Page Comparison

• Registering EmpowerID as a Service Provider (Relying Party application) in

• ADFS
• Adding the ADFS Certificates to the appropriate certificate stores on the EmpowerID Web server
• Creating a WS-Fed Connection for

• ADFS in EmpowerID
• Testing the

• ADSF connection
  
  
  

To register EmpowerID as a

Service Provider application in

ADFS

1. On the server with the ADFS installation, open the

1. ADFS management console.
2. From the

1. ADFS management console, expand

1. the Trust

1. Relationships node, right-

1. click Relying Party

1. Trusts and

1. select Add Relying Party

1. Trust from the context menu

1. .
   
   Image Added
   
   
   This opens the Add Relying Party Trust Wizard.
   
   Image Added
   
   
   
2. In the Relying Party Trust

1. Wizard that appears

1. , click Start and then do the following:
   1. From

1. 1. the Select Data Source

1. 1.  pane,

1. 1. select Enter data about the relying party

1. 1. manually and then

1. 1. click Next.
      
      Image Added
      
      
      
   2. From

1. 1. the Specify Display

1. 1. Name screen, type an appropriate display name for EmpowerID in

1. 1. the Display

1. 1. Name field and then

1. 1. click Next.
      
      Image Added
      
      
      
   2. From

1. 1. the Choose

1. 1. Profile screen,

1. 1. select AD FS

1. 1. profile and then

1. 1. click Next.
      
      Image Added
      
      
   2. From

1. 1. the Configure

1. 1. Certificate screen, browse to and select the public key for the certificate you are using in your EmpowerID deployment and then

1. 1. click Next. AD FS will use this certificate to encrypt claims sent to EmpowerID.
      
      Image Added
      
      
      
   2. From

1. 1. the Configure

1. 1. URL screen,

1. 1. select Enable support for the WS-Federation Passive

1. 1. protocol and in the Relying party WS-Federation Passive protocol URL field enter the URL to your EmpowerID Assertion Consumer (EmpowerID ACS) endpoint using the https scheme. The URL should look similar to https://

1. 1. <YourEmpowerIDWebServer/WebIdPWSFederation/ACS,

1. 1. where "<YourEmpowerIDWebServer>" is the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment

1. 1. .
      
      Image Added
      
      
   2. Click Next.
   3. From

1. 1. the Configure

1. 1. Identifiers screen, enter the EmpowerID Service Provider and then click Add. You should see two entries, similar to those depicted below, in

1. 1. the Relying party trust

1. 1. identifiers pane.
      

1. 1. 
      Image Added
      
      
   2. Click Next and

1. 1. proceed through each screen of the wizard to complete setting up the RP trust.
      
      
2. After creating the Relying Party trust, right-click it and select either Edit Claim Rules or Edit Claim Issuance Policy from the context menu.
   
   Image Added
   
   
   
3. In the Edit Claim Rules

1. window that appears,

1. click Add

1. Rule.
   
   Image Added
   

   
   

2. From the Add Transform Claim Rule Wizard,

1. select Pass Through or Filter an Incoming Claim from the Claim rule

1. template drop-down and then

1. click Next.
   
   Image Added
   
   
2. Type a name, such

1. as Name, in

1. the Claim rule

1. name field, select Name from the Incoming claim type drop-down and then click either Finish.
   
   Image Added
   
   
2. Click Apply and then OK to close the Edit Claim Rules for EmpowerID wizard.

Next, add the

token-signing

certificate on the ADFS server to

the Personal and Trusted People certificate stores on the EmpowerID web server in your environment.

To add the

token-signing certificate to the certificates stores

1. From

1. the certificates node of the ADFS 2.0 management console, right-click

1. the token-signing certificate and select View Certificate from the context menu.
   
   Image Added
   
   
   
2. In

1. the Certificate window that appears, click

1. the Details tab and then

1. click Copy to File.
   
   Image Added
   
   
   
2. In

1. the Certificate Export

1. Wizard that appears,

1. click Next.

1. Select No, do not export the private keyand then

1. click Next.

1. Select Base-64 encoded X.509 (.Cer) and

1. click Next.
2. Browse for an export location and

1. click Next.

1. Click Next and follow the wizard through to complete the export of the certificate

1. .
2. Next, open MMC and add the Certificates snap-in for the local computer if needed.
3. Expand

1. the Certificates node, right-

1. click Personal, point

1. to All

1. Tasks and

1. click Import.
2. In

1. the Certificate Import

1. Wizard that appears,

1. click Next.

1. Click Browse and locate your

1. certificate.
2. In the Open window that appears, select

1. the certificate and click Open.
2. Continue through the Certificate Import Wizard, until completed.

1. The certificate should be added to the Personal certificate store.

To create a WS-Federation Connection for ADFS in EmpowerID

1. From the Navigation Sidebar, navigate to the

1. the find protected application resource

1. page by

1. expanding Application and

1. clicking Manage Applications.
2. From

1. the Actions pane of

1. the find protected application resource page, click

1. the Create WS-Federation

1. Connection action link.

2. From

1. the General tab of

1. the Connection

1. Details form,

1. select Identity

1. Provider as

1. the Connection Type.

1. 
   
   Image Added
   
   
   
2. In

1. the Connection

1. Details section of the form do the following:
1. Type an appropriate name, display name and description for the connection in

1. the Name,Display

1. Name and Description fields, respectively.
2. In theTile Image URLfield,

1. type ~/Resources/Content/Images/Logos/ADFS2Logo.png. This tells EmpowerID the relative location of the logo that is to be placed on the ADFS 2 login tile for any domains associated with the connection

1. .
2. Select the previously inventoried Account Directory for your ADFS Server and click Save to create the WS Federation Connection.
3. Enter the EmpowerID Relying Party Trust Identifier in ADFS as the Realm in EmpowerID, i.e. https://sso.

1. empowersso.com/

1. WebIdPWSFederation/ACS
2. Enter the ADFS passive endpoint as the External IDP URL, i.e. https://empowersso.com/adfs/ls

1. , assuming com is your ADFS server.
2. Enterhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

1. in the Map To Account Claim Type field or specified the Identity Claim Type as appropriate.
2. Enter https://sso.empowersso.com/WebIdPWSFederation/SignIn in the Initiating URL field.
   
   Image Added
   

   
   

To set up a tile for ADFS IDP in EmpowerID

1. From the navigation sidebar, click SSO Components and from the IdP Domains tab, click Add.
   
   Image Added
   
   
2. On the IdP Domain Details page that appears, enter the domain you wish to add.
   
   Image Added
   
   
3. While on the IdP Domain Details page, go to the SAML Identify Providers tab and select EmpowerID from the list of IDPs listed.
   
   Image Added
   
   
4. While on the IdP Domain Details page, go to the WS-Fed Identify Providers tab and check your ADFS identity provider from the list of IDPs.
   
   Image Added
   
   
5. Click Save.

To test the ADFS IDP connection

1. Log out of EmpowerID, recycle IIS, and then log back in to EmpowerID.
   
   The ADFS tile should now appear on the login screen. You can click it to log in to EmpowerID using ADFS.
   
   Image Added