Microsoft ADFS Configuration
Page 1 of 12
1 Information

1.1 ADFS

KMD Secure ISMS supports ADFS for integration with Microsoft Active Directory by implementing WS-Federation and SAML 2. The integration allows both manual federated login and automatic single sign-on.

1.2 Federation service configuration

You must install the Microsoft ADFS role on your directory servers and add a valid certificate for creating secure HTTPS web connections. This guide contains screenshots from Windows Server 2012 R2 with ADFS 3.0. Please contact Microsoft if you need to set up ADFS 2 or earlier.

Use the Start Page to locate and start the ADFS Management console application. You need administrative access rights on the server to be able to manage ADFS.

1.3 Adding a new Relying Party Trust

Browse to ADFS -> Trust Relationships -> Relying Party Trust. Right click the folder, or use the Action menu on the right, and select Add Relying Party Trust. This starts the Add Relying Party Trust Wizard. The welcome page shows information on what a relying party trust is.
In the Select Data Source page, select "Enter data about the relying party manually".

In the "Specify Display Name" page, name the relying party trust according to your naming requirements. It is also good practice to write a short description.

In "Choose Profile" you must select the "AD FS profile".
In the "Configure Certificate" page we use the default certificate.

In the "Configuration URL" page we enable support for the SAML 2.0 WebSSO protocol. The service URL for the relying party is:

https://<name>.saas.neupart.com/authenticate

If you have another host name for your server you can use that instead, but remember to use the secure https protocol.

On the "Configure Identifiers" page you add the same URL as on the previous page. Type the URL and click the Add button.
We do not configure multi-factor authentication in this guide.

We now allow all users access to this federation trust. If you need a stricter selection of users, you can deny all by default and add users later.

We are now ready to create the relying party trust.
The Relying Party Trust is now created, and we need to set the Claim Rules for it. When you click Close, the Claim Rules dialog is shown.

In the Claim Rules editor you must add a new Issuance Transform Rule. Click the Add Rule button.

If you selected the Deny All Users option, remember to also add an Issuance Authorization rule that allows some users to use the federation.

Select "Send LDAP Attributes as Claims".
Name the claim rule "ISMS" and select Active Directory as the attribute store. Add these fields:

LDAP Attribute                      Outgoing Claim Type
objectguid                          Name ID
Display-Name                        Name
SAM-Account-Name                    Windows account name
E-Mail-Addresses                    E-Mail Address
Token-Groups - Unqualified Names    Group SID

If your e-mail addresses are stored in another field, select that field instead. If you are using multiple domains, you can select Token-Groups - Domain Qualified Names instead, which gives you an easy way to separate groups in the different domains.

After you have saved the claims, select the Relying Party Trust "ISMS Login" and select Properties in the action menu on the right (or use right click). Find the Advanced panel and select the Secure hash algorithm: SHA-1.
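The wizard steps in section 1.3 (endpoint, identifier, permit-all authorization rule, the "ISMS" LDAP claim rule and the SHA-1 setting) can be reproduced with the ADFS PowerShell module. This is an added example, not part of the KMD guide; it assumes ADFS 3.0 on Windows Server 2012 R2, an elevated session on the federation server, and the placeholder host name <name> from the guide.

```powershell
# Added example (not from the KMD guide): create the relying party trust from
# section 1.3 with the ADFS module instead of the wizard. Assumes an elevated
# PowerShell session on the ADFS 3.0 federation server.
Import-Module ADFS

# Hypothetical tenant host name; replace <name> with your own (section 1.3).
$ismsUrl = "https://<name>.saas.neupart.com/authenticate"

# "Send LDAP Attributes as Claims" rule named ISMS. The five LDAP attributes in the
# query map, in order, to the five outgoing claim types in the guide's table:
# objectGUID -> Name ID, displayName -> Name, sAMAccountName -> Windows account
# name, mail -> E-Mail Address, tokenGroups -> Group SID (Unqualified Names).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ISMS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"),
          query = ";objectGUID,displayName,sAMAccountName,mail,tokenGroups;{0}", param = c.Value);
'@

# "Permit all users" issuance authorization rule, as chosen in the wizard. If you
# chose "Deny all", replace this with a rule that permits only the allowed groups.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO assertion consumer endpoint at the ISMS authenticate URL.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ismsUrl

# SHA-1, as selected in the Advanced panel step (ADFS 3.0 defaults to rsa-sha256).
$sigAlg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

Add-AdfsRelyingPartyTrust -Name "ISMS Login" `
    -Notes "KMD Secure ISMS federation" `
    -Identifier $ismsUrl `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules `
    -SignatureAlgorithm $sigAlg

# Read the trust back to check identifier, endpoint and hash algorithm before testing.
Get-AdfsRelyingPartyTrust -Name "ISMS Login" |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints
```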
Locate the root folder "ADFS" and select "Edit Federation Service Properties". Note the Federation Service Name; we need it later when configuring the ISMS.

Locate and select the ADFS -> Service -> Certificates folder. Select the Token-signing certificate and select View Certificate from the action menu on the right (or right click).
Select the Details panel, then click Copy to File. This starts the export wizard.
Select the export format Base-64 encoded X.509 (.CER). This format contains only the public part of the certificate.

Select a folder to export the file to and provide a name such as adfs.cer. Complete the export by clicking Finish.
Find the certificate file, right click it and select to open it with Notepad. Copy the certificate text between the BEGIN and END markers. This certificate string is used when configuring KMD Secure ISMS.

1.4 KMD Secure ISMS configuration

In ISMS, go to Settings -> Directories. Select "+ Create" and then "+ ADFS" from the drop-down menu.

Directory Name can be any name you like.
Identity Provider Url is the Federation Service Name found in the Federation Service properties.
Response Url and Service Provider fields must contain the URL used to log into the ISMS.
The Identity Certificate field must contain the text you copied from the certificate (in Notepad).
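The certificate export in section 1.3 and the two ADFS-side values needed for the form in section 1.4 (Federation Service Name and the Base-64 certificate text) can also be produced directly on the federation server. This is an added example, not part of the KMD guide; it assumes an elevated PowerShell session on the ADFS 3.0 server and writes adfs.cer to the current user's profile folder.

```powershell
# Added example (not from the KMD guide): export the primary ADFS token-signing
# certificate in the same Base-64 encoded X.509 form as the Copy to File wizard,
# and read the Federation Service name, for the ISMS directory form in section 1.4.
Import-Module ADFS

$props = Get-AdfsProperties
# Federation Service name = the Identity Provider Url field.
$fsName = $props.HostName

# Primary token-signing certificate: the one currently signing tokens sent to ISMS.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert = $signing.Certificate

# X509ContentType::Cert exports only the DER-encoded public certificate, never the
# private key, which is why the .CER file contains only the public part.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Base64 wrapped at 64 characters: exactly the text the wizard writes between the markers.
$body = ([System.Convert]::ToBase64String($der) -replace '(.{64})', "`$1`r`n").TrimEnd()

# Write the same adfs.cer the export wizard would have produced.
$pem = "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\adfs.cer" -Value $pem -Encoding Ascii

# Values for the ISMS form. $body is the text to paste into Identity Certificate;
# it is the same text you would otherwise copy from Notepad.
Write-Output "Identity Provider Url: $fsName"
Write-Output "Identity Certificate:"
Write-Output $body

# Record which certificate was exported. With AutoCertificateRollover enabled, ADFS
# generates a new token-signing certificate before expiry and later makes it primary;
# the copy stored in ISMS must then be updated or federated logins will fail.
Write-Output ("Thumbprint: {0}  NotAfter: {1}  AutoCertificateRollover: {2}" -f $cert.Thumbprint, $cert.NotAfter, $props.AutoCertificateRollover)
```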
1.5 Managing the provider

Now you have the following provider options: Edit, Test, Login button, SSO and Delete.

With the Edit button you can edit the information you entered when creating the provider.

The Test button creates a login request to the ADFS server using your current account. If approved by your ADFS you will see a success message; otherwise you will see a detailed error message. Please ensure that the provider is working before enabling it with the login button or with single sign-on.

The Login button option controls whether the forms login page contains an ADFS login button. The button on the login form lets users select ADFS as an alternative login method.

The Single Sign On option enables an automatic redirect from the authentication form to your ADFS server. Only enable this once you have successfully tested the provider with the Test and Login button options. If ADFS fails the request, users are redirected back to the ISMS, where they can use the other available login methods.