SAML with Azure documentation for the dotCMS Content Management System

Below is an example of how to configure dotCMS to authenticate and authorize dotCMS users with Azure using SAML (this may also be valid for ADFS). It requires a number of custom attributes to be set in order to successfully connect, authenticate and also sync roles from Azure to dotCMS.

Example Custom Attributes Required for dotCMS and Azure SAML

Below is a list of custom attributes from a working Azure installation. The values containing "ClientDomain" should obviously be replaced with the correct values for the Azure endpoint and the dotCMS server location. If you are cutting and pasting, please make sure not to include leading or trailing spaces in the values.

Key                          Value
attribute.email.name         http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
attribute.firstname.name     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
attribute.lastname.name      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
authn.comparisontype         exact
authn.protocol.binding       Http-POST-Raw
nameidpolicy.format          urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
role.extra                   DOTCMS_BACK_END_USER
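As an added example (not dotCMS code), the check below takes the custom attributes from the table above and verifies that an incoming Azure assertion actually carries the mapped claims and the configured NameID format, then computes the role set including role.extra. The assertion is constructed, and the Azure role claim URI is an assumption, since the page does not name the claim it syncs roles from.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The custom attributes from the table above, keyed as dotCMS stores them.
DOTCMS_CONFIG = {
    "attribute.email.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "attribute.firstname.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "attribute.lastname.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "nameidpolicy.format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "role.extra": "DOTCMS_BACK_END_USER",
}
# Assumption: the page does not name the roles claim; this is the common Azure/ADFS one.
AZURE_ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

def parse_assertion(xml_text):
    """Return (NameID Format, {attribute Name: [values]}) from one saml:Assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return fmt, attrs

def check_assertion(xml_text, config=DOTCMS_CONFIG):
    """Map the assertion onto dotCMS user fields and report every config/claim mismatch."""
    fmt, attrs = parse_assertion(xml_text)
    user, problems = {}, []
    for key in ("attribute.email.name", "attribute.firstname.name", "attribute.lastname.name"):
        values = attrs.get(config[key])
        if not values or not values[0].strip():
            problems.append(f"{key}: Azure sent no value for claim {config[key]}")
        else:
            user[key.split(".")[1]] = values[0]
    if fmt != config["nameidpolicy.format"]:
        problems.append(f"NameID Format {fmt!r} does not match nameidpolicy.format")
    # Roles are whatever the IdP sent plus the always-granted role.extra.
    user["roles"] = sorted(set(attrs.get(AZURE_ROLE_CLAIM, [])) | {config["role.extra"]})
    return user, problems

# Constructed assertion (not from a real tenant); the surname claim is deliberately missing.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running check_assertion on a real assertion captured from the Azure test tenant before go-live shows exactly which claim mappings or the NameID format still disagree with the dotCMS attributes.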

Azure

Example IDP Metadata file

A redacted example metadata file for Azure:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="azure.dotcms.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:assertion urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://azure.dotcms.com:8443/api/v1/dotsaml/logout/60e9768b-1c58-4251-b38f-2a755bee5254"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://azure.dotcms.com:8443/api/v1/dotsaml/login/60e9768b-1c58-4251-b38f-2a755bee5254" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>