Guide
TrainingSupportCommunity

Integrate Active Directory Federation Service (AD FS)

Suggest Edits

Integrate Active Directory Federation Service (AD FS)

Active Directory Federation Services (AD FS) is a software installed on a Microsoft Windows Server operating system. It provides single sign-on (SSO) and identity management, and allows authorized users to access multiple applications located on-premise, or in the cloud.

Integration between AD FS and Enterprise Application Access (EAA) allows to create applications inside Enterprise Application Access which are authenticated with AD FS. You can deploy an Enterprise Application Access application which uses your newly created AD FS identity provider (IdP). When you access this application, you are redirected to your AD FS server to complete authentication.

Your integration between AD FS and Enterprise Application Access depends on the type of LDAP attributes you need to send between AD FS and Enterprise Application Access:

  • Send simple LDAP attributes like user's email.

  • Send complex LDAP attributes like user's group membership.

Prerequisites:

  1. Select a fully qualified domain name (FQDN) for your Active Directory Federation Services (AD FS) portal, for example, https://<federation-service-name>/adfs/ls where <federation-service-name> is as follows: adfs.yourdomain.com.

  2. Install and configure AD FS in Microsoft Windows operating system (2016 version).

Send simple LDAP attributes from AD FS to EAA

To send user's email from Active Directory Federation Services (AD FS) to Enterprise Application Access (EAA) integrate AD FS with Enterprise Application Access.

Add AD FS as an identity provider in EAA

  1. Add a new identity provider of provider type set to third-party SAML and return to this procedure to configure the general settings.

  2. Complete the following settings:

    1. Identity intercept. Select either Use your domain or Use ​Akamai​ domain. If you select Use your domain it provides a CNAME redirect for the application. Use this to configure the CNAME in your external DNS. Note down the domain (for example eaa-idp-fqdn as https://eaa-idp.login.go.akamai-access.com).

    2. Certificate preference. If you select User your domain, select Use uploaded certificate.

    3. Akamai cloud zone. Select an EAA cloud zone that is closest to the user base.

    4. Certificate authentication (optional). To enable client certificate authentication select the checkbox and configure the required parameters.

  3. To complete the authentication configuration settings in URL (optional) enter the AD FS portal, https://<federation-service-name>/adfs/ls.

  4. Leave the session settings for Session idle expiry, Limit session life, and Max session duration at their default values.

  5. Click Save.

Set up relying party trust in AD FS

To allow Enterprise Application Access (EAA) to redirect users to AD FS login portal to complete authentication, you need to set up Enterprise Application Access as an AD FS endpoint. For that, you need a relying party trust.
Relying party trust is a term used in Microsoft Windows Server system to identify service providers that can communicate with an AD FS endpoint.

  1. From the AD FS Manager, select Relying Party Trusts folder and add a new trust.

  2. In the Add Relying Party Trust Wizard window select Enter data about the relying party manually.

  3. Click Next.

  4. In Specify Display Name configure the following:

    1. In Display name type a name, for example EAA-RPT.

    2. In Notes type optional notes, for example EAA is relying party.

  5. Skip Configure Certificate.

  6. Select Configure URL and configure the following:

    1. Select Enable support for SAML 2.0 Web SSO protocol.

    2. In Relying party SAML 2.0 SSO service URL enter URL https://<eaa-idp-fqdn>/saml/sp/response where eaa-idp-fqdn is the FQDN for the AD FS IdP.

  7. In Configure Identifiers >Relying party trust identifiers enter the same value as in previous step (https://<eaa-idp-fqdn>/saml/sp/response).

  8. Select Choose Access Control Policy. You can configure all users, users of a specific active directory, users of a specific group.
    You can add multiple attributes for different access control policies.

  9. Click Finish.
    EAA is added as a Relying Party Trusts in AD FS using the Add Relying Party Trust Wizard.

To learn more see the Microsoft documentation on Creating a relying party trust.

