KB9984 - What are 'user records', what causes them to be persistent in Pulse Connect Secure cache, and how can this data be removed by the administrator?

KB22849 - Pulse Connect Secure (PCS) is unable to export the user sessions to the IF MAP server

KB25351 - Can the Pulse Policy Secure's machine account be added in the backend Active Directory for SPNEGO SSO to add the SPN to the user for Active Directory Integration?

KB43937 - System Variables

SA43667 - 2018-03 Out-of-Cycle Advisory: SAML allow authentication bypass via incorrect XML canonicalization

KB22289 - Active Directory troubleshooting procedure

5751 - Need to restrict the managment of the appliance to a single IP address.

< Back to search results

KB28618 - Configuring Active Directory Federation Services (ADFS) as a SAML auth server instance

Printable View

« Go Back

Information

Last Modified Date	6/19/2017 2:43 PM

Synopsis

This article describes the steps involved in configuring Active Directory Federation Service (ADFS) as a Security Assertion Markup Language (SAML) auth server instance.

Problem or Goal

Cause

Solution

Step 1 : Configuring Hostname for SAML entity ID

Log into PCS Admin console and navigate to System > Configuration > SAML
Click on Settings button as shown in the figure below:

Enter the hostname (FQDN) of the PCS device. This FQDN will be used by the PCS device to generate SA Entity Id while configuring SAML auth server instance. Click on Save Changes.
Go back to System > Configuration > SAML

Step 2 : Configuring Metadata Provider

Click on New Metadata Provider

Enter Name for the Metadata provider
Metadata of the ADFS can uploaded to the SA by two methods:
- Local : ADFS metadata.xml is downloaded to the workstation and is imported to the SA from the Workstation
- Remote: SA fetches the metadata from the ADFS server. Admin need to enter the URL for the ADFS metadata

To verify the URL for ADFS metadata.XML, login to the ADFS server.  
-From the Start Menu > Administrative Tools > AD FS 2.0 Management Console.
-On the Console Expand Service and click on Endpoints.  You will find the path for the Metadata

Based on the requirement, enable or disable Accept untrusted server certificate and accept unsigned Metadata.
Under the Metadata Provider Filter Configuration, Select Roles Identity Provider. This is a input for the PCS device to check what role it has to look in the Metadata.
Click Save Changes.

Step 3 : Configuring SAML Auth Server

Navigate to Authentication > Auth. Servers
Create a New SAML auth server instance

Enter a Name for this auth instance
Select SAML version to 2.0
PCS Entity Id will be auto populated by the PCS device
Under Configuration Mode, select Metadata.
For Identity Provider Entity Id & Identity Provider Single Sign On Service URL, these values will be populated by the PCS from the Metadata received from the ADFS
Under SSL Method Select Post, from the Response Signing certificate drop-down menu, select the certificate that the ADFS is configured for Signing response

Based on your requirements you can configure Device Certificate for Signing and Device Certificate for Encryption
For Metadata Validity enter a value between 1-9999 days.
Click Save changes

Step 4 : Configuring Realm, Role & Sign in URL

Configure a Realm to use the server instance created in the previous step
Configure Role Mapping as required
Configure a sign in url

Step 5 : Configuring Relying Party Trusts

Log into the server running AD FS
From the Start Menu > Administrative Tools > AD FS 2.0 Management Console
Expand Trust Relationships
Go to Relying Party Trusts.
Right click on Relying Party Trusts or from the Actions pane click on Add Relying Party Trust.

Click Start on Add Relying Party Trust Wizard

PCS metadata can be imported in the PCS in three ways. We have configured to import data from a URL. Enter the PCS Entity Id that was generated by the PCS while creating the auth server instance (refer step 3, sub menu 5).
Click Next

Configure a Display name to be used. Click Next.
Under Choose issuance Authorization Rules, select Permit all users to access this relying party. Click Next

Under Ready to Add Trust, click Next

Click Close. With the Default settings this will Open Edit Claim Rules Window

Step 6 : Configuring Claim Rules

From Claim rule template, select Send LDAP Attributes as Claims. Click Next

Enter a Claim Rule name
From Attribute Store, select Active Directory
Under Mapping of LDAP attributes to outgoing claim Types from the LDAP attributes Dropdown box, select User-principal-Name and for Outgoing Claim Type select UPN.
Click Finish

Under Edit Claim Rules, Add another Rule
From Claim rule template, select Transform an Incoming Claim. Click Next.

Enter a Claim Rule name
Under Rule Template: Transform an incoming claim for
- Incoming Claim type select UPN
- Outgoing Claim Type Name ID
- Outgoing name ID format UPN
Click Finish
Click OK
Once the claim rules are configured, please add the entity ID in the identifiers section by right clicking the relying party > Properties > identifiers:

Test the configuration

Enter the sign in url configured on the PCS device
User Will be redirected to ADFS Login Page once authenticated

User will be presented with PCS Bookmark page

Related Articles