How to: Configure Federated Authentication with Active Directory Federation Service (ADFS) (4297339)

PART 1 - Active Roles

• To set Azure as identity provider configuration

1) In the Configuration Center main window, click Web Interface. The Web Interface page displays all the Web interface sites that are deployed on the Web server running the Web interface. To configure the federated authentication settings, click Authentication. 

2) To configure the federated authentication settings, click Federated.

3) In the Identity provider configuration section, select ADFS as the security Identity provider from the Identity provider drop-down menu.

4) Provide a valid URL in the Federated metadata URL field.

Note that should have the same value as your Active Directory Federation Service.

• Metadata Url: https://ADFS Server name/FederationMetadata/2007-06/FederationMetadata.xml

5) Provide the Realm URL of the requesting realm in the Realm field.

• Realm: https://ARS Web Server Name/arwebadmin/

6) Provide the URL to send a response in the Reply URL field. A URL that identifies the address at which the relying party (RP) application receives replies from the Security Token Service (STS).

• Reply Url: https://ARS Web Server Name/arwebadmin/

Here is an example of configuring the identity providers when using the Federated Authentication feature with ADFS.

• To set claims in the claim editor

IMPORTANT: By default, the priority of the claim is set based on the order the claims are created. The claim created first has the first priority, the claim created next has the secondary priority, and so on. However, you can move the claims based on the required priority

7) In the Claim editor section, to add claims, click Add. Add claim window is displayed.

8) To add UPN as the type of claim from the Claim type drop-down menu. 

• Claim type: UPN
• Claim value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

9)  To add Name as the type of claim from the Claim type drop-down menu. 

• Claim type: UPN
• Claim value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Here is an example of configuring the claim when using the Federated Authentication feature.

• To provide the Domain user login credentials

10) In the Domain user login credentials section, provide the valid credentials in the Username and Password fields. Recommended using Active Roles service account.

11) Click Modify to update the authentication settings. A message is displayed about the successful completion of the operation. After clicking on Modify, the ARSWeb is modified and is ready for federated authentication.

PART 2 - Active Directory Federation Service

12) Log into your primary Active Directory Federation Server

13) Open AD FS Management console 

14) Expand Trust Relationships and right-click on Relying Party Trust and then click on Add Relying Party Trust...

15) On the Add Relying Party Trust Wizard main window, click Start.

16) On the Select Data source select Enter data about the relying party manually and then click Next

17) On the Spicy Display Name, give any name desired and then click next.

18) On the Profile Choose, select AD FS Profile, and click next.

19) On the Configure Certificate click next

20) On the Configure URL enable the check box for the WS-Federation Passive and SAML 2.0 service protocol. Fill up with the environment information such as the ARS Web Interface address and the ADFS.

• Relying party WS-Federation Passive protocol URL: https://pmap02/ARWebAdmin/
• Relying party SAML 2.0 SSO service URL: https://sts.oneidentity.com/adfs/ls

Here is an example of configuring the WS-Federation Passive and SAML service protocol.

21) On the Configure Identifiers, remove the Adfs address and leave only ARS Web Interface

22) On the next page for MFA setting skip that option and click on next

23) Make sure that the option Permit all users to access this relying party is selected and click next

24) On the Ready to Add Trust window click next and finish the wizard

25) With the Edit Claim rule opened click on the Add Rule button for adding the claim set on steps 7 to 9 from the Part 1 - Active Roles

26) On the Transform Claim Rule Template make sure that Send LDAP Attribute as Claims is chosen

27) On the Claim Rule option give any name desired to the claim. On Attribute, store make sure that Active Directory is selected. Add the mapping User-Principal-Name for LDAP Attribute Name & UPN on the Outgoing Claim Type.

After completing these steps the user must be able to authenticate on the ARS Web Interface through the ADFS.