An Example Configuration with ADFS

Perform the following steps to add ADFS as an Identity Provider for the Web Authentication method.

  1. Specify myexample-adfs as the IdP provider name.

  2. Select urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName from Available presets for Name ID Format.

    The Name ID in the selected format is extracted from the SAML AuthnResponse token and saved as the authentication data (a unique value associated with the user).

  3. Click Browse to upload the IdP Metadata file from the ADFS server.

  4. Click the save icon.

  5. In the Upload SAML Service Provider signature certificate section, upload a PEM certificate file that includes the private key.

    If the private key is protected by a password, specify the password in Private key password.

  6. Click Save.

Configuring the ADFS Identity Provider

  1. Save the Service Provider metadata from Advanced Authentication to a file. Use the URL mentioned below to obtain the Service Provider metadata:

    https://AAF_SERVER/webauth/TENANT/metadata

    NOTE: The default TENANT is TOP. Use TOP as the TENANT if you are not using multi-tenancy.

    A sample of the Service Provider metadata is shown below:

    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_7a8608ad1cfbc149" entityID="https://www.d18r14.tk/webauth">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
        <md:KeyDescriptor>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>https://www.d18r14.tk/webauth</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>
              MIIEOzCCAyOgAwIBAgIJAJcsrIQZzcT0MA0GCSqGSIb3DQEBCwUAMIGyMQswCQYD
              VQQGEwJDSDEcMBoGA1UECAwTR3JlYXRlciBadXJpY2ggQXJlYTEPMA0GA1UEBwwG
              WnVyaWNoMRcwFQYDVQQKDA5NaWNybyBGb2N1cyBBRzERMA8GA1UECwwIQXV0aGFz
              YXMxFzAVBgNVBAMMDm1pY3JvZm9jdXMuY29tMS8wLQYJKoZIhvcNAQkBFiBhbGV4
              YW5kZXIuZ2FsaWxvdkBtaWNyb2ZvY3VzLmNvbTAgFw0xNjA1MjAwOTMyMzlaGA8y
              MTE2MDQyNjA5MzIzOVowgbIxCzAJBgNVBAYTAkNIMRwwGgYDVQQIDBNHcmVhdGVy
              IFp1cmljaCBBcmVhMQ8wDQYDVQQHDAZadXJpY2gxFzAVBgNVBAoMDk1pY3JvIEZv
              Y3VzIEFHMREwDwYDVQQLDAhBdXRoYXNhczEXMBUGA1UEAwwObWljcm9mb2N1cy5j
              b20xLzAtBgkqhkiG9w0BCQEWIGFsZXhhbmRlci5nYWxpbG92QG1pY3JvZm9jdXMu
              Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5ZjKCY2x2ruYkW8e
              /IgOa5y9xqSx4bUogYuZnAwLgZH2EIEx54T1YzKKc6a58t9tFU0Xb1Z47ay57g/B
              A1oOOV4HOsl6SRG4lJojiOKSpLb1zZMqj3s1dd9hLE9KuScchApcJ5F8GxPf6YHO
              VpY4d6e6Z+fS071lK3UHpjbLQ71yoDV+s+wJ+pmgsLxiyV/7A+CurxixibyXKx2x
              jHvynZBPWf1P/goi54gbCZ1PjQnRPKfxUzRvWipH8T2xvfT0UAZL3HO8C6JJGZxQ
              t82lw/za9tADH0CxPolL/JJyHeEGJAj07uw1wks6mEv8wZY5KkhuDpVv6BUl146+
              tL5LSQIDAQABo1AwTjAdBgNVHQ4EFgQUoeHvvSDZn/GIul8Q6T0yleN9q48wHwYD
              VR0jBBgwFoAUoeHvvSDZn/GIul8Q6T0yleN9q48wDAYDVR0TBAUwAwEB/zANBgkq
              hkiG9w0BAQsFAAOCAQEAQ+T4XForCi/FFSpNLVxb7x/yO1eBi7JujH7CfNTKXUC3
              STlTZiJaTLVXzNd9dvxSjzAoDy4NVV/T4KiA4ss7JCTPwGrD3S8k/a+GpogRzRcE
              R1i/Z/bx2I4PmQk1g1z4lpuqnic0aIg/OVAE0+kwDBK3E0/pgpoSixAAvxEqM5tw
              X9vdt3W/QCoAO3rFABRDboaLkslGbk80Q37tEASKFYm4/0fyB3PEv2uL0S6rP/+E
              Fp1Xhlk/5MVRHNb0hLqpZmJxne96dnXpo+ZDeCCn87B3257eRFI1eUeAnxuw79vv
              uterPobGSjjPm+y7sY2U3hLKsoVymRvqAohrd9kXSQ==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.d18r14.tk/webauth/logout" ResponseLocation="https://www.d18r14.tk/webauth/logout"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.d18r14.tk/webauth/callback" index="0"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>

  2. In the ADFS Management console, click Relying Party Trusts > Add relying party trust.

  3. In the Add Relying Party Trust wizard, click Start.

  4. Select Import data about the relying party from a file.

  5. Click Browse to upload the Advanced Authentication’s metadata file that you created in Step 1.

  6. Click Next.

  7. Specify the Display name.

  8. Click Next.

  9. Ensure that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected.

  10. Click Close.

    The Edit Claim Rules wizard is displayed.

  11. Click Add Rule.

  12. Select Transform an Incoming Claim from Claim rule template.

  13. Click Next.

  14. Specify the Claim rule name.

  15. Set Incoming claim type to Windows account name.

  16. Set Outgoing claim type to Name ID and Outgoing name ID format to Windows Qualified Domain Name.

  17. Ensure that Pass through all claim values is selected.

  18. Click Finish.

  19. Click OK.

  20. In the ADFS Management console, click Relying Party Trusts and select the relying party trust you added.

  21. Right-click on the relying party trust and select Properties from the menu.

  22. In Properties, click the Encryption tab and remove the certificate by clicking Remove.

  23. Click OK.

    NOTE: The Web Authentication method does not support encrypted tokens.
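As an added example (not part of this documentation or of the product's code), the following Python script applies the checks that this configuration implies to a SAML response from ADFS: the Name ID must use the WindowsDomainQualifiedName format selected in the Web Authentication method, the response must not carry an EncryptedAssertion (which the method cannot process), and Destination and Audience must match the Service Provider metadata. The host names and user in the embedded samples are constructed placeholders, and XML signature verification is assumed to have been done by the SAML library before these checks run.

```python
"""Post-signature checks on an ADFS SAML response for the configuration on this page."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WIN_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def sp_endpoints(metadata_xml):
    """Return (entityID, ACS URL) from SP metadata shaped like the page's sample."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None or acs.get("Binding") != HTTP_POST:
        raise ValueError("metadata has no HTTP-POST AssertionConsumerService")
    return root.get("entityID"), acs.get("Location")

def check_response(response_xml, entity_id, acs_url):
    """Return (domain, user) from the Name ID, or raise ValueError saying why the token is unusable.
    Run only after the SAML library has verified the response/assertion signature."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Web Authentication cannot decrypt tokens: the relying party trust must have no encryption cert
        raise ValueError("encrypted assertion")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not our ACS URL")
    audience = root.find("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != entity_id:
        raise ValueError("Audience is not our entityID")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != WIN_FORMAT:
        raise ValueError("Name ID format is not WindowsDomainQualifiedName")
    domain, sep, user = (name_id.text or "").partition("\\")
    if not (domain and sep and user):
        raise ValueError("Name ID is not DOMAIN\\user")
    return domain, user

# Constructed sample metadata and response; hosts and user are placeholders, not values from the page.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://aaf.example.test/webauth"><md:SPSSODescriptor><md:AssertionConsumerService
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Location="https://aaf.example.test/webauth/callback" index="0"/></md:SPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://aaf.example.test/webauth/callback">
<saml:Assertion><saml:Subject><saml:NameID
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">EXAMPLE\\jdoe</saml:NameID>
</saml:Subject><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>https://aaf.example.test/webauth</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""
```

Calling `check_response(SAMPLE_RESPONSE, *sp_endpoints(SAMPLE_METADATA))` returns `('EXAMPLE', 'jdoe')`; a response wrapped in EncryptedAssertion is rejected before any other field is looked at, which is the failure an undeleted encryption certificate on the relying party trust produces.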