Active Roles 8.2 - Administration Guide

Configuring SAML 2.0 authentication

You can configure SAML 2.0 authentication using the Site authentication settings wizard of the Active Roles Configuration Center. For more information about how SAML 2.0 authentication works in Active Roles, see SAML 2.0 authentication in Active Roles in the Active Roles Feature Guide.

Prerequisites

To configure SAML 2.0 authentication, the following prerequisites must be met:

  • You must configure your SAML identity provider before configuring SAML 2.0 authentication in Active Roles. For more information, see Examples of configuring SAML identity providers.

  • To use SAML 2.0 authentication, you must have a valid SSL/TLS certificate configured for Active Roles.

To configure SAML 2.0 authentication in the Active Roles Configuration Center

  1. In the Active Roles Configuration Center main window, click Web Interface.

    The Web Interface page displays all the Active Roles Web Interface sites that are deployed on the web server running the Active Roles Web Interface.

  2. To configure the authentication settings, click Authentication.

    The Site authentication settings page appears.

    NOTE: By default, the Windows authentication setting is configured.

  3. To configure SAML 2.0 authentication, select SAML 2.0 and other protocols used for federated authentication, then click Next.

  4. To complete the initial configuration of the Redistributable Secure Token Server (RSTS), enter a password in the Password and Confirm password fields, then click Configure RSTS.

    NOTE: Port number and Administrator website URL are filled in automatically.

    NOTE: If RSTS is running, but not responsive, you can:

    • Click Try to fix.

    • Restart the Configuration Center.

    TIP: To change the password, select Create new secret, enter a new password in the Password and Confirm Password fields, and click Configure RSTS.

  5. To configure the identity provider, in Configure Provider, click Add.

    NOTE: By default, Active Directory is available as an identity provider and it cannot be removed or modified.

    1. For Authentication provider type, select External Federation.

      NOTE: For Authentication provider type, the two options available are Active Directory and External Federation.

    2. Enter the Display name for the SAML provider.

    3. In Realm, enter the email suffix(es) of the user(s) who will authenticate with this provider, separated by spaces. For example: mysuffix.com mysuffix.net.

      NOTE: This setting is only used if you have multiple External Federation providers configured, with none set as the Default Provider. This will allow RSTS to route users to the correct provider based on their email address.

    4. (Optional) Enter the Application ID override.

      NOTE: Application ID override is only required if you cannot enter the RSTS Entity ID (urn:RSTS/identity) in your SAML Application. In that case, set Application ID override to match the Entity ID of your SAML Application.

    5. Enter the Federation metadata XML from your SAML provider. Using the toggle (set to From URL by default), you can specify whether to load the metadata from a URL, from a file, or paste it directly into the text box.

      • From URL: In Federation metadata URL, copy-paste the metadata URL.

        NOTE: One Identity recommends linking the metadata from a URL, so that RSTS will automatically refresh it and keep the IdP signing certificate up-to-date.

      • From File: After selecting this option, click Load from file to load the metadata XML file, or copy-paste the metadata string into the text box.

      NOTE: You can get the federation metadata after configuring the application in your SAML identity provider. For more information, see Examples of configuring SAML identity providers.

    6. (Optional) To test the connection, click Test metadata. If the connection is successful, a confirmation message appears.

    7. In the Associated Active Directory drop-down, keep Default Active Directory selected.

    8. (Optional) To have all users authenticate with this SAML provider, select Set as default.

      NOTE: One Identity recommends enabling this setting to require all users to authenticate with the SAML provider.

      NOTE: If there is no default provider set, users will be redirected to a login page where they can select their provider.

    9. To save your settings, click Save.

  6. Click Next.

  7. In Configure Claims, click Add.

    1. For the Claim type, select GUID.

    2. For the Claim value, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.

      The Display Name will appear as IUser.Id.

      NOTE: The claims that Active Roles receives from RSTS come from the AD user account, not the SAML provider. The NameIdentifier claim will always contain the user’s objectGUID. One Identity recommends always using this mapping.

    3. To save your settings, click Save.

  8. Click Modify.

  9. When the operation completes, click Finish.
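
The federation metadata that step 5 loads (and that Test metadata in step 6 checks against the provider) can be pre-flighted offline. The following is an added example, not code from Active Roles or this guide: it parses an IdP EntityDescriptor with the Python standard library, reports the entityID, signing certificates and SingleSignOnService endpoints that RSTS relies on, and flags a non-HTTPS endpoint. The metadata it runs on is constructed, and the certificate text is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample IdP metadata (certificate text is a placeholder, not a real key).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC-PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC-PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/sso"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://idp.example.test/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Extract what the RSTS provider needs from IdP metadata and list problems."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    problems = [] if root.get("entityID") else ["missing entityID"]
    if idp is None:
        return {"entity_id": root.get("entityID"), "problems": problems + ["no IDPSSODescriptor"]}
    # Signing certs are what RSTS verifies assertions with; two usually means a key
    # rollover is in progress, which is why the guide prefers loading metadata from a URL.
    certs = [c.text.strip() for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             for c in k.findall(".//ds:X509Certificate", NS) if c.text and c.text.strip()]
    if not certs:
        problems.append("no signing certificate")
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location", "")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in sso.items():
        if not location.lower().startswith("https://"):
            problems.append(f"{binding} endpoint is not https")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if formats and UNSPECIFIED not in formats:
        problems.append("IdP does not advertise the unspecified NameID format")
    return {"entity_id": root.get("entityID"), "signing_certs": len(certs), "sso": sso,
            "nameid_formats": formats, "problems": problems}
```

Run it on the metadata you downloaded from Duo or Google before pasting it into the provider configuration; an empty problems list is what you want to see.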

Examples of configuring SAML identity providers

See the following examples of configuring the SAML identity providers when using federated authentication:

NOTE: For the Custom identity provider option, Active Roles supports the WS-Federation standard. However, One Identity Support cannot assist with custom WS-Federation-related configurations of third-party identity providers. For assistance in configuring Active Roles with a custom WS-Federation-related configuration of a third-party identity provider, contact One Identity Professional Services.

Configuring Duo for federated authentication

If you use Duo as your SAML identity provider, you must configure it before configuring SAML 2.0 authentication in Active Roles. For more information on configuring SAML 2.0 authentication in Active Roles, see Configuring SAML 2.0 authentication.

To configure Duo for federated authentication

  1. Click Protect Application and select Generic SAML Service Provider with a protection type of 2FA with SSO hosted by Duo (Single Sign-On).

  2. Download the SAML metadata XML file of the application; you will use it when configuring SAML 2.0 authentication in Active Roles.

  3. Configure the following:

    Entity ID: urn:RSTS/identity

    Assertion Consumer Services (ACS) URL: https://<active-roles-server>/RSTS/Login

    NameID format: Unspecified

    NameID attribute: Any Duo attribute that includes the user’s AD objectGUID, AD userPrincipalName, or AD sAMAccountName.

    NOTE: For NameID attribute, you may need to use a Duo Single Sign-On bridge attribute. By default, Duo sends the AD objectGUID in base64 encoding, which will not work with Active Roles.

  4. If required, modify the name of the application, apply any appropriate policies, and save the application.

Configuring Google for federated authentication

If you use Google as your SAML identity provider, you must configure it before configuring SAML 2.0 authentication in Active Roles. For more information on configuring SAML 2.0 authentication in Active Roles, see Configuring SAML 2.0 authentication.

To configure Google for federated authentication

  1. Navigate to Apps > Web and mobile apps > Add custom SAML app.

  2. In App details, enter a Name and click Continue.

  3. In Google identity provider details, click Continue.

  4. In Service provider details, configure the following.

    ACS URL: https://<active-roles-server>/RSTS/Login

    Entity ID: urn:RSTS/identity

    Name ID format: UNSPECIFIED

    Name ID: Any Google attribute that includes the user’s AD objectGUID, AD userPrincipalName, or AD sAMAccountName.

    NOTE: ACS URL and Entity ID are case-sensitive. Make sure the URL ends with RSTS/Login and the Entity ID exactly matches urn:RSTS/identity.

    NOTE: For Name ID, you may need to use a custom attribute.

  5. On the Attribute mapping page, click Finish.

  6. Under User access, grant access to the appropriate users.

  7. Download the SAML metadata XML file of the application; you will use it when configuring SAML 2.0 authentication in Active Roles.
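
The NameID attribute in both the Duo and the Google procedure above must carry the user’s AD objectGUID, userPrincipalName, or sAMAccountName, and the Duo note warns that a base64-encoded objectGUID will not work. The following added example (not Active Roles, Duo, or Google code) classifies a NameID value as the IdP sends it and shows the GUID string that a base64-encoded objectGUID corresponds to, so you can confirm what a bridge or custom attribute must emit. The sample values are constructed.

```python
import base64, binascii, re, uuid

GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

# Constructed sample NameID values, one per attribute kind the guide lists, plus the
# base64 form of the same objectGUID that an IdP sends when it encodes the raw bytes.
SAMPLE_NAMEIDS = ["{5F3E1C2A-7B4D-4E8F-9A0B-1C2D3E4F5A6B}", "jdoe@corp.example",
                  "jdoe", "Khw+X017j06aCxwtPk9aaw=="]

def guid_to_base64(guid_str):
    """The raw 16-byte objectGUID as an IdP sends it when it base64-encodes the binary
    attribute (the Duo default the guide warns about). AD keeps the first three GUID
    fields little-endian, which is what bytes_le reproduces."""
    return base64.b64encode(uuid.UUID(guid_str).bytes_le).decode("ascii")

def classify_nameid(value):
    """Return (kind, guid_string_or_None) for a NameID value. kind is objectGUID,
    userPrincipalName, sAMAccountName, or base64-objectGUID (the form that fails)."""
    v = value.strip()
    if GUID_RE.match(v):
        return "objectGUID", str(uuid.UUID(v.strip("{}")))
    if "@" in v:
        return "userPrincipalName", None
    # 16 raw bytes always base64-encode to 24 chars ending in "=="; "=" is not a
    # legal sAMAccountName character, so this cannot misfire on a plain logon name.
    if len(v) == 24 and v.endswith("=="):
        try:
            raw = base64.b64decode(v, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) == 16:
            return "base64-objectGUID", str(uuid.UUID(bytes_le=raw))
    return "sAMAccountName", None

def report(values):
    """Classify each sampled NameID value: (value, kind, decoded GUID or None)."""
    return [(v,) + classify_nameid(v) for v in values]
```

Feed it the NameID values from a few test logins (for example, from a SAML tracer in the browser); any base64-objectGUID result means the attribute mapping still needs a bridge or custom attribute.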