Configuring ADFS for Academic Works

Size: px

Start display at page:

Download "Configuring ADFS for Academic Works"

Bryce Rose
6 years ago
Views:

1 Page 1 of 10: ConfiguringADFSForAcademicWorks.docx Configuring ADFS for Academic Works Contents Description... 1 Prerequisites: (for ADFS 3.0)... 2 Install the Public SSL Cert on both the ADFS and the DMZ Web Application Server... 2 Install ADFS using the Add roles and features wizard or via Windows PowerShell... 2 Configure the first federation server in a new federation server farm using the Active Directory Federation Service Configuration Wizard... 3 To install the Web Application Proxy role service on the DMZ server... 3 To configure Web Application Proxy... 4 Testing your ADFS Setup... 4 Retrieve the Federation Meta Data Information for your ADFS environment... 5 Decide on Attributes to be used... 6 Create Relying Party Trust for ADFS to AcademicWorks... 6 Add Claims rules to AcademicWorks Relying Party Trust Restricting Authentication To Specific AD Groups... 9 Adding Additional Claim Values From SQL... 9 Testing Claim Values Returned... 9 Errors... 9 Definitions Modifications Description This document describes how to set-up Single-Sign On (SSO) between ADFS and Academic Works. Documentation Credit goes to Joey Rego, and the folks at LYNN University for compiling data, sources, links, and the hard work in being the pioneer for getting this working.

2 Page 2 of 10: ConfiguringADFSForAcademicWorks.docx Prerequisites: (for ADFS 3.0) Server 2012 R2 for Internal ADFS Server o Open port 443 in the windows firewall Server 2012 R2 for DMZ Web Application Proxy Server(Optional but recommended) o Open port 443 in the windows firewall Server 2012 R2 with SQL 2012 or later for ADFS Database (Optional but recommended) Service account used to run the ADFS service. Public SSL Cert added to the Personal Certificate Store All information provided below has been adapted from Install the Public SSL Cert on both the ADFS and the DMZ Web Application Server 1. Copy the SSL cert to the server that ends in.pfx 2. Right click the cert and choose Install PFX 3. Select the Local Machine Option and click next 4. On the File to import page the path to the selected.pfx file should already be set. Click Next 5. If there is a password on the file enter it now. Also if you want this key to be exportable you can select that option as well. We will leave the Include all extended properties checkbox enabled and click next 6. Select the Place all certificates in the following store option and choose Personal as the location to store the cert. Click next and then Finish. Install ADFS using the Add roles and features wizard or via Windows PowerShell 1. Open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu. 2. On the Before you begin page, click Next. 3. On the Select installation type page, click Role-based or Feature-based installation, and click Next. 4. On the Select destination server page, click Select a server from the server pool, verify that the target computer is highlighted, and then click Next. 5. On the Select server roles page, click Active Directory Federation Services, and then click Next. 6. On the Select features page, click Next. The required prerequisites are pre-selected for you. You do not need to select any other features. 7. On the Active Directory Federation Service (AD FS) page, click Next. 8. After you verify the information on the Confirm installation selections page, click Install. 9. On the Installation progress page, verify that everything installed correctly, and then click Close

3 Page 3 of 10: ConfiguringADFSForAcademicWorks.docx Configure the first federation server in a new federation server farm using the Active Directory Federation Service Configuration Wizard ***Make sure you have domain administrator permissions or have domain administrator credentials available before you perform this procedure. Just to be clear, the account only needs to have this right for the install. So do not grant the service account you created with domain admin rights. Just use an existing domain admin account already set up in your environment to run the install. 1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched. 2. On the Welcome page, select Create the first federation server in a federation server farm and click Next. 3. On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to and then click Next. 4. On the Specify Service Properties page, do the following and then click Next: a. Select the certificate that you previously installed from the list b. Provide a name for your federation service. For example, sts.contoso.com. This name must match one of the subject or subject alternative names in the certificate. c. Provide a display name for your federation service. For example, Contoso Corporation Identity Federation Service. This name will be shown to users at the AD FS sign-in page. 5. On the Specify Service Account page, specify the service account that you already created as a prerequisite. 6. On the Specify Configuration Database page, specify an AD FS configuration database and then click Next. You can either create a database on this computer using Windows Internal Database (WID) or you can specify the location and the instance name of the SQL server. 7. On the Review Options page, verify your configuration selections and click Next. 8. On the Pre-requisite Checks page, verify that all pre-requisite checks were successfully completed, and then click Configure. 9. On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard. To install the Web Application Proxy role service on the DMZ server 1. On the DMZ Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features. 2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen. 3. On the Select server roles dialog, select Remote Access, and then click Next. 4. Click Next twice.

