Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Div | ||
---|---|---|
| ||
/wiki/spaces/E2D/pages/29982926 / Single Sign-On and MFA / Configuring SSO Connections / Identity Provider Connections / Current: Configuring ADFS 2 as an Identity Provider |
The EmpowerID SSO framework allows you to configure Identity Provider (IdP) SSO connections for third-party identity providers that support the use of WS-Federation for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any WS-Federation application in which you establish a trust relationship.
This topic demonstrates how to configure an SSO connection for WS-Federation Identity Provider applications by creating an SSO connection for AD FS 2Users can use ADFS as their Identity Provider to authenticate themselves to EmpowerID. This topic demonstrates how to setup EmpowerID as Service Provider in ADFS and is divided into the following activities:
- Registering EmpowerID as a Service Provider (Relying Party application) in AD FS 2ADFS
- Adding the ADFS Certificates to the appropriate certificate stores on the EmpowerID Web server
- Creating a WS-Fed Connection for AD FS 2 ADFS in EmpowerID
- Testing the AD FS 2 SSO ADSF connection
Info | |||||||||
---|---|---|---|---|---|---|---|---|---|
Prerequisites- As a prerequisite to creating an SSO Connection for AD FS 2.0configuring ADFS as an Identity Provider for EmpowerID, you must install the AD FS ADFS role service on your EmpowerID server. For information on installing the AD FS ADFS role service, see Microsoft's topic at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-the-ad-fs-role-service. Once the SSO Connection IdP connections has been set up for AD FSADFS, you can create a link similar to the one below to allow users to login to EmpowerID using AD FSADFS.
|
To register EmpowerID as a
Relying PartyService Provider application in
AD FS 2ADFS
- On the server with the ADFS installation, open the AD FS 2 ADFS management console.
- From the AD FS 2 ADFS management console, expand the Trust Relationships node, right-click Relying Party Trusts and select Add Relying Party Trust from the context menu.
Image Added
This opens the Add Relying Party Trust Wizard.
Image Removed
Image Added - In the Relying Party Trust Wizard that appears, click Start and then do the following:
- From the Select Data Source screenSource pane, select Enter data about the relying party manually and then click Next.
Image Added - From the Specify Display Name screen, type an appropriate display name for EmpowerID in the Display Name field and then click Next.
Image Added - From the Choose Profile screen, select AD FS 2.0 profile and then click Next.
Image Added - From the Configure Certificate screen, browse to and select the public key for the certificate you are using in your EmpowerID deployment and then click Next. AD FS will use this certificate to encrypt claims sent to EmpowerID.
Image Added - From the Configure URL screen, select Enable support for the WS-Federation Passive protocol, type protocol and in the Relying party WS-Federation Passive protocol URL field enter the URL to your EmpowerID Assertion Consumer (EmpowerID ACS) endpoint using the https scheme. The URL should look similar to https://sso.empowerid.com<YourEmpowerIDWebServer/WebIdPWSFederation/ACS, replacing "sso.empowerid.com" with where "<YourEmpowerIDWebServer>" is the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment and click .
Image Added - Click Next.
Image Removed - From the Configure Identifiers screen, type https://sso.empowerid.comin the Relying party trust identifier field, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment and enter the EmpowerID Service Provider and then click Add. You should see two entries, similar to those depicted below, in the Relying party trust identifiers pane.
Image Removed
Image Added - ClickClick Next and in theChoose Issuance Authorization Rulesscreen, ensure thatPermit all users to access this relying partyis selected and then clickNext.
- From theReady to Add Trustscreen, review your settings and thenNextto add the trust for EmpowerID. Ensure thatOpen the Edit Claim Rules dialog for this relying party trustwhen the wizard closes is selected and then clickClose.
This opens theAdd Transform Claim Rule Wizard. The wizard allows us to specify which AD attributes should be sent to EmpowerID as identity claims. We want to send the UPN and the Name attributes.
Image Removed
- From the Select Data Source screenSource pane, select Enter data about the relying party manually and then click Next.
- From theAdd Transform Claim Rule Wizard, selectSend LDAP Attributes as Claims from the Claim rule templatedrop-down and then clickNext.
- Type a name, such asDefault_Claims, in theClaim rule namefield and selectActive Directory from the Attribute storedrop-down. UnderneathMapping of LDAP attributes to outgoing claim types, do the following:
- SelectUser_Principal_Namefrom theLDAP Attributedrop-down andUPNfrom theOutgoing Claim Typedrop-down. SelectSAM-Account-Namefrom theLDAP Attributedrop-down andNamefrom theOutgoing Claim Typedrop-down and then clickFinishto close the wizard.
- Click OK to close the Edit Claim Rules dialog.
Image Removed
Back in the Edit Claim Rules dialog, click Apply.
Image Removed
- proceed through each screen of the wizard to complete setting up the RP trust.
- proceed through each screen of the wizard to complete setting up the RP trust.
- After creating the Relying Party trust, right-click it and select either Edit Claim Rules or Edit Claim Issuance Policy from the context menu.
Image Added - In the Edit Claim Rules window that appears, click Add Rule.
Image Added - From the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim from the Claim rule template drop-down and then click Next.
Image Added - Type a name, such as Name, in the Claim rule name field, select Name from the Incoming claim type drop-down and then click either Finish.
