To configure OSP to provide authentications to AD FS, you must perform configuration steps for OSP and AD FS. The following procedure contains information to match the users on the email attribute from eDirectory (IDVault) using a local Active directory server. You must change the custom rule examples for your environment.
Ensure that you meet the requirements for this integration. For more information, see Requirements for Configuring OSP to Work with AD FS.
Configure the OSP server to provide SAML authentications to AD FS.
Log in to the server where you have installed OSP (Identity Applications). Ensure that Tomcat is running on the that server.
Launch the configuration update utility. For example, configupdate.sh, from the /opt/netiq/idm/apps/configupdate directory.
Click the Authentication tab.
Click Show Advanced Options at the end of the page.
Under Authentication Method > Method select SAML 2.0.
Use the following information to configure OSP to use SAML 2.0:
Specify the attribute you want to use to map the user accounts. For example, mail.
Select the landing page for your users. The available options are Internal, External, and None. The default value is None.
None: Specifies that the landing page will not be used. Select this option if the IDP URL is indicated.
Internal: Specifies that the internal OSP landing page will be used.
External: Specifies that you will be redirected to an external OSP landing page.
Select URL to use the AD FS metadata.
Specify the AD FS metadata URL in this field.
https://adfs-server/FederationMetadata/2007-06/FederationMetadata.xml
Select this option to load the metadata.
Click OK.
Click Yes to accept the certificate.
Restart Tomcat.
Create a relying party trust in AD FS to the OSP server using the OPS metadata. For more information, see Microsoft documentation.
Use OSP metadata URL to finish the configuration. The default location of the URL is:
https://osp-server:port/osp/a/idm/auth/saml2/spmetadata
At the end of the configuration, ensure that you select Configure claims assurance policy for this application.
(Conditional) If the Configure claims assurance policy configuration does not automatically load, right click on the Relaying Party Trust you created in Step 3, then select Edit Claims Insurance Policy.
Add two custom rules to have AD FS send the email attribute and a local Active Directory server information to the OSP server. For more information, see Microsoft documentation.
Use the following information to create the first custom rule to send the email attribute:
Specify a name for the rule.
The following is a sample rule that you might need to edit for your environment.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("mail", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);Use the following information to create the second rule to send the attribute to the OSP server via SAML:
Specify a name for the custom rule.
The following is a sample rule that you might need to edit for your environment.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://adfs-server/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://osp-server:osp-port/osp/a/idm/auth/saml2/metadata", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spprovidedid"] = c.Value);