Configuring authentication in AD FS with SAML 2.0
This section gives a step-by-step guide to configuring every party involved in the authentication. The steps take as their basis an identity service installed on a Windows Server 2012 R2 server, which has native support for AD FS and the SAML 2.0 authentication protocol:
1. The first configuration step is to obtain the metadata from the identity provider. The data is contained in a single file named "FederationMetadata.xml". This file holds the information SE Suite needs to interpret the messages exchanged with the service during the authentication process, such as the digital certificates and the access addresses. The identity provider publishes an access URL from which the file can be downloaded, as exemplified below:
Access URL to download the identity provider metadata file:
Example considering the AD FS server address "trevor.contoso.local":
2. After obtaining the FederationMetadata.xml file from the identity service, import it into SE Suite through the SE Configuration component > Authentication (CM008) > Authentication services > SAML 2.0 section. If this section is disabled, first select the SAML 2.0 authentication mode in the "Authentication options" section.
3. Once this is done, generate the certificate and export the SESUITE_metadata.xml file from SE Suite.
The generated file contains the information the identity server (AD FS) needs to interpret the messages SE Suite sends during the authentication process, such as the generated certificate and the system access URLs. It will be imported into AD FS in the next step.
4. The SESUITE_metadata.xml file is imported into AD FS through the AD FS Management console. Here is how to do it:
i. In the Actions panel, located on the right side of the screen, click Add Relying Party Trust...
ii. At this point, the wizard opens. Click Start.
iii. In the Select Data Source step, select the "Import data about the relying party from a file" option and, in the field below, select the SESUITE_metadata.xml file. Once done, click Next:
iv. In the Specify Display Name step, enter a name to identify the configuration. Once done, click Next:
v. In the Configure Multi-factor Authentication Now? step, select the "I do not want to configure multi-factor authentication settings for this relying party trust at this time." option. Once done, click Next:
vi. In the Choose Issuance Authorization Rules step, select the "Permit all users to access this relying party" option. Once done, click Next:
vii. In the Ready to Add Trust step, check the information shown on the Endpoints tab, verifying that the URL displayed corresponds to the correct SE Suite access URL. Once done, click Next:
viii. In the Finish step, check the "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" option and then click Close:
5. After that, configure the claim rules ("Edit Claim Rules"). If the option to open the claim rules editor was not checked in the previous step, the claim rules can be reached through the Relying Party Trusts > Edit Claim Rules... menu of AD FS Management:
i. To add a new rule, on the Issuance Transform Rules tab of the screen that opens, click Add Rule:
ii. In the Choose Rule Type step, select the "Send LDAP Attributes as Claims" option and click Next:
iii. In the Configure Claim Rule step, configure the fields as shown in the following image. After that, click Finish:
iv. Once this has been done, the created rule is displayed on the Issuance Transform Rules tab. Click OK to finish editing the claim rules.
6. The last step in configuring integrated authentication via SAML 2.0, before testing the authentication, is to configure the browsers:
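As an added check that is not part of the SE Suite documentation or product, the Python script below reads the FederationMetadata.xml obtained in step 1 and confirms, before it is imported in step 2, that the file carries what SE Suite needs from it (the signing certificate and the AD FS access addresses) and that those addresses actually point at the expected AD FS server, using the "trevor.contoso.local" host from the example. The embedded metadata is a constructed sample, and the `expected_host` comparison is an assumption of this script, not a check SE Suite itself performs.

```python
import base64
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, cut-down stand-in for a real FederationMetadata.xml; the certificate is a placeholder (DER header only).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://trevor.contoso.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC0DCCAbigAwIBAgIQ</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://trevor.contoso.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull out the entityID, signing certificates and SSO endpoints that SE Suite relies on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 identity provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}

def check_idp_metadata(meta, expected_host):
    """Return the problems found; an empty list means the file is fit to import into SE Suite."""
    problems = []
    if urlparse(meta["entity_id"]).hostname != expected_host:  # AD FS uses an http:// entityID, so compare hosts only
        problems.append("entityID does not name the expected AD FS server")
    if not meta["signing_certs"]:
        problems.append("no signing certificate: AD FS signatures could not be verified")
    for cert in meta["signing_certs"]:
        try:  # every DER-encoded X.509 certificate opens with a SEQUENCE tag (0x30)
            if not base64.b64decode(cert, validate=True).startswith(b"\x30"):
                raise ValueError
        except ValueError:
            problems.append("signing certificate is not a base64-encoded DER certificate")
    for binding, loc in meta["sso"].items():  # users will be redirected to these addresses
        url = urlparse(loc)
        if url.scheme != "https" or url.hostname != expected_host:
            problems.append(f"{binding.rsplit(':', 1)[-1]} endpoint {loc} is not https on {expected_host}")
    return problems
```

Run it against the real downloaded file by passing its contents to `parse_idp_metadata` instead of `SAMPLE_METADATA`; any non-empty result from `check_idp_metadata` is worth resolving before the import in step 2.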