Reset Search
 

 
Article

KB28618 - Configuring Active Directory Federation Services (ADFS) as a SAML auth server instance

Printable View
« Go Back

Information

 
Last Modified Date6/19/2017 2:43 PM
Synopsis
This article describes the steps involved in configuring Active Directory Federation Service (ADFS) as a Security Assertion Markup Language (SAML) auth server instance.
Problem or Goal
Cause
Solution

Step 1 : Configuring Hostname for SAML entity ID

  1. Log into PCS Admin console and navigate to System > Configuration > SAML
  2. Click on Settings button as shown in the figure below:
  1. Enter the hostname (FQDN) of the PCS device. This FQDN will be used by the PCS device to generate SA Entity Id while configuring SAML auth server instance. Click on Save Changes.
  2. Go back to  System > Configuration > SAML

Step 2 : Configuring Metadata Provider

  1. Click on New Metadata Provider
  1. Enter Name for the Metadata provider
  2. Metadata of the ADFS can uploaded to the SA by two methods:
    • Local : ADFS metadata.xml is downloaded to the workstation and is imported to the SA from the Workstation
    •  Remote: SA fetches the metadata from the ADFS server. Admin need to enter the URL for the ADFS metadata
  
To verify the URL for ADFS metadata.XML, login to the ADFS server.  
-From the Start Menu > Administrative Tools > AD FS 2.0 Management Console.
-On the Console Expand Service and click on Endpoints.  You will find the path for the Metadata
  1. Based on the requirement, enable or disable Accept untrusted server certificate and accept unsigned Metadata.
  2. Under the Metadata Provider Filter Configuration, Select Roles Identity Provider.  This is a input for the PCS device to check what role it has to look in the Metadata.
  3. Click Save Changes.

Step 3 : Configuring SAML Auth Server
  1. Navigate to Authentication > Auth. Servers
  2. Create a New SAML auth server instance
  1. Enter a Name for this auth instance
  2. Select SAML version to 2.0
  3. PCS Entity Id will be auto populated by the PCS device
  4. Under Configuration Mode, select Metadata.
  5. For Identity Provider Entity Id & Identity Provider Single Sign On Service URL, these values will be populated by the PCS from the Metadata received from the ADFS
  6. Under SSL Method Select Post, from the Response Signing certificate drop-down menu, select the certificate that the ADFS is configured for Signing response
  1. Based on your requirements you can configure Device Certificate for Signing and Device Certificate for Encryption
  2. For Metadata Validity enter a value between 1-9999 days.
  3. Click Save changes


Step 4 : Configuring Realm, Role & Sign in URL

  1. Configure a Realm to use the server instance created in the previous step
  2. Configure Role Mapping as required
  3. Configure a sign in url

Step 5 : Configuring Relying Party Trusts

  1. Log into the server running AD FS
  2. From the Start Menu > Administrative Tools > AD FS 2.0 Management Console
  3. Expand Trust Relationships
  4. Go to Relying Party Trusts.
  5. Right click on Relying Party Trusts or from the Actions pane click on Add Relying Party Trust.
User-added image
 
  1. Click Start on Add Relying Party Trust Wizard
 
  1. PCS metadata can be imported in the PCS in three ways. We have configured to import data from a URL. Enter the PCS Entity Id that was generated by the PCS while creating the auth server instance (refer step 3, sub menu 5).
  2. Click Next
 
  1. Configure a Display name to be used.  Click Next.
  2. Under Choose issuance Authorization Rules, select Permit all users to access this relying party.  Click Next
 
  1. Under Ready to Add Trust, click Next
 
  1. Click Close. With the Default settings this will Open Edit Claim Rules Window
 

Step 6 : Configuring Claim Rules

  1. From Claim rule template, select Send LDAP Attributes as Claims. Click Next
  1. Enter a Claim Rule name
  2. From Attribute Store, select Active Directory
  3. Under Mapping of LDAP attributes to outgoing claim Types from the LDAP attributes Dropdown box, select User-principal-Name and for Outgoing Claim Type select UPN.
  4. Click Finish
  1. Under Edit Claim Rules, Add another Rule
  2. From Claim rule template, select Transform an Incoming Claim. Click Next.
  1. Enter a Claim Rule name
  2. Under Rule Template: Transform an incoming claim for
    • Incoming Claim type select UPN
    • Outgoing Claim Type Name ID
    • Outgoing name ID format UPN
  3. Click Finish
  4. Click OK
  5. Once the claim rules are configured, please add the entity ID in the identifiers section by right clicking the relying party > Properties > identifiers:
  6. User-added image

Test the configuration

  1. Enter the sign in url configured on the PCS device
  2. User Will be redirected to ADFS Login Page once authenticated
User will be presented with PCS Bookmark page
Related Links
Attachment 1 
Created ByData Deployment

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255