Use claims to send LDAP attributes from AD FS to EAA

To allow Enterprise Application Access (EAA) to redirect users to AD FS login portal to complete authentication, you also need to configure the LDAP attributes that are sent from AD FS to Enterprise Application Access using claims.

Claims rules control which Active Directory (AD) attributes are returned to the relying party endpoint once a user has been authenticated. For example, it could be the application user's email or user's AD group membership information. The minimum requirement for Enterprise Application Access is the user's email needs to be returned as a part of the Name ID attribute.

You can create a new claim rule with use of an existing claims rules template in AD FS, and add it to the relying party trust. This allows the application user's email to be returned to Enterprise Application Access from AD FS.

  1. Right-click on the relying party, for our example, EAA-RPT and select Edit Claims Issuance Policy....

  2. Click Add Rule....

  3. Select the default Send LDAP Attributes as Claims template.
    This template allows use any of the LDAP attributes for claim rules.
    The Add Transform Claim Rule wizard appears.

  4. In Claim rule name type a custom claim rule name.

  5. In Attribute store select Active Directory.

  6. Map LDAP attribute to Outgoing Claim Type.

  7. Click Finish.

  8. Click OK to save in the Edit Claim Rules dialog box.

Upload AD FS metadata to EAA IdP

Upload the identity provider (IdP) metadata from your organization's AD FS domain to your EAA IdP.

  1. Go to your organization's AD FS domain and download the IdP metadata XML file. For example, https://<yourdomain.com>/FederationMetadata/2007-06/FederationMetadata.xml.

  2. Return to the Enterprise Center and open the IdP you created for AD FS.

  3. Complete the following authentication configuration settings:

    1. Click Choose file next to Upload IDP metadata file.

    2. Browse to the location of the file on your computer.

    3. Click open.

  4. Click Save.

Verify application user's email is sent from AD FS to EAA

Check if AD FS sends LDAP attributes to Enterprise Application Access.

  1. Add an application to Enterprise Application Access. Use the identity provider (IdP) you created for AD FS.

  2. Access the application from Enterprise Center.
    It redirects to your AD FS server to complete authentication. If the email and password matches the AD FS contents, you are granted access to application.

Send complex attributes like group membership from AD FS to EAA

To send complex LDAP attributes like user's group membership from Active Directory Federation Services (AD FS) to Enterprise Application Access (EAA) integrate AD FS with Enterprise Application Access.

  1. Add AD FS as an identity provider in EAA.
  2. [Set up relying party trust in AD FS] (doc:integrate-active-dir-ad-fs#set-up-relying-party-trust-in-ad-fs).

Next, use custom claim description for sending group membership from AD FS to Enterprise Application Access (EAA).

Use custom claim description for sending group membership from AD FS to EAA

To allow Enterprise Application Access to redirect users to AD FS login portal for completing authentication, you also need to configure the LDAP attributes that are sent from AD FS to EAA using claims.

Claims rules control which Active Directory (AD) attributes are returned to the relying party endpoint once a user has been authenticated. For example, it could be the application user's email or user's AD group membership information. The minimum requirement for Enterprise Application Access is the user's email needs to be returned as a part of the Name ID attribute.

You can create a custom claims description in AD FS, associate it with the correct LDAP attribute, and add it to the relying party trust. This allows the user's group membership to be sent from AD FS to Enterprise Application Access.

  1. Go to Server Manager > Tools > AD FS Management.

  2. Expand Service and select Add Claim Description... from the right pane.

  3. In Add a claim Description configure the following:

    1. Display name, for example Group (EAA)

    2. Short name, for example groupeaa.

    3. Claim identifier, must be Group.

    4. Description, optional, for example Group Attribute suitable for use with EAA.

    5. Click OK.

  4. Right-click on the relying party trust, for our example, EAA-RPT and select Edit Claims Issuance Policy....

  5. Click Add Rule....

  6. Select the default Send LDAP Attributes as Claims template.
    This template allows use any of the LDAP attributes for claim rules.
    The Add Transform Claim Rule wizard appears.

