Configuring the authentication in AD FS with SAML 2.0

In this section, a step-by-step guide demonstrates how to configure all parties involved in the authentication. The guide is based on the identity service installed on a Windows Server 2012 R2 server, which has native support for AD FS and the SAML 2.0 authentication protocol:

1. The first step in the configuration is to obtain the metadata from the identity provider. The data is contained in a single file called "FederationMetadata.xml". This file contains the information SE Suite needs to interpret the messages exchanged with the service during the authentication process, such as the digital certificates and the access addresses. The identity provider publishes a URL from which the file can be downloaded, as exemplified below:

Access URL to download the identity provider metadata file:

https://[SERVER ADFS]/FederationMetadata/2007-06/FederationMetadata.xml

 

Example considering ADFS server address "trevor.contoso.local":

https://trevor.contoso.local/FederationMetadata/2007-06/FederationMetadata.xml

2. After obtaining the FederationMetadata.xml file from the identity service, import it into SE Suite through the Configuration component > Authentication (CM008) > Authentication services > SAML 2.0 section. If this section is disabled, select the SAML 2.0 authentication mode in the "Authentication options" section.

The FederationMetadata.xml file contains digital certificates that have an expiration date. After the certificates expire, the configuration may need to be redone. For more details, refer to the Reconfiguring authentication in AD FS with SAML 2.0 section.
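
As an added example (not code from this guide or from SE Suite), the following Python script reads a FederationMetadata.xml file offline and reports the identity provider's entityID, its single sign-on endpoints and the expiry date of every certificate the file carries, so that the reconfiguration mentioned above can be planned before sign-on stops working. The metadata document and the certificate inside it are constructed stand-ins (the entityID and the /adfs/ls/ endpoint follow the AD FS defaults for the example host), and the notAfter field is read with a minimal DER walker so that no cryptography library is required.

```python
import base64, xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def der(tag, content):  # tiny DER encoder (lengths < 128) used only to build the sample
    return bytes([tag, len(content)]) + content

def fake_cert(not_after):  # constructed, unsigned X.509 skeleton; only Validity carries real data
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 2
              + validity + der(0x30, b"") * 2)  # [0]version, serial, sigAlg, issuer, validity, subject, spki
    return base64.b64encode(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()

SAMPLE = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://trevor.contoso.local/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert(b'250630235959Z')}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://trevor.contoso.local/adfs/ls/"/>
 </IDPSSODescriptor></EntityDescriptor>"""  # constructed stand-in for FederationMetadata.xml

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value bytes, offset just past the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_not_after(b64):  # Certificate -> tbsCertificate -> validity -> notAfter, no crypto library
    _, tbs, _ = _tlv(_tlv(base64.b64decode(b64), 0)[1], 0)
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0  # explicit [0] version is absent in v1 certificates
    for _ in range(3):  # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    tag, value, _ = _tlv(validity, _tlv(validity, 0)[2])  # skip notBefore; read notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime (0x17) or GeneralizedTime (0x18)
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

def check_metadata(xml_text, now=None):
    """Return entityID, SSO endpoints and (use, notAfter, days left) for every IdP certificate."""
    now, root = now or datetime.now(timezone.utc), ET.fromstring(xml_text)
    sso = [(s.get("Binding").rsplit(":", 1)[-1], s.get("Location"))
           for s in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        exp = cert_not_after("".join(kd.find(".//ds:X509Certificate", NS).text.split()))
        certs.append((kd.get("use", "signing+encryption"), exp, (exp - now).days))
    return root.get("entityID"), sso, certs
```

Against a real download, call check_metadata(open("FederationMetadata.xml").read()); a negative days-left value means the identity provider certificate in the file has already expired and the import must be repeated.
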
3. Once this is done, generate the certificate in SE Suite and export the SESUITE_metadata.xml file.

The generated file has the information the identity server (AD FS) needs to interpret the messages sent by SE Suite during the authentication process, such as the generated certificate and the system access URLs. It will be imported into AD FS.

4. The SESUITE_metadata.xml file is imported into AD FS through the AD FS Management console. Here is how to do it:

i. In the Actions panel, located on the right side of the screen, click Add Relying Party Trust...

ii. At this point, the wizard opens. Click the Start option.

iii. In the Select data source step, select the "Import data about the relying party from a file" option and, in the field below, select the SESUITE_metadata.xml file. Once done, click Next:

iv. In the Specify display name step, enter a name to identify the configuration. Once done, click Next:

v. In the Configure Multi-factor Authentication Now? step, select the "I do not want to configure multi-factor authentication settings for this relying party trust at this time." option. Once done, click Next:

vi. In the Choose Issuance Authorization Rules step, select the "Permit all users to access this relying party" option. Once done, click Next:

vii. In the Ready to Add Trust step, check the information shown on the Endpoints tab, verifying that the URL displayed corresponds to the correct SE Suite access URL. Once done, click Next:

viii. In the Finish step, check the "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" option and then click Close:

5. After that, configure the claim rules ("Edit Claim Rules"). If the option to edit the claim rules was not checked in the previous step, the claim rules can be accessed through the Relying Party Trusts > Edit Claim Rules menu of the AD FS Management console:

i. To add a new rule, on the Issuance transform rules tab of the screen that opens, click Add rule:

ii. In the Choose rule type step, select the "Send LDAP attributes as claims" option and click Next:

iii. In the Configure claim rule step, configure the fields as shown in the image for this step. After that, click Finish:

In some identity providers, it may be necessary to specify the credential ID in the SAML configuration. To do that, access the "Configuration > Authentication (CM008) > Authentication services > SAML 2.0" menu, edit the configuration record and, in the "Credential ID" field, enter the "Name ID" value.

iv. Once this has been done, the created rule will be displayed in the Issuance transform rules tab. Click OK to finish editing the claim rules.

6. The last step of the integrated authentication configuration via SAML 2.0, before testing the authentication, is to configure the browsers:

Google Chrome
Internet Explorer