VIEVU Solution AD Sync and ADFS Guide

Introduction
This guide describes how to operate the VIEVU Solution AD Sync utility and configure Active Directory Federation Services (ADFS). Additional support material is available at www.vievu.com/vievu-solution-support.

Contact Us
If you need assistance or have any questions, please visit www.vievu.com/vievu-solution-support, contact us by phone at 888-285-4548 or email support@vievu.c

Version 1.16.0.0 11062017
ACTIVE DIRECTORY SYNC
VIEVU Solution AD Sync Guide

OVERVIEW
The VIEVU Solution AD Sync utility is a client application installed on a local computer that synchronizes your local Active Directory user accounts with the VIEVU Solution.

CONNECTION
Enter the domain controller's information and specify an account with access to the domain. The Base DN can point to an Active Directory OU or to the domain. The sync interval can be configured from 1 to 24 hours.
CONFIGURATION
Once connected to Active Directory, you can choose to synchronize based on AD Group(s) or User Attribute(s), depending on how your Active Directory is structured. Match the VIEVU Solution fields to the appropriate Active Directory attributes.

You can also choose not to synchronize roles between the VIEVU Solution and AD Sync. When VIEVU Solution roles are managed differently from the Active Directory (AD) groups or attributes, the admin can clear the Sync Roles check box (shown below) so that AD roles are not copied to the VIEVU Solution. Every VIEVU Solution user must have a role assigned, so when the Sync Roles check box is cleared, new users are placed in a default role (AD Sync) that is created in the VIEVU Solution. If the Sync Roles check box is cleared (as shown), the roles of users already in the VIEVU Solution are not changed or updated.
SYNCING
For this example, the Role is AD Group option is selected, as in the previous window. When you run the sync operation, the program searches for an existing Role with the same name in the VIEVU Solution. If the Role does not exist, the operation creates a new one in the VIEVU Solution. Next, the program searches for an existing user with the same login. If the user does not exist, a new user is created and automatically placed into that Role.

Note: Users residing in multiple AD Groups inherit the first synchronized Group for that user.
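The merge rules in the CONFIGURATION and SYNCING sections (role created if missing, user created and placed in the role, first group wins, and the behaviour when Sync Roles is cleared) are easier to reason about as a small model. The following PowerShell is an added illustration, not the VIEVU AD Sync utility's own code; the group and user data are constructed, and two points are assumptions drawn from the text: groups are processed in the order they are configured, and with Sync Roles on an existing user's role is updated to the AD group's role (the inverse of the cleared case).

```powershell
# Added model of the AD Sync merge rules; not the VIEVU utility's code.
# Assumptions: groups are processed in configured order; with Sync Roles on,
# an existing user's role is updated (inverse of the "cleared" behaviour).
function Invoke-AdSyncModel {
    param(
        [Parameter(Mandatory)] [object[]]  $AdGroups,    # ordered: @{ Name='..'; Members=@('login', ...) }
        [Parameter(Mandatory)] [hashtable] $VievuRoles,  # role name -> $true
        [Parameter(Mandatory)] [hashtable] $VievuUsers,  # login -> role name
        [bool] $SyncRoles = $true                         # mirrors the "Sync Roles" check box
    )
    $roles = $VievuRoles.Clone()   # work on copies so the caller's state is untouched
    $users = $VievuUsers.Clone()
    $log   = [System.Collections.Generic.List[string]]::new()
    $seen  = @{}                   # logins already handled in this run (first group wins)

    if (-not $SyncRoles -and -not $roles.ContainsKey('AD Sync')) {
        $roles['AD Sync'] = $true  # default role for new users when Sync Roles is cleared
        $log.Add('Created default role AD Sync')
    }
    foreach ($group in $AdGroups) {
        if ($SyncRoles -and -not $roles.ContainsKey($group.Name)) {
            $roles[$group.Name] = $true        # role with the same name as the AD group
            $log.Add("Created role $($group.Name)")
        }
        foreach ($login in $group.Members) {
            if ($seen.ContainsKey($login)) {
                $log.Add("$login also in $($group.Name): ignored, first group wins")
                continue
            }
            $seen[$login] = $true
            if (-not $users.ContainsKey($login)) {
                $users[$login] = if ($SyncRoles) { $group.Name } else { 'AD Sync' }
                $log.Add("Created user $login in role $($users[$login])")
            } elseif ($SyncRoles) {
                $users[$login] = $group.Name
                $log.Add("Updated $login to role $($group.Name)")
            } else {
                $log.Add("$login exists: role $($users[$login]) left unchanged")
            }
        }
    }
    [pscustomobject]@{ Roles = $roles; Users = $users; Log = $log }
}

# Constructed sample: bob is in two groups; carol already exists in VIEVU Solution as Admin.
$groups = @(
    @{ Name = 'Officers';    Members = @('alice', 'bob') },
    @{ Name = 'Supervisors'; Members = @('bob', 'carol') }
)
$existingRoles = @{ 'Admin' = $true }
$existingUsers = @{ 'carol' = 'Admin' }

$on  = Invoke-AdSyncModel -AdGroups $groups -VievuRoles $existingRoles -VievuUsers $existingUsers -SyncRoles $true
$off = Invoke-AdSyncModel -AdGroups $groups -VievuRoles $existingRoles -VievuUsers $existingUsers -SyncRoles $false
$on.Log;  $on.Users    # bob lands in Officers, not Supervisors; carol is moved to Supervisors
$off.Log; $off.Users   # alice and bob get AD Sync; carol stays Admin
```

The run with Sync Roles on shows why the multi-group note matters for least privilege: bob's role in the VIEVU Solution is decided by whichever group is synchronized first, so a user who belongs to both a broad and a privileged group should be checked after the first sync to confirm which role they actually received.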
FINISH
AD Sync has been successfully configured. To sync immediately, select the corresponding check box and click Finish.
If you selected Synchronize Immediately, the following window is displayed until synchronization is complete.
Active Directory Federation Services (ADFS)

OVERVIEW
Before configuring ADFS, it is recommended that at least one (1) Administrator account is not currently being synchronized with AD Sync. This ensures that you retain the ability to log in to the VIEVU Solution website to make changes if necessary.

ADFS AUTHENTICATION PROCESS
(Diagram: WEB-Site + AD FS (using SAML), with the VIEVU Solution on one side and the Customer's side on the other. The flow shown in the diagram is as follows.)
1. A user enters name/password on the VIEVU Login page (https://somename.vievusolution.com/) in the user's browser.
2. The VIEVU Web-Site sends a SOAP request for a SAML token to the customer's AD FS through an HTTPS connection. Endpoint: https://<adfs>/adfs/services/trust/13/usernamemixed. The request contains the name\password.
3. AD FS authenticates the user against AD and returns a SAML token, or a fault if the credentials are invalid.
4. If the SAML token is valid, API.Net Identity searches the VIEVU DB for a user by the username taken from the token attributes.
5. When the user is found, the web site calls SignOn for the ASP.NET user and redirects to the Videos page. The user is signed in, and subsequent requests from the browser are authenticated.

ADFS SETUP AND CONFIGURATION

Enable UserNameMixed Endpoint
1. Open the ADFS Management Console.
2. Expand Service.
3. Select Endpoints.
4. Confirm /adfs/services/trust/13/usernamemixed is enabled. If not, enable the endpoint.
Add ADFS Relying Party
1. From the ADFS Management Console, expand the Trust Relationships directory.
2. Select Relying Party Trusts.
3. Click Add Relying Party Trust on the right.
4. Click Start.
5. Select Enter data about the relying party manually and click Next.
6. Enter the display name VIEVU RP. In the notes section, you can enter anything descriptive that you would like listed. Then click Next.
7. Select AD FS profile and click Next.
8. At the token certificate page, click Next.
9. Uncheck all options on the protocols page and click Next. VIEVU's implementation uses WS-Trust.
10. In the Relying party trust identifier field, enter the website address for your VIEVU Solution account.
11. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next.
12. Select Permit all users to access this relying party and click Next.
13. Review the settings and, when ready, click Next.
14. Place a checkmark in Open the edit claim rules dialog for this relying party trust when the wizard closes and click Close.
15. The Claim Rules window is displayed. Click Add Rule.
16. Select Send LDAP Attributes as Claims and click Next.
17. In the Claim rule name field, enter a name for the claim rule. On the left, select the attribute that is used to match the Login field in the VIEVU Solution. Typically, SAM-Account-Name is matched to the outgoing claim type of Name.
18. Click Finish.
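The endpoint check (Enable UserNameMixed Endpoint, steps 1 to 4) and the relying party wizard (Add ADFS Relying Party, steps 1 to 18) can also be done from PowerShell on the ADFS server. The script below is an added example, not part of the VIEVU guide: it uses the ADFS module cmdlets Get-AdfsEndpoint, Enable-AdfsEndpoint, Set-AdfsEndpoint, Add-AdfsRelyingPartyTrust and Get-AdfsRelyingPartyTrust, and the two claim rules are the rule-language form of the Send LDAP Attributes as Claims template (SAM-Account-Name to Name) and the Permit all users template. The relying party identifier https://somename.vievusolution.com/ is a placeholder for your own VIEVU Solution website address; publishing the endpoint through the proxy (Set-AdfsEndpoint -Proxy) is my addition, based on the guide's requirement that the endpoint URI be publicly available.

```powershell
# Added example (not from the VIEVU guide): PowerShell equivalent of the console steps.
# Run in an elevated session on the ADFS server. Host names and the identifier are placeholders.
Import-Module ADFS

$relyingPartyId = 'https://somename.vievusolution.com/'   # your VIEVU Solution website address (step 10)

# --- Enable UserNameMixed Endpoint (steps 1-4) ---
$path = '/adfs/services/trust/13/usernamemixed'
$endpoint = Get-AdfsEndpoint -AddressPath $path
if (-not $endpoint.Enabled) {
    Enable-AdfsEndpoint -TargetAddressPath $path
    Restart-Service adfssrv              # endpoint changes take effect after the ADFS service restarts
}
if (-not $endpoint.Proxy) {
    # VIEVU calls this endpoint from the internet, so it must be published through the proxy (assumption)
    Set-AdfsEndpoint -TargetAddressPath $path -Proxy $true
}
Get-AdfsEndpoint -AddressPath $path | Select-Object AddressPath, Enabled, Proxy

# --- Add ADFS Relying Party (steps 1-18) ---
# Step 17: Send LDAP Attributes as Claims, SAM-Account-Name -> outgoing claim type Name
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "VIEVU login"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Step 12: Permit all users to access this relying party
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name 'VIEVU RP')) {
    # No -WSFedEndpoint or -SamlEndpoint: step 9 leaves every protocol unchecked (WS-Trust only)
    Add-AdfsRelyingPartyTrust -Name 'VIEVU RP' `
        -Identifier $relyingPartyId `
        -Notes 'VIEVU Solution relying party (WS-Trust usernamemixed)' `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}
Get-AdfsRelyingPartyTrust -Name 'VIEVU RP' | Select-Object Name, Identifier, Enabled, IssuanceTransformRules
```

The identifier you pass to -Identifier is the value the VIEVU Solution must later be given as the ADFS URI (step 23), so keep the two strings byte-for-byte identical, including the trailing slash.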
19. Log in to the VIEVU Solution webpage and go to the Settings page.
20. Click Active Directory on the left.
21. In the Active Directory Federation Services section, toggle Active Directory Federation to Yes.
22. Enter the ADFS Service Endpoint as the publicly available URI for your ADFS environment. The format is as follows: https://myadfs.mydomain.com/adfs/services/trust/13/usernamemixed The host-name portion (myadfs.mydomain.com, shown in bold in the original) must be your ADFS environment URI.
23. Enter the ADFS URI as the website address for your VIEVU Solution account. This must be identical to the web address you entered in Step 10.
24. Enter the ADFS Domain as your Active Directory domain name.
25. Click Save.
26. Click Test Connection, enter the login and password of an Active Directory user account, and click Test Connection.

Note: The username format is simply a login and does not include domain information.
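The exchange shown in the ADFS AUTHENTICATION PROCESS diagram (a WS-Trust 1.3 request to the usernamemixed endpoint carrying name\password, answered with a SAML token or a fault) is what Test Connection in step 26 exercises. The PowerShell below is an added example, not VIEVU's or Microsoft's code: New-UsernameMixedRequest builds the SOAP request, ConvertFrom-UsernameMixedResponse distinguishes a token from a fault and applies the audience and validity-window checks a relying party makes before trusting the token's claims, and Test-UsernameMixedLogon sends the request with Invoke-WebRequest. The endpoint host, relying party identifier, user name and the two sample replies are constructed placeholders; signature verification of the assertion against the ADFS token-signing certificate is not implemented here.

```powershell
# Added example (not from the VIEVU guide): WS-Trust 1.3 usernamemixed exchange and reply parsing.
# Endpoint, relying party identifier, login and the sample replies below are constructed placeholders.
function New-UsernameMixedRequest {
    param(
        [Parameter(Mandatory)] [string] $Endpoint,        # https://<adfs>/adfs/services/trust/13/usernamemixed
        [Parameter(Mandatory)] [string] $RelyingPartyId,  # the identifier from step 10 / step 23
        [Parameter(Mandatory)] [string] $Username,        # plain login, no domain (step 26)
        [Parameter(Mandatory)] [string] $Password
    )
    $now = [DateTime]::UtcNow
    $u = [System.Security.SecurityElement]::Escape($Username)
    $p = [System.Security.SecurityElement]::Escape($Password)
    @"
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
 xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
  <a:MessageID>urn:uuid:$([Guid]::NewGuid())</a:MessageID>
  <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
  <a:To s:mustUnderstand="1">$Endpoint</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="_0"><u:Created>$($now.ToString('o'))</u:Created><u:Expires>$($now.AddMinutes(5).ToString('o'))</u:Expires></u:Timestamp>
   <o:UsernameToken u:Id="uuid-$([Guid]::NewGuid())"><o:Username>$u</o:Username>
    <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">$p</o:Password>
   </o:UsernameToken>
  </o:Security>
 </s:Header>
 <s:Body>
  <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <a:EndpointReference><a:Address>$RelyingPartyId</a:Address></a:EndpointReference></wsp:AppliesTo>
   <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
   <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
   <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
  </trust:RequestSecurityToken>
 </s:Body>
</s:Envelope>
"@
}

function ConvertFrom-UsernameMixedResponse {
    param([Parameter(Mandatory)] [string] $Xml, [Parameter(Mandatory)] [string] $RelyingPartyId)
    $doc = [xml]$Xml
    $ns = @{ s = 'http://www.w3.org/2003/05/soap-envelope'; trust = 'http://docs.oasis-open.org/ws-sx/ws-trust/200512'
             saml = 'urn:oasis:names:tc:SAML:2.0:assertion' }
    $fault = Select-Xml -Xml $doc -XPath '/s:Envelope/s:Body/s:Fault' -Namespace $ns
    if ($fault) {   # AD FS answers invalid credentials with a SOAP fault instead of a token
        $reason = (Select-Xml -Xml $fault.Node -XPath 's:Reason/s:Text' -Namespace $ns).Node.InnerText
        return [pscustomobject]@{ Success = $false; Reason = $reason; Login = $null }
    }
    $assertion = (Select-Xml -Xml $doc -XPath '//trust:RequestedSecurityToken/saml:Assertion' -Namespace $ns).Node
    if (-not $assertion) { throw 'Reply carried neither a SAML assertion nor a SOAP fault' }
    # Minimum relying-party checks before the claims are trusted (signature verification not shown):
    $audience = (Select-Xml -Xml $assertion -XPath 'saml:Conditions/saml:AudienceRestriction/saml:Audience' -Namespace $ns).Node.InnerText
    if ($audience -ne $RelyingPartyId) { throw "Token audience '$audience' is not this relying party" }
    $cond = (Select-Xml -Xml $assertion -XPath 'saml:Conditions' -Namespace $ns).Node
    $nowUtc = [DateTime]::UtcNow
    if ($nowUtc -lt [DateTimeOffset]::Parse($cond.NotBefore).UtcDateTime -or
        $nowUtc -ge [DateTimeOffset]::Parse($cond.NotOnOrAfter).UtcDateTime) { throw 'Token is outside its validity window' }
    # The Name claim issued by the LDAP rule (SAM-Account-Name) is what VIEVU matches to the Login field
    $login = (Select-Xml -Xml $assertion -Namespace $ns `
        -XPath "saml:AttributeStatement/saml:Attribute[@Name='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']/saml:AttributeValue").Node.InnerText
    [pscustomobject]@{ Success = $true; Reason = $null; Login = $login }
}

function Test-UsernameMixedLogon {
    param([string] $Endpoint, [string] $RelyingPartyId, [string] $Username, [string] $Password)
    $body = New-UsernameMixedRequest @PSBoundParameters
    try {
        $raw = (Invoke-WebRequest -Uri $Endpoint -Method Post -Body $body -UseBasicParsing `
                    -ContentType 'application/soap+xml; charset=utf-8').Content
    } catch {
        $raw = $_.ErrorDetails.Message   # a fault comes back as HTTP 500 with the SOAP fault in the body
        if (-not $raw) { throw }
    }
    ConvertFrom-UsernameMixedResponse -Xml $raw -RelyingPartyId $RelyingPartyId
}

# Constructed sample replies for offline parsing (a real reply also carries a ds:Signature).
$sampleToken = @'
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><trust:RequestSecurityTokenResponseCollection
 xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><trust:RequestSecurityTokenResponse><trust:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0" IssueInstant="2017-11-06T00:00:00Z">
<saml:Issuer>http://myadfs.mydomain.com/adfs/services/trust</saml:Issuer>
<saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
<saml:Audience>https://somename.vievusolution.com/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
</trust:RequestedSecurityToken></trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>
'@
$sampleFault = @'
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value></s:Code>
<s:Reason><s:Text xml:lang="en-US">ID3242: The security token could not be authenticated or authorized.</s:Text></s:Reason>
</s:Fault></s:Body></s:Envelope>
'@
ConvertFrom-UsernameMixedResponse -Xml $sampleToken -RelyingPartyId 'https://somename.vievusolution.com/'  # Success=True, Login=jsmith
ConvertFrom-UsernameMixedResponse -Xml $sampleFault -RelyingPartyId 'https://somename.vievusolution.com/'  # Success=False, Reason=ID3242...
# Live check against your own environment (placeholders):
# Test-UsernameMixedLogon -Endpoint 'https://myadfs.mydomain.com/adfs/services/trust/13/usernamemixed' `
#     -RelyingPartyId 'https://somename.vievusolution.com/' -Username 'jsmith' -Password (Read-Host 'Password')
```

Two things worth noticing in the exchange: the password travels in the SOAP body as PasswordText, so the usernamemixed endpoint is only as safe as the TLS connection in front of it, and the AppliesTo address in the request is what ADFS writes into the token's Audience, which is why the ADFS URI entered in step 23 must match the relying party identifier from step 10 exactly.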