Configuring ADFS for Academic Works


Source file: ConfiguringADFSForAcademicWorks.docx (10 pages)

Contents

Description
Prerequisites (for ADFS 3.0)
Install the Public SSL Cert on both the ADFS and the DMZ Web Application Server
Install ADFS using the Add Roles and Features Wizard or via Windows PowerShell
Configure the first federation server in a new federation server farm using the Active Directory Federation Service Configuration Wizard
To install the Web Application Proxy role service on the DMZ server
To configure Web Application Proxy
Testing your ADFS Setup
Retrieve the Federation Meta Data Information for your ADFS environment
Decide on Attributes to be used
Create Relying Party Trust for ADFS to AcademicWorks
Add Claims rules to AcademicWorks Relying Party Trust
Restricting Authentication To Specific AD Groups
Adding Additional Claim Values From SQL
Testing Claim Values Returned
Errors
Definitions
Modifications

Description

This document describes how to set up Single-Sign On (SSO) between ADFS and Academic Works. Documentation credit goes to Joey Rego and the folks at Lynn University for compiling data, sources and links, and for the hard work of being the pioneers in getting this working.

Prerequisites (for ADFS 3.0)

- Server 2012 R2 for the internal ADFS server
  - Open port 443 in the Windows firewall
- Server 2012 R2 for the DMZ Web Application Proxy server (optional but recommended)
  - Open port 443 in the Windows firewall
- Server 2012 R2 with SQL 2012 or later for the ADFS database (optional but recommended)
- Service account used to run the ADFS service
- Public SSL cert added to the Personal certificate store

All information provided below has been adapted from https://msdn.microsoft.com/en-us/library/azure/dn528856.aspx

Install the Public SSL Cert on both the ADFS and the DMZ Web Application Server

1. Copy the SSL cert (the file ending in .pfx) to the server.
2. Right-click the cert and choose Install PFX.
3. Select the Local Machine option and click Next.
4. On the File to Import page, the path to the selected .pfx file should already be set. Click Next.
5. If there is a password on the file, enter it now. If you want this key to be exportable, you can select that option as well. We will leave the Include all extended properties checkbox enabled and click Next.
6. Select the Place all certificates in the following store option and choose Personal as the location to store the cert. Click Next and then Finish.

Install ADFS using the Add Roles and Features Wizard or via Windows PowerShell

1. Open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and click Next.
4. On the Select destination server page, click Select a server from the server pool, verify that the target computer is highlighted, and then click Next.
5. On the Select server roles page, click Active Directory Federation Services, and then click Next.
6. On the Select features page, click Next. The required prerequisites are pre-selected for you. You do not need to select any other features.
7. On the Active Directory Federation Service (AD FS) page, click Next.
8. After you verify the information on the Confirm installation selections page, click Install.
9. On the Installation progress page, verify that everything installed correctly, and then click Close.

Configure the first federation server in a new federation server farm using the Active Directory Federation Service Configuration Wizard

*** Make sure you have domain administrator permissions or have domain administrator credentials available before you perform this procedure. To be clear, the account only needs this right for the install, so do not grant the service account you created domain admin rights. Use an existing domain admin account already set up in your environment to run the install.

1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on this server. The Active Directory Federation Service Configuration Wizard is launched.
2. On the Welcome page, select Create the first federation server in a federation server farm and click Next.
3. On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to, and then click Next.
4. On the Specify Service Properties page, do the following and then click Next:
   a. Select the certificate that you previously installed from the list.
   b. Provide a name for your federation service, for example sts.contoso.com. This name must match one of the subject or subject alternative names in the certificate.
   c. Provide a display name for your federation service, for example Contoso Corporation Identity Federation Service. This name will be shown to users on the AD FS sign-in page.
5. On the Specify Service Account page, specify the service account that you already created as a prerequisite.
6. On the Specify Configuration Database page, specify an AD FS configuration database and then click Next. You can either create a database on this computer using Windows Internal Database (WID) or specify the location and the instance name of the SQL server.
7. On the Review Options page, verify your configuration selections and click Next.
8. On the Pre-requisite Checks page, verify that all pre-requisite checks were successfully completed, and then click Configure.
9. On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.

To install the Web Application Proxy role service on the DMZ server

1. On the DMZ Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.
3. On the Select server roles dialog, select Remote Access, and then click Next.
4. Click Next twice.
5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.
6. On the Confirm installation selections dialog, click Install.
7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

To configure Web Application Proxy

1. On the Web Application Proxy server, open the Remote Access Management console: on the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
2. In the navigation pane, click Web Application Proxy.
3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.
4. In the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.
5. On the Federation Server dialog, do the following, and then click Next:
   a. In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.contoso.com.
   b. In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.
6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.
   a. The certificate you choose here should be the one whose subject is the Federation Service name, for example fs.contoso.com. If you plan on using Workplace Join, this must be a SAN certificate with the SANs described in Configure CAs and certificates.
7. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.
8. On the Results dialog, verify that the configuration was successful, and then click Close.

Testing your ADFS Setup

1. There are a few things we need to do to test our ADFS setup. If you have already updated your environment's DNS to point to your newly set up server, there is nothing more to do and you should be able to browse to the URL. If you haven't and are still in the testing phase, you can edit the local hosts file on your test Windows machine, found in c:\windows\system32\drivers\etc. Open the file with Notepad and add the IP address and the FQDN of the server that has ADFS installed. We will do this twice: once for the ADFS server directly, and a second time to simulate accessing ADFS through the Web Application Proxy.
   - Doing this allows us to manually configure your computer to access the URL by name instead of just by IP address.
2. Now go to the following URL. Be sure to substitute the FQDN of your environment, and be sure to remove the <> as well.
   a. https://<fqdn>/adfs/ls/idpinitiatedsignon.aspx
3. Now we should be able to test our login using one of the three options. All should work, but it's good to test them all to make sure.
   a. username@domain.local
      i. Be sure to substitute your user for username
      ii. Be sure to change domain.local to the FQDN of your environment
   b. Domain\username
      i. Be sure to substitute your user for username
      ii. Be sure to change Domain to the NETBIOS name of your domain
   c. DomainFQDN\username
      i. Be sure to substitute your user for username
      ii. Be sure to change DomainFQDN to the FQDN of your domain
4. Once we are sure this is working, go back to the hosts file edited in step 1 and change only the IP address, so that it is now that of the DMZ Web Application Proxy server.
   a. Once you have done this, ping the FQDN to make sure that your computer is now resolving to the DMZ Web Application Proxy IP address.
5. Now perform steps 2 and 3 again.
   a. This tests that we are sending requests to the DMZ Web Application Proxy and that the Proxy is forwarding the request to the backend ADFS box.
6. Once all of this is completed, we have confirmed we can log in.

Retrieve the Federation Meta Data Information for your ADFS environment

1. We need to download the metadata XML so that we can send it to AcademicWorks tech support; it tells them what attributes they can use for their Shibboleth implementation.
2. Using Chrome or Firefox, go to https://<fqdn>/federationmetadata/2007-06/federationmetadata.xml (your site may vary).
   a. Be sure to remove the <> and enter the FQDN of your environment.
   b. Save the file.
   c. Now you can send this information to AcademicWorks support.
      i. If tech support says that the file needs to be adjusted, follow the link below for more information. You may need to adjust a few sections of the downloaded .xml file with notepad.exe or something similar, save it, and then send that file back to support.
         1. http://blog.kloud.com.au/2014/10/29/shibboleth-serviceprovider-integration-with-adfs/
      ii. Here is another reference. See the section To Create edited AD FS 2.0 metadata.
         1. https://wiki.shibboleth.net/confluence/display/shib2/microsoftinterop

Decide on Attributes to be used

1. Windows account name (x-r25-user):
   a. http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
2. Given Name (x-r25-first-name):
   a. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
3. Surname (x-r25-family-name):
   a. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
4. E-Mail Address (x-r25-email-work):
   a. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Create Relying Party Trust for ADFS to AcademicWorks

1. Open the ADFS console.
2. Expand Trust Relationships.
3. Right-click Relying Party Trusts.
4. Select Add Relying Party Trust.
5. Click Start.
6. Choose Import data about the relying party published online or on a local network.
7. Paste in the URL for your site. Note: replace [...] with your institution name.
   a. https://[...].academicworks.com/saml/metadata
8. Click Next.
9. You may get a message saying: Some of the content in the federation metadata was skipped. (See Error 1 below for reference.)
10. Enter the Display Name you desire.
11. Click Next.
12. Select I do not want to configure multi-factor authentication.
13. Click Next.
14. Select Permit all users to access the relying party.
15. Click Next.
16. Click Next on the Ready to Add Trust page.
17. Leave checked (or check) the checkbox for Open the Edit Claim Rules dialog...
18. Click Close on the Finish page.
19. Now you will need to add the claims rules like below.
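The wizard steps above (certificate import, farm, Web Application Proxy, sign-on test, metadata download and relying party trust) as one PowerShell script. This is an added example, not part of the original document; the federation service name sts.contoso.com, the service account CONTOSO\svc-adfs, the SQL instance SQL01\ADFS, the PFX path C:\certs\sts.pfx and the <institution> placeholder in the AcademicWorks metadata URL are constructed values to be replaced with your own.

```powershell
# Added example (not from the original document). Constructed values: sts.contoso.com,
# CONTOSO\svc-adfs, SQL01\ADFS, C:\certs\sts.pfx and the <institution> placeholder.
$FederationServiceName = 'sts.contoso.com'
$MetadataUrl           = 'https://<institution>.academicworks.com/saml/metadata'

# --- Internal ADFS server -----------------------------------------------------
# Import the public SSL cert into the Local Machine Personal store. -Exportable is
# deliberately NOT passed: the key that signs your tokens should not leave this host.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath 'C:\certs\sts.pfx' `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# The install runs under an existing domain admin; the service account itself is NOT one.
$domainAdmin = Get-Credential -Message 'Domain admin used only for the install'
$svcAccount  = Get-Credential -UserName 'CONTOSO\svc-adfs' -Message 'ADFS service account'

Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName 'Contoso Identity Federation Service' `
                 -ServiceAccountCredential $svcAccount `
                 -Credential $domainAdmin `
                 -SQLConnectionString 'Data Source=SQL01\ADFS;Integrated Security=True'
# Leave out -SQLConnectionString to use the Windows Internal Database (WID) instead.

# --- DMZ Web Application Proxy server -----------------------------------------
# Repeat the PFX import there, then run the cmdlet the WAP wizard offers to copy.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential (Get-Credential -Message 'Local admin on the AD FS server') `
    -CertificateThumbprint $cert.Thumbprint

# --- Test sign-on page and fetch the metadata for AcademicWorks support --------
# Test-NetConnection honours the hosts file, so RemoteAddress shows whether the test
# client is hitting the ADFS server directly or the WAP (steps 1, 4 and 5 above).
Test-NetConnection -ComputerName $FederationServiceName -Port 443 |
    Format-List RemoteAddress, TcpTestSucceeded
Start-Process "https://$FederationServiceName/adfs/ls/idpinitiatedsignon.aspx"

$metadataFile = "$env:USERPROFILE\Desktop\federationmetadata.xml"
Invoke-WebRequest -Uri "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml" `
                  -OutFile $metadataFile
$md = [xml](Get-Content $metadataFile)
"entityID sent to support: $($md.EntityDescriptor.entityID)"

# --- Relying party trust imported from the AcademicWorks metadata (steps 1-19) --
Add-AdfsRelyingPartyTrust -Name 'AcademicWorks' -MetadataUrl $MetadataUrl `
                          -MonitoringEnabled $true -AutoUpdateEnabled $true
Get-AdfsRelyingPartyTrust -Name 'AcademicWorks' | Select-Object Name, Identifier, Enabled
```

The trust is created with the default Permit all users authorization rule, exactly as the wizard does; the claim rules and the group restriction are applied in the sections that follow.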

Add Claims rules to AcademicWorks Relying Party Trust

Claim rules describe how AD FS 3.0 determines what data should reside inside the federation security tokens that it generates. The claim rule in this section describes how data from Active Directory is inserted into the security token that is created for Shibboleth. Shibboleth is preconfigured to assert multiple attributes of the eduPerson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attribute names to use a different name format (urn:oasis:names:tc:saml:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:saml:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS custom rule language to generate Shibboleth-compliant claims. We will generate an eduPersonPrincipalName claim, based on the user's UPN, and an eduPersonScopedAffiliation claim, based on domain membership.

To configure eduPerson claims for sending to a relying party trust

1. The Edit Claim Rules dialog box should already be open. If not, in the AD FS center pane, under Relying Party Trusts, right-click the CollegeNet trust, and then click Edit Claim Rules.
2. On the Issuance Transform Rules tab, click Add Rule.
3. On the Select Rule Template page, select Send LDAP Attributes as Claims, and then click Next.
4. On the Configure Rule page, in the Claim rule name box, type Get Data.
5. In the Attribute Store list, select Active Directory.
6. In the Mapping of LDAP attributes section, create the following mappings. Note: not all of these claims need to be provided; they are shown for reference only. In most cases you do not need to share the Group claim, etc. Talk with your SAML vendor to find out what exact claims they require and only configure those.

   LDAP Attribute                      Outgoing Claim Type
   User-Principal-Name                 UPN
   Token-Groups - Unqualified Names    Group                  (optional, only if needed/desired)
   Given-Name                          Given Name
   E-Mail-Addresses                    E-Mail Address
   SAM-Account-Name                    Windows account name
   Surname                             Surname

7. Click Finish.
8. [only if supplying the UPN Claim Value] On the Issuance Transform Rules tab, click Add Rule.
9. [only if supplying the UPN Claim Value] On the Select Rule Template page, select Send Claims Using a Custom Rule, and then click Next.
10. [only if supplying the UPN Claim Value] On the Configure Rule page, in the Claim rule name box, type Transform UPN to eppn.
11. [only if supplying the UPN Claim Value] In the Custom Rule window, type or copy and paste the following:

    c:[type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
     => issue(type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri");

12. [only if supplying the UPN Claim Value] Click Finish.
13. [only if supplying the Group Claim Value] On the Issuance Transform Rules tab, click Add Rule.
14. [only if supplying the Group Claim Value] On the Select Rule Template page, select Send Claims Using a Custom Rule, and then click Next.
15. [only if supplying the Group Claim Value] On the Configure Rule page, in the Claim rule name box, type Transform Group to epsa.
16. [only if supplying the Group Claim Value] In the Custom Rule window, type or copy and paste the following, but be sure to change the domain name (contoso.com below) to match yours:

    c:[type == "http://schemas.xmlsoap.org/claims/group", Value == "Domain Users"]
     => issue(type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9", Value = "member@contoso.com", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri");

17. [only if supplying the Group Claim Value] Click Finish.

18. Click OK.

Restricting Authentication To Specific AD Groups

Section added by: David Mielcarek, 20150803

1. Open: ADFS
2. Expand: Trust Relationships
3. Click: Relying Party Trusts
4. Click: [desired trust]
5. Click: Edit Claim Rules
6. Click: Issuance Authorization Rules (tab)
   a. (remove any current rules if you want to restrict to new ones)
7. Click: Add Rule
8. Choose: Permit or Deny Users Based on an Incoming Claim
9. Type: Claim Rule Name
10. Choose: (Incoming claim type) Group SID
11. Click: Browse
12. Choose: [desired group]
13. Click: OK
14. Click: Finish (repeat 7-13 for each desired group)
15. Click: OK

Adding Additional Claim Values From SQL

(see same site document: ADFSClaimValueFromSQL.pdf)

Testing Claim Values Returned

(see same site document: lccadfstestwebclient.pdf)

Errors

Error 1
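The Get Data, Transform UPN to eppn and Transform Group to epsa rules from the claims section, together with the Group SID issuance authorization rule from the section above, applied in one go with Set-AdfsRelyingPartyTrust. This is an added example, not part of the original document; it assumes the trust is named AcademicWorks, the scope is contoso.com, the AD group Scholarship-Users is a constructed name, and the ActiveDirectory module is available for Get-ADGroup.

```powershell
# Added example (not from the original document). Assumed values: trust 'AcademicWorks',
# scope contoso.com, constructed group 'Scholarship-Users'.
$TrustName  = 'AcademicWorks'
$Scope      = 'contoso.com'
# Property that makes AD FS emit the attribute name in the uri format Shibboleth expects.
$AttrFormat = 'Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri"'

# Rule 1 - 'Get Data': the Send LDAP Attributes as Claims template written out in the rule
# language. Only attributes the vendor asked for are queried; tokenGroups is included here
# solely because the epsa rule below keys off the Group claim.
$getData = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get Data"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";userPrincipalName,givenName,sn,mail,sAMAccountName,tokenGroups;{0}", param = c.Value);
"@

# Rule 2 - 'Transform UPN to eppn' (urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is eduPersonPrincipalName)
$eppn = @"
@RuleName = "Transform UPN to eppn"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value, $AttrFormat);
"@

# Rule 3 - 'Transform Group to epsa' (urn:oid:1.3.6.1.4.1.5923.1.1.1.9 is eduPersonScopedAffiliation)
$epsa = @"
@RuleName = "Transform Group to epsa"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Domain Users"]
 => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9", Value = "member@$Scope", $AttrFormat);
"@

# Issuance authorization: replaces the wizard's 'Permit all users' rule with a Group SID rule,
# as the Permit or Deny Users Based on an Incoming Claim template generates it. Matching on the
# SID rather than the group name survives a group rename; add one such rule per group.
$groupSid = (Get-ADGroup -Identity 'Scholarship-Users').SID.Value
$permit = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit Scholarship-Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$groupSid$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules ($getData + $eppn + $epsa) `
    -IssuanceAuthorizationRules $permit

# Read back what was applied and confirm the two attributename properties are present.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceAuthorizationRules
```

Because -IssuanceAuthorizationRules replaces the whole rule set, a user who is not in any of the listed groups now receives no permit claim and is denied access to the trust.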

Definitions

ADFS - Active Directory Federation Services
SSO - Single-Sign On

Modifications

NAME               DATE         MODIFICATION
David Mielcarek    8/5/2015     Created
David Mielcarek    12/10/2015   Changed Token Groups to Unqualified Names

End of document