • signkeystorepath: string, optional, signkeystorepath - Path to the keystore file to be used for signing 
  • signkeystorepassword: string, optional, signkeystorepassword - Password of the keystore file to be used for signing 
  • signkeystorealias: string, optional, signkeystorealias - Alias of the entry in the keystore 
  • signmetadata: boolean, optional, signmetadata - Indicates whether to sign the metadata while exporting 

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");   
 
    // Instantiate the security object.  
 
    myObj = createObject("component","CFIDE.adminapi.security")  
    oldalias="spAlias"  
    newalias="newalias"  
    acsurl="http://sp.com" 
    entityid="http://entity-id-url/"  
    acsbinding="REDIRECT"  
    try{  
        myObj.modifySpMetadata(oldalias = oldalias, 
                               newalias = newalias, 
                               entityid = entityid, 
                               acsurl = acsurl, 
                               acsbinding = acsbinding) 
        writeOutput("SP modified successfully")  
    }  
    catch(any e){  
        writeDump(e)  
    }  
</cfscript>