Configuring Access Manager

NOTE: To deploy this identity federation, create a new contract with the “urn:oasis:names:tc:SAML:2.0:ac:classes:Password” URI and the Name/Password - Form method. Configure this contract as the default contract.

Using AD FS Metadata to Add a New Service Provider for Access Manager

Getting the AD FS 2.0 Metadata

  1. Access the AD FS server metadata URL at https://<AD FS hostname or IP>/FederationMetadata/2007-06/FederationMetadata.xml.

  2. Save the AD FS metadata file.

  3. Open the AD FS metadata file in any XML editor.

  4. Remove the <RoleDescriptor> elements, including their contents, from the metadata. For example, remove the following elements:

     <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://....." ……>……….</RoleDescriptor>
     <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://....." ………></RoleDescriptor>

  5. Save the changes.
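The edit in step 4 can also be scripted. The following is an added example, not part of the original procedure: it removes every md:RoleDescriptor element (the WS-Federation roles that the SAML 2.0 importer does not use) while keeping the IDPSSODescriptor and its signing certificate, and reports what it dropped. The sample metadata embedded in it is constructed, not real AD FS output. Note that any edit to a signed metadata file invalidates its enveloped signature, so the AD FS certificate in the edited file should be checked against the one obtained directly from the AD FS server.

```python
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ROLE_TAG = f"{{{MD_NS}}}RoleDescriptor"

# Constructed stand-in for FederationMetadata.xml: two WS-Federation RoleDescriptor
# elements (to be dropped) plus the IDPSSODescriptor and signing cert (to be kept).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesRequested/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def strip_role_descriptors(metadata_xml: str) -> tuple[str, list[str]]:
    """Return the metadata without md:RoleDescriptor elements, plus the
    xsi:type of each element removed (so the operator can log what was cut)."""
    ET.register_namespace("", MD_NS)  # keep md as the default namespace on output
    ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")
    root = ET.fromstring(metadata_xml)
    removed = []
    for role in list(root.findall(ROLE_TAG)):  # direct children of EntityDescriptor
        removed.append(role.get(f"{{{XSI_NS}}}type", "?"))
        root.remove(role)
    return ET.tostring(root, encoding="unicode"), removed


def remaining_roles(metadata_xml: str) -> list[str]:
    """Local names of the role elements left under EntityDescriptor."""
    return [child.tag.split("}")[-1] for child in ET.fromstring(metadata_xml)]


if __name__ == "__main__":  # usage: strip_roles.py FederationMetadata.xml > cleaned.xml
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    cleaned, dropped = strip_role_descriptors(source)
    print(cleaned)
    print("removed:", dropped, "kept:", remaining_roles(cleaned), file=sys.stderr)
```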

Adding a New Service Provider Connection

  1. Click Devices > Identity Server > Edit > SAML 2.0 > New > Add Service Provider.

  2. In Name, specify a name by which you want to refer to the provider.

  3. Select Metadata Text from Source.

  4. In Text, paste the AD FS metadata that you saved in Step 5 of Getting the AD FS 2.0 Metadata.

  5. Click Next > Finish.

  6. Update Identity Server.

Adding an AD FS Server Trusted Certificate

  1. Download the certificate authority (CA) certificate from the AD FS server.

  2. Click Security > Certificates > Trusted Roots > Import.

  3. Specify a name for the certificate and browse for the ADFS certificate.

  4. Click OK.

  5. Click the uploaded AD FS CA certificate.

  6. Click Add to Trusted Store and select the config store.

  7. Update Identity Server.

Creating an Attribute Set in Access Manager

  1. Click Devices > Identity Servers > Shared Settings > Attribute Sets > New.

  2. Provide the attribute set name as adfs-attributes.

  3. Click Next with the default selections.

  4. In the Create Attribute Set section, click New.

  5. Select the LDAP attribute mail from Local Attribute.

  6. Specify emailaddress in Remote attribute.

  7. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ from Remote namespace.

  8. Click OK.

  9. Click New.

  10. Select All Roles from Local Attribute.

  11. Specify roles in Remote Attribute.

  12. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ from Remote namespace.

  13. Click OK.

  14. Update Identity Server.

Configuring the Service Provider in Access Manager

  1. Select the ADFS service provider in the SAML 2.0 tab.

  2. Click Authentication Response.

  3. Set Binding to POST.

  4. In Name Identifier Format, specify the default value and select unspecified, keeping the other default selections.

  5. Click Attributes.

  6. Select adfs-attributes from Attribute Set.

  7. Select the required attributes to be sent with authentication. For example, mail and cn.

  8. Click OK.

  9. Update Identity Server.

Exporting the Identity Provider Metadata to a File

Access https://<Identity Server IP or DNS name>:8443/nidp/saml2/metadata in a browser and save the page as XML, for example as nam_metadata.xml. AD FS 2.0 uses this XML to automate the setup of the Access Manager Claims Provider instance.