Setup AD FS for use with Nirmata

This section provides instructions on how to setup Microsoft AD FS (Active Directory Federation Services) as a SAML Identity Provider (IdP). Before you setup ADFS, you must first enable SAML SSO in CompanyName, import the IdP Metadata into CompanyName, and export the SP Metadata. You must also Copy or transfer the SP Metadata XML file to your AD FS server. Setting up ADFS involves three steps (the following steps use Windows Server 2012 R2 and ADFS 3.0): <ol> <li>Import the SP Metadata into ADFS</li> </ol> On your ADFS host open the Server Manager tool and select the AD FS Management option: <img src="/images/adfs-1.png" alt="image"> In the AD FS Management window, navigate to Trust Relationships -> Relying Part Trusts and select Add Relying Party Trust from the right Actions panel: <img src="/images/adfs-2.png" alt="image"> Select the SP Metadata XML file that you exported from CompanyName: <img src="/images/adfs-3.png" alt="image"> Provide a Display Name: <img src="/images/adfs-4.png" alt="image"> If your organization used Multi-factor Authentication (MFA), you can enable it. Otherwise, leave it disabled: <img src="/images/adfs-5.png" alt="image"> On the next screen, select Permit all users to access this relying party: <img src="/images/adfs-6.png" alt="image"> Since we imported the SP settings from the Metadata file, simply click next on the Ready to Add Trust screen: <img src="/images/adfs-7.png" alt="image"> Make sure that the Open the Edit Claim Rules dialog... option is checked and close the wizard: <img src="/images/adfs-8.png" alt="image"> Proceed to configure a SAML claim below. <ol start="2"> <li>Setup a SAML Claim Rule for CompanyName</li> </ol> CompanyName requires that the SAML Name ID field contain the email address of the principal. You can enable this by configuring a SAML Claim Rule in ADFS. Click on Add Rule.. to configure the claim: <img src="/images/adfs-9.png" alt="image"> Select Send LDAP Attributes as Claims and click next: <img src="/images/adfs-10.png" alt="image"> Enter a name for the claim rule, such as “email address”. Then select Active Directory as the Atribute Store. In the mapping section, select E-Mail-Addresses as the LDAP Attribute and Name ID as the Outgoing Claim Type. <img src="/images/adfs-11.png" alt="image"> Click Finish to add the claim and then OK to exit the Edit Claim Rules dialog. <ol start="3"> <li>Allow SAML signature certificates to be self-signed</li> </ol> In a SAML message exchange, X.509 Certificates with public and private key pairs are used to sign and encrypt the data. Since the keys are exchanged via Metadata and the SAML messages are exchanged over a secure (TLS) connection, there is no benefit in using CA signed certificates for signing. CompanyName generates self-signed certificates for SAML signatures and encryption. You must setup AD FS to not require CA certificates for SAML signing and encryption. You can manage these settings using PowerShell as described below. Check you current settings using the PowerShell command: <pre><code>Get-AdfsRelyingPartyTrust | Select-Object Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck </code></pre> Look for the Identifier <a href="https://www.nirmata.io/security/api">https://www.nirmata.io/security/api</a>. <img src="/images/adfs-12.png" alt="image"> Use this PowerShell command to disable CA certificate checks for CompanyName: <pre><code>Get-AdfsRelyingPartyTrust -Identifier https://www.nirmata.io/security/api/ | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None </code></pre> <img src="/images/adfs-13.png" alt="image"> You should now be able to navigate to your AD FS login page and select CompanyName (CompanyName Cloud Services). This will initiate the SAML SSO exchange and authenticate your users with AD FS. <img src="/images/adfs-14.png" alt="image"> Alternatively, you can also sign in using your email address at: <a href="https://nirmata.io/">https://nirmata.io/</a>.