4 Page 4 of 10: ConfiguringADFSForAcademicWorks.docx 5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next. 6. On the Confirm installation selections dialog, click Install. 7. On the Installation progress dialog, verify that the installation was successful, and then click Close. To configure Web Application Proxy 1. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. 2. In the navigation pane, click Web Application Proxy. 3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard. 4. On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next. 5. On the Federation Server dialog, do the following, and then click Next: a. In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.contoso.com. b. In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers. 6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next. a. The certificate you choose here should be the one that whose subject is the Federation Service name, for example, fs.contoso.com. If you plan on using Workplace Join, this must be a SAN certificate with the SANs described in Configure CAs and certificates. 7. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure. 8. On the Results dialog, verify that the configuration was successful, and then click Close. Testing your ADFS Setup 1. Now to test our ADFS Setup there are a few things we need to do. If you have already updated your environments DNS to point to your newly set up server then there is nothing you need to do and you should be able to browse to the URL. If you haven t and you are still in the testing phase, you can edit your local host file that can be found on your test windows machine found in c:\windows\system32\drivers\etc. Open the file with Notepad. Add the ip address and the fqdn of the server that has ADFS installed for now. We will do this twice. Once for the ADFS server directly and a second time to simulate accessing ADFS through the Application Web Proxy.

5 Page 5 of 10: ConfiguringADFSForAcademicWorks.docx o Doing this will allow us to manually configure your computer to be able to access the url with the name instead of just the IP address. 2. Now we can go to the following URL. Be sure to substitute your FQDN for your environment. Be sure to remove the <> as well. a Now we should be able to test our login using one of the three options. All should work but it s good to test them all to make sure. a. username@domain.local i. Be sure to substitute your user for username ii. Be sure to change the domain.local to the fqdn of your environment b. Domain\username i. Be sure to substitute your user for username ii. Be sure to change the domain to the NETBIOS name of your domain c. DomainFQDN\username i. Be sure to substitute your user for username ii. Be sure to change the DomainFQDN to the fqdn of your domain 4. Once we are sure this is working we can go back to our hosts file that we edited in step 1 and change only the IP address so that the new ip address is that of the DMZ web application server. a. Once you have done this you can ping the fqdn to make sure that your computer is now resolving to the DMZ Web Application Proxy ip address and 5. Now we can perform steps 2 and 3 again. a. This will allow us to now test that we are sending requests to the DMZ Web Application Proxy and then the Proxy is forwarding the request to the backend ADFS box. 6. Once all of this is completed we have confirmed we can log in. Retrieve the Federation Meta Data Information for your ADFS environment 1. We need to download the Metadata xml information so that we can send it to AcademicWorks tech support so they know what attributes they can use for their Shibboleth implementation 2. Using Chrome or Firefox Go to - (your site may vary) a. Be sure to remove the <> and enter the FQDN of your environment b. Save the file. c. Now you can send this information to AcademicWorks support i. If tech support says that the file needs to be adjusted, follow the link below for more information. You may need to adjust the.xml file that you downloaded in a few sections with notepad.exe or something similar, save it, and then send that file back to support ii. Here is another reference. See the section To Create edited AD FS 2.0 metadata

6 Page 6 of 10: ConfiguringADFSForAcademicWorks.docx 1. tinterop Decide on Attributes to be used 1. (Windows account name) : a. ame 2. (Given Name) : a (Surname) : a ( Address) : a. Create Relying Party Trust for ADFS to AcademicWorks 1. Open ADFS Console 2. Expand Trust Relationships 3. Right click on Relying Party Trusts 4. Select Add Relying Party Trust 5. Click Start 6. Choose the Import data about the relying party published online or on a local network. 7. Paste in the URL for your site. Note: replace... with your institution name a Click Next 9. You may get a message saying: Some of the content in the federation metadata was skipped. (See Error 1 below for reference) 10. Enter Display Name you desire 11. Click Next 12. Select I do not want to configure multifactor authentication 13. Click Next 14. Select Permit all users to access the relying party 15. Click Next 16. Click Next on the Ready to add Trust Section page 17. Leave or check checkbox for Open the Edit Claim Rules dialog Click Close on the Finish page. 19. Now you will need to add the claims rule like below.

