Set up Active Directory Federation Services (AD FS) as a third-party SAML identity provider

Before you begin

  1. Select a fully qualified domain name (FQDN) for your AD FS portal. For example,

    https://<federation-service-name>/adfs/ls

    where <federation-service-name> is the federation service name you chose, for example adfs.yourdomain.com

  2. Install and configure AD FS on Windows Server 2016. For more information, see the AD FS product documentation.

Active Directory Federation Services is software installed on a Microsoft Windows Server operating system. It provides single sign-on (SSO) and identity management, allowing authorized users to access websites and applications.

To set up AD FS as a third-party SAML IdP:

  1. Add AD FS as a third-party SAML identity provider.

  2. Add AD to ​SIA​. Make sure you import groups into ​SIA​. For more information, see Add a directory.

  3. Download and deploy an identity connector. For more information, see Create and download an identity connector.

  4. Associate the identity connector with the AD you created. For more information, see Associate an identity connector with a directory.

  5. Assign the AD that you created in ​SIA​ to the AD FS IdP. For more information, see Assign AD to AD FS identity provider.

  6. Add the URL of the AD FS server to an exception list. For more information, see Add identity provider domains to an exception list.

  7. Authenticate ​SIA​ with AD FS. This process involves these steps:

    1. Configuring ​Akamai​ Enterprise IdP as an AD FS endpoint. See Set up relying party trust in AD FS.

    2. Configuring which AD attributes are sent from AD FS to ​SIA​. The ​SIA​ administrator creates claim rules and adds them to the relying party trust. In AD FS, you can create claim rules that use the default claims template to send attributes like the email or username. You can also use custom claims to send group members from AD FS to ​SIA​. See Use claims to send LDAP attributes from AD FS to ​SIA​ and Use custom claim description to send group membership from AD FS to ​SIA​.

  8. Upload AD FS metadata to ​SIA​ IdP.

  9. Enable signed SAML requests between ​SIA​ and AD FS. This is an optional step. It is required only if you want to use signed SAML requests.

  10. Enable encrypted SAML responses between ​SIA​ and AD FS. This is an optional step. It is required only if you want to encrypt SAML responses for additional security.

Add AD FS as a third-party SAML identity provider

To add AD FS as a third-party SAML IdP:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. Click the plus sign icon.

  3. Configure basic IdP settings:

    1. In the Name and Description fields, enter a name and description of the IdP.

    2. In the Provider Type menu, select Third-Party SAML.

    3. Click Continue.

  4. Complete these steps to configure general IdP settings:

    1. Go to the General settings section or click the General tab.

    2. For Identity Intercept, select Use ​Akamai​ domain. Enter a hostname. The identity intercept is the URL for the authentication page that is presented to users.

    3. In the ​Akamai​ Cloud Zone, select a cloud zone that is closest to the user base.

  5. Complete these steps in the Session section:

    1. For the Session Idle Expiry setting, enter a time that is 35 minutes or more.

    2. Use the default settings for the Limit Session Life and Max Session Duration settings.

  6. To enable client certificate authentication, select the checkbox and configure the required parameters.

  7. In the URL field of the Authentication section, enter the URL of the AD FS portal:

    https://<federation-service-name>/adfs/ls

    where <federation-service-name> is the fully qualified domain of the AD FS portal.

  8. In the Advanced Settings section, select Enable Authorization.

  9. Click Save.

Next steps

  1. Add AD to ​SIA​. Make sure you import groups into ​SIA​. For instructions, see Add a directory.

  2. Download and deploy an identity connector. For instructions, see Create and download an identity connector.

  3. Associate the identity connector with the AD you created. For more information, see Associate an identity connector with a directory.

  4. Assign AD to the AD FS IdP. For more information, see Assign AD to AD FS identity provider.

Associate an identity connector with a directory

Before you begin

Create, download, and set up an identity connector. For more information, see Create and download an identity connector.

An identity connector allows ​SIA​ to synchronize with your directory service. You may want to associate more than one identity connector to a directory for redundancy and scaling.

How to

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the directory that you want to edit and associate with a new identity connector.

  3. Click the Connectors tab.

  4. Click the plus sign in the upper right. Then select one or more connectors and click Associate.

  5. Click Save.

Assign AD to AD FS identity provider

Before you begin

Confirm that you:

  1. Added AD to ​SIA​. For instructions, see Add a directory.

  2. Downloaded and deployed an identity connector. For instructions, see Create and download an identity connector.

  3. Associated the identity connector to AD. For instructions, see Associate an identity connector with a directory.

To review the overall setup process for adding AD FS as a third-party SAML IdP, see Set up Active Directory Federation Services (AD FS) as a third-party SAML identity provider.

To assign your AD to your AD FS third-party SAML IdP:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. Click the name of the AD FS IdP.

  3. Click the Directories tab.

  4. Click the link icon and select the AD that you added.

  5. Click Associate.

Next steps

  1. Add the URL of the AD FS server to the ​SIA​ network configuration. For more information, see Add identity provider domains to an exception list.

  2. Set up relying party trust in AD FS.

Set up relying party trust in AD FS

Before you begin

Make sure that you set up AD FS as a third-party SAML IdP, add AD, and deploy an identity connector. For instructions, see Set up Active Directory Federation Services (AD FS) as a third-party SAML identity provider.

To allow ​Akamai​ Enterprise IdP to redirect users to the AD FS login portal to complete authentication, you need to set up ​Akamai​ Enterprise IdP as an AD FS endpoint. This is done with a relying party trust.

Relying party trust is the AD FS term for a service provider that AD FS is permitted to issue tokens to. In this procedure, you register ​Akamai​ Enterprise IdP as a relying party of your AD FS endpoint.

To learn more about creating a relying party trust in AD FS, see Microsoft's documentation.

To set up relying party trust in AD FS:

  1. From the AD FS Manager, select the Relying Party Trusts folder and add a new trust.

  2. In the Add Relying Party Trust Wizard window, select Claims aware and click Next.

  3. In the Select Data Source window, select Enter data about the relying party manually, and click Next.

  4. Select the Specify Display Name tab. Complete these fields:

    1. Display name. Enter a name. For example, IDP-RPT

    2. Notes. Enter optional notes. For example, IDP is relying party.

  5. Skip the Configure Certificate tab.

  6. Select the Configure URL tab. Complete these fields:

    1. Select Enable support for SAML 2.0 Web SSO protocol.

    2. For the Relying party SAML 2.0 SSO service URL, enter https://<idp-fqdn>/saml/sp/response, where <idp-fqdn> is the FQDN of the IdP you created (the identity intercept hostname).

  7. Select the Configure Identifiers tab. For Relying party trust identifiers, enter the same value as in the previous step: https://<idp-fqdn>/saml/sp/response. AD FS matches this identifier against the Issuer of each incoming SAML request, so it must be entered exactly.

  8. Select the Choose Access Control Policy tab. Choose who is allowed to authenticate through this trust: all users, users of a specific AD, or users of a specific group.

Note: The ​SIA​ administrator can add multiple attributes for different access control policies.

  9. Click Finish. This completes adding ​SIA​ as a relying party trust in AD FS using the Add Relying Party Trust Wizard.
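The wizard steps above can also be run from the AD FS PowerShell module on the AD FS server. The following is an added example, not code from the Akamai page or from Akamai; it assumes the trust name IDP-RPT and notes used in the wizard, uses idp.example.com as a placeholder for <idp-fqdn>, and picks the built-in "Permit everyone" access control policy (the "all users" choice in the wizard; substitute your own policy name if you restrict access to a directory or group).

```powershell
# Added example: create the SIA relying party trust without the wizard.
# Assumptions: trust name IDP-RPT, placeholder FQDN idp.example.com for <idp-fqdn>,
# built-in access control policy "Permit everyone".
Import-Module ADFS

$idpFqdn = "idp.example.com"                    # placeholder for <idp-fqdn>
$acsUrl  = "https://$idpFqdn/saml/sp/response"  # SIA assertion consumer endpoint

# The endpoint AD FS POSTs the SAML response to (wizard: Configure URL tab).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $acsUrl -Index 0 -IsDefault $true

Add-AdfsRelyingPartyTrust -Name "IDP-RPT" `
    -Notes "IDP is relying party" `
    -Identifier $acsUrl `
    -SamlEndpoint $acs `
    -AccessControlPolicyName "Permit everyone"

# Check: the identifier must be exactly what SIA sends as the SAML Issuer,
# otherwise AD FS rejects the AuthnRequest as coming from an unknown relying party.
Get-AdfsRelyingPartyTrust -Name "IDP-RPT" |
    Select-Object Name, Identifier, AccessControlPolicyName,
        @{ n = "AssertionConsumer"; e = {
            ($_.SamlEndpoints | Where-Object Protocol -eq "SAMLAssertionConsumer").Location } }
```

Keeping the identifier and the assertion consumer URL identical, as the page instructs, means a single value has to be correct; the final Get-AdfsRelyingPartyTrust call is the place to confirm it before moving on to claim rules.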

Next steps

  1. Use claims to send LDAP attributes from AD FS to ​SIA​.

  2. Use custom claim description to send group membership from AD FS to ​SIA​.

Use claims to send LDAP attributes from AD FS to ​SIA​

Before you begin

Set up relying party trust in AD FS.

To redirect users to the AD FS login portal to complete authentication, you also need to configure the LDAP attributes that are sent from AD FS to ​Akamai​ Enterprise IdP using claims.

Claims rules control which AD attributes are returned to the relying party endpoint once a user authenticates.

To match an LDAP attribute to the Name ID outgoing claim type:

  1. Right-click on the relying party (for example, IDP-RPT) and select Edit Claims Issuance Policy.

  2. Click Add Rule...

  3. Select the default Send LDAP Attributes as Claims template. This template allows the IT administrator to use any of the LDAP attributes for claim rules. The Add Transform Claim Rule wizard appears.

  4. Complete these fields:

    1. Claim rule name. Enter a custom claim rule name.

    2. Attribute store. Select Active Directory.

    3. Map an LDAP attribute to the Name ID Outgoing Claim Type.

    Note: The LDAP attribute you select must match the login preference that you specified for the directory in ​SIA​. For example, if you selected User Principal Name for the login preference, select User-Principal-Name. If the two do not match, the Name ID in the assertion cannot be resolved to a user in the ​SIA​ directory and the login fails.

  5. Click Finish.

  6. Click OK to save in the Edit Claim Rules dialog box.

Next steps

Upload AD FS metadata to ​SIA​ IdP.

Use custom claim description to send group membership from AD FS to ​SIA​

Before you begin

Set up relying party trust in AD FS.

To redirect users to the AD FS login portal to complete authentication, you also need to configure the LDAP attributes that are sent from AD FS to ​SIA​ using claims.

Claims rules control which AD attributes are returned to the relying party endpoint once a user has been authenticated. For example, it could be the application user's email address or user's AD group membership information. The minimum requirement for ​SIA​ is the user's email address. It needs to be returned as a part of the Name ID attribute.

The IT administrator can create a custom claims description in AD FS, associate it with the correct LDAP attribute, and add it to the relying party trust. This allows AD FS to send the user's group membership to ​SIA​.

To use custom claim description to send group membership from AD FS to ​SIA​:

  1. Go to Server Manager > Tools > AD FS Management.

  2. Expand Service and select Claim Descriptions.

  3. On the right, click Add Claim Description....

  4. Complete these fields in the Add a Claim Description window:

    1. Display name. Enter a display name. For example, Group (​SIA​)

    2. Short name. Enter a short name. For example, groupetp.

    3. Claim identifier. Enter Group.

    4. Description. Enter a description. This is optional.

    5. Click OK.

  5. Right-click on the relying party trust (for example, IDP-RPT) and select Edit Claims Issuance Policy.

  6. Click Add Rule

  7. Select the default Send LDAP Attributes as Claims template. This template allows the IT administrator to use any of the LDAP attributes for claim rules. The Add Transform Claim Rule wizard appears.

  8. Complete these fields:

    1. Claim rule name. Enter a custom claim rule name.

    2. Attribute store. Select Active Directory.

    3. Map an LDAP attribute to an Outgoing Claim Type. Select Token-Groups as the LDAP attribute and the Group (​SIA​) claim description you created in step 4 as the outgoing claim type.

      This associates your custom claim description with the Token-Groups LDAP attribute, so that AD FS issues one Group claim per AD group the user belongs to and ​Akamai​ Enterprise IdP can evaluate group membership. In this example, the IT administrator configures a claim rule called "Group Membership Attribute" that reads the user's group membership from AD and sends it as a SAML attribute to the relying party trust, which is ​Akamai​ Enterprise IdP.

  9. Click Finish.

  10. Click OK to save in the Edit Claim Rules dialog box.
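The two claim rules built with the Send LDAP Attributes as Claims template in this procedure and in Use claims to send LDAP attributes from AD FS to ​SIA​, together with the custom claim description, can be expressed in the AD FS claim rule language and applied with PowerShell. This is an added example, not code from the Akamai page or from Akamai. It assumes the trust is named IDP-RPT, the directory login preference in ​SIA​ is User Principal Name, and unqualified group names (the tokenGroups query) are the form of Token-Groups you want; the schema URIs are the standard AD FS ones that the template generates.

```powershell
# Added example: claim description plus the two LDAP claim rules as claim rule language.
# Assumptions: trust name IDP-RPT, Name ID = userPrincipalName, groups as tokenGroups.
Import-Module ADFS

# Custom claim description with identifier "Group" (Service > Claim Descriptions).
if (-not (Get-AdfsClaimDescription -ClaimType "Group" -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimDescription -Name "Group (SIA)" -ShortName "groupetp" -ClaimType "Group" `
        -IsOffered $true -IsAccepted $true
}

# Rule 1: Name ID <- userPrincipalName (must match the SIA directory login preference).
# Rule 2: Group   <- tokenGroups (one claim per AD group the user is a member of).
# This is exactly what the "Send LDAP Attributes as Claims" template generates.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Group Membership Attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Group"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Note: -IssuanceTransformRules replaces the whole rule set on the trust.
Set-AdfsRelyingPartyTrust -TargetName "IDP-RPT" -IssuanceTransformRules $rules

# Review what AD FS will actually issue to SIA after a user authenticates.
(Get-AdfsRelyingPartyTrust -Name "IDP-RPT").IssuanceTransformRules
```

Because Set-AdfsRelyingPartyTrust -IssuanceTransformRules overwrites existing rules, fetch the current rules first if the trust already has others you want to keep. The query string controls which Token-Groups variant is used: tokenGroups returns unqualified names, while tokenGroupsQualifiedByDomainName and tokenGroupsAsSids return domain-qualified names and SIDs respectively, and the group names ​SIA​ sees must match the groups imported from the directory.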

Next steps

Upload AD FS metadata to ​SIA​ IdP.

Upload AD FS metadata to ​SIA​ IdP

Before you begin

See Set up Active Directory Federation Services (AD FS) as a third-party SAML identity provider.

To upload the IdP metadata from your organization's AD FS domain to the ​SIA​ IdP you created:

  1. Download the IdP metadata XML file from your organization's AD FS federation service, over HTTPS:

    For example, https://<federation-service-name>/FederationMetadata/2007-06/FederationMetadata.xml.

  2. Return to ​SIA​ and open the IdP you created for AD FS:

    1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

    2. Click the name of the IdP you created for AD FS.

  3. Go to the Authentication section and complete these steps:

    1. Click Choose file next to Upload IDP metadata file.

    2. Browse to the location of the file on your machine.

    3. Click Open.

    4. Click Save.
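The metadata file is what tells ​SIA​ which certificate to trust when it validates signed SAML responses, so it is worth confirming, before uploading it, that the signing certificate it advertises is the one the AD FS farm actually uses. The following is an added example, not code from the Akamai page or from Akamai; it assumes the federation service name adfs.yourdomain.com, that it runs on the AD FS server (Get-AdfsCertificate needs the ADFS module), and that the metadata is fetched over a validated TLS connection.

```powershell
# Added example: download FederationMetadata.xml and verify its signing certificate
# against the farm's primary token-signing certificate.
# Assumption: federation service name adfs.yourdomain.com; run on the AD FS server.
$fsName = "adfs.yourdomain.com"
$mdUrl  = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$mdFile = Join-Path $env:TEMP "FederationMetadata.xml"

# TLS is the integrity protection for this download (unless you also verify the
# XML signature), so never fetch it over http or with certificate validation off.
Invoke-WebRequest -Uri $mdUrl -OutFile $mdFile -UseBasicParsing

[xml]$md = Get-Content -Path $mdFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Signing certificates advertised for SAML 2.0 (two of them during a certificate rollover).
$advertised = $md.SelectNodes(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object {
        $der = [Convert]::FromBase64String($_.InnerText.Trim())
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }

# What the farm really signs tokens with right now.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary

"EntityID in metadata : " + $md.EntityDescriptor.entityID
"Advertised signing   : " + (($advertised | ForEach-Object Thumbprint) -join ", ")
"Primary token-signing: " + $primary.Thumbprint

if ($advertised.Thumbprint -notcontains $primary.Thumbprint) {
    throw "Metadata does not carry the farm's primary token-signing certificate; do not upload it."
}
```

AD FS rotates its token-signing certificate automatically when AutoCertificateRollover is enabled; after a rollover the uploaded metadata in ​SIA​ is stale and response validation fails, so repeat this download and upload whenever the primary thumbprint changes.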

Next steps

  1. Deploy the IdP configuration:

    • In the ​SIA​ IdP configuration, you can click the icon next to the Ready for Deployment status. A deployment icon also appears next to a failed deployment status in case you need to deploy the IdP again. This action starts the deployment process.

    • Deploy IdP configuration changes in the list of Pending Changes. For more information, see Deploy configuration changes.

  2. Associate the IdP with a policy that's enabled for authentication. For more information, see Require authentication to access a website or web application.

Enable signed SAML requests between ​SIA​ and AD FS

To enable communication with signed SAML requests, configure both ​SIA​ and AD FS. This is an optional configuration:

  1. Configure ​SIA​ for signed SAML requests

  2. Configure AD FS for signed SAML request

Configure ​SIA​ for signed SAML requests

To configure ​SIA​ for signed SAML requests:

  1. Return to your AD FS IdP in ​SIA​.

  2. Under Authentication Configuration settings, select Sign SAML Request.

  3. Copy the certificate text to a new file called cert.pem and convert it to a DER-encoded certificate called cert.cer. Run the command for your operating system:

    1. On Windows, open a command prompt and enter: certutil -decode cert.pem cert.cer

    2. On Linux, open a terminal and enter: openssl x509 -outform der -in cert.pem -out cert.cer

  4. Click Save.

Next steps

  1. Deploy the IdP configuration:

    • In the ​SIA​ IdP configuration, you can click the icon next to the Ready for Deployment status. A deployment icon also appears next to a failed deployment status in case you need to deploy the IdP again. This action starts the deployment process.

    • Deploy IdP configuration changes in the list of Pending Changes. For more information, see Deploy configuration changes.

  2. Configure AD FS for signed SAML requests.

Configure AD FS for signed SAML requests

To configure AD FS for signed SAML requests:

  1. Return to the relying party trust. For example, IDP-RPT.

  2. In AD FS manager, edit properties of relying party trust.

  3. On the Signature tab, click Add.

  4. Add the cert.cer file.

  5. Click OK.

  6. ​SIA​ signs SAML requests with a certificate issued by an internal CA that AD FS does not trust and cannot check for revocation, so disable revocation checking for this relying party trust only (the setting below is scoped to the trust, not to the whole AD FS server):

    1. Open a PowerShell window.

    2. Run this command to stop AD FS from doing revocation checking on the ​SIA​ signing and encryption certificates for this relying party trust:

      Get-AdfsRelyingPartyTrust -Identifier https://<idp-fqdn>/saml/sp/response | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

Enable encrypted SAML responses between ​SIA​ and AD FS

To enable communication with encrypted SAML responses, configure both ​SIA​ and AD FS. This is an optional configuration:

  1. Configure ​SIA​ to send encrypted SAML responses.

  2. Configure AD FS for sending encrypted SAML responses.

Configure ​SIA​ to send encrypted SAML responses

To configure ​SIA​ to send encrypted SAML responses:

  1. Return to ​SIA​ and open the IdP you created for AD FS:

    1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

    2. Click the name of the IdP you created for AD FS.

  2. Under Authentication Configuration settings, select Encrypted SAML Response.

  3. Click Save.

Next steps

  1. Deploy the IdP configuration:

    • In the ​SIA​ IdP configuration, you can click the icon next to the Ready for Deployment status. A deployment icon also appears next to a failed deployment status in case you need to deploy the IdP again. This action starts the deployment process.

    • Deploy IdP configuration changes in the list of Pending Changes. For more information, see Deploy configuration changes.

  2. Configure AD FS for sending encrypted SAML responses.

Configure AD FS for sending encrypted SAML responses

To configure AD FS for sending encrypted SAML responses:

  1. Return to the relying party trust. For example, IDP-RPT.

  2. In AD FS manager, edit properties of relying party trust.

  3. On the Encryption tab, click Browse.

  4. Select the certificate file cert.cer.

  5. Click OK.
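The AD FS side of both optional procedures, Configure AD FS for signed SAML requests and Configure AD FS for sending encrypted SAML responses, comes down to registering the ​SIA​ certificate on the relying party trust and relaxing revocation checking for that trust. The following is an added example, not code from the Akamai page or from Akamai; it assumes the trust is named IDP-RPT, that the certificate text copied from the ​SIA​ IdP page was saved as C:\sia\cert.pem, and that the same certificate is used for request signing and for response encryption. It also sets SignedSamlRequestsRequired, which the page does not mention: once ​SIA​ signs every request, requiring signatures stops AD FS from accepting an unsigned request for this trust.

```powershell
# Added example: register the SIA certificate for request signing and response
# encryption, disable revocation checking for this trust only, and verify.
# Assumptions: trust IDP-RPT, PEM saved at C:\sia\cert.pem, one cert for both uses.
Import-Module ADFS

$pem = "C:\sia\cert.pem"
$cer = "C:\sia\cert.cer"

# PEM -> DER without certutil or openssl: X509Certificate2 reads Base64 PEM files,
# Export(Cert) writes bare DER, which is the form the AD FS dialogs expect.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pem)
[IO.File]::WriteAllBytes($cer,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

"Registering {0} (thumbprint {1}, expires {2})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

Set-AdfsRelyingPartyTrust -TargetName "IDP-RPT" `
    -RequestSigningCertificate $cert `
    -SignedSamlRequestsRequired $true `
    -EncryptionCertificate $cert `
    -EncryptClaims $true `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# Verify. With revocation checking off, this trust relies entirely on the exact
# certificate registered here, so confirm the thumbprints and watch NotAfter:
# a rotated SIA certificate must be re-registered before this one expires.
Get-AdfsRelyingPartyTrust -Name "IDP-RPT" |
    Select-Object Name, SignedSamlRequestsRequired, EncryptClaims,
        SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck,
        @{ n = "SigningCertThumbprints";  e = { ($_.RequestSigningCertificate | ForEach-Object Thumbprint) -join ", " } },
        @{ n = "EncryptionCertThumbprint"; e = { $_.EncryptionCertificate.Thumbprint } }
```

Setting the revocation check to None removes a control, and it is the right trade-off only because the certificate is pinned by value on a single trust; do not apply the same setting at the AD FS service level, and redo the steps in Configure ​SIA​ for signed SAML requests whenever ​SIA​ presents a new certificate text.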