Configuring ADFS 2 as an Identity Provider

The EmpowerID SSO framework allows you to configure Identity Provider (IdP) SSO connections for third-party identity providers that support the use of WS-Federation for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any WS-Federation application in which you establish a trust relationship.

This topic demonstrates how to configure an SSO connection for a WS-Federation Identity Provider by creating an SSO connection for ADFS. Users can then use ADFS as their Identity Provider to authenticate themselves to EmpowerID. The topic shows how to set up EmpowerID as a Service Provider in ADFS and is divided into the following activities:

  • Registering EmpowerID as a Service Provider (Relying Party application) in ADFS
  • Adding the ADFS certificates to the appropriate certificate stores on the EmpowerID Web server
  • Creating a WS-Fed connection for ADFS in EmpowerID
  • Testing the ADFS SSO connection


Info

Prerequisites: As a prerequisite to configuring ADFS as an Identity Provider for EmpowerID, you must install the ADFS role service on your EmpowerID server. For information on installing the ADFS role service, see Microsoft's topic at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-the-ad-fs-role-service.

Once the IdP connection has been set up for ADFS, you can create a link similar to the one below to allow users to log in to EmpowerID using ADFS.

    https://sso.empowersso.com/WebIdPForms/Login/EmpowerIDWebSite/ADFS?returnUrl=%2FWebIdPForms%2F


Warning

Be sure to replace "sso.empowersso.com" with the FQDN of the EmpowerID Web server in your environment and "ADFS" with the name of the SSO connection you create for ADFS in EmpowerID.




To register EmpowerID as a Relying Party (Service Provider) application in ADFS

  1. On the server with the ADFS installation, open the ADFS management console.
  2. From the ADFS management console, expand the Trust Relationships node, right-click Relying Party Trusts and select Add Relying Party Trust from the context menu.

    This opens the Add Relying Party Trust Wizard.

  3. In the Add Relying Party Trust Wizard that appears, click Start and then do the following:
    1. From the Select Data Source screen, select Enter data about the relying party manually and then click Next.

    2. From the Specify Display Name screen, type an appropriate display name for EmpowerID in the Display Name field and then click Next.

    3. From the Choose Profile screen, select AD FS 2.0 profile and then click Next.

    4. From the Configure Certificate screen, browse to and select the public key for the certificate you are using in your EmpowerID deployment and then click Next. AD FS will use this certificate to encrypt claims sent to EmpowerID.

    5. From the Configure URL screen, select Enable support for the WS-Federation Passive protocol and, in the Relying party WS-Federation Passive protocol URL field, enter the URL of your EmpowerID Assertion Consumer Service (ACS) endpoint using the https scheme. The URL should look similar to https://<YourEmpowerIDWebServer>/WebIdPWSFederation/ACS, where "<YourEmpowerIDWebServer>" is the FQDN or resolvable DNS alias of the EmpowerID Web server in your environment.

    6. Click Next.
    7. From the Configure Identifiers screen, type https://sso.empowerid.com in the Relying party trust identifier field, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias of the EmpowerID Web server in your environment, and then click Add. You should now see two entries in the Relying party trust identifiers pane.

    8. Click Next and in the Choose Issuance Authorization Rules screen, ensure that Permit all users to access this relying party is selected and then click Next.
    9. From the Ready to Add Trust screen, review your settings and then click Next to add the trust for EmpowerID.
    10. Ensure that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected and then click Close.
    The Edit Claim Rules dialog that opens lets you specify which AD attributes ADFS sends to EmpowerID as identity claims. In this topic, the UPN and Name attributes are sent.

  4. After creating the Relying Party trust, right-click it and select either Edit Claim Rules or Edit Claim Issuance Policy from the context menu.

  5. In the Edit Claim Rules window that appears, click Add Rule.

  6. From the Add Transform Claim Rule Wizard, select Send LDAP Attributes as Claims from the Claim rule template drop-down and then click Next.

  7. Type a name, such as Default_ClaimsName, in the Claim rule name field and select Active Directory from the Attribute store drop-down. Underneath Mapping of LDAP attributes to outgoing claim types, do the following:
  8. Select User_Principal_Name from the LDAP Attribute drop-down and UPN from the Outgoing Claim Type drop-down.
  9. Select SAM-Account-Name from the LDAP Attribute drop-down and Name from the Outgoing Claim Type drop-down and then click Finish to close the wizard.
    If you chose the Pass Through or Filter an Incoming Claim template instead, select Name from the Incoming claim type drop-down and then click Finish.

  10. Back in the Edit Claim Rules dialog, click Apply and then OK to close the Edit Claim Rules for EmpowerID dialog.
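The same relying party trust and claim rules can be registered with the AD FS PowerShell cmdlets instead of clicking through the wizard, which also exposes the claim rule language that the Send LDAP Attributes as Claims template generates. This is an added example, not code from the EmpowerID documentation; the host name sso.empowerid.com and the certificate path C:\certs\empowerid-encrypt.cer are assumptions.

```powershell
# Added example (not from the EmpowerID documentation): registers the relying
# party trust and the two claim rules from the steps above on the AD FS server.
# Assumptions: sso.empowerid.com is the EmpowerID Web server and
# C:\certs\empowerid-encrypt.cer is the public key of its encryption certificate.
# On AD FS 2.0 use "Add-PSSnapin Microsoft.Adfs.PowerShell" instead of Import-Module.
Import-Module ADFS

$rpName     = 'EmpowerID'
$webServer  = 'sso.empowerid.com'
$acsUrl     = "https://$webServer/WebIdPWSFederation/ACS"
$identifier = "https://$webServer"

# Same rule the "Send LDAP Attributes as Claims" template produces:
# userPrincipalName -> UPN claim, sAMAccountName -> Name claim.
$transformRules = @'
@RuleName = "Default_ClaimsName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";userPrincipalName,sAMAccountName;{0}", param = c.Value);
'@

# Equivalent of "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Public key only; AD FS uses it to encrypt the tokens it sends to EmpowerID.
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\empowerid-encrypt.cer'

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier @($identifier, $acsUrl) `
    -WSFedEndpoint $acsUrl `
    -EncryptionCertificate $encCert `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify what was registered: both identifiers, the passive endpoint and the rule text.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```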

Next, add the Service communications, token-signing and token-decrypting certificates from the ADFS server to the Personal and Trusted People certificate stores on the EmpowerID Web server in your environment.

To add the ADFS certificates to the certificate stores

  1. From the Certificates node of the ADFS management console, right-click the Service communications certificate and select View Certificate from the context menu.
  2. In the Certificate window that appears, click the Details tab and then click Copy to File.
  3. In the Certificate Export Wizard that appears, click Next.
  4. Select No, do not export the private key and then click Next.
  5. Select Base-64 encoded X.509 (.Cer) and click Next.
  6. Browse for an export location and click Next.
  7. Click Next and follow the wizard through to complete the export of the certificate.
  8. Repeat the above steps for the token-decrypting and token-signing certificates (you will not be presented with an option to export the private key for these certificates).
  9. Next, open MMC and add the Certificates snap-in for the local computer if needed.
  10. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
  11. In the Certificate Import Wizard that appears, click Next.
  12. Click Browse and locate your exported certificates.
  13. In the Open window that appears, select one of your certificates and click Open.
  14. Continue through the Certificate Import Wizard until it completes. Repeat the import for each of your certificates until each of them is in both the Personal and Trusted People certificate stores.
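The export and import steps above can also be scripted. As an added example that is not part of the EmpowerID documentation, the first part runs on the ADFS server and the second on the EmpowerID Web server after the .cer files have been copied across; the folder C:\adfs-certs on both servers is an assumption. The closing table lets you confirm that every imported certificate is present in both stores and that none carries a private key.

```powershell
# Added example (not from the EmpowerID documentation). Part 1 exports the
# public half of each AD FS certificate as a Base-64 .cer file; part 2 imports
# the files into the local computer's Personal and Trusted People stores.
# The folder C:\adfs-certs on both servers is an assumption.
# On AD FS 2.0 use "Add-PSSnapin Microsoft.Adfs.PowerShell" instead of Import-Module.

# --- Part 1: run on the AD FS server -------------------------------------
Import-Module ADFS
$exportDir = 'C:\adfs-certs'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
    # The primary certificate of each type is the one currently in use.
    $cert = Get-AdfsCertificate -CertificateType $type |
            Sort-Object IsPrimary -Descending |
            Select-Object -First 1 -ExpandProperty Certificate
    # RawData is the DER-encoded public certificate only; the private key is
    # never read, which matches "No, do not export the private key" above.
    $pem = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
           "`n-----END CERTIFICATE-----"
    Set-Content -Path (Join-Path $exportDir "adfs-$type.cer") -Value $pem -Encoding Ascii
}

# --- Part 2: run on the EmpowerID Web server ------------------------------
$importDir = 'C:\adfs-certs'   # copy the exported .cer files here first
$imported = foreach ($file in Get-ChildItem -Path $importDir -Filter 'adfs-*.cer') {
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\TrustedPeople') {
        Import-Certificate -FilePath $file.FullName -CertStoreLocation $store
    }
}

# Verify: each certificate appears in both stores and HasPrivateKey is False.
$imported |
    Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*::' } },
                  Subject, NotAfter, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize
```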

To create a WS-Federation Connection for ADFS in EmpowerID

  1. From the Navigation Sidebar, navigate to the Find Protected Application Resource page by expanding Applications and clicking Manage Applications.
  2. From the Actions pane of the Find Protected Application Resource page, click the Create WS-Federation Connection action link.
  3. From the General tab of the Connection Details form, select Identity Provider as the Connection Type.

  4. In the Connection Details section of the form, do the following:
    1. Type an appropriate name, display name and description for the connection in the Name, Display Name and Description fields, respectively.
    2. In the Tile Image URL field, type ~/Resources/Content/Images/Logos/ADFS2Logo.png. This tells EmpowerID the relative location of the logo that is to be placed on the ADFS 2 login tile for any domains associated with the connection.
    3. In the Initiating URL field, type https://sso.empowersso.com/WebIdPWSFederation/SignIn, replacing "sso.empowersso.com" with the FQDN or resolvable DNS alias of the EmpowerID Web server in your environment.
    4. In the Realm field, type the base URL of your EmpowerID Web server, such as https://sso.empowerid.com, where "sso.empowerid.com" is the FQDN or resolvable DNS alias of your EmpowerID server. This value is the Relying Party Trust Identifier you registered for EmpowerID in ADFS.
    5. In the External IdP URL field, type the WS-Federation passive sign-in endpoint of ADFS. This value should be similar to https://fs.tdnfdemo.com/adfs/ls/, where "fs.tdnfdemo.com" is the FQDN or resolvable DNS name of the ADFS server with which you are federating.
    6. In the Map To Account Claim Type field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This tells EmpowerID to look for the Name claim in the token sent to it by ADFS.
    In the Account Information section of the form, choose whether to create a new account directory for the connection or select an existing account directory (such as the previously inventoried Account Directory for your ADFS server) from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
  5. Click the Domains tab. From this tab, you can select the domains in which you want a login tile for ADFS to appear to users as a login option for accessing your EmpowerID site.
  6. From the Domains tab, click the Add (+) button in the Assigned Domains section. In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
  7. Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.

Now that you have created the SSO connection for ADFS, set up the login tile and test the connection as demonstrated below.


To set up a tile for ADFS IDP in EmpowerID

  1. From the navigation sidebar, click SSO Components and from the IdP Domains tab, click Add.

  2. On the IdP Domain Details page that appears, enter the domain you wish to add.

  3. While on the IdP Domain Details page, go to the SAML Identity Providers tab and select EmpowerID from the list of IdPs.

  4. While on the IdP Domain Details page, go to the WS-Fed Identity Providers tab and check your ADFS identity provider in the list of IdPs.

  5. Click Save.

To test the ADFS IDP connection

  1. Launch your web browser, pointing it to the domain name you configured for the ADFS IdP connection.
  2. Underneath Login using one of your other accounts, click the ADFS button.
  3. This redirects your browser to the ADFS login page and presents you with an Authentication Required dialog. Type your Windows credentials in the Authentication Required dialog and click OK.
    EmpowerID verifies the claims and grants you access. Log out of EmpowerID, recycle IIS, and then log back in to EmpowerID.

    The ADFS tile should now appear on the login screen. You can click it to log in to EmpowerID using ADFS.
