AD FS, Active Directory, and SharePoint servers and clients are set up as described in the AD FS guide from Microsoft. See “Step-by-Step Guide for Active Directory Federation Services”.
Access Manager is set up with a site configuration that is using SSL in Identity Server's base URL. See Section 20.0, Enabling SSL Communication.
The ADFS server rejects the contract URI names of the default Access Manager contracts, which have a URI format of secure/name/password/uri. The ADFS server expects the URI to look like a URL.
Use the following format for the URI of all contracts that you want to use with the ADFS server:

`<baseurl>/name/password/uri`

If the DNS name of your Identity Server is idp-50.amlab.net, the URI looks similar to the following:

`https://idp-50.amlab.net:8443/nidp/name/password/uri`
This URL does not resolve to anything because Identity Server interprets it as a contract URI and not a URL.
To create a new authentication contract:
1. Click Devices > Identity Servers > Edit > Local > Contracts > New.
2. Specify the following details:

   | Field | Description |
   | --- | --- |
   | Display name | Specify a name. For example, WS-Fed Contract. |
   | URI | Specify a URI. For example, https://idp-50.amlab.net:8443/nidp/name/password/uri. |
   | Satisfiable by External Provider | Select this option. The ADFS server needs to satisfy this contract. |

3. Move Name/Password – Form to Methods.
4. Click Next and specify the following details:

   | Field | Description |
   | --- | --- |
   | ID | Leave this field blank. Supply a value if you want a reference to use it externally. |
   | Text | Specify a description that is available to the user when the user hovers over the card. |
   | Image | Select an image, such as Form Auth Username Password. This is the default image for the Name/Password - Form contract. |
   | Show Card | Select this option so that the card can be presented to the user as a login option. |

5. Click Finish.
Continue with Setting the WS-Fed Contract as the Default Contract.
It is not possible to specify, from the ADFS service provider, which contract to request from Identity Server. You must set the WS-Fed contract as the default, or users must remember to click that contract every time.

1. Click Devices > Identity Servers > Servers > Edit > Local > Defaults.
2. In Authentication Contract, select the WS-Fed Contract.
3. Click Apply.
Continue with Enabling the WS Federation Protocol.
By default, only SAML 1.1, Liberty, and SAML 2.0 are enabled. To use the WS Federation protocol, you must enable it on Identity Server.
1. Click Devices > Identity Servers > Servers > Edit > General.
2. In the Enabled Protocols section, select WS Federation.
3. Click OK.
4. Update Identity Server.
Continue with Creating an Attribute Set for WS Federation.
The WS Federation namespace is http://schemas.xmlsoap.org/claims. With WS Federation, you need to decide which attributes you want to share during authentication. This scenario uses the LDAP mail attribute and the All Roles attribute.
1. Click Devices > Identity Server > Shared Settings > Attribute Sets > New.
2. Specify the following details:
   - Set Name: Specify a name that identifies the purpose of the set. For example, wsfed_attributes.
   - Select set to use as template: Select None.
3. Click Next.
4. To add a mapping for the mail attribute, perform the following steps:
   1. Click New.
   2. Specify the following details:

      | Field | Description |
      | --- | --- |
      | Local attribute | Select LDAP Attribute:mail [LDAP Attribute Profile]. |
      | Remote attribute | Specify emailAddress. This is the attribute that this scenario uses for user identification. |
      | Remote namespace | Select the option, and then specify the following namespace: http://schemas.xmlsoap.org/claims |

   3. Click OK.
5. To add a mapping for the All Roles attribute, perform the following steps:
   1. Click New.
   2. Specify the following details:

      | Field | Description |
      | --- | --- |
      | Local attribute | Select All Roles. |
      | Remote attribute | Specify group. This is the name of the attribute that is used to share roles. |
      | Remote namespace | Select the option, and then specify the following namespace: http://schemas.xmlsoap.org/claims |

   3. Click OK.
6. Click Finish.
Continue with Enabling the Attribute Set.
The WS Federation protocol uses STS. Therefore, you must enable the attribute set for STS to use it in a WS Federation relationship.

1. Click Devices > Identity Servers > Servers > Edit > WS Federation > STS Attribute Sets.
2. Move the WS Federation attribute set to the Attribute sets list.
3. Select the WS Federation attribute set and use the up-arrow to make it first in Attribute set.
4. Click OK.
5. Update Identity Server.
To establish a trusted relationship with the ADFS server, you need to set up the Trey Research site as a service provider. The trusted relationship allows the service provider to trust Identity Server for user authentication credentials.
Trey Research is the default name for the ADFS resource server. If you have used another name, substitute it when following these instructions. To create a service provider, you must know the following details about the ADFS resource server:
Table 5-14 ADFS Resource Server Information

| Option | Default Value | Description |
| --- | --- | --- |
| Provider ID | urn:federation:treyresearch | This is the value that the ADFS server provides to Identity Server in the realm parameter of the query string. This value is specified in the Properties of the Trust Policy page on the ADFS server. The parameter label is Federation Service URI. |
| Sign-on URL | https://adfsresource.treyresearch.net/adfs/ls/ | The identity provider redirects the user to this URL after login. Although it is listed as optional, and is optional between two Access Manager Identity Servers, the ADFS server does not send this value to the identity provider, so it is required when setting up a trusted relationship between an ADFS server and an Access Manager Identity Server. This URL is listed in the Properties of the Trust Policy page on the ADFS server. The parameter label is Federation Services endpoint URL. |
| Logout URL | https://adfsresource.treyresearch.net/adfs/ls/ | This parameter is optional. If it is specified, the user is logged out of the ADFS server and Identity Server. |
| Signing Certificate | NA | The ADFS server uses this certificate for signing. You need to export it from the ADFS server. It can be retrieved from the properties of the Trust Policy on the ADFS server on the Verification Certificates tab. This certificate is a self-signed certificate that you generated when following the Active Directory step-by-step guide. |
To create a service provider configuration, perform the following steps:
1. Click Devices > Identity Servers > Servers > Edit > WS Federation.
2. Click New > Service Provider, then specify the following details:

   | Field | Description |
   | --- | --- |
   | Name | Specify a name that identifies the service provider, such as TreyResearch. |
   | Provider ID | Specify the provider ID of the ADFS server. The default value is urn:federation:treyresearch. |
   | Sign-on URL | Specify the URL that the user is redirected to after login. The default value is https://adfsresource.treyresearch.net/adfs/ls/. |
   | Logout URL | (Optional) Specify the URL that the user can use for logging out. The default value is https://adfsresource.treyresearch.net/adfs/ls/. |
   | Service Provider | Specify the path to the signing certificate of the ADFS server. |

3. Click Next, confirm the certificate, and then click Finish.
Continue with Configuring the Name Identifier Format.
The Unspecified Name Identifier format is the default for a newly created WS Federation service provider, but this name identifier format does not work with the ADFS federation server. Additionally, some Group Claims (Adatum ClaimApp Claim and Adatum TokenApp Claim) must be satisfied to gain access to the SharePoint server.
1. On the WS Federation page, click the name of the TreyResearch service provider.
2. Click Attributes, then specify the following details:

   | Field | Description |
   | --- | --- |
   | Attribute set | Select the WS Federation attribute set you created. |
   | Send with authentication | Move the All Roles attribute to Send with authentication. |

3. Click Apply, then click Authentication Response.
4. Select E-mail for the Name Identifier Format.
5. Select LDAP Attribute:mail [LDAP Attribute Profile] as the value for the e-mail identifier.
6. Click OK > OK.
7. Update Identity Server.
Continue with Setting Up Roles for ClaimApp and TokenApp Claims.
When users access resources on the ADFS server, they need to have two roles assigned: a ClaimApp role and a TokenApp role. The following steps explain how to create these two roles so that they are assigned to all users that log in to Identity Server.
1. Click Devices > Identity Servers > Servers > Edit > Roles > Manage Policies.
2. Click New, specify a name for the policy, select Identity Server: Roles, and click OK.
3. On the Rule 1 page, leave Condition Group 1 blank.
   With no conditions to match, this rule matches all authenticated users.
4. In the Actions section, click New > Activate Role.
5. Specify ClaimApp.
6. In the Actions section, click New > Activate Role.
7. Specify TokenApp.
8. Click OK > OK.
9. Click Apply Changes.
10. Click Close.
11. On the Roles page, select the role policy you just created, then click Enable.
12. Click OK.
13. Update Identity Server.
Continue with Importing the ADFS Signing Certificate into the NIDP-Truststore.
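As an added example (not from the Access Manager documentation), the following Python builds the SAML 1.1 assertion that the attribute set, e-mail name identifier and role policy configured above would produce for one user, and then checks it from the relying party's side: e-mail name identifier format, an emailAddress claim, and both group claims (ClaimApp and TokenApp) in the WS Federation claims namespace. The issuer value and the sample user are assumptions; the claim names, namespace and role names come from the steps on this page.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertion namespace
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"    # WS Federation claims namespace (from the page)
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ROLES = {"ClaimApp", "TokenApp"}          # group claims SharePoint requires (from the page)
ISSUER = "https://idp-50.amlab.net:8443/nidp"      # assumed issuer value for the constructed token


def tag(name):
    return f"{{{SAML1}}}{name}"


def build_assertion(mail, roles):
    """Constructed SAML 1.1 assertion reflecting the attribute set on this page:
    LDAP mail -> emailAddress, All Roles -> group, e-mail name identifier."""
    root = ET.Element(tag("Assertion"), Issuer=ISSUER)
    stmt = ET.SubElement(root, tag("AttributeStatement"))
    subject = ET.SubElement(stmt, tag("Subject"))
    ET.SubElement(subject, tag("NameIdentifier"), Format=EMAIL_FORMAT).text = mail
    email = ET.SubElement(stmt, tag("Attribute"), AttributeName="emailAddress",
                          AttributeNamespace=CLAIMS_NS)
    ET.SubElement(email, tag("AttributeValue")).text = mail
    group = ET.SubElement(stmt, tag("Attribute"), AttributeName="group",
                          AttributeNamespace=CLAIMS_NS)
    for role in roles:                      # one AttributeValue per activated role
        ET.SubElement(group, tag("AttributeValue")).text = role
    return ET.tostring(root, encoding="unicode")


def check_assertion(xml_text):
    """Relying-party side check. Returns a list of problems; [] means the token
    carries everything the ADFS/SharePoint configuration on this page needs."""
    root = ET.fromstring(xml_text)
    problems = []
    nid = root.find(f".//{tag('NameIdentifier')}")
    if nid is None or nid.get("Format") != EMAIL_FORMAT:
        problems.append("name identifier is not in e-mail format")
    claims = {}
    for attr in root.iter(tag("Attribute")):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue                        # claims outside the WS Federation namespace are not mapped
        values = [v.text for v in attr.findall(tag("AttributeValue"))]
        claims[attr.get("AttributeName")] = values
    if not claims.get("emailAddress"):
        problems.append("emailAddress claim missing")
    missing = REQUIRED_ROLES - set(claims.get("group", []))
    if missing:
        problems.append("missing group claims: " + ", ".join(sorted(missing)))
    return problems
```

A user whose role policy activates only one of the two roles, or whose contract does not emit the e-mail name identifier, fails this check the same way the SharePoint access would.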
Access Manager Identity Server must have the trusted root of the ADFS signing certificate (or the certificate itself) listed in its trust store, and specified in the relationship. Most ADFS signing certificates are part of a certificate chain, and the certificate that goes into the metadata is not the same as the trusted root of that certificate. Because the Active Directory step-by-step guide uses self-signed certificates for signing, it is the same certificate in both the trust store and in the relationship.
To import the ADFS signing certificate’s trusted root (or the certificate itself) into the NIDP-Truststore, perform the following steps:
1. Click Devices > Identity Servers > Servers > Edit > Security > NIDP Trust Store > Add.
2. Next to Trusted Root(s), click the Select Trusted Root(s) icon.
   This adds the trusted root of the ADFS signing certificate to the trust store.
3. Select the trusted root or certificate that you want to import and click Add Trusted Roots to Trust Stores. If the trusted root or certificate is not in the list, import it.
4. Next to Trust store(s), click the Select Keystore icon.
5. Select the trust stores where you want to add the trusted root or certificate, then click OK > OK.
6. Update Identity Server.
Configuration for Identity Server to trust the ADFS server is completed. The ADFS server must be configured to trust Identity Server. Continue with Configuring the ADFS Server.