ADFS, Active Directory, and SharePoint servers and client are set up as described in the ADFS guide from Microsoft. See “Step-by-Step Guide for Active Directory Federation Services”.
Access Manager is set up with a site configuration that is using SSL in Identity Server's base URL. See Section 19.0, Enabling SSL Communication.
The Liberty Personal Profile is enabled.
Click Identity Servers > Edit > Liberty > Web Service Provider. Select the Personal Profile, then click Enable > Apply. Update Identity Server.
Access Manager ships with only SAML 1.1, Liberty, and SAML 2.0 enabled by default. To use the WS Federation protocol, it must be enabled on Identity Server.
Click Devices > Identity Servers > Edit.
In the Enabled Protocols section of the General Configuration page, select WS Federation.
Click OK.
Update Identity Server.
To establish a trust relationship, you need to set up the Adatum site (adfsaccount.adatum.com) as an identity provider for Identity Server.
Adatum is the default name for the identity provider. If you have used another name, substitute it when following these instructions. To create an identity provider, you need to know the following information about the Adatum site:
Table 5-15 Adatum Values
|
Option |
Default Value and Description |
|---|---|
|
Provider ID |
Default Value: urn:federation:adatum The ADFS server provides this value to the service provider in the realm parameter in the assertion. Set this value in Properties of the Trust Policy on the ADFS server. The label is Federation Service URI. |
|
Sign-on URL |
Default Value: https://adfsaccount.adatum.com/adfs/ls/ The service provider uses this value to redirect the user for login. This URL is listed in Properties of the Trust Policy on the ADFS server. The label is Federation Services endpoint URL. |
|
Logout URL |
Default Value: https://adfsresource.treyresearch.net/adfs/ls/ The ADFS server makes no distinction between the login and logout URL. Access Manager has separate URLs for login and logout, but from an Access Manager Identity Server to an ADFS server, they are the same. |
|
Signing Certificate |
This is the certificate that the ADFS server uses for signing. You need to export it from the ADFS server. It can be retrieved from the properties of the Trust Policy on the ADFS Server on the Verification Certificates tab.This certificate is a self-signed certificate that you generated when following the step-by-step guide. |
To create an identity provider, perform the following steps:
Click Devices > Identity Servers > Edit > WS Federation.
Click New, select Identity Provider, and specify the following details:
|
Field |
Description |
|---|---|
|
Name |
Specify a name that identifies the identity provider, such as Adatum. |
|
Provider ID |
Specify the federation service URI of the identity provider. For example, urn:federation:adatum. |
|
Sign-on URL |
Specify the login URL. For example, https://adfsaccount.adatum.com/adfs/ls/. |
|
Logout URL |
Specify the logout URL. For example, https://adfsresource.treyresearch.net/adfs/ls/ |
|
Identity Provider |
Specify the path to the signing certificate of the ADFS server. |
Confirm the certificate, then click Next.
For the authentication card, specify the following values:
|
Field |
Description |
|---|---|
|
ID |
Leave this field blank. |
|
Text |
Specify a description that is shown to a user when the user places a mouse over the card. |
|
Image |
Select an image, such as Customizable, or any other image. |
|
Show Card |
Select this option to display the card as a login option. |
Click Finish.
Continue with Modifying the User Identification Specification.
The default settings for user identification are set to do nothing. The user can authenticated, but the user is not identified as a local user on the system. However, in this scenario, the user must be identified on the local system. Additionally, You need to specify which contract on Access Gateway is satisfied with this identification. If a contract is not specified, Access Gateway resources must be configured to use the Any Contract option, which is not a typical configuration.
On the WS Federation page, click the name of the Adatum identity provider configuration.
Click User Identification.
For Satisfies contract, select Name/Password – Form.
Select Allow federation.
For the User Identification Method, select Authenticate.
Click OK > OK.
Update Identity Server.
Continue with Importing the ADFS Signing Certificate into the NIDP-Truststore.
Identity Server must have the trusted root of the ADFS signing certificate (or the certificate itself) listed in its trust store, and specified in the relationship. This is because most ADFS signing certificates have a chain, and the certificate that goes into the metadata is not the same as the trusted root of that certificate. However, as the Active Directory step-by-step guide uses self-signed certificates for signing, it is the same certificate in both the trust store and in the relationship.
To import the ADFS signing certificate’s trusted root (or the certificate itself) into the NIDP-Truststore, perform the following steps:
Click Devices > Identity Servers > Edit > Security > NIDP Trust Store > Add.
Next to Trusted Root(s), click the Select Trusted Root(s) icon.
This adds the trusted root of the ADFS signing certificate to the Trust Store.
On the Select Trusted Roots page, select the trusted root or certificate that you want to import, then click Add Trusted Roots to Trust Stores.
If there is no trusted root or certificate in the list, click Import. This enables you to import a trusted root or certificate.
Next to Trust store(s), click the Select Keystore icon.
Select the trust stores where you want to add the trusted root or certificate and click OK > OK.
Update Identity Server.
Continue with Configuring the ADFS Server as an Identity Provider.