Configuring ADFS 2 as an Identity Provider
The EmpowerID SSO framework allows you to configure Identity Provider (IdP) SSO connections for third-party identity providers that support the use of WS-Federation for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any WS-Federation application in which you establish a trust relationship.
This topic demonstrates how to configure an SSO connection for WS-Federation Identity Provider applications by creating an SSO connection for AD FS 2 and is divided into the following activities:
- Registering EmpowerID as a Relying Party application in AD FS 2
- Adding the ADFS Certificates to the appropriate certificate stores on the EmpowerID Web server
- Creating a WS-Fed Connection for AD FS 2 in EmpowerID
- Testing the AD FS 2 SSO connection
Prerequisites: Before creating an SSO Connection for AD FS 2.0, you must install the AD FS role service on your EmpowerID server. For information on installing the AD FS role service, see Microsoft's topic at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-the-ad-fs-role-service. Once the SSO Connection has been set up for AD FS, you can create a link similar to the one below to allow users to log in to EmpowerID using AD FS.
To register EmpowerID as a Relying Party application in AD FS 2
- On the server with the ADFS installation, open the AD FS 2 management console.
- From the AD FS 2 management console, expand the Trust Relationships node, right-click Relying Party Trusts and select Add Relying Party Trust from the context menu.
- In the Relying Party Trust Wizard that appears, click Start and then do the following:
- From the Select Data Source screen, select Enter data about the relying party manually and then click Next.
- From the Specify Display Name screen, type an appropriate display name for EmpowerID in the Display Name field and then click Next.
- From the Choose Profile screen, select AD FS 2.0 profile and then click Next.
- From the Configure Certificate screen, browse to and select the public key for the certificate you are using in your EmpowerID deployment and then click Next. AD FS will use this certificate to encrypt claims sent to EmpowerID.
- From the Configure URL screen, select Enable support for the WS-Federation Passive protocol, type https://sso.empowerid.com/WebIdPWSFederation/ACS, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment and click Next.
- From the Configure Identifiers screen, type https://sso.empowerid.com in the Relying party trust identifier field, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment and then click Add. You should see two entries, similar to those depicted below, in the Relying party trust identifiers pane.
- Click Next and in the Choose Issuance Authorization Rules screen, ensure that Permit all users to access this relying party is selected and then click Next.
- From the Ready to Add Trust screen, review your settings and then click Next to add the trust for EmpowerID.
- Ensure that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected and then click Close.
- In the Edit Claim Rules for <the name you just gave the relying party application> dialog that appears, click Add rule.
This opens theAdd Transform Claim Rule Wizard. The wizard allows us to specify which AD attributes should be sent to EmpowerID as identity claims. We want to send the UPN and the Name attributes.
- From the Add Transform Claim Rule Wizard, select Send LDAP Attributes as Claims from the Claim rule template drop-down and then click Next.
- Type a name, such as Default_Claims, in the Claim rule name field and select Active Directory from the Attribute store drop-down.
- Underneath Mapping of LDAP attributes to outgoing claim types, do the following:
- Select User-Principal-Name from the LDAP Attribute drop-down and UPN from the Outgoing Claim Type drop-down.
- Select SAM-Account-Name from the LDAP Attribute drop-down and Name from the Outgoing Claim Type drop-down and then click Finish to close the wizard.
- Back in the Edit Claim Rules dialog, click Apply.
- Click OK to close the Edit Claim Rules dialog.
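As an added example (not part of the original EmpowerID documentation), the same relying party trust, LDAP claim rule and authorization rule created from the AD FS 2.0 PowerShell snap-in instead of the wizard. The display name "EmpowerID", the path of the exported EmpowerID public key and the host name sso.empowerid.com are assumptions; substitute your own values.

```powershell
# Added example: scripted equivalent of the Add Relying Party Trust wizard steps above.
# Assumed values: display name "EmpowerID", a .cer file holding the EmpowerID public key,
# and the EmpowerID web server host name used throughout this page. Run on the AD FS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$empowerIdHost = "sso.empowerid.com"              # replace with your EmpowerID web server FQDN
$empowerIdCer  = "C:\certs\empowerid-public.cer"  # assumed path to the exported public key

# "Send LDAP Attributes as Claims" rule: UPN <- userPrincipalName, Name <- sAMAccountName,
# the same mapping the wizard produces for the Default_Claims rule.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Default_Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,sAMAccountName;{0}", param = c.Value);
'@

# "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The first identifier must match the Realm value entered later on the EmpowerID connection;
# the second is the identifier the wizard adds automatically for the WS-Federation endpoint.
# -EncryptionCertificate makes AD FS encrypt the token to EmpowerID's public key.
Add-ADFSRelyingPartyTrust -Name "EmpowerID" `
    -Identifier @("https://$empowerIdHost", "https://$empowerIdHost/WebIdPWSFederation/ACS") `
    -WSFedEndpoint "https://$empowerIdHost/WebIdPWSFederation/ACS" `
    -EncryptionCertificate (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $empowerIdCer) `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the trust should show both identifiers, the ACS endpoint and the two rule sets.
Get-ADFSRelyingPartyTrust -Name "EmpowerID" |
    Select-Object Identifier, WSFedEndpoint, EncryptionCertificate, IssuanceTransformRules, IssuanceAuthorizationRules
```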
Next, add the Service communications, token-signing and token-decrypting certificates on the ADFS server to the Personal and Trusted People certificate stores on the EmpowerID web server in your environment.
To add the certificates to the certificates stores
- From the certificates node of the ADFS 2.0 management console, right-click the Service communications certificate and select View Certificate from the context menu.
- In the Certificate window that appears, click the Details tab and then click Copy to File.
- In the Certificate Export Wizard that appears, click Next.
- Select No, do not export the private key and then click Next.
- Select Base-64 encoded X.509 (.CER) and click Next.
- Browse for an export location and click Next.
- Click Next and follow the wizard through to complete the export of the certificate.
- Repeat the above steps for the token-decrypting and token-signing certificates (you will not be presented with an option to export the private key for these certificates).
- Next, open MMC on the EmpowerID web server and add the Certificates snap-in for the local computer if needed.
- Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
- In the Certificate Import Wizard that appears, click Next.
- Click Browse and locate your certificates.
- In the Open window that appears, select one of your certificates and click Open.
- Continue through the Certificate Import Wizard until it completes.
- Repeat for each of your certificates until each of them is in both the Personal and Trusted People certificate stores.
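An added example (not from the EmpowerID documentation) that imports the three exported .cer files into both stores on the EmpowerID web server and then verifies each thumbprint is present in each store. The directory and file names are assumptions; it uses the .NET X509Store class directly so it also runs on Windows Server 2008 R2, which lacks the Import-Certificate cmdlet.

```powershell
# Added example: import the exported AD FS certificates into the Personal ("My") and
# Trusted People stores of the local computer, then verify. Run from an elevated prompt.
# Assumed: the three Base-64 .cer files exported above were saved under C:\adfs-certs.
$cerFiles = @(
    "C:\adfs-certs\adfs-service-communications.cer",   # assumed file names
    "C:\adfs-certs\adfs-token-signing.cer",
    "C:\adfs-certs\adfs-token-decrypting.cer"
)
$storeNames = @("My", "TrustedPeople")   # "My" is the Personal store in the MMC snap-in

foreach ($file in $cerFiles) {
    # The .cer files contain public keys only; no private key was exported from AD FS.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$file ($($cert.Subject)) expired on $($cert.NotAfter); obtain the current AD FS certificate instead."
    }
    foreach ($name in $storeNames) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, "LocalMachine")
        $store.Open("ReadWrite")
        $store.Add($cert)        # no-op if a certificate with this thumbprint is already present
        $store.Close()
    }
}

# Verification: every thumbprint must appear in both stores, or token validation will fail.
foreach ($file in $cerFiles) {
    $thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file).Thumbprint
    foreach ($name in $storeNames) {
        $found = Get-ChildItem "Cert:\LocalMachine\$name" | Where-Object { $_.Thumbprint -eq $thumb }
        "{0,-40} {1,-14} {2}" -f (Split-Path $file -Leaf), $name, $(if ($found) { "present" } else { "MISSING" })
    }
}
```

AD FS 2.0 rolls its token-signing and token-decrypting certificates automatically by default, so re-run the export and this import after each rollover; otherwise tokens signed with the new key are rejected on the EmpowerID side.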
To create a WS-Federation Connection for ADFS in EmpowerID
- From the Navigation Sidebar, navigate to the Find Protected Application Resource page by expanding Application and clicking Manage Applications.
- From the Actions pane of Application Manager, click the Create WS-Federation Connection action link.
- From the General tab of the Connection Details form, select Identity Provider as the Connection Type.
- In the Connection Details section of the form, do the following:
- Type an appropriate name, display name and description for the connection in the Name, Display Name and Description fields, respectively.
- In the Tile Image URL field, type ~/Resources/Content/Images/Logos/ADFS2Logo.png. This tells EmpowerID the relative location of the logo that is to be placed on the ADFS 2 login tile for any domains associated with the connection.
- In the Initiating URL field, type https://sso.empowerid.com/WebIdPWSFederation/SignIn, replacing sso.empowerid.com with the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment.
- In the External IdP URL field, type the value of the WS-Federation Sign-In Endpoint for ADFS. This value should be similar to fs.tdnfdemo.com/adfs/ls/ where "fs.tdnfdemo.com" is the FQDN or resolvable DNS of the ADFS server with which you are federating.
- In the Realm field, type the base URL for your EmpowerID Web server, such as "https://sso.empowerid.com", where "sso.empowerid.com" is the FQDN or resolvable DNS of your EmpowerID server. This value must match the relying party trust identifier you entered in AD FS.
- In the Map To Account Claim Type field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This specifies that EmpowerID look for the Name attribute in the token sent to it by ADFS.
When you have completed the above, the General section of the form should look similar to the following image:
- In the Account Information section of the form, choose whether to create a new account directory for the connection or select an existing account directory from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
- Click the Domains tab. From this tab, you can select the domains in which you want a login tile for ADFS to appear to users as a login option for accessing your EmpowerID site.
- From the Domains tab, click the Add (+) button in the Assigned Domains section.
- In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
- Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.
Now that you have created the SSO connection for ADFS, you can test the connection as demonstrated below.
To test the ADFS IDP connection
- Launch your web browser, pointing it to the domain name you configured for the ADFS IdP connection.
- Underneath Login using one of your other accounts, click the ADFS button.
- This redirects your browser to the ADFS login page and presents you with an Authentication Required dialog. Type your Windows credentials in the Authentication Required dialog and click OK.
EmpowerID verifies the claims and grants you access.