Online Help

SafeNet Trusted Access for Active Directory Federation Services

Overview

Configuring SafeNet Trusted Access for Active Directory Federation Services is a three-step process:

1. Active Directory Federation Services setup

2. SafeNet Trusted Access setup

3. Verify authentication

Active Directory Federation Services Setup

As prerequisites:

The AD FS 2016 service should be fully installed and configured.

Download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

Configuring SafeNet Trusted Access as your Identity Provider in Active Directory Federation Services requires:

Verifying endpoints and certificates

Adding Claims Provider trusts

Adding Relying Party trusts (End Applications)

Customizing Home Realm Discovery in AD FS (Optional)

Configuring AD FS as identity provider in Relying Party (End Application)

Verifying Endpoints and Certificates

Perform the following steps to verify endpoints and certificates:

1. On the AD FS server, open the AD FS Management application.

2. In the left pane, under AD FS, click Service > Endpoints, and in the right pane under Token Issuance, ensure that the /adfs/ls/ endpoint for SAML 2.0 exists and is enabled.

3. Under AD FS, click Service > Certificates, and in the right pane, ensure that Service communications, Token-decrypting, and Token-signing certificates exist.

Adding Claims Provider Trusts

Perform the following steps to add claims provider trusts:

1. Under AD FS, click Service > Claims Provider Trusts.

2. In the Actions pane, click Add Claims Provider Trust.

3. In the Add Claims Provider Trust Wizard, perform the following steps:

a. On the Welcome page, click Start.

b. On the Select Data Source page, select the Import data about the claims provider from a file option.

c. Click Browse to search for and select the SafeNet Trusted Access metadata that you downloaded earlier, and click Next >.

d. On the AD FS Management window, click OK.

e. On the Specify Display Name page, in the Display name field, enter a name for the identity provider (for example, SafeNet IDP) and click Next >.

f. On the Ready to Add Trust page, verify all the configurations, and click Next >.

g. On the Finish page, ensure that the Open the Edit Claim Rules dialog for this claims provider trust when the wizard closes checkbox is selected, and click Close.

4. On the Edit Claim Rules for <Claims Provider Display Name> window, on the Acceptance Transform Rules tab, click Add Rule.

5. In the Add Transform Claim Rule Wizard, perform the following steps:

a. On the Choose Rule Type page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and click Next >.

b. On the Configure Claim Rule page, perform the following steps:

In the Claim rule name field, enter a name for the claim rule (for example, Pass through Name ID from SafeNet IDP to ADFS).

In the Incoming claim type field, select Name ID.

In the Incoming name ID format field, ensure that Unspecified is selected.

Click Finish.

6. On the AD FS Management window, click Yes.

7. If the relying party (end application) requires return attributes in the SAML assertion, perform the following steps; otherwise go to step 8:

a. On the Edit Claim Rules for <Claims Provider Display Name> page, click Add Rule.

b. In the Add Transform Claim Rule Wizard, perform the following steps:

On the Choose Rule Type page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and click Next >.

On the Configure Claim Rule page, complete the following fields and click Finish:

Field                Value
Claim rule name      Enter a name for the claim rule (for example, Pass through Return Attribute from SafeNet IDP to ADFS).
Incoming claim type  Enter the return attribute name that you want to pass from SafeNet IDP to AD FS (for example, userid).

c. On the AD FS Management window, click Yes.

8. On the Edit Claim Rules for <Claims Provider Display Name> window, click Apply, and then click OK. The identity provider is now listed under Claims Provider Trusts.

9. Perform the following steps to enable signing of the authentication request that AD FS sends to SafeNet Trusted Access during single sign-on (SSO):

a. Under Claims Provider Trusts, double-click the identity provider that you added in the previous step (for example, SafeNet IDP) to view its properties.

b. On the <Claims Provider Display Name> Properties window, click the Endpoints tab.

c. Under SAML Single Sign-On Endpoints, select the Redirect binding URL, and click Remove.

d. On the AD FS Management dialog box, click Yes.

e. On the <Claims Provider Display Name> Properties window, click Apply, and then click OK.
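The same claims provider trust, created from the AD FS PowerShell module instead of the wizard, as an added example that is not part of the SafeNet documentation. The metadata path C:\Integrations\ADFS\sta-metadata.xml is a constructed placeholder; the trust name, the Unspecified Name ID format and the userid attribute are the ones used in the steps above.

```powershell
# Added example, not from the SafeNet documentation: the "Adding Claims Provider
# Trusts" procedure done with the AD FS PowerShell cmdlets on the AD FS server.
# Assumed values: the STA metadata saved as C:\Integrations\ADFS\sta-metadata.xml
# (constructed path), trust name "SafeNet IDP", return attribute "userid".
$MetadataFile = 'C:\Integrations\ADFS\sta-metadata.xml'
$TrustName    = 'SafeNet IDP'
$NameIdType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$FormatProp   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$Unspecified  = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'

# Steps 4-7 in claim rule language. AD FS accepts from the claims provider only
# the claims an acceptance rule lets through, so list just what the relying
# party needs: Name ID in Unspecified format plus the userid return attribute.
$AcceptanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID from SafeNet IDP to ADFS"
c:[Type == "$NameIdType", Properties["$FormatProp"] == "$Unspecified"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Return Attribute from SafeNet IDP to ADFS"
c:[Type == "userid"]
 => issue(claim = c);
"@

# Steps 1-3: import the trust from the downloaded IdP metadata; this also imports
# the STA token-signing certificate AD FS will validate assertions against.
Add-AdfsClaimsProviderTrust -Name $TrustName -MetadataFile $MetadataFile `
    -AcceptanceTransformRules $AcceptanceRules

# Step 9: keep only the HTTP-POST single sign-on endpoint. AD FS signs the SAML
# AuthnRequest when it uses the POST binding, so removing the Redirect binding
# is what enables authentication request signing towards STA.
$Trust   = Get-AdfsClaimsProviderTrust -Name $TrustName
$PostSso = $Trust.SamlEndpoints |
    Where-Object { $_.Protocol -eq 'SAMLSingleSignOn' -and $_.Binding -eq 'POST' }
if (-not $PostSso) { throw "Metadata for '$TrustName' lists no POST SSO endpoint" }
Set-AdfsClaimsProviderTrust -TargetName $TrustName -SamlEndpoint $PostSso

# Check the result: a single POST SSO endpoint and the imported signing cert.
$Trust = Get-AdfsClaimsProviderTrust -Name $TrustName
$Trust.SamlEndpoints            | Format-Table Protocol, Binding, Location
$Trust.TokenSigningCertificates | Format-Table Subject, NotAfter, Thumbprint
```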

Adding Relying Party Trusts (End Applications)

Perform the following steps to add relying party trusts (end applications):

1. In the AD FS Management application, in the left pane, click Service > Relying Party Trusts.

2. In the Actions pane, click Add Relying Party Trust.

3. In the Add Relying Party Trust Wizard, on the Welcome page, ensure that the Claims aware option is selected, and click Start.

4. If the relying party is providing its metadata, perform the following steps; otherwise go to the next step (step 5).

a. On the Select Data Source page, select the Import data about the relying party from a file option.

b. Click Browse to search for and select the relying party metadata file that is provided by your relying party.

c. Click Next >.

d. On the Specify Display Name page, in the Display name field, enter the name of the end application (for example, Salesforce).

e. Click Next >.

5. If the relying party is not providing its metadata, perform the following steps; otherwise skip this step:

a. On the Select Data Source page, select the Enter data about the relying party manually option, and click Next >.

b. On the Specify Display Name page, in the Display name field, enter the name of the end application (for example, Salesforce), and click Next >.

c. On the Configure Certificate page, click Next >.

Note: If the encryption certificate is provided by the relying party, click Browse to search for and select the certificate.

d. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol checkbox.

e. In the Relying Party SAML 2.0 SSO service URL field, enter the ACS URL of your relying party, and click Next >.

f. On the Configure Identifiers page, in the Relying party trust identifier field, enter the Entity ID of your end application.

g. Click Add, and then click Next >.

6. On the Choose Access Control Policy page, select the default access control policy setting, that is, Permit Everyone, and ensure that the I do not want to configure access control policies at this time. No user will be permitted access for this application checkbox is not selected.

7. Click Next >.

8. On the Ready to Add Trust page, verify the configuration details, and click Next >.

9. On the Finish page, ensure that the Configure claims issuance policy for this application checkbox is selected.

10. Click Close.

11. On the Edit Claim Issuance Policy for <Relying Party Display Name> window, on the Issuance Transform Rules tab, click Add Rule.

12. If the relying party requires the Name ID value in the SAML assertion in the Unspecified format, perform the following steps; otherwise go to step 13:

a. In the Add Transform Claim Rule Wizard, on the Choose Rule Type page, under Claim rule template, select Pass Through or Filter an Incoming Claim.

b. Click Next >.

c. On the Configure Claim Rule page, perform the following steps:

In the Claim rule name field, enter a name for the claim rule (for example, Pass through Name ID from ADFS to Relying Party).

In the Incoming claim type field, select Name ID.

In the Incoming name ID format field, ensure that Unspecified is selected.

Click Finish.

13. If the relying party requires the Name ID value in the SAML assertion in a format other than Unspecified (for example, Email), perform the following steps; otherwise skip this step:

a. In the Add Transform Claim Rule Wizard, on the Choose Rule Type page, under Claim rule template, select Transform an Incoming Claim.

b. Click Next >.

c. On the Configure Claim Rule page, perform the following steps:

In the Claim rule name field, enter a name for the claim rule (for example, Transform Name ID from ADFS to Relying Party).

In the Incoming claim type field, select Name ID.

In the Incoming name ID format field, ensure that Unspecified is selected.

In the Outgoing claim type field, select Name ID.

In the Outgoing name ID format field, select the format the relying party requires (for example, Email).

Click Finish.

14. If the relying party (end application) requires return attributes in the SAML assertion, perform the following steps; otherwise go to step 15:

a. On the Edit Claim Issuance Policy for <Relying Party Display Name> window, click Add Rule.

b. In the Add Transform Claim Rule Wizard, perform the following steps:

On the Choose Rule Type page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and click Next >.

On the Configure Claim Rule page, complete the following fields and click Finish:

Field                Value to be Set
Claim rule name      Enter a name for the claim rule (for example, Pass through Return Attribute from ADFS to Relying Party).
Incoming claim type  Enter the return attribute name that you want to pass from AD FS to the relying party (for example, userid).

c. On the AD FS Management window, click Yes.

15. On the Edit Claim Issuance Policy for <Relying Party Display Name> window, click Apply, and then click OK.

Your end application is now listed under Relying Party Trusts.
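The relying party trust of step 5 (an end application that provides no metadata), created with the AD FS PowerShell module together with the step 13 and step 14 issuance rules, as an added example that is not part of the SafeNet documentation. The Entity ID and ACS URL under rp.example.com are constructed placeholders for the values your end application documents.

```powershell
# Added example, not from the SafeNet documentation: "Adding Relying Party
# Trusts" for an end application that provides no metadata (step 5), with the
# issuance rules of steps 11-15 attached at creation time. The Entity ID and
# ACS URL are constructed placeholders; use the values your end application
# documents. Name ID is transformed to Email as in the step 13 example.
$RpName      = 'Salesforce'
$EntityId    = 'https://rp.example.com/saml/metadata'   # constructed
$AcsUrl      = 'https://rp.example.com/saml/acs'        # constructed
$NameIdType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$FormatProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$Unspecified = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
$EmailFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# Steps 5(d)-(e): the relying party's SAML 2.0 WebSSO (assertion consumer) endpoint.
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl

# Steps 13-14: rewrite the Name ID format and pass the userid attribute through.
$IssuanceRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "Transform Name ID from ADFS to Relying Party"
c:[Type == "$NameIdType", Properties["$FormatProp"] == "$Unspecified"]
 => issue(Type = "$NameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType, Properties["$FormatProp"] = "$EmailFormat");

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Return Attribute from ADFS to Relying Party"
c:[Type == "userid"]
 => issue(claim = c);
"@

# Steps 5-10: create the claims-aware trust. "Permit everyone" is the default
# access control policy of step 6; narrow it per application once SSO works.
Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $EntityId -SamlEndpoint $Acs `
    -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $IssuanceRules

# Check what was stored: identifier, ACS location, policy and the rule set.
$Rp = Get-AdfsRelyingPartyTrust -Name $RpName
$Rp | Format-List Name, Identifier, AccessControlPolicyName
$Rp.SamlEndpoints | Format-Table Protocol, Binding, Location
$Rp.IssuanceTransformRules
```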

Customizing Home Realm Discovery in AD FS (Optional)

Customizing Home Realm Discovery (HRD) in AD FS is optional. If you want to customize HRD in AD FS, perform the following optional steps as per your preferred configuration:

Option 1: In the PowerShell command prompt, run the following command to assign a Claims Provider to the Relying Party, which bypasses home realm discovery (HRD) during single sign-on (SSO):

Set-AdfsRelyingPartyTrust -TargetName <Relying Party Display Name> -ClaimsProviderName @("<Claims Provider Display Name>")

For example, Set-AdfsRelyingPartyTrust -TargetName Salesforce -ClaimsProviderName @("SafeNet IDP")

Option 2: This option can be used to increase the HRD lifetime. Option 1 is valid only for 30 days, which is the default value. Run the following command to increase the HRD lifetime validity to 9999 days:

Set-AdfsWebConfig -HRDCookieLifetime 9999

Option 3: This option can be used to customize the external identity provider logo in HRD. In the PowerShell command prompt, run the following commands to customize the external IDP logo in HRD:

a. Create a new theme based on the default one.

New-AdfsWebTheme -Name <New Theme Name> -SourceName default

For example, New-AdfsWebTheme -Name SafeNetTheme -SourceName default

b. Set the newly created theme as the active theme.

Set-AdfsWebConfig -ActiveThemeName <New Theme Name>

For example, Set-AdfsWebConfig -ActiveThemeName SafeNetTheme

If you later want to switch back to the default theme, run the same command with default as the <New Theme Name>.

c. Create a directory for exporting the newly created theme.

md c:\<New Theme Name>

For example, md c:\SafeNetTheme

d. Export the data of the selected theme into the newly created directory.

Export-AdfsWebTheme -Name <New Theme Name> -DirectoryPath c:\<New Theme Name>

For example, Export-AdfsWebTheme -Name SafeNetTheme -DirectoryPath c:\SafeNetTheme

e. Switch from the default logo to your customized logo for the external identity provider.

Set-AdfsWebTheme -TargetName <New Theme Name> -AdditionalFileResource @{Uri="/adfs/portal/images/idp/idp.png";path="<Path of your newly customized logo>"}

For example, Set-AdfsWebTheme -TargetName SafeNetTheme -AdditionalFileResource @{Uri="/adfs/portal/images/idp/idp.png";path="C:\Integrations\ADFS\idp-safenet.png"}

Obtaining Metadata

In a web browser, enter the URL https://<Federation Service Name>/federationmetadata/2007-06/federationmetadata.xml

where <Federation Service Name> is the Subject of the SSL certificate used by AD FS.

The AD FS metadata is downloaded in .xml format. Save it on your local machine.
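As an added example that is not part of the SafeNet documentation, the following PowerShell script performs the Verifying Endpoints and Certificates checks from the AD FS server, downloads the federation metadata as described above, and confirms that the signing certificate published in that metadata is one of the farm's Token-Signing certificates. adfs.example.com is a constructed placeholder for your Federation Service Name.

```powershell
# Added example, not from the SafeNet documentation: the "Verifying Endpoints and
# Certificates" checks run from PowerShell on the AD FS server, then the metadata
# download from "Obtaining Metadata", plus a cross-check that the signing
# certificate published in that metadata is a Token-Signing certificate AD FS
# actually holds. $FederationServiceName is a constructed placeholder.
$FederationServiceName = 'adfs.example.com'   # constructed; use your own

# Service > Endpoints: the SAML 2.0 /adfs/ls/ token issuance endpoint is enabled.
$Ls = Get-AdfsEndpoint | Where-Object {
    $_.AddressPath -eq '/adfs/ls/' -and $_.Protocol -like 'SAML 2.0*'
}
if (-not $Ls -or -not $Ls.Enabled) {
    throw 'SAML 2.0 /adfs/ls/ endpoint is missing or disabled'
}

# Service > Certificates: all three certificate roles have a primary certificate.
$Certs = Get-AdfsCertificate
foreach ($Role in 'Service-Communications', 'Token-Decrypting', 'Token-Signing') {
    $Primary = $Certs | Where-Object { $_.CertificateType -eq $Role -and $_.IsPrimary }
    if (-not $Primary) { throw "No primary $Role certificate configured" }
    '{0,-22} {1}  expires {2:d}' -f $Role, $Primary.Thumbprint, $Primary.Certificate.NotAfter
}

# Obtaining Metadata: download federationmetadata.xml for upload to STA.
$MetadataUrl  = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
$MetadataFile = Join-Path $env:TEMP 'adfs-federationmetadata.xml'
Invoke-WebRequest -Uri $MetadataUrl -OutFile $MetadataFile -UseBasicParsing
[xml]$Md = Get-Content -Path $MetadataFile -Raw

# Cross-check: STA will trust the signing certificate(s) in the IDPSSODescriptor,
# so each one must be a Token-Signing certificate of this farm.
$Ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
$MdSigning = Select-Xml -Xml $Md -Namespace $Ns `
    -XPath '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate' |
    ForEach-Object {
        $Der = [Convert]::FromBase64String(($_.Node.InnerText -replace '\s', ''))
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $Der)).Thumbprint
    }
$LocalSigning = ($Certs | Where-Object { $_.CertificateType -eq 'Token-Signing' }).Thumbprint
$Unknown = $MdSigning | Where-Object { $_ -notin $LocalSigning }
if ($Unknown) { throw "Metadata publishes unknown signing cert(s): $($Unknown -join ', ')" }
"entityID           : $($Md.EntityDescriptor.entityID)"
"signing thumbprint : $($MdSigning -join ', ') (matches AD FS Token-Signing)"
```

If the metadata is fetched from a machine other than the AD FS server, the cross-check can still be run later by comparing the printed thumbprint against the Token-Signing entry shown in the AD FS Management console.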

Configuring AD FS as an Identity Provider in Relying Party (End Application)

Refer to the end application documentation to configure AD FS as an identity provider for the end application.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Active Directory Federation Services, the second step is to activate the Active Directory Federation Services application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the Active Directory Federation Services application that you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Active Directory Federation Services) and proceed to the next step.

2. Under STA Setup, perform the following steps:

a. Click Upload AD FS Metadata.

b. On the Metadata Upload window, click Browse to search for and select the AD FS metadata that you downloaded earlier in the Obtaining Metadata section.

c. Under Account Details, the service provider metadata information is displayed.

d. In the NAME ID field, select the value as per the relying party's requirements.

e. Under Return Attributes, add the return attributes that the relying party requires (for example, userid); these are the attributes you added earlier in step 7(b) of Adding Claims Provider Trusts and step 14(b) of Adding Relying Party Trusts (End Applications).

f. Click Save Configuration to save the details and activate the AD FS application in SafeNet Trusted Access.

Optional use case: Multi-step authentication using domain password (Active Directory) and OTP (SafeNet token)

To implement multi-step authentication using a domain password and OTP, you first need to synchronize your LDAP directory with STA users. Then, create a policy in STA that defines the authentication requirements for domain password and OTP based authentication. Refer to the SafeNet Trusted Access product documentation for creating and modifying STA policies.

Verify Authentication

Using STA Console

Navigate to the Relying Party's (End Application) SSO URL.

You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the relying party dashboard after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Active Directory Federation Services application icon; you should be redirected to the Active Directory Federation Services sign-in page. Under Sign in to one of the following sites, select the Relying Party (End Application) that you want to access, and click Sign in. You will be redirected to the relying party dashboard.


© 2019 SafeNet Trusted Access. Various trademarks held by their respective owners.