  7. In Claim rule name type a custom claim rule name.

  8. In Attribute store select Active Directory.

  9. Map an LDAP attribute to an Outgoing Claim Type. Select Token-Groups for LDAP attribute and Group (EAA) from previous steps.
    This associates your custom claim description to the Token-Groups LDAP attribute, to enable handling of group memberships between AD FS and Enterprise Application Access.

  10. Click Finish.

  11. Click OK in the Edit Claim Rules.

Upload AD FS metadata to EAA IdP

Upload the identity provider (IdP) metadata from your organization's AD FS domain to your EAA IdP.

  1. Go to your organization's AD FS domain and download the IdP metadata XML file. For example, https://<yourdomain.com>/FederationMetadata/2007-06/FederationMetadata.xml.

  2. Return to the Enterprise Center and open the IdP you created for AD FS.

  3. Complete the following authentication configuration settings:

    1. Click Choose file next to Upload IDP metadata file.

    2. Browse to the location of the file on your computer.

    3. Click open.

  4. Click Save.

Verify AD FS group membership is sent from AD FS to EAA

Check if AD FS sends group membership attribute to Enterprise Application Access (EAA).

  1. Add an application to Enterprise Application Access.

  2. To configure custom HTTP headers for the application set Attribute to group.

  3. Click Save.

  4. Use the AD FS IdP for the application.

  5. Access the application.
    The group HTTP header passes correctly from AD FS to Enterprise Application Access.

Enable signed SAML requests between EAA and AD FS

You can enable signed SAML requests between Enterprise Application Access (EAA) and AD FS. This is an optional step, required only if you want to use signed SAML requests.

Configure EAA for signed SAML requests

Enable Enterprise Application Access to send signed SAML assertions to AD FS.

  1. Return to your AD FS identity provider (IdP) in Enterprise Center.

  2. Under Authentication configuration settings, select Sign SAML Request.

  3. Copy the certificate text to a new file called cert.pem and convert it to a DER encoded certificate called cert.cer. Execute the following command:

    • In Windows OS, in a command window enter CertUtil -decode cert.pem cet.cer.

    • In Linux OS, in a terminal enter Openssl x509 -outperform der -in cert.pem -out cert.cer.

  4. Click Save.

Configure AD FS for signed SAML requests

  1. Return to the relying party trust. For example, EAA-RPT.

  2. In AD FS manager, edit properties of relying party trust.

  3. In Signature select Add.

  4. Add the cert.cer file.

  5. Click OK.
    Since Enterprise Application Access uses internal certificate authority (CA) certificates to sign SAML requests and AD FS does not trust them, disable revocation check of the SAML response for Enterprise Application Access in the AD FS server.

    1. Open a powershell window and enter Get-AdfsRelyingPartyTrust -Identifier https://<eaa-idp-fqdn>/saml/sp/response | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None.
      This disables AD FS from revocation check for SAML responses from Enterprise Application Access.

Enable encrypted SAML responses between EAA and AD FS

You can enable encrypted SAML responses between Enterprise Application Access (EAA) and AD FS. This is an optional step, required only if you want to have the SAML responses to be encrypted for additional security.

Configure EAA to send encrypted SAML responses

Enables Enterprise Application Access (EAA) to send encrypted SAML responses.

  1. Return to your AD FS IdP in EAA.

  2. Under Authentication configuration settings, select Encrypted SAML Response.

  3. Click Save.

Next, you can configure AD FS to send encrypted SAML responses.

Configure AD FS to send encrypted SAML responses

  1. Return to the relying party trust. For example, EAA-RPT.

  2. In AD FS manager edit properties of relying party trust.

  3. In Encryption select Browse.

  4. Go to the certificate file cert.cer file.

  5. Click OK.

Updated almost 3 years ago