Configuring Access Manager

NOTE: To deploy this identity federation, create a new contract that uses the “urn:oasis:names:tc:SAML:2.0:ac:classes:Password” URI and the name/password form method. Configure this contract as the default contract.

Using ADFS Metadata to Add a New Service Provider for Access Manager

Getting the AD FS 2.0 Metadata

  1. Access the AD FS server metadata URL at https://<ADFS hostname or IP>/FederationMetadata/2007-06/FederationMetadata.xml.

  2. Save the AD FS metadata file.

  3. Open the AD FS metadata file in any XML editor.

  4. Remove the <RoleDescriptor> elements from the metadata. For example, remove elements such as the following:

     <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://..." ...>...</RoleDescriptor>
     <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://..." ...>...</RoleDescriptor>
  5. Save the changes.
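Step 4 can be scripted instead of hand-editing the file. The following is an added example (not part of the original documentation or of either product) that parses a saved FederationMetadata.xml, removes every <RoleDescriptor> child of the EntityDescriptor, and reports which SAML descriptors remain; the embedded metadata is a constructed minimal sample, and the namespace URIs are the standard SAML metadata and WS-Federation ones.

```python
"""Strip WS-Federation <RoleDescriptor> elements from AD FS metadata (added example)."""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Keep the usual prefixes so the re-serialised file still reads like the original.
ET.register_namespace("", MD_NS)
ET.register_namespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")
ET.register_namespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")
ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Constructed sample: two WS-Federation role descriptors plus the SAML 2.0 ones.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""


def strip_role_descriptors(metadata_xml: str) -> tuple[str, int]:
    """Return (cleaned XML, number of RoleDescriptor elements removed).

    Note: a real AD FS metadata file carries an enveloped XML signature, which any
    edit invalidates; only edit a copy fetched directly from the AD FS server over
    HTTPS, as the procedure above does, so the content itself is still trusted.
    """
    root = ET.fromstring(metadata_xml)
    removed = 0
    for child in list(root):  # RoleDescriptor elements sit directly under EntityDescriptor
        if child.tag == f"{{{MD_NS}}}RoleDescriptor":
            root.remove(child)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def descriptor_names(metadata_xml: str) -> list[str]:
    """Local names of the top-level descriptors, for a quick sanity check."""
    root = ET.fromstring(metadata_xml)
    return [child.tag.split("}", 1)[-1] for child in root]


if __name__ == "__main__":  # usage: python strip_roles.py FederationMetadata.xml
    cleaned, count = strip_role_descriptors(open(sys.argv[1], encoding="utf-8").read())
    sys.stdout.write(cleaned)
    sys.stderr.write(f"removed {count} RoleDescriptor element(s)\n")
```

Check the printed descriptor list before pasting the result into Access Manager: only SAML 2.0 descriptors (SPSSODescriptor, IDPSSODescriptor) should remain.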

Adding a New Service Provider Connection

  1. On the Home page, click Applications > Select a Cluster > New Application > [SAML2 Service Provider application name].

  2. In Name, specify a name by which you want to refer to the provider.

  3. Select Metadata Text from Source.

  4. In Text, paste the edited AD FS metadata that you saved in Step 5 of the previous procedure.

  5. Click Next > Finish.

  6. Update Identity Server.

Adding an AD FS Server Trusted Certificate

  1. Download the certificate authority (CA) certificate from the AD FS server.

  2. On the Home page, click Certificates > Trusted Roots > Import.

  3. Specify a name for the certificate and browse for the ADFS certificate.

  4. Click OK.

  5. Click Uploaded AD FS CA.

  6. Click Add Trusted Root to Trust Stores and select config store.

  7. Update Identity Server.

Creating an Attribute Set in Access Manager

  1. On the Home page, click Identity Servers > IDP Global Settings icon > Attribute Sets > Plus icon.

  2. Provide the attribute set name as adfs-attributes.

  3. Click Next with the default selections.

  4. Click Add Attribute Mapping.

  5. Select the LDAP attribute mail in Local Attribute.

  6. Specify emailaddress in Remote Attribute.

  7. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ in Remote Namespace.

  8. Click Save.

  9. Click Add Attribute Mapping.

  10. Select All Roles in Local Attribute.

  11. Specify roles in Remote Attribute.

  12. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ in Remote Namespace.

  13. Click Save.

  14. Update Identity Server.

Configuring the Service Provider in Access Manager

  1. Select the ADFS service provider in the SAML 2.0 tab.

  2. Click Authentication Response.

  3. Set Binding to Post.

  4. Under Name Identifier Format, select unspecified in addition to the defaults and specify the default value.

  5. Click Attributes.

  6. Select adfs-attributes from Attribute Set.

  7. Select the attributes to send with the authentication response, for example mail and cn.

  8. Click Save.

  9. Update Identity Server.

Exporting the Identity Provider Metadata to a File

Access https://<Identity Server IP or DNS name>:8443/nidp/saml2/metadata in a browser and save the page as XML, such as nam_metadata.xml. AD FS 2.0 uses this XML to automate the setup of the Access Manager Claims Provider instance.