You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
ADFS
- Phillip Hanegan
- Anonymous
Users can use ADFS as their Identity Provider to authenticate themselves to EmpowerID. This topic demonstrates how to setup EmpowerID as Service Provider in ADFS and is divided into the following activities:
- Registering EmpowerID as a Service Provider (Relying Party application) in ADFS
- Adding the ADFS Certificates to the appropriate certificate stores on the EmpowerID Web server
- Creating a WS-Fed Connection for ADFS in EmpowerID
- Testing the ADSF connection
Prerequisites- As a prerequisite to configuring ADFS as an Identity Provider for EmpowerID, you must install the ADFS role service on your EmpowerID server. For information on installing the ADFS role service, see Microsoft's topic at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-the-ad-fs-role-service.
Once the IdP connections has been set up for ADFS, you can create a link similar to the one below to allow users to login to EmpowerID using ADFS.
https://sso.empowersso.com/WebIdPForms/Login/EmpowerIDWebSite/ADFS?returnUrl=%2FWebIdPForms%2F
Be sure to replace "sso.empowersso.com" with the FQDN of the EmpowerID Web server in your environment and ADFS with the name of the connection you create for ADFS in EmpowerID.
To register EmpowerID as a Service Provider application in ADFS
- On the server with the ADFS installation, open the ADFS management console.
- From the ADFS management console, expand the Trust Relationships node, right-click Relying Party Trusts and select Add Relying Party Trust from the context menu.
This opens the Add Relying Party Trust Wizard. - In the Relying Party Trust Wizard that appears, click Start and then do the following:
- From the Select Data Source pane, select Enter data about the relying party manually and then click Next.
- From the Specify Display Name screen, type an appropriate display name for EmpowerID in the Display Name field and then click Next.
- From the Choose Profile screen, select AD FS profile and then click Next.
- From the Configure Certificate screen, browse to and select the public key for the certificate you are using in your EmpowerID deployment and then click Next. AD FS will use this certificate to encrypt claims sent to EmpowerID.
- From the Configure URL screen, select Enable support for the WS-Federation Passive protocol and in the Relying party WS-Federation Passive protocol URL field enter the URL to your EmpowerID Assertion Consumer (EmpowerID ACS) endpoint using the https scheme. The URL should look similar to https://<YourEmpowerIDWebServer/WebIdPWSFederation/ACS, where "<YourEmpowerIDWebServer>" is the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment.
- Click Next.
- From the Configure Identifiers screen, enter the EmpowerID Service Provider and then click Add. You should see two entries, similar to those depicted below, in the Relying party trust identifiers pane.
- Click Next and proceed through each screen of the wizard to complete setting up the RP trust.
- From the Select Data Source pane, select Enter data about the relying party manually and then click Next.
- After creating the Relying Party trust, right-click it and select either Edit Claim Rules or Edit Claim Issuance Policy from the context menu.
- In the Edit Claim Rules window that appears, click Add Rule.
- From the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim from the Claim rule template drop-down and then click Next.
- Type a name, such as Name, in the Claim rule name field, select Name from the Incoming claim type drop-down and then click either Finish.
- Click Apply and then OK to close the Edit Claim Rules for EmpowerID wizard.
Next, add the token-signing certificate on the ADFS server to the Personal and Trusted People certificate stores on the EmpowerID web server in your environment.
To add the token-signing certificate to the certificates stores
- From the certificates node of the ADFS 2.0 management console, right-click the token-signing certificate and select View Certificate from the context menu.
- In the Certificate window that appears, click the Details tab and then click Copy to File.
- In the Certificate Export Wizard that appears, click Next.
- Select No, do not export the private keyand then click Next.
- Select Base-64 encoded X.509 (.Cer) and click Next.
- Browse for an export location and click Next.
- Click Next and follow the wizard through to complete the export of the certificate.
- Next, open MMC and add the Certificates snap-in for the local computer if needed.
- Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
- In the Certificate Import Wizard that appears, click Next.
- Click Browse and locate your certificate.
- In the Open window that appears, select the certificate and click Open.
- Continue through the Certificate Import Wizard, until completed. The certificate should be added to the Personal certificate store.
To create a WS-Federation Connection for ADFS in EmpowerID
- From the Navigation Sidebar, navigate to the the find protected application resource page by expanding Application and clicking Manage Applications.
- From the Actions pane of the find protected application resource page, click the Create WS-Federation Connection action link.
- From the General tab of the Connection Details form, select Identity Provider as the Connection Type.
- In the Connection Details section of the form do the following:
- Type an appropriate name, display name and description for the connection in the Name,Display Name and Description fields, respectively.
- In theTile Image URLfield, type ~/Resources/Content/Images/Logos/ADFS2Logo.png. This tells EmpowerID the relative location of the logo that is to be placed on the ADFS 2 login tile for any domains associated with the connection.
- Select the previously inventoried Account Directory for your ADFS Server and click Save to create the WS Federation Connection.
- Enter the EmpowerID Relying Party Trust Identifier in ADFS as the Realm in EmpowerID, i.e. https://sso.empowersso.com/WebIdPWSFederation/ACS
- Enter the ADFS passive endpoint as the External IDP URL, i.e. https://empowersso.com/adfs/ls, assuming com is your ADFS server.
- Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name in the Map To Account Claim Type field or specified the Identity Claim Type as appropriate.
- Enter https://sso.empowersso.com/WebIdPWSFederation/SignIn in the Initiating URL field.
To set up a tile for ADFS IDP in EmpowerID
- From the navigation sidebar, click SSO Components and from the IdP Domains tab, click Add.
- On the IdP Domain Details page that appears, enter the domain you wish to add.
- While on the IdP Domain Details page, go to the SAML Identify Providers tab and select EmpowerID from the list of IDPs listed.
- While on the IdP Domain Details page, go to the WS-Fed Identify Providers tab and check your ADFS identity provider from the list of IDPs.
- Click Save.
To test the ADFS IDP connection
- Log out of EmpowerID, recycle IIS, and then log back in to EmpowerID.
The ADFS tile should now appear on the login screen. You can click it to log in to EmpowerID using ADFS.