Image Added - Click Apply and then OK to close the Edit Claim Rules for EmpowerID wizard.
Next, add the token-signing certificate on the ADFS server to the Personal and Trusted People certificate stores on the EmpowerID web server in your environment.
To add the
certificatestoken-signing certificate to the certificates stores
- From the certificates node of the ADFS 2.0 management console, right-click the Service communications token-signing certificate and select View Certificate from the context menu.
Image Removed
Image Added - In the Certificate window that appears, click the Details tab and then click Copy to File.
Image Removed
Image Added - In thethe Certificate Export WizardWizard that appears, clickclick Next.
- SelectSelect No, do not export the private keyand then clickclick Next.
- SelectSelect Base-64 encoded X.509 (.Cer) and clickclick Next.
- Browse for an export location and clickclick Next.
- ClickNextClick Next and follow the wizard through to complete the export of the certificate.
- Repeat the above steps for the token-decrypting and token-signing certificates (you will not be presented with an option to export the private key for these certificates).
- Next, open MMC and add the Certificates snap-in for the local computer if needed.
- Expand theCertificatesthe Certificates node, right-clickclick Personal, point toto All TasksTasks and clickclick Import.
- In thethe Certificate Import WizardWizard that appears, clickclick Next.
- ClickBrowseClick Browse and locate your certificatescertificate.
- In the Open window that appears, select one of your certificates and clickthe certificate and click Open.
- Continue through the Certificate Import Wizard, until completed. Repeat for each of your certificates until each of them is in both thePersonalandTrusted Peoplecertificate storesThe certificate should be added to the Personal certificate store.
To create a WS-Federation Connection for ADFS in EmpowerID
- From the Navigation Sidebar, navigate to the thethe find protected application resource pagepage by expandingApplicationexpanding Application and clickingclicking Manage Applications.
- From theActionsthe Actions pane of Application Managerthe find protected application resource page, click thethe Create WS-Federation ConnectionConnection action link.
Image Removed - From theGeneralthe General tab of thethe Connection DetailsDetails form, selectselect Identity ProviderProvider as thethe Connection Type.
- In thethe Connection DetailsDetails section of the form do the following:
- Type an appropriate name, display name and description for the connection in the Name,Display Name and Description fields, respectively.
- In theTile Image URLfield, type ~/Resources/Content/Images/Logos/ADFS2Logo.png. This tells EmpowerID the relative location of the logo that is to be placed on the ADFS 2 login tile for any domains associated with the connection.
- Select the previously inventoried Account Directory for your ADFS Server and click Save to create the WS Federation Connection.
- Enter the EmpowerID Relying Party Trust Identifier in ADFS as the Realm in EmpowerID, i.e. https://sso.
- empowersso.com/WebIdPWSFederation/
- In the External IdP URL field, type the value of the WS-Federation Sign-In Endpoint for ADFS. This value should be similar to fs.tdnfdemo.com/adfs/ls/ where "fs.tdnfdemo.com" is the FQDN or resolvable DNS of the ADFS server with which you are federating.
- In the Realm field, type base URL for your EmpowerID Web server, such as "https://sso.empowerid.com", where "sso.empowerid.com" is the FQDN or resolvable DNS of your EmpowerID server. In the Map To Account Claim Type field, type
- ACS
- Enter the ADFS passive endpoint as the External IDP URL, i.e. https://empowersso.com/adfs/ls, assuming com is your ADFS server.
- Enterhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Click the Domains tab. From this tab, you can select the domains in which you want a login tile for ADFS to appear to users as a login option for accessing your EmpowerID site. From the Domains tab, click the Add (+) button in the Assigned Domains section.
- Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.
When you have completed the above, the General section of the form should look similar to the following image:
Image RemovedIn the Account Information section of the form, choose whether to create an new account directory for the connection or select an existing account directory from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store account exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
Image Removed
Image Removed
In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
Image Removed
- in the Map To Account Claim Type field or specified the Identity Claim Type as appropriate.
- Enter https://sso.empowersso.com/WebIdPWSFederation/SignIn in the Initiating URL field.
Image Added
To set up a tile for ADFS IDP in EmpowerID
- From the navigation sidebar, click SSO Components and from the IdP Domains tab, click Add.
Image Added - On the IdP Domain Details page that appears, enter the domain you wish to add.
Image Added - While on the IdP Domain Details page, go to the SAML Identify Providers tab and select EmpowerID from the list of IDPs listed.
Image Added - While on the IdP Domain Details page, go to the WS-Fed Identify Providers tab and check your ADFS identity provider from the list of IDPs.
Image Added - Click Save.
To test the ADFS IDP connection
- Launch your web browser, pointing it to the domain name you configured for the ADFS IdP connection.
- UnderneathLogin using one of your other accounts, click theADFSbutton.
- This redirects your browser to the ADFS login page and presents you with an Authentication Required dialog. Type your Windows credentials in theAuthentication Requireddialog and clickOK.
Image Removed
EmpowerID verifies the claims and grants you access.Log out of EmpowerID, recycle IIS, and then log back in to EmpowerID.
The ADFS tile should now appear on the login screen. You can click it to log in to EmpowerID using ADFS.
Image Added
Div | |||||||
---|---|---|---|---|---|---|---|
| |||||||
|
Div | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||
|