Configuring AD FS 2.0 as the Claims or Identity Provider and Access Manager as the Relying Party or Service Provider

This section explains how to configure AD FS 2.0 as the identity provider so that users it authenticates get federated access to an application protected by Access Manager, which acts as the service provider. The setup uses the SAML 2.0 POST profile.

Configuring Access Manager

The AD FS metadata is used to add an Identity Provider to Access Manager.

Getting the AD FS 2.0 Metadata

  1. Access the AD FS server metadata at https://<ADFS hostname or IP>/FederationMetadata/2007-06/FederationMetadata.xml.

  2. Save the AD FS metadata to a file.

  3. Open the AD FS metadata file in a text editor (Notepad, WordPad, or an XML editor).

  4. Remove the <RoleDescriptor> elements from the metadata (each opening tag, its closing tag, and everything between them).

    For example, remove the following elements, shown here with their content elided:

      <RoleDescriptor xsi:type="fed:ApplicationServiceType"
                  protocolSupportEnumeration="http://..." ...> ... </RoleDescriptor>
      <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://..." ...> ... </RoleDescriptor>

  5. Save the changes.
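Steps 3 through 5 can be done with a short script instead of by hand. The following Python script is an added example, not part of this documentation or of the Access Manager product. It removes every RoleDescriptor element from an AD FS FederationMetadata.xml and, because that edit invalidates the enveloped XML signature AD FS places over the file, drops the ds:Signature element as well (whether the Access Manager importer checks that signature is not stated on this page, so keeping it is left as an option). The SAMPLE_METADATA document, the host name adfs.example.test and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Register the prefixes AD FS uses so the rewritten file keeps them instead of ns0/ns1.
for prefix, uri in (("", MD), ("ds", DS), ("fed", FED), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)

# Constructed stand-in for FederationMetadata.xml: same element layout as the AD FS file
# (Signature, two WS-Federation RoleDescriptors, then the SAML descriptors), with a
# placeholder host name and no real signature value.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://adfs.example.test/adfs/services/trust">
  <ds:Signature><ds:SignatureValue>CONSTRUCTED-PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TokenTypesOffered/>
  </RoleDescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/" index="0"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_role_descriptors(metadata_xml, drop_signature=True):
    """Return (cleaned_xml, removed_xsi_types).

    Removes every RoleDescriptor child of the EntityDescriptor, which are the
    WS-Federation roles Access Manager does not consume.  That edit breaks the
    enveloped ds:Signature AD FS computed over the original document, so the
    signature is removed too unless the caller asks to keep it.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor document")
    removed = []
    for child in list(root):  # iterate over a copy because we mutate root
        if child.tag == f"{{{MD}}}RoleDescriptor":
            removed.append(child.get(f"{{{XSI}}}type"))
            root.remove(child)
        elif drop_signature and child.tag == f"{{{DS}}}Signature":
            root.remove(child)
    return ET.tostring(root, encoding="unicode"), removed


def remaining_roles(metadata_xml):
    """Local names of the SAML metadata children still present on the EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    return [c.tag.split("}", 1)[1] for c in root if c.tag.startswith("{" + MD + "}")]


if __name__ == "__main__":
    cleaned, removed = strip_role_descriptors(SAMPLE_METADATA)
    print("removed:", removed)
    print("kept:", remaining_roles(cleaned))
    print(cleaned)
```

Run it against the file saved in Step 2 (replace SAMPLE_METADATA with the file's contents); the string it returns is what the next procedure pastes into the Text field. The IDPSSODescriptor, which carries the AD FS signing certificate and single sign-on endpoint that Access Manager needs, is left untouched.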

Using the Metadata to Add a New Identity Provider Connection

  1. Click Devices > Identity Server > Edit > SAML 2.0.

  2. Click New > Identity Provider.

  3. Specify the name as ADFS in Name.

  4. Select Metadata Text from Source.

  5. Paste the AD FS metadata that you copied in Step 5 of Getting the AD FS 2.0 Metadata into Text.

  6. Click Next.

  7. Specify an alphanumeric value that identifies the card in ID.

  8. Specify the image to be displayed on the card in Image.

  9. Update Identity Server.

Adding the AD FS Server Trusted Certificate

  1. Retrieve the AD FS server's CA trusted root certificate.

  2. Select Security > Certificates.

  3. Select Trusted Roots.

  4. Click Import.

  5. Specify the certificate name, and browse to the AD FS certificate authority's root certificate.

  6. Click OK.

  7. Click the uploaded AD FS CA certificate.

  8. Click Add to Trusted Store and select the config store.

  9. Update Identity Server.

Configuring the Identity Provider in Access Manager

  1. Select the AD FS Identity Provider in the SAML 2.0 tab.

  2. Click Authentication Card > Authentication Request.

  3. Set Response Protocol Binding to POST.

  4. Set Name Identifier Format to Transient.

  5. Click OK.

  6. Update Identity Server.

Configuring AD FS 2.0

Using the Metadata to Add a Relying Party

The metadata import capability of AD FS 2.0 is used to create a relying party. The metadata includes the public key that is used to validate security tokens signed by Access Manager.

  1. In AD FS 2.0, right-click the Relying Party Trusts folder and click Add Relying Party Trust.

  2. Click Start.

  3. On the Select Data Source page, select Import data about the claims provider from a file.

  4. In the Federation metadata file location section, click Browse.

  5. Navigate to the location where you saved nam_metadata.xml earlier, select the file, then click Open > Next.

  6. On the Specify Display Name page, specify NAM Example.

  7. Click Next > Next > Close.

Editing Claim Rules for a Relying Party Trust

The data from AD FS is used in the security token that is sent to Access Manager.

  1. The Edit Claim Rules dialog box must already be open. If not, in the AD FS 2.0 center pane, under Relying Party Trusts, right-click NAM Example, then click Edit Claim Rules.

  2. On the Issuance Transform Rules tab, click Add Rule.

  3. On the Select Rule Template page, leave the Send LDAP Attributes as Claims option selected, then click Next.

  4. On the Configure Claim Rule page, specify Get attributes in the Claim rule name field.

  5. Select Active Directory from the Attribute Store list.

  6. In the Mapping of LDAP attributes section, create the following mappings:

    LDAP Attribute          Outgoing Claim Type
    User-Principal-Name     UPN
    E-Mail-Address          E-Mail Address

  7. Click OK.

  8. Click Apply > OK.

  9. On the Issuance Transform Rules tab, click Add Rule.

  10. On the Select Rule Template page, select Transform an Incoming Claim, then click Next.

  11. On the Configure Claim Rule page, use the following values:

    Name                       Value
    Claim rule name            Mapping To Transient Name Identifier
    Incoming Claim Type        UPN
    Outgoing Claim Type        Name ID
    Outgoing name ID format    Transient Identifier

  12. Select Pass Through All Claims, then click OK.

  13. Click Apply > OK.

Disabling the Certificate Revocation List

For information about signing and encryption certificates, see Using Certificates and Certificate Revocation Lists.

Disabling the CRL Checking Option in Identity Server

  1. Modify the tomcat.conf file.

    For information about how to modify a file, see Modifying Configurations.

  2. Add the following line:

    JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"

Disabling the CRL Checking Option in AD FS 2.0

  1. Click Start > Administrative Tools > Windows PowerShell Modules.

  2. Run the following command in the PowerShell command prompt:

    set-ADFSRelyingPartyTrust -TargetName "NAM Example" -SigningCertificateRevocationCheck None

AD FS 2.0 Encryption Strength

In AD FS 2.0, encryption of outbound assertions is enabled by default. AD FS 2.0 encrypts the assertion for any relying party or service provider for which it possesses an encryption certificate, using 256-bit Advanced Encryption Standard (AES-256) keys. Failing to reconcile these conflicting defaults can result in failed SSO attempts. To resolve this issue, disable the encryption in AD FS 2.0.

  1. In AD FS 2.0, click Start > Administrative Tools > Windows PowerShell Modules.

  2. Run the following command in the PowerShell command prompt:

    set-ADFSRelyingPartyTrust -TargetName "NAM Example" -EncryptClaims $False
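To confirm that the claim rules from Editing Claim Rules for a Relying Party Trust and the encryption setting above have taken effect, a SAML response captured from AD FS (for example, from the browser's POST to Identity Server) can be checked for the three things this configuration relies on: an unencrypted assertion, a NameID in transient format, and the UPN and E-Mail Address attributes. The following Python checker is an added example, not part of this documentation or of either product. The claim type URIs are the standard ones AD FS emits as SAML attribute names; make_response, check_response and the sample values (alice@example.test, adfs.example.test) are constructed for the example, and make_response builds unsigned test responses only.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# AD FS emits claim types as SAML attribute names; these two are what the
# "Get attributes" rule (UPN, E-Mail Address) produces.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_response(response_xml):
    """Return a list of findings; an empty list means the response matches the configuration."""
    root = ET.fromstring(response_xml)
    findings = []
    # With -EncryptClaims left at its default, AD FS sends an EncryptedAssertion instead
    # of an Assertion, and nothing below can be inspected without the SP's private key.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted: set -EncryptClaims $False on the relying party trust")
        return findings
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in the response"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("no NameID in the Subject")
    elif name_id.get("Format") != TRANSIENT:
        findings.append(f"NameID Format is {name_id.get('Format')!r}, expected transient")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for claim in (UPN_CLAIM, EMAIL_CLAIM):
        if claim not in present:
            findings.append(f"missing attribute {claim}")
    return findings


def make_response(name_format=TRANSIENT, attributes=(UPN_CLAIM, EMAIL_CLAIM), encrypted=False):
    """Build a constructed, unsigned samlp:Response for exercising the checker (test data only)."""
    if encrypted:
        body = ('<saml:EncryptedAssertion><xenc:EncryptedData '
                'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>')
    else:
        attrs = "".join(
            f'<saml:Attribute Name="{name}"><saml:AttributeValue>alice@example.test'
            f'</saml:AttributeValue></saml:Attribute>' for name in attributes)
        body = ('<saml:Assertion ID="_a1" Version="2.0">'
                '<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>'
                f'<saml:Subject><saml:NameID Format="{name_format}">_t9f3a</saml:NameID></saml:Subject>'
                f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0">{body}</samlp:Response>')


if __name__ == "__main__":
    for label, sample in (
        ("as configured", make_response()),
        ("encryption still on", make_response(encrypted=True)),
        ("wrong NameID format, e-mail missing", make_response(PERSISTENT, (UPN_CLAIM,))),
    ):
        print(f"{label}: {check_response(sample) or 'OK'}")
```

The checker only reads the response; it does not validate the signature, so run it on a capture you already trust and use it to diagnose which of the settings on this page is still wrong when single sign-on fails.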