7 Page 7 of 10: ConfiguringADFSForAcademicWorks.docx Add Claims rules to AcademicWorks Relying Party Trust. Claim rules describe how AD FS 3.0 determines what data should reside inside the federation security tokens that it generates. The claim rule in this section describes how data from Active Directory is inserted in the security token that is created for Shibboleth. Shibboleth is preconfigured to assert multiple attributes of the eduperson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attributes names to use a different name format (urn:oasis:names:tc:saml:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:saml:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS custom rule language to generate Shibboleth-compliant claims. We will generate an edupersonprincipalname claim, based on the user s UPN, and an edupersonscopedaffiliation claim, based on domain membership. To configure eduperson claims for sending to a relying party trust 1. The Edit Claim Rules dialog box should already be open. If not, In the AD FS center pane, under Relying Party Trusts, right-click the CollegeNet trust, and then click Edit Claim Rules. 2. On the Issuance Transform Rules tab, click Add Rule. 3. On the Select Rule Template page, select Send LDAP Attributes as Claims, and then click Next. 4. On the Configure Rule page, in the Claim rule name box, type Get Data. 5. In the Attribute Store list, select Active Directory. 6. In the Mapping of LDAP attributes section, create the following mappings. Note: not all of these claims need to be provided, they are shown for reference only. In most cases you do not need to share the 'Group' claim, etc. Talk with your SAML vendor to find out what exact claims they require and only configure those. User-Principal-Name UPN (Token-Groups are optional, only if needed/desired) Token-Groups Unqualified Names Group Given-Name Given Name -Addresses Address SAM-Account-Name Windows account name Surname Surname 7. Click Finish.

8 Page 8 of 10: ConfiguringADFSForAcademicWorks.docx 8. [only if supplying the UPN Claim Value] On the Issuance Transform Rules tab, click Add Rule. 9. [only if supplying the UPN Claim Value] On the Select Rule Template page, select Send Claims Using a Custom Rule, and then click Next. 10. [only if supplying the UPN Claim Value] In the Configure Rule page, in the Claim rule name box, type Transform UPN to eppn. 11. [only if supplying the UPN Claim Value] In the Custom Rule window, type or copy and paste the following: c:[type == " => issue(type = "urn:oid: ", Value = c.value, Properties[" e"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri"); 12. [only if supplying the UPN Claim Value] Click Finish. 13. [only if supplying the Group Claim Value] On the Issuance Transform Rules tab, click Add Rule. 14. [only if supplying the Group Claim Value] On the Select Rule Template page, select Send Claims Using a Custom Rule, and then click Next. 15. [only if supplying the Group Claim Value] On the Configure Rule page, in the Claim rule name box, type Transform Group to epsa. 16. [only if supplying the Group Claim Value] In the Custom Rule window, type or copy and paste the following but be sure to change the domainname (bold/italicized below) to match yours: c:[type == " Value == "Domain Users"] => issue(type = "urn:oid: ", Value = "member@contoso.com", Properties[" e"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri"); 17. [only if supplying the Group Claim Value] Click Finish

Page 9 of 10: ConfiguringADFSForAcademicWorks.docx 18. click OK. Restricting Authentication To Specific AD Groups Section Added By: David Mielcarek,, 20150803 1. Open: ADFS 2.

9 Page 9 of 10: ConfiguringADFSForAcademicWorks.docx 18. click OK. Restricting Authentication To Specific AD Groups Section Added By: David Mielcarek,, Open: ADFS 2. Expand: Trust Relationships 3. Click: Relying Party Trusts 4. Click: [desired trust] 5. Click: Edit Claim Rules 6. Click: Issuance Authorization Rules (tab) a. (remove any current rules if you want to restrict to new ones) 7. Click: Add Rule 8. Choose: Permit or Deny Users Based on an Incoming Claim 9. Type: Claim Rule Name 10. Choose: (Incoming claim type) Group SID 11. Click: Browse 12. Choose: [desired group] 13. Click: OK 14. Click: Finish (repeat 7-13 for each desired group) 15. Click OK Adding Additional Claim Values From SQL (see same site document: ADFSClaimValueFromSQL.pdf) Testing Claim Values Returned (see same site document: lccadfstestwebclient.pdf) Errors Error 1

10 Page 10 of 10: ConfiguringADFSForAcademicWorks.docx Definitions ADFS - Active Directory Federated Services SSO - Single-Sign On Modifications NAME DATE MODIFICATION David Mielcarek 8/5/2015 Created David Mielcarek 12/10/2015 Changed Token Groups to Unqualified Names End of document

Active Directory Federation Services (ADFS) Customer Implementation Guide Version 2.2

Active Directory Federation Services (ADFS) Customer Implementation Guide 2018-01-02 Version 2.2 TABLE OF CONTENTS Introduction... 2 Exchanging Metadata... 2 Creating a Relying Party Trust in ADFS... 2