Microsoft Active Directory Federation Services - SAML My Page SSO Configuration - RSA Ready Implementation Guide
Originally Published: 2021-10-07

Microsoft Active Directory Federation Services - SAML SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide

This section describes how to integrate Microsoft AD FS with RSA Cloud Authentication Service using My Page SSO to authenticate any third-party application.

Architecture Diagram

Pre-requisites

  • To configure SSO, you'll need admin access to your third-party application (Salesforce was used for our testing).
  • Perform the steps below to export the Active Directory Federation Services (AD FS) token-signing certificate. It will be required later to configure the third-party application, in this case the Salesforce SAML settings.
    1. Open the Microsoft AD FS management console.
    2. Select Certificates and double-click the token-signing certificate.
    3. Click the Details tab.
    4. Click Copy to File.
    5. Save the certificate in DER format.
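The same export can be done from an elevated PowerShell session on the AD FS server. The block below is an added example, not part of this guide or of RSA's or Microsoft's own documentation; the output path is a placeholder and the cmdlets come from the ADFS and PKI modules that ship with Windows Server.

```powershell
# Added example (not from the guide): export the primary AD FS token-signing
# certificate in DER format for upload to the third-party application.
# Assumption: $outFile is a placeholder path of your choosing.
Import-Module ADFS

$outFile = 'C:\temp\adfs-token-signing.cer'   # placeholder path

# AD FS can hold a primary and a secondary token-signing certificate during
# rollover; only the primary one signs assertions right now.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }

if (-not $signing) { throw 'No primary token-signing certificate found.' }

$cert = $signing.Certificate   # X509Certificate2 object

# -Type CERT writes a DER-encoded public certificate with no private key,
# which is the format the Salesforce SSO settings accept.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# Record what was exported so it can be compared later against the
# certificate shown in Salesforce and in the AD FS federation metadata.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    File       = $outFile
}
```

Keep the thumbprint it prints: it is the quickest way to confirm that the file uploaded to Salesforce is the certificate AD FS is actually signing with. If `(Get-AdfsProperties).AutoCertificateRollover` is `$true`, AD FS will replace the token-signing certificate on its own schedule, and the copy in Salesforce must be updated when the new certificate becomes primary.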

Configure Third-Party Application

Perform these steps to configure a third-party application. In this case, we’ll be setting up Salesforce for testing purposes.

Procedure

  1. Log in to the Salesforce Administration Console. Navigate to SETTINGS > Identity, and then select Single Sign-On Settings.
  2. Click the Edit button.
  3. Under the Federated Single Sign-On Using SAML section, select the SAML Enabled checkbox and click Save.
  4. In the SAML Single Sign-On Settings section, click New to manually configure the SAML settings.
  5. Enter the following values in the corresponding fields:
    1. In the Name field, enter a name.
    2. In the Issuer field, enter the Active Directory Federation Services name appended by /adfs/services/trust in the following format: http://<Active-Directory-Federation-Service-name>/adfs/services/trust

Note: The above URL includes http, not https.

    3. In the Entity ID field, enter an ID that starts with https://. In this example we used our Salesforce custom domain: https://innovation-page-938.lightning.force.com/
    4. In the Identity Provider Certificate section, click Choose File and select the Microsoft AD FS token-signing certificate exported in the pre-requisites section.
    5. In SAML Identity Type, select Assertion contains Federation ID from the User object.
    6. In SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement.
    7. In Service Provider Initiated Request Binding, select HTTP POST.
    8. In the Identity Provider Login URL field, enter the Active Directory Federation Services name appended by /adfs/ls/ in the following format: https://<Active-Directory-Federation-Service-name>/adfs/ls/

Note: This URL is https, and you must include the slash at the end of the URL.

  6. Click Save.
  7. In the SAML Single Sign-On Settings section, click the name of the configuration you just created.
  8. Select Download Metadata. This file will be needed later to configure the Microsoft AD FS Relying Party Trust.
  9. Navigate to ADMINISTRATION > Users > Users.
  10. Click the New button to add a new user.
  11. Send an invitation to add users to your team by entering their email and selecting the appropriate profile.
  12. After sending an invite to a user, click the arrow on the left side next to their name, then select Edit User.
  13. Fill in all the required fields, enter the user's email address in the Federation ID field, and then click Save.
  14. Navigate to SETTINGS > Company Settings > My Domain.
  15. Navigate to My Domain > My Domain Settings > My Domain Details and enter the desired login URL for your Salesforce domain. Click Check Availability and, once confirmed, click Save.
  16. In My Domain Settings > Policies, make sure Prevent login from https://login.salesforce.com is unchecked.

Note: The above step helps avoid lockouts if SSO is misconfigured.

  17. In My Domain Settings > Authentication Configuration, click Edit.
  18. In Authentication Configuration > Authentication Service, uncheck the Login Form checkbox and select the name of the SSO setting you just created (e.g., Microsoft ADFS in this example), then click Save.

Configure Microsoft AD FS to Send Claims

Perform the following steps to configure a third-party application as a Relying Party Trust in Microsoft AD FS for sending claims.

Procedure

  1. Open the Microsoft AD FS management console.
  2. In the Actions pane on the right-hand side, click Add Relying Party Trust.
  3. The configuration wizard will launch. Check that the Claims aware radio option is selected, then click Start.
  4. Select Import data about the relying party from a file.
  5. Browse to the third-party application metadata file (in this case, the Salesforce metadata file you downloaded earlier) and click Next.
  6. Enter a Display name and click Next.
  7. On the Choose Access Control Policy page, select Permit everyone and click Next.
  8. Verify that all information is accurate, then click Next, followed by Finish to complete the process.
  9. Right-click the Relying Party Trust just created, then select Edit Claim Issuance Policy.
  10. On the Edit Claim Issuance Policy page, click Add Rule.
  11. From the Claim rule template dropdown, select Send LDAP Attributes as Claims, then click Next.
  12. Enter a Claim rule name and, from the Attribute store dropdown, select Active Directory.
  13. In the Mapping of LDAP attributes to outgoing claim types table, select E-Mail-Addresses as the LDAP Attribute and Name ID as the Outgoing Claim Type, then click Finish.
  14. Double-click the Relying Party Trust created for Salesforce (in this case) and navigate to the Advanced tab.
  15. From the Secure hash algorithm dropdown, select SHA-1, then click OK.

Note: For SP-initiated login to work, the Active Directory Federation Services Secure Hash Algorithm parameter must be set to SHA-1.
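The wizard steps above can be reproduced with the ADFS PowerShell module, which also makes it easy to read the trust back and check that the identifier and endpoints imported from the metadata match what was entered in Salesforce. This is an added example, not code from this guide or from RSA or Microsoft; the display name and metadata path are placeholders, and the claim rule text is the rule the "Send LDAP Attributes as Claims" template generates for the mail attribute.

```powershell
# Added example (not from the guide): create the Salesforce relying party trust
# with the same settings the wizard produces, then read it back for review.
# Assumptions: $rpName and $metadata are placeholders.
Import-Module ADFS

$rpName   = 'Salesforce'                              # placeholder display name
$metadata = 'C:\temp\salesforce-sp-metadata.xml'      # metadata downloaded from Salesforce (placeholder path)

# Equivalent of the "Send LDAP Attributes as Claims" rule: AD mail -> Name ID.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-Mail-Addresses as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# The guide requires SHA-1 for SP-initiated login; this is the URI AD FS uses for it.
$sha1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataFile $metadata `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $issuanceRules `
    -SignatureAlgorithm $sha1

# Read back what was created. Identifier must equal the Entity ID entered in
# Salesforce, and the SAML endpoint should be Salesforce's ACS URL.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
[pscustomobject]@{
    Identifier         = ($rp.Identifier -join ', ')
    SamlEndpoints      = (($rp.SamlEndpoints | ForEach-Object { "$($_.Binding) $($_.Location)" }) -join '; ')
    SignatureAlgorithm = $rp.SignatureAlgorithm
    AccessPolicy       = $rp.AccessControlPolicyName
    SignatureOK        = ($rp.SignatureAlgorithm -eq $sha1)
}
```

If the identifier printed does not match the Entity ID you typed into Salesforce, the SP metadata file is from a different configuration and AD FS will reject the AuthnRequest with an "unknown relying party" error; re-download the metadata from the configuration you actually saved.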

Verify that AD FS now protects Salesforce

  1. Browse to https://<Active-Directory-Federation-Service-name>/adfs/ls/IdpInitiatedSignon.aspx
  2. Enter the user credentials.
  3. Verify that the user is logged in to Salesforce.
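Two things commonly stop this check from working: the IdP-initiated sign-on page is disabled by default on AD FS 2016 and later, and the certificate uploaded to Salesforce is not the one AD FS is publishing. The block below is an added example, not part of this guide, that tests both from the AD FS server before you open a browser; the host name and DER path are placeholders, and the federation metadata URL is the standard AD FS location.

```powershell
# Added example (not from the guide): pre-flight checks for the IdP-initiated
# sign-on test. Assumptions: $adfsHost and $derFile are placeholders.
Import-Module ADFS

$adfsHost = 'adfs.example.com'                  # placeholder for <Active-Directory-Federation-Service-name>
$derFile  = 'C:\temp\adfs-token-signing.cer'    # DER file exported in the pre-requisites (placeholder)

# 1. Is IdpInitiatedSignon.aspx enabled? The property exists on AD FS 2016+
#    (where the page is off by default); on 2012 R2 the page is always on.
$props = Get-AdfsProperties
$prop  = $props.PSObject.Properties['EnableIdPInitiatedSignonPage']
$signonEnabled = if ($prop) { [bool]$prop.Value } else { $true }
if (-not $signonEnabled) {
    Write-Warning 'IdpInitiatedSignon.aspx is disabled. Enable it with: Set-AdfsProperties -EnableIdPInitiatedSignonPage $true'
}

# 2. Fetch the published federation metadata and pull the IdP signing certificate(s).
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$published = $md.SelectNodes($xpath, $ns) | ForEach-Object {
    $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes).Thumbprint
}

# 3. Compare with the certificate handed to Salesforce.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($derFile).Thumbprint

[pscustomobject]@{
    IdpInitiatedSignonEnabled   = $signonEnabled
    PublishedSigningThumbprints = ($published -join ', ')
    ExportedThumbprint          = $exported
    CertificateMatch            = ($published -contains $exported)
}
```

A `CertificateMatch` of `False` means Salesforce will fail signature validation on every assertion even though the AD FS login page works; re-export the primary token-signing certificate and upload it again.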

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.

Procedure

  1. Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog. Search for Microsoft AD FS and click Add to add the connector.
  2. On the Basic Information page, choose Cloud.
  3. Enter the name for the application and click the Next Step button.
  4. On the Connection Profile page, navigate to the Initiate SAML Workflow section and choose SP-initiated.
  5. In the Connection URL field, enter the URL of the Active Directory Federation Services login page in the following format: https://<Active-Directory-Federation-Service-name>/adfs/ls/idpinitiatedsignon.aspx
  6. Scroll down to the Service Provider section and provide the following details:
    1. Assertion Consumer Service (ACS) URL: enter the Active Directory Federation Services name appended by /adfs/ls/ in the following format: https://<Active-Directory-Federation-Service-name>/adfs/ls/

Note: This URL is https, and you must include the slash at the end of the URL.

    2. Audience (Service Provider Issuer ID): enter the Active Directory Federation Services name appended by /adfs/services/trust in the following format: http://<Active-Directory-Federation-Service-name>/adfs/services/trust

Note: The above URL includes http, not https.

  7. The Identity Provider URL is generated automatically. Take note of its value, as it will be needed for the Microsoft AD FS configuration.
  8. Scroll down to the Message Protection section and select the checkbox labeled "Override default signing key and certificate."
  9. You must import a private/public key pair to sign and validate SAML assertions. If you don't have one readily available, follow these steps to generate a certificate bundle; otherwise, continue to the next step.
    1. Click the Generate Certificate Bundle button in the SAML Response Signature section.
    2. Enter a common name in the Common Name (CN) field.
    3. Click the Generate and Download button, save the certificate bundle ZIP file to a secure location and extract its contents. The ZIP file contains a private key, a public certificate and a certificate signing request.
    4. Verify that Signature Algorithm is set to RSA-SHA256.
  10. Select the Show Connection Profile Advanced Configuration dropdown and, under the User Identity section, select the Identifier Type and Property values:
    1. Select unspecified from the Identifier Type dropdown list.
    2. Select mail from the Property dropdown list.
  11. Click Next Step.
  12. On the User Access page, choose the access policy you want to use to determine which users can access the application, then click Next Step.
  13. On the Portal Display page, configure the portal display and other settings, then click Next Step.
  14. On the Fulfillment page, configure your preferred settings or leave the Fulfillment toggle disabled, then click Save and Finish.
  15. Locate the application just created on the My Applications page and click the dropdown arrow next to Edit > Export Metadata.
  16. Click Publish Changes and wait for the operation to complete.

After publishing, your application is enabled for SSO.

Configure Microsoft AD FS to Add a Claim Provider Trust

Perform the following steps to configure RSA Cloud Authentication Service as a Claims Provider Trust in Microsoft AD FS for use as an Identity Provider.

Procedure

  1. Open the Microsoft AD FS management console.
  2. In the Actions pane on the right-hand side, click Add Claims Provider Trust.
  3. The Add Claims Provider Trust Wizard opens; click Start.
  4. On the Select Data Source page, select Import data about the claims provider from a file and click Browse.
  5. Select the metadata file that was previously exported from the RSA Cloud Administration Console during the configuration of the Microsoft AD FS connector, then click Next.
  6. On the Specify Display Name page, enter a Display name and click Next.
  7. Verify that all information is accurate, then click Next, followed by Finish to complete the process.
  8. Right-click the Claims Provider Trust just created, then select Edit Claim Rules.
  9. On the Acceptance Transform Rules tab, click Add Rule.
  10. On the Select Rule Template page, choose "Pass Through or Filter an Incoming Claim" from the Claim rule template dropdown menu.
  11. On the Configure Claim Rule page, complete the following steps, then click Finish:
    1. Enter a Claim rule name.
    2. Select Name ID from the Incoming claim type dropdown.
    3. Select Unspecified from the Incoming name ID format dropdown.
    4. Select Pass through all claim values.
  12. In the left-hand menu, click Relying Party Trusts, then find and select the relying party trust configured earlier for the third-party application (in this case, Salesforce). Right-click it and select "Edit Claim Issuance Policy".
  13. On the Issuance Transform Rules tab, click Add Rule.
  14. On the Select Rule Template page, choose "Pass Through or Filter an Incoming Claim" from the Claim rule template dropdown menu.
  15. On the Configure Claim Rule page, complete the following steps, then click Finish:
    1. Enter a Claim rule name.
    2. Select Name ID from the Incoming claim type dropdown.
    3. Select Unspecified from the Incoming name ID format dropdown.
    4. Select Pass through all claim values.
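The claims provider trust and the two pass-through rules above can also be created from PowerShell. The block below is an added example, not code from this guide or from RSA or Microsoft; the metadata path and display names are placeholders, and the rule text is what the "Pass Through or Filter an Incoming Claim" template generates for Name ID with the Unspecified format. Note that it appends the pass-through rule to the relying party's existing issuance rules rather than replacing them, which is the mistake most often made when scripting this step.

```powershell
# Added example (not from the guide): add RSA Cloud Authentication Service as a
# claims provider trust and add the Name ID pass-through rule on both trusts.
# Assumptions: $cpName, $metadata and $rpName are placeholders; $rpName must be
# the relying party trust created earlier for the third-party application.
Import-Module ADFS

$cpName   = 'RSA Cloud Authentication Service'   # placeholder display name
$metadata = 'C:\temp\rsa-idp-metadata.xml'       # exported from the RSA console (placeholder path)
$rpName   = 'Salesforce'                         # relying party trust created earlier

# "Pass Through or Filter an Incoming Claim": Name ID, Unspecified format,
# pass through all values. The same rule text serves both trusts.
$passThroughNameId = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID (unspecified)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(claim = c);
'@

# Acceptance transform rules: what AD FS accepts from the RSA identity provider.
Add-AdfsClaimsProviderTrust -Name $cpName `
    -MetadataFile $metadata `
    -AcceptanceTransformRules $passThroughNameId

# Issuance transform rules on the relying party: keep the existing LDAP rule
# (used when AD is the identity source) and append the pass-through rule.
$rp       = Get-AdfsRelyingPartyTrust -Name $rpName
$combined = ($rp.IssuanceTransformRules, $passThroughNameId) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $combined

# Review: list the rule names now present on each trust.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
'Claims provider acceptance rules:'
($cp.AcceptanceTransformRules -split "`r?`n" | Select-String '@RuleName').Line
'Relying party issuance rules:'
((Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules -split "`r?`n" | Select-String '@RuleName').Line
```

The review output should show one acceptance rule on the claims provider trust and two issuance rules on the relying party trust (the LDAP rule from the earlier section and the new pass-through rule). If only one issuance rule is listed, the earlier rule was overwritten and the AD-backed login path will stop sending a Name ID.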

Verify that Microsoft AD FS now redirects to the RSA portal

  1. Browse to https://<Active-Directory-Federation-Service-name>/adfs/ls/IdpInitiatedSignon.aspx. From the dropdown menu, select your site (for example, Salesforce).
  2. Select the identity source to validate against.
  3. Enter your credentials and verify that you are logged in to your Salesforce home page.

Configuration is complete.