Karim Elatov

Configure ADFS as an Identity Provider (IdP) for RSA SecurID Access

Blog Post created by Karim Elatov Employee on Mar 23, 2016

This guide is assuming you have done the following steps:

  • Install ADFS
  • Add SSL certificate to ADFS
  • Configure ADFS for your domain

Confirm Active Directory is Under the Attribute Stores

Launch the "ADFS 2.0 Management" Console from the "Start Menu" -> "All Programs" -> "Administrative Tools":
adfs-in-start-menu.png
Once launched, expand "Trust Relationships" and click on "Attribute Stores"; you should see "Active Directory" in the list:

adfs-ad-userstore.png

Confirm Active Directory is Added to the Claims Provider Trusts

In the ADFS 2.0 Management Console, click on "Claims Provider Trusts" and make sure AD is in the list:


adfs-ad-claims.png

Export the Token Signing ADFS Certificate

We will upload this cert when setting up ADFS as an IdP; it is the certificate ADFS uses to sign SAML responses/requests. Launch the ADFS 2.0 Management Console, expand "Service" and then click on "Certificates":

adfs-certs.png

Right click on the "Token-Signing" certificate and select "View Certificate":
adfs-view-cert.png

Then click on the "Details" tab and click on "Copy to File":

adfs-copy-cert.png

At this point a wizard will start:

Click next and select the format to be "Base-64 encoded X.509 (.CER)":


Follow the rest of the prompts to place the exported certificate on the Desktop. If for some reason the cert was exported in DER encoded format, it has to be converted to PEM format. Copy the file to a *nix system and run the following to convert it to regular PEM format:

$ openssl x509 -in adfs_pub_token_sign_cert.cer -inform DER -out adfs_pub_token_sign_cert.pem -outform PEM
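The same conversion can be checked without openssl. The following is an added Python example (not part of the original post): it accepts the exported token-signing certificate in either format the Windows export wizard offers, normalises it to PEM, and computes the thumbprint so the file can be compared with the thumbprint shown on the certificate's Details tab before it is uploaded to the IdP configuration. It assumes, as the Windows dialog does, that the displayed thumbprint is the SHA-1 digest of the DER bytes; the sample bytes are constructed placeholders, not a real certificate.

```python
import hashlib
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def load_token_signing_cert(raw: bytes) -> bytes:
    """Return the DER bytes of an exported ADFS token-signing certificate.

    Accepts either encoding the Windows export wizard offers:
    "Base-64 encoded X.509 (.CER)" (PEM armour) or "DER encoded binary X.509".
    """
    text = raw.decode("utf-8-sig", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        # PEM: strip the armour and base64-decode, like openssl -inform PEM.
        return ssl.PEM_cert_to_DER_cert(text)
    if raw[:1] == b"\x30":
        # DER: an X.509 Certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
        return raw
    raise ValueError("file is neither a PEM nor a DER encoded X.509 certificate")

def to_pem(der: bytes) -> str:
    """Same output as: openssl x509 -inform DER -outform PEM."""
    return ssl.DER_cert_to_PEM_cert(der)

def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Hex digest of the DER encoding. The Windows certificate dialog's
    "Thumbprint" field is the SHA-1 digest of exactly these bytes."""
    return hashlib.new(algo, der).hexdigest().upper()

def matches_adfs_thumbprint(der: bytes, shown: str) -> bool:
    """Compare with a thumbprint copied from the ADFS certificate Details tab,
    which shows lowercase hex pairs separated by spaces (or colons)."""
    wanted = "".join(shown.split()).replace(":", "").upper()
    return thumbprint(der) == wanted

# Constructed placeholder bytes: an outer ASN.1 SEQUENCE tag and length
# followed by filler, NOT a real certificate. Enough to exercise the
# encoding detection, conversion and thumbprint logic offline.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x04]) + bytes(range(256)) + bytes(4)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    der = load_token_signing_cert(open(path, "rb").read()) if path else SAMPLE_DER
    print(to_pem(der))
    print("SHA-1 thumbprint:", thumbprint(der))
```

Run it with the exported .cer as the only argument and compare the printed thumbprint with the one in the ADFS certificate dialog; a mismatch means the wrong certificate (for example the service communications cert) was exported.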

Add IDR to the ADFS Relying Party Trusts

From the ADFS 2.0 Management Console, right click on "Relying Party Trusts" and select "Add Relying Party Trust":

adfs-add-relying-party.png

At this point you will see the Add Relying Party Trust Wizard:

adfs-wiz-1.png

Click Start and select "Enter data about relying party manually":

adfs-wiz-2.png

Click Next and enter a desired and meaningful name (I chose viasso):

display_namerp.png

Click Next and select "AD FS 2.0 Profile":

adfs-wiz-3.png

Click Next. Since we are going to use the Token-Signing Certificate from ADFS, we won't need to upload a token-encrypting certificate.

adfs-wiz-4.png
So on this page, just click "Next". Then select "Enable support for the SAML 2.0 WebSSO protocol" and enter the "Relying party SAML 2.0 SSO service URL". This URL has the following format:


https://<PORTAL_URL>/SPServlet?sp_id=<Desired_ISSUER_ID>

The ISSUER_ID has to match the relying party trust identifier that we create on a later screen. Here is mine filled out:

adfs-rp-acs-url.png


Click Next and for the "Relying party trust identifier", make sure this matches the IssuerID you specified in the SSO URL on the previous screen (I called it viasso) and then click Add:

adfs-add-identifier.png

Click Next and select "Permit all users to access this relying party":

adfs-wiz-5.png

Click Next and you will see the Summary page:

adfs-wiz-6.png

Click Next and then leave the "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" check box selected:

adfs-wiz-7.png

Click Close and the "Edit claim Rules" dialog will show up:

rp-blank-claim-rules.png

Click Add Rule and make sure the Claim rule template has Send LDAP Attributes as Claims selected:

adfs-wiz-8.png

Click Next, give the Claim Rule a name and select the Attribute store to be our Active Directory. Then for the LDAP Attribute select "SAM-Account-Name" and for the Outgoing Claim Type select "Name ID":

rp-claim-rule-sam-nameid.png


Click Finish and you should see the claim rule added:

rp-claim-rule-added.png


Lastly, make sure the "Permit Access to All Users" rule is present under the "Issuance Authorization Rules" tab:

rp-auth-rules.png

The last thing to do is to make sure we use SHA-1 as our hashing algorithm. Right click on our Relying Party and select Properties:

rp-proper.png

Then go to the Advanced tab and change the hash algorithm to SHA-1:

hashing-algo.png

Confirm the Relying Party Trust is Configured and Try an IdP-Initiated Login from ADFS

From a client machine go to https://ADFS_SERVER/adfs/ls/IdpInitiatedSignOn.aspx and you should see the following:

adfs-sign-in-page.png

Upon selecting "Sign in to one of the following sites" and then clicking "Continue to Sign In", you should get logged into the portal (if you are using IE and you are on the domain; if using Firefox, you will have to enter your domain credentials).

Configure the ADFS IdP in RSA Via Access Console

In the Access Console go to Users -> Identity Providers -> Add an Identity Provider and select SAML 2.0 IDP:

saml-gen-idp.png

Give it a useful name:

name-saml2-idp.png

Then in the configuration I set the following parameters:

Here is how it looked in the UI:

saml-20-adfs-config.png
and here is the imported cert:

saml-idp-cert-imported.png
Click Next and save the configuration. Note: you can find the IssuerID that ADFS uses by clicking on "Edit Federation Service Properties" on the main screen:

adfs-mgmt-edit-fed.png

and then you will see the Federation Service Identifier:

adfs-fed-props.png

Test ADFS IdP From Portal (SP Initiated Login)

Go to the portal and click on the ADFS IdP (on the right side of the ribbon):

adfs-idp-in-portal.png

You will be logged into the portal. On the ADFS server you can check the audit logs and you should see a Special Logon for your user:

adfs-special-logon.png