Configuring ADFS for 25Live


Page 1 of 10: ConfiguringADFSFor25Live.docx

Contents

Description
Prerequisites: (for ADFS 3.0)
Install the Public SSL Cert on both the ADFS and the DMZ Web Application Server
Install ADFS using the Add roles and features wizard or via Windows PowerShell
Configure the first federation server in a new federation server farm using the Active Directory Federation Service Configuration Wizard
To install the Web Application Proxy role service on the DMZ server
To configure Web Application Proxy
Testing your ADFS Setup
Retrieve the Federation Meta Data Information for your ADFS environment
Decide on Attributes to be used
Create Relying Party Trust for ADFS to CollegeNet
Add Claims rules to 25Live.collegenet.com Relying Party Trust
Restricting Authentication To Specific AD Groups
Adding Additional Claim Values From SQL
Testing Claim Values Returned
Errors
Definitions
Modifications

Description

This document describes how to set up Single Sign-On (SSO) between ADFS and Campus Clarity. Documentation credit goes to Joey Rego and the folks at LYNN University for compiling data, sources and links, and for the hard work of being the pioneers in getting this working.

Prerequisites: (for ADFS 3.0)

- Server 2012 R2 for the internal ADFS server
  o Open port 443 in the Windows firewall
- Server 2012 R2 for the DMZ Web Application Proxy server (optional but recommended)
  o Open port 443 in the Windows firewall
- Server 2012 R2 with SQL 2012 or later for the ADFS database (optional but recommended)
- Service account used to run the ADFS service
- Public SSL cert added to the Personal certificate store

All information provided below has been adapted from https://msdn.microsoft.com/en-us/library/azure/dn528856.aspx

Install the Public SSL Cert on both the ADFS and the DMZ Web Application Server

1. Copy the SSL cert (the file ending in .pfx) to the server.
2. Right-click the cert and choose Install PFX.
3. Select the Local Machine option and click Next.
4. On the File to import page, the path to the selected .pfx file should already be set. Click Next.
5. If there is a password on the file, enter it now. If you want this key to be exportable, you can select that option as well. We will leave the Include all extended properties checkbox enabled and click Next.
6. Select the Place all certificates in the following store option and choose Personal as the store for the cert. Click Next and then Finish.

Install ADFS using the Add roles and features wizard or via Windows PowerShell

1. Open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and click Next.
4. On the Select destination server page, click Select a server from the server pool, verify that the target computer is highlighted, and then click Next.
5. On the Select server roles page, click Active Directory Federation Services, and then click Next.
6. On the Select features page, click Next. The required prerequisites are pre-selected for you; you do not need to select any other features.
7. On the Active Directory Federation Service (AD FS) page, click Next.
8. After you verify the information on the Confirm installation selections page, click Install.
9. On the Installation progress page, verify that everything installed correctly, and then click Close.
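Added example, not from the 25Live document or from CollegeNet: the certificate import and AD FS role installation above, carried on through the farm configuration and Web Application Proxy steps on the following pages, as the PowerShell equivalent of the wizards. The federation service name, display name, .pfx path and service account name are placeholders to replace with your own values.

```powershell
# Added example (not from the 25Live document): wizard steps from pages 2-4 as
# PowerShell. Every host name, path and account name below is a placeholder.

# ===== Part 1: on the internal AD FS server (Server 2012 R2), elevated, logged =====
# ===== on with an existing domain admin account (needed for the install only). =====
$FederationServiceName = 'sts.contoso.com'      # must match a subject/SAN on the cert
$DisplayName           = 'Contoso Corporation Identity Federation Service'
$PfxPath               = 'C:\certs\sts.contoso.com.pfx'
$ServiceAccount        = 'CONTOSO\svc-adfs'     # pre-created service account, not a domain admin

# Install the Public SSL Cert: import the .pfx into the Local Machine Personal store
# (add -Exportable only if you need the key to be exportable later).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($cert.DnsNameList.Unicode -notcontains $FederationServiceName) {
    throw "Certificate $($cert.Thumbprint) has no subject/SAN for $FederationServiceName"
}

# Prerequisite: open port 443 in the Windows firewall.
New-NetFirewallRule -DisplayName 'AD FS HTTPS (TCP 443)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Install ADFS via Windows PowerShell (same as Add Roles and Features > AD FS).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Configure the first federation server in a new farm. Windows Internal Database
# is used unless -SQLConnectionString is supplied for the optional SQL back end.
$svcCred = Get-Credential -UserName $ServiceAccount -Message 'AD FS service account password'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName $DisplayName `
    -ServiceAccountCredential $svcCred

# ===== Part 2: on the DMZ Web Application Proxy server, elevated. The same .pfx =====
# ===== must already be imported there (repeat the Import-PfxCertificate step).  =====
$FederationServiceName = 'sts.contoso.com'
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools
New-NetFirewallRule -DisplayName 'WAP HTTPS (TCP 443)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Pick the certificate whose subject/SAN is the federation service name.
$wapCert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.DnsNameList.Unicode -contains $FederationServiceName } |
    Select-Object -First 1
if (-not $wapCert) { throw "No certificate for $FederationServiceName in LocalMachine\My" }

# A local administrator on the AD FS server is used once to establish the proxy trust.
$trustCred = Get-Credential -Message 'Local administrator on the AD FS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $wapCert.Thumbprint
```

Part 1 runs with the domain admin account only for the duration of the install, as the note on the next page requires; the service account itself never needs that right. The cmdlets come from the ServerManager, PKI, ADFS and WebApplicationProxy modules that ship with Server 2012 R2, and the proxy server is not domain-joined, which is why Part 2 has to be run separately there.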

Configure the first federation server in a new federation server farm using the Active Directory Federation Service Configuration Wizard

*** Make sure you have domain administrator permissions or have domain administrator credentials available before you perform this procedure. To be clear, the account only needs this right for the install, so do not grant the service account you created domain admin rights; use an existing domain admin account already set up in your environment to run the install.

1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched.
2. On the Welcome page, select Create the first federation server in a federation server farm and click Next.
3. On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to, and then click Next.
4. On the Specify Service Properties page, do the following and then click Next:
   a. Select the certificate that you previously installed from the list.
   b. Provide a name for your federation service, for example sts.contoso.com. This name must match one of the subject or subject alternative names in the certificate.
   c. Provide a display name for your federation service, for example Contoso Corporation Identity Federation Service. This name will be shown to users on the AD FS sign-in page.
5. On the Specify Service Account page, specify the service account that you already created as a prerequisite.
6. On the Specify Configuration Database page, specify an AD FS configuration database and then click Next. You can either create a database on this computer using Windows Internal Database (WID) or specify the location and the instance name of the SQL server.
7. On the Review Options page, verify your configuration selections and click Next.
8. On the Pre-requisite Checks page, verify that all pre-requisite checks completed successfully, and then click Configure.
9. On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.

To install the Web Application Proxy role service on the DMZ server

1. On the DMZ Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.
3. On the Select server roles dialog, select Remote Access, and then click Next.
4. Click Next twice.

5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.
6. On the Confirm installation selections dialog, click Install.
7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

To configure Web Application Proxy

1. On the Web Application Proxy server, open the Remote Access Management console: on the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
2. In the navigation pane, click Web Application Proxy.
3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.
4. In the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.
5. On the Federation Server dialog, do the following, and then click Next:
   a. In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server, for example fs.contoso.com.
   b. In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.
6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.
   a. The certificate you choose here should be the one whose subject is the Federation Service name, for example fs.contoso.com. If you plan on using Workplace Join, this must be a SAN certificate with the SANs described in Configure CAs and certificates.
7. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.
8. On the Results dialog, verify that the configuration was successful, and then click Close.

Testing your ADFS Setup

1. To test our ADFS setup there are a few things we need to do. If you have already updated your environment's DNS to point to your newly set up server, there is nothing more to do and you should be able to browse to the URL. If you haven't and you are still in the testing phase, you can edit the local hosts file on your test Windows machine, found in c:\windows\system32\drivers\etc. Open the file with Notepad and add the IP address and the FQDN of the server that has ADFS installed for now. We will do this twice: once for the ADFS server directly, and a second time to simulate accessing ADFS through the Web Application Proxy.

   o Doing this allows us to manually configure your computer to access the URL by name instead of just by IP address.
2. Now we can go to the following URL. Be sure to substitute the FQDN for your environment, and remove the <> as well.
   a. https://<fqdn>/adfs/ls/idpinitiatedsignon.aspx
3. Now we should be able to test our login using one of the three options. All should work, but it's good to test them all to make sure.
   a. username@domain.local
      i. Be sure to substitute your user for username
      ii. Be sure to change domain.local to the FQDN of your environment
   b. Domain\username
      i. Be sure to substitute your user for username
      ii. Be sure to change Domain to the NetBIOS name of your domain
   c. DomainFQDN\username
      i. Be sure to substitute your user for username
      ii. Be sure to change DomainFQDN to the FQDN of your domain
4. Once we are sure this is working, we can go back to the hosts file that we edited in step 1 and change only the IP address, so that the new IP address is that of the DMZ Web Application Proxy server.
   a. Once you have done this you can ping the FQDN to make sure that your computer is now resolving to the DMZ Web Application Proxy IP address and
5. Now we can perform steps 2 and 3 again.
   a. This allows us to test that we are sending requests to the DMZ Web Application Proxy and that the proxy is forwarding the request to the backend ADFS box.
6. Once all of this is completed we have confirmed we can log in.

Retrieve the Federation Meta Data Information for your ADFS environment

1. We need to download the metadata XML information so that we can send it to 25Live tech support, so they know what attributes they can use for their Shibboleth implementation.
2. Using Chrome or Firefox, go to https://<fqdn>/federationmetadata/2007-06/federationmetadata.xml (your site may vary).
   a. Be sure to remove the <> and enter the FQDN of your environment.
   b. Save the file.
   c. Now you can send this information to 25Live support.
      i. If tech support says that the file needs to be adjusted, follow the link below for more information. You may need to adjust the .xml file that you downloaded in a few sections with notepad.exe or something similar, save it, and then send that file back to 25Live support.
         1. http://blog.kloud.com.au/2014/10/29/shibboleth-serviceprovider-integration-with-adfs/
      ii. Here is another reference. See the section To Create edited AD FS 2.0 metadata:

         1. https://wiki.shibboleth.net/confluence/display/shib2/microsoftinterop

Decide on Attributes to be used

For more information you can go to the following URL: http://knowledge25.collegenet.com/display/wsw/shibboleth#shibboleth-attributes

1. (Windows account name) <!-- x-r25-user -->:
   a. http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
2. (Given Name) <!-- x-r25-first-name -->:
   a. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
3. (Surname) <!-- x-r25-family-name -->:
   a. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
4. (E-Mail Address) <!-- x-r25-email-work -->:
   a. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Create Relying Party Trust for ADFS to CollegeNet

1. Open the ADFS console.
2. Expand Trust Relationships.
3. Right-click Relying Party Trusts.
4. Select Add Relying Party Trust.
5. Click Start.
6. Choose Import data about the relying party published online or on a local network.
7. Paste in the URL for your site:
   a. https://25live.collegenet.com/<yoursite>/shibboleth.sso/metadata
8. Click Next.
9. You may get a message saying: Some of the content in the federation metadata was skipped. Click OK.
10. Enter the Display Name you desire.
11. Click Next.
12. Select I do not want to configure multifactor authentication.
13. Click Next.
14. Select Permit all users to access the relying party.
15. Click Next.
16. Click Next on the Ready to Add Trust page.
17. Leave checked the checkbox for Open the Edit Claim Rules dialog...
18. Click Close on the Finish page.
19. Now you will need to add the claims rules as shown below.

Add Claims rules to 25Live.collegenet.com Relying Party Trust

Claim rules describe how AD FS 3.0 determines what data should reside inside the federation security tokens that it generates. The claim rules in this section describe how data from Active Directory is inserted in the security token that is created for Shibboleth. Shibboleth is preconfigured to assert multiple attributes of the eduPerson object class, which is specially designed for higher education institutions. These are not configured by default in AD FS 2.0. Also, Shibboleth expects inbound SAML attribute names to use a different name format (urn:oasis:names:tc:saml:2.0:attrname-format:uri) than AD FS 2.0 publishes by default (urn:oasis:names:tc:saml:2.0:attrname-format:unspecified). For these reasons, we will use the AD FS custom rule language to generate Shibboleth-compliant claims. We will generate an eduPersonPrincipalName claim, based on the user's UPN, and an eduPersonScopedAffiliation claim, based on domain membership.

To configure eduPerson claims for sending to a relying party trust

1. The Edit Claim Rules dialog box should already be open. If not, in the AD FS center pane, under Relying Party Trusts, right-click the CollegeNet trust, and then click Edit Claim Rules.
2. On the Issuance Transform Rules tab, click Add Rule.
3. On the Select Rule Template page, select Send LDAP Attributes as Claims, and then click Next.
4. On the Configure Rule page, in the Claim rule name box, type Get Data.
5. In the Attribute Store list, select Active Directory.
6. In the Mapping of LDAP attributes section, create the following mappings. Note: not all of these claims need to be provided; they are shown for reference only. In most cases you do not need to share the Group claim, etc. Talk with your SAML vendor to find out what exact claims they require and only configure those.

   LDAP Attribute                      Outgoing Claim Type
   User-Principal-Name                 UPN
   Token-Groups - Unqualified Names    Group (optional, only if needed/desired)
   Given-Name                          Given Name
   E-Mail-Addresses                    E-Mail Address
   SAM-Account-Name                    Windows account name
   Surname                             Surname

7. Click Finish.

8. [only if supplying the UPN Claim Value] On the Issuance Transform Rules tab, click Add Rule.
9. [only if supplying the UPN Claim Value] On the Select Rule Template page, select Send Claims Using a Custom Rule, and then click Next.
10. [only if supplying the UPN Claim Value] On the Configure Rule page, in the Claim rule name box, type Transform UPN to eppn.
11. [only if supplying the UPN Claim Value] In the Custom Rule window, type or copy and paste the following:

    c:[type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
     => issue(type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri");

12. [only if supplying the UPN Claim Value] Click Finish.
13. [only if supplying the Group Claim Value] On the Issuance Transform Rules tab, click Add Rule.
14. [only if supplying the Group Claim Value] On the Select Rule Template page, select Send Claims Using a Custom Rule, and then click Next.
15. [only if supplying the Group Claim Value] On the Configure Rule page, in the Claim rule name box, type Transform Group to epsa.
16. [only if supplying the Group Claim Value] In the Custom Rule window, type or copy and paste the following, but be sure to change the domain name in member@contoso.com to match yours:

    c:[type == "http://schemas.xmlsoap.org/claims/group", Value == "Domain Users"]
     => issue(type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9", Value = "member@contoso.com", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri");

17. [only if supplying the Group Claim Value] Click Finish.

18. Click OK.

Restricting Authentication To Specific AD Groups

Section added by: David Mielcarek, 20150803

1. Open: ADFS
2. Expand: Trust Relationships
3. Click: Relying Party Trusts
4. Click: [desired trust]
5. Click: Edit Claim Rules
6. Click: Issuance Authorization Rules (tab)
   a. (remove any current rules if you want to restrict to new ones)
7. Click: Add Rule
8. Choose: Permit or Deny Users Based on an Incoming Claim
9. Type: Claim Rule Name
10. Choose: (Incoming claim type) Group SID
11. Click: Browse
12. Choose: [desired group]
13. Click: OK
14. Click: Finish (repeat 7-13 for each desired group)
15. Click OK

Adding Additional Claim Values From SQL

(see same site document: ADFSClaimValueFromSQL.pdf)

Testing Claim Values Returned

(see same site document: lccadfstestwebclient.pdf)

Errors

Error 1
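Added example, not from the 25Live document or from CollegeNet: the relying party trust (Create Relying Party Trust), the three issuance transform rules (Add Claims rules) and the group restriction (Restricting Authentication To Specific AD Groups) applied with the ADFS and ActiveDirectory PowerShell modules instead of the wizards, so the rule text can be kept in version control and reviewed. The site name, trust name, domain and group names are placeholders; the group names in particular are constructed for the example. Run it in an elevated PowerShell on the AD FS server.

```powershell
# Added example (not from the 25Live document). All names below are placeholders.

$SiteName      = 'yoursite'                  # the <yoursite> segment of the 25Live URL
$TrustName     = '25Live (CollegeNet)'
$Domain        = 'contoso.com'               # scope used in the epsa value
$AllowedGroups = @('25Live-Users', '25Live-Admins')   # constructed example AD group names
$MetadataUrl   = "https://25live.collegenet.com/$SiteName/shibboleth.sso/metadata"

# Create Relying Party Trust, steps 6-14: import the SP metadata. "Permit all users"
# has to be stated explicitly here; a trust with no authorization rule denies everyone.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl -IssuanceAuthorizationRules $permitAll

# Claim rules, step 6 ("Get Data"): the Send LDAP Attributes as Claims rule in rule
# language. The tokenGroups -> Group mapping is only needed by the epsa rule below.
$getData = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get Data"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/Group", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";userPrincipalName,tokenGroups,givenName,mail,sAMAccountName,sn;{0}", param = c.Value);
'@

# Claim rules, steps 8-12: UPN -> eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6)
# tagged with the attribute name format Shibboleth expects.
$upnToEppn = @'
@RuleName = "Transform UPN to eppn"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri");
'@

# Claim rules, steps 13-17: Domain Users -> eduPersonScopedAffiliation
# (urn:oid:1.3.6.1.4.1.5923.1.1.1.9) as member@<domain>. The built-in AD FS claim
# type is spelled http://schemas.xmlsoap.org/claims/Group (capital G).
$groupToEpsa = @"
@RuleName = "Transform Group to epsa"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Domain Users"]
 => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9", Value = "member@$Domain", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:saml:2.0:attrname-format:uri");
"@

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules (($getData, $upnToEppn, $groupToEpsa) -join "`n")

# Restricting Authentication, steps 6-14: one "Permit Users Based on an Incoming
# Claim" rule per group, keyed on the Group SID so renaming a group cannot widen access.
$template = @'
@RuleName = "Permit {0}"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "{1}"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
$authzRules = foreach ($group in $AllowedGroups) {
    $sid = (Get-ADGroup -Identity $group).SID.Value
    $template -f $group, $sid
}
# Step 6a: this replaces the "Permit all users" rule set above, so anyone who is not
# a member of one of the listed groups is refused at the AD FS sign-in page.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceAuthorizationRules ($authzRules -join "`n")

# Read back what the trust now enforces.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, IssuanceTransformRules, IssuanceAuthorizationRules | Format-List
```

Get-ADGroup needs the ActiveDirectory module from RSAT. The Group SID claim used in the authorization rules is issued by AD FS itself from the user's Windows logon token, so it does not depend on the tokenGroups mapping in the Get Data rule; that mapping only feeds the epsa transform rule.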

Definitions

ADFS - Active Directory Federated Services
SSO - Single-Sign On

Modifications

NAME              DATE        MODIFICATION
David Mielcarek   8/5/2015    Created
David Mielcarek   12/10/2015  Changed Token Groups to Unqualified Names

End of document