This guide assumes you have already completed the following steps:
- Install ADFS
- Add SSL certificate to ADFS
- Configure ADFS for your domain
Confirm Active Directory is Under the Attribute Stores
Launch the "ADFS 2.0 Management" Console from the "Start Menu" -> "All Programs" -> "Administrative Tools":
Once launched, expand "Trust Relationships" and click on "Attribute Stores"; you should see "Active Directory" in the list:
Confirm Active Directory is Added to the Claims Provider Trusts
In the ADFS 2.0 Management Console, click on "Claims Provider Trusts" and make sure AD is in the list:
Export the Token Signing ADFS Certificate
We will upload this certificate when setting up ADFS as an IdP; it will be used to sign SAML responses/requests. Launch the ADFS 2.0 Management Console, expand "Service" and then click on "Certificates":
Right click on the "Token-Signing" certificate and select "View Certificate":
Then click on the "Details" tab and click on "Copy to File":
At this point a wizard will start:
Click next and select the format to be "Base-64 encoded X.509 (.CER)":
Follow the rest of the prompts to place the exported certificate on the Desktop. If for some reason the certificate was exported in DER encoded format, it will have to be converted to PEM format. Copy the file to a *nix system and run the following to convert it to PEM:
$ openssl x509 -in adfs_pub_token_sign_cert.cer -inform DER -out adfs_pub_token_sign_cert.pem -outform PEM
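The following Python script is an added example, not part of the original guide: it performs the same DER-to-PEM normalization with the standard library only, accepts either export format, and prints the SHA-1 thumbprint so you can compare it with the Thumbprint field on the certificate's Details tab and confirm the right Token-Signing certificate is being uploaded. The sample bytes are a constructed placeholder, not a real certificate.

```python
import hashlib
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed placeholder (a tiny ASN.1 SEQUENCE), NOT a real certificate;
# it only exercises the DER/PEM handling. A real export from the
# "Copy to File" wizard is an X.509 certificate whose DER encoding also
# starts with the SEQUENCE tag 0x30.
SAMPLE_DER = bytes.fromhex("300b0201013006020102020103")


def load_cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file exported as either
    "Base-64 encoded X.509 (.CER)" (PEM) or "DER encoded binary X.509"."""
    text = data.strip()
    if text.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: raw DER
        return data
    raise ValueError("file is neither PEM nor DER encoded")


def to_pem(der: bytes) -> str:
    """Same result as: openssl x509 -inform DER -outform PEM."""
    return ssl.DER_cert_to_PEM_cert(der)


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, which is the value Windows shows as the
    certificate's Thumbprint (compare ignoring spaces and case)."""
    return hashlib.sha1(der, usedforsecurity=False).hexdigest()


if __name__ == "__main__":
    # Usage: python cert_tool.py adfs_pub_token_sign_cert.cer > cert.pem
    with open(sys.argv[1], "rb") as f:
        der = load_cert_der(f.read())
    print(to_pem(der), end="")
    print("thumbprint:", thumbprint(der), file=sys.stderr)
```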
Add IDR to the ADFS Relying Party Trusts
From the ADFS 2.0 Management Console, right click on "Relying Party Trusts" and select "Add Relying Party Trust":
At this point you will see the Add Relying Party Trust Wizard:
Click Start and select "Enter data about relying party manually":
Click Next and enter a meaningful display name (I chose viasso):
Click Next and select "AD FS 2.0 Profile":
Click Next. Since we are going to use the Token-Signing certificate from ADFS, we won't need to upload a token encryption certificate,
so on this page just click "Next". Then select "Enable support for the SAML 2.0 WebSSO protocol" and enter the "Relying party SAML 2.0 SSO service URL". This URL has the following format:
https://<PORTAL_URL>/SPServlet?sp_id=<Desired_ISSUER_ID>
The ISSUER_ID has to match the relying party trust identifier that we create later. Here is mine filled out:
Click Next and, for the "Relying party trust identifier", make sure this matches the ISSUER_ID you specified in the SSO URL on the previous screen (I called it viasso), then click Add:
Click Next and select "Permit all users to access this relying party":
Click Next and you will see the Summary page:
Click Next and then leave the "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" check box selected:
Click Close and the "Edit Claim Rules" dialog will show up:
Click Add Rule and make sure the Claim rule template has Send LDAP Attributes as Claims selected:
Click Next, give the Claim Rule a name and select our Active Directory as the Attribute store. Then for the LDAP Attribute select "SAM-Account-Name" and for the Outgoing Claim Type select "Name ID":
Click Finish and you should see the claim rule added:
Lastly, make sure a "Permit Access to All Users" rule is present under the "Issuance Authorization Rules" tab:
The last thing to do is to make sure SHA-1 is used as the hashing algorithm for this relying party. Right click on our Relying Party and select Properties:
Then go to the Advanced tab and change the hashing algorithm to SHA-1:
Confirm the Relying Party Trust is Configured and Try an IdP-Initiated Login from ADFS
From a client machine go to https://ADFS_SERVER/adfs/ls/IDpInitiatedSignOn.aspx and you should see the following:
Upon selecting "Sign in to one of the following sites" and then clicking "Continue to Sign In", you should get logged into the portal (if you are using IE and are on the domain; if using Firefox, you will have to enter your domain credentials).
Configure the ADFS IdP in RSA Via Access Console
In the Access Console go to Users -> Identity Providers -> Add an Identity Provider and select SAML 2.0 IDP:
Give it a useful name:
Then in the configuration I set the following parameters:
- Audience ID - This corresponds to the identifier that we set on the ADFS side
  - In my case this is viasso
- Audience URL - This is automatically generated, but we have to update it to include the sp_id that we picked during the ADFS configuration
  - In my case this is https://portal.PDN/SPServlet?sp_id=viasso
- Issuer ID - This will be in the format http://ADFS_SERVER/adfs/services/trust
  - In my case it was http://adfs.MY_DOMAIN/adfs/services/trust
  - NOTE: http, not https
- Issuer URL - This will be in the format https://ADFS_SERVER/adfs/ls/IDpInitiatedSignOn.aspx?loginToRp=RELYING_PARTY_NAME
  - In my case it was https://adfs.MY_DOMAIN/adfs/ls/IDpInitiatedSignOn.aspx?loginToRp=viasso
- Public Certificate - Upload the Token-Signing certificate that we exported from the ADFS server (the one in Base-64 encoded X.509 format)
Here is how it looked in the UI:
and here is the imported cert:
Click Next and Save the configuration. Note: you can find the Issuer ID that ADFS uses by clicking on "Edit Federation Service Properties" from the main screen:
and then you will see the Federation Service Identifier:
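Most failed logins with this setup come from the two sides disagreeing on an identifier or URL. The following Python check is an added example (not part of the guide or of RSA Via Access) that codifies the matching rules from the relying party trust section and the Identity Provider parameters above: the sp_id in the SSO service URL, the relying party trust identifier and the Audience ID must all be equal, the Audience URL must equal the SSO service URL, the Issuer ID must equal the Federation Service identifier and use http, and the Issuer URL must point at the IdP-initiated sign-on page with loginToRp naming the relying party. The sample values are constructed and the hostnames are placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample values following the formats given above; the
# hostnames are placeholders, not a real deployment.
ADFS_SIDE = {
    "relying_party_name": "viasso",        # display name chosen in the wizard
    "relying_party_identifier": "viasso",  # "Relying party trust identifier"
    "sso_service_url": "https://portal.example/SPServlet?sp_id=viasso",
    "federation_service_identifier": "http://adfs.example/adfs/services/trust",
}
VIA_SIDE = {
    "audience_id": "viasso",
    "audience_url": "https://portal.example/SPServlet?sp_id=viasso",
    "issuer_id": "http://adfs.example/adfs/services/trust",
    "issuer_url": "https://adfs.example/adfs/ls/IDpInitiatedSignOn.aspx?loginToRp=viasso",
}


def _query_param(url: str, name: str):
    """First value of a query-string parameter, or None if it is absent."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def check_config(adfs: dict, via: dict) -> list:
    """Return the list of mismatches between the two sides (empty = consistent)."""
    problems = []
    rp_id = adfs["relying_party_identifier"]
    if _query_param(adfs["sso_service_url"], "sp_id") != rp_id:
        problems.append("sp_id in the SSO service URL must equal the relying party trust identifier")
    if via["audience_id"] != rp_id:
        problems.append("Audience ID must equal the relying party trust identifier")
    if via["audience_url"] != adfs["sso_service_url"]:
        problems.append("Audience URL must equal the relying party SAML 2.0 SSO service URL")
    if via["issuer_id"] != adfs["federation_service_identifier"]:
        problems.append("Issuer ID must equal the Federation Service identifier")
    if urlsplit(via["issuer_id"]).scheme != "http":
        problems.append("Issuer ID uses http, not https")
    iu = urlsplit(via["issuer_url"])
    if iu.scheme != "https" or iu.path != "/adfs/ls/IDpInitiatedSignOn.aspx":
        problems.append("Issuer URL must be https://ADFS_SERVER/adfs/ls/IDpInitiatedSignOn.aspx")
    if _query_param(via["issuer_url"], "loginToRp") != adfs["relying_party_name"]:
        problems.append("loginToRp in the Issuer URL must name the relying party")
    return problems


if __name__ == "__main__":
    for line in check_config(ADFS_SIDE, VIA_SIDE) or ["configuration is consistent"]:
        print(line)
```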
Test ADFS IdP From Portal (SP Initiated Login)
Go to the portal and click on the ADFS IdP (on the right side of the ribbon):
You will be logged into the portal. On the ADFS server you can check the audit logs, where you should see a Special Logon for your user: