AD FS, Active Directory, and SharePoint servers and the client are set up as described in the ADFS guide from Microsoft. See “Step-by-Step Guide for Active Directory Federation Services”.
Access Manager is set up with a site configuration that is using SSL in Identity Server's base URL. See Section 21.0, Enabling SSL Communication.
The ADFS server rejects the contract URI names of the default Access Manager contracts, which have a URI format of secure/name/password/uri. The ADFS server expects the URI to look like a URL.
Use the following format for the URI of all contracts that you want to use with the ADFS server:
<baseurl>/name/password/uri
If the DNS name of your Identity Server is idp-50.amlab.net, the URI looks similar to the following:
https://idp-50.amlab.net:8443/nidp/name/password/uri
This URL does not resolve to anything because Identity Server interprets it as a contract URI and not a URL.
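The following is an added example, not code from the Access Manager documentation or product. It builds a contract URI of the form `<baseurl>/name/password/uri` from an Identity Server base URL and checks that the result has the URL shape ADFS expects (absolute, https scheme, a host), which the default `secure/name/password/uri` form lacks. The base URL and the helper names are constructed for the example.

```python
"""Added example (not part of the Access Manager documentation): build a
WS-Fed contract URI and check that it has the URL form ADFS accepts."""
from urllib.parse import urlsplit

# Fixed tail of the contract URI used in this scenario.
CONTRACT_PATH = "name/password/uri"


def contract_uri(base_url: str) -> str:
    """Return <baseurl>/name/password/uri, tolerating a trailing slash on the base URL."""
    return base_url.rstrip("/") + "/" + CONTRACT_PATH


def adfs_accepts(uri: str) -> bool:
    """ADFS rejects contract URIs that do not look like URLs.

    The check requires an absolute https URL (the site configuration uses SSL)
    with a host, whose path ends in the contract tail. The URI is never fetched:
    Identity Server treats it as a contract identifier, not a location.
    """
    parts = urlsplit(uri)
    return (
        parts.scheme == "https"
        and bool(parts.netloc)
        and parts.path.endswith("/" + CONTRACT_PATH)
    )


if __name__ == "__main__":
    # Constructed sample base URL for an Identity Server.
    uri = contract_uri("https://idp-50.amlab.net:8443/nidp")
    print(uri, adfs_accepts(uri))
    # The default contract form is not a URL and would be rejected.
    print("secure/name/password/uri", adfs_accepts("secure/name/password/uri"))
```

Run the check against every contract you intend to expose to the ADFS server before creating it; a contract that fails it will be rejected by ADFS even though Identity Server accepts it.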
To create a new authentication contract:
On the Home page, click Identity Servers > [cluster name] > Authentication > Contracts > Plus icon.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify a name. For example, WS-Fed Contract. |
| URI | Specify a URI. For example, https://idp-50.amlab.net:8443/nidp/name/password/uri. |
| Advanced Settings > Satisfy with an external provider | Select this option. The ADFS server needs to satisfy this contract. |
In Authentication Methods, select Name/Password – Form.
Click the Plus icon under Authentication Card and specify the following details:
| Field | Description |
|---|---|
| Card Image | Select an image, such as Form Auth Username Password. This is the default image for the Name/Password - Form contract. |
| Card ID | Leave this field blank. Supply a value if you want a reference to use it externally. |
| Text | Specify a description that is available to the user when the user hovers over the card. |
Turn on Show Card to show the card to users, which allows them to select and use the card for authentication.
Click Save.
Continue with Setting the WS-Fed Contract as the Default Contract.
It is not possible to specify the contract to request from the ADFS service provider to Identity Server. You must set the contract for WS-Fed to be the default or the users must remember to click that contract every time.
On the Home page, click Identity Servers > [cluster name] > Authentication > Configuration > Defaults.
In Authentication Contract, select the WS-Fed Contract.
Click Save.
Continue with Enabling the WS Federation Protocol.
By default, only Liberty and SAML 2.0 are enabled. To use the WS Federation protocol, you must enable it on Identity Server.
On the Home page, click Identity Servers > [cluster name] > Authentication > Configuration > General.
In the Enabled Protocols section, select WS Federation.
Click Save.
Update Identity Server.
Continue with Creating an Attribute Set for WS Federation.
The WS Federation namespace is http://schemas.xmlsoap.org/claims. With WS Federation, you need to decide which attributes you want to share during authentication. This scenario uses the LDAP mail attribute and the All Roles attribute.
On the Home page, click Identity Servers > IDP Global Settings > Attribute Sets > Add Attribute Set icon.
Specify the following details:
Attribute Set Name: Specify a name that identifies the purpose of the set. For example, wsfed_attributes.
Select Set to use as Template: Select None.
Click Next.
To add a mapping for the mail attribute, perform the following steps:
Click the Add Attribute Mapping icon.
Specify the following details:
| Field | Description |
|---|---|
| Local Attribute | Select LDAP Attribute:mail [LDAP Attribute Profile]. |
| Remote Attribute | Specify emailAddress. This is the attribute that this scenario uses for user identification. |
| Remote Namespace | Select the option and specify the following namespace: http://schemas.xmlsoap.org/claims |
Click Save.
To add a mapping for the All Roles attribute, perform the following steps:
Click the Add Attribute Mapping icon.
Specify the following details:
| Field | Description |
|---|---|
| Local Attribute | Select All Roles. |
| Remote Attribute | Specify group. This is the name of the attribute that is used to share roles. |
| Remote Namespace | Select the option and specify the following namespace: http://schemas.xmlsoap.org/claims |
Click Save.
Click Finish.
Continue with Enabling the Attribute Set.
The WS Federation protocol uses STS. Therefore, you must enable the attribute set for STS to use it in a WS Federation relationship.
On the Home page, click Applications > Select a Cluster > Application Settings > WS Fed Applications > STS Attribute Sets.
Click the Edit icon and select the required attribute sets.
Click Done > Save.
Update Identity Server.
To establish a trusted relationship with the ADFS server, you need to set up the Trey Research site as a service provider. The trusted relationship allows the service provider to trust Identity Server for user authentication credentials.
Trey Research is the default name for the ADFS resource server. If you have used another name, substitute it when following these instructions. To create a service provider, you must know the following details about the ADFS resource server:
Table 6-14 ADFS Resource Server Information
| Option | Default Value | Description |
|---|---|---|
| Provider ID | urn:federation:treyresearch | This is the value that the ADFS server provides to Identity Server in the realm parameter of the query string. This value is specified in the Properties of the Trust Policy page on the ADFS server. The parameter label is Federation Service URI. |
| Sign-on URL | https://adfsresource.treyresearch.net/adfs/ls/ | The identity provider returns the user to this URL after login. Although it is listed as optional, and is optional between two Access Manager Identity Servers, the ADFS server does not send this value to the identity provider, so it is required when setting up a trusted relationship between an ADFS server and an Access Manager Identity Server. This URL is listed in the Properties of the Trust Policy page on the ADFS server. The parameter label is Federation Services endpoint URL. |
| Logout URL | https://adfsresource.treyresearch.net/adfs/ls/ | This parameter is optional. If it is specified, the user is logged out of the ADFS server and Identity Server. |
| Signing Certificate | NA | The ADFS server uses this certificate for signing. You need to export it from the ADFS server. It can be retrieved from the properties of the Trust Policy on the ADFS Server on the Verification Certificates tab. This certificate is a self-signed certificate that you generated when following the Active Directory step-by-step guide. |
To create a service provider configuration, perform the following steps:
On the Home page, click Applications > Select a Cluster > New Application > WS Federation Service Provider.
Specify the following details:
| Field | Description |
|---|---|
| Name | Specify a name that identifies the service provider, such as TreyResearch. |
| Provider ID | Specify the provider ID of the ADFS server. The default value is urn:federation:treyresearch. |
| Sign-on URL | Specify the URL that the user is redirected to after login. The default value is https://adfsresource.treyresearch.net/adfs/ls/. |
| Logout URL | (Optional) Specify the URL that the user can use for logging out. The default value is https://adfsresource.treyresearch.net/adfs/ls. |
| Signing Certificate | Specify the path to the signing certificate of the ADFS server. |
Click Next, confirm the certificate, and then click Save.
Continue with Configuring the Name Identifier Format.
The Unspecified Name Identifier format is the default for a newly created WS Federation service provider, but this name identifier format does not work with the ADFS federation server. Additionally, some Group Claims (Adatum ClaimApp Claim and Adatum TokenApp Claim) must be satisfied to gain access to the SharePoint server.
On the WS Federation page, click the name of the TreyResearch service provider.
Click Attributes, then specify the following details:
| Field | Description |
|---|---|
| Attribute set | Select the WS Federation attribute set you created. |
| Send with authentication | Move the All Roles attribute to Send with authentication. |
Click Apply, then click Authentication Response.
Select E-mail for the Name Identifier Format.
Select LDAP Attribute:mail [LDAP Attribute Profile] as the value for the e-mail identifier.
Click OK > OK.
Update Identity Server.
Continue with Setting Up Roles for ClaimApp and TokenApp Claims.
When users access resources on the ADFS server, they need to have two roles assigned: a ClaimApp role and a TokenApp role. The following steps explain how to create these two roles so that they are assigned to all users that log in to Identity Server.
On the Home page, click Policies.
Click New, specify a name for the policy, select Identity Server: Roles, and click OK.
On the Rule 1 page, leave Condition Group 1 blank.
With no conditions to match, this rule matches all authenticated users.
In the Actions section, click New > Activate Role.
Specify ClaimApp.
In the Actions section, click New > Activate Role.
Specify TokenApp.
Click OK > OK.
Click Apply Changes.
Click Close.
On the Roles page, select the role policy you just created, then click Enable.
Click OK.
Update Identity Server.
Continue with Importing the ADFS Signing Certificate into the NIDP-Truststore.
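The following is an added example, not code from the Access Manager product or its documentation. It models the Identity Server side of a WS-Federation sign-in from the ADFS resource server using the pieces configured above: the service provider is found by the realm (Provider ID) that ADFS sends in the query string, the WS-Fed contract is applied as the default because ADFS cannot request a contract, the role policy with an empty condition group activates ClaimApp and TokenApp for every authenticated user, the wsfed_attributes set maps LDAP mail to emailAddress and All Roles to group in the http://schemas.xmlsoap.org/claims namespace, and the Name Identifier uses the E-mail format with the LDAP mail value. The user record, the sign-in request (including its endpoint path), the `wa`/`wtrealm`/`wctx` handling and all helper names are constructed assumptions; the real token is signed and wrapped before it is posted back to the Sign-on URL, which this model omits.

```python
"""Added example (not Access Manager code): model of a WS-Fed sign-in handled
by Identity Server for the TreyResearch ADFS resource server."""
from urllib.parse import parse_qs, urlsplit
from xml.etree import ElementTree as ET

CLAIMS_NS = "http://schemas.xmlsoap.org/claims"
# SAML 1.1 e-mail name identifier format, which the E-mail option maps to.
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
DEFAULT_CONTRACT = "WS-Fed Contract"   # set as the default contract above

# Service provider, keyed by Provider ID (the realm ADFS sends). Default values
# from the ADFS Resource Server table.
SERVICE_PROVIDERS = {
    "urn:federation:treyresearch": {
        "name": "TreyResearch",
        "sign_on_url": "https://adfsresource.treyresearch.net/adfs/ls/",
        "attribute_set": "wsfed_attributes",
    },
}

# Attribute set: local attribute -> (remote attribute, remote namespace).
ATTRIBUTE_SETS = {
    "wsfed_attributes": {
        "mail": ("emailAddress", CLAIMS_NS),
        "All Roles": ("group", CLAIMS_NS),
    },
}


def parse_signin_request(url: str) -> dict:
    """Extract wa, wtrealm and wctx from the request ADFS sends to the IdP and
    refuse realms that no configured service provider trusts."""
    query = parse_qs(urlsplit(url).query)
    req = {k: query[k][0] for k in ("wa", "wtrealm", "wctx") if k in query}
    if req.get("wa") != "wsignin1.0":
        raise ValueError("not a wsignin1.0 request")
    if req.get("wtrealm") not in SERVICE_PROVIDERS:
        raise LookupError(f"no service provider with Provider ID {req.get('wtrealm')!r}")
    return req


def activate_roles(user: dict) -> list:
    """Role policy: Rule 1 has an empty condition group, so it matches every
    authenticated user and activates ClaimApp and TokenApp on top of any
    roles the user already holds."""
    return sorted(set(user.get("roles", [])) | {"ClaimApp", "TokenApp"})


def build_claims(user: dict, attribute_set: str) -> list:
    """Map local attributes through the attribute set to (namespace, name, value)."""
    local_values = {"mail": [user["mail"]], "All Roles": activate_roles(user)}
    claims = []
    for local, (remote, ns) in ATTRIBUTE_SETS[attribute_set].items():
        for value in local_values[local]:
            claims.append((ns, remote, value))
    return claims


def build_attribute_statement(user: dict, claims: list) -> str:
    """Minimal unsigned SAML 1.1-style statement carrying the e-mail name
    identifier and the claims (the real token is signed by Identity Server)."""
    root = ET.Element("AttributeStatement")
    ET.SubElement(root, "NameIdentifier", Format=EMAIL_NAMEID_FORMAT).text = user["mail"]
    for ns, name, value in claims:
        attr = ET.SubElement(root, "Attribute", AttributeName=name, AttributeNamespace=ns)
        ET.SubElement(attr, "AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def handle_signin(url: str, user: dict) -> dict:
    """Return the form that would be posted back to the Sign-on URL after login."""
    req = parse_signin_request(url)
    sp = SERVICE_PROVIDERS[req["wtrealm"]]
    claims = build_claims(user, sp["attribute_set"])
    return {
        "contract": DEFAULT_CONTRACT,
        "action": sp["sign_on_url"],          # user is returned here after login
        "wa": "wsignin1.0",
        "wctx": req.get("wctx", ""),          # opaque context echoed back to ADFS
        "wresult": build_attribute_statement(user, claims),
        "claims": claims,
    }


if __name__ == "__main__":
    # Constructed sample user and request; the endpoint path is a placeholder.
    alice = {"mail": "alice@amlab.net", "roles": ["Staff"]}
    request = ("https://idp-50.amlab.net:8443/nidp/WSFED_ENDPOINT_PLACEHOLDER"
               "?wa=wsignin1.0&wtrealm=urn:federation:treyresearch&wctx=ctx123")
    for claim in handle_signin(request, alice)["claims"]:
        print(claim)
```

The point to check in your own configuration is the second half of `build_claims`: every user must come out with a `group` claim for ClaimApp and TokenApp in the xmlsoap claims namespace and an `emailAddress` claim equal to the name identifier, otherwise SharePoint behind ADFS denies access even though authentication succeeded.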
Access Manager Identity Server must have the trusted root of the ADFS signing certificate (or the certificate itself) listed in its trust store, and specified in the relationship. Most ADFS signing certificates are part of a certificate chain, and the certificate that goes into the metadata is not the same as the trusted root of that certificate. Because the Active Directory step-by-step guide uses self-signed certificates for signing, it is the same certificate in both the trust store and in the relationship.
To import the ADFS signing certificate’s trusted root (or the certificate itself) into the NIDP-Truststore, perform the following steps:
On the Home page, click Certificates.
Next to Trusted Root(s), click the Select Trusted Root(s) icon.
Select the trusted root or certificate that you want to import and click Add Trusted Roots to Trust Stores. If there is no trusted root or certificate in the list, import it.
This adds the trusted root of the ADFS signing certificate to the trust store.
Next to Trust store(s), click the Select Keystore icon.
Select the trust stores where you want to add the trusted root or certificate, then click OK > OK.
Update Identity Server.
Configuration for Identity Server to trust the ADFS server is completed. The ADFS server must be configured to trust Identity Server. Continue with Configuring the ADFS Server.