ADFS Integration Guide

This guide assumes that you have knowledge of installing and configuring Windows Server 2016, Active Directory and ADFS 2016. This document also assumes a fresh installation.

For more information on installing ADFS, please see https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/deployment/ad-fs-deployment-guide.

It is also assumed that you have provided your ADFS Token Signing certificate to Trusona. For more information on ADFS certificates, please see https://technet.microsoft.com/en-us/library/dn781426(v=ws.11).aspx

Step - 1 Select Claims Provider Trusts

[Screenshot: Select Claims Provider Trusts]

ADFS > Service > Claims Provider Trusts

Step - 2 Add Claims Provider Trusts

[Screenshot: Claims Provider Trust]

Step - 3 Import Data About the Claims Provider

[Screenshot: Claims Provider Trust Wizard]

Select "Import data about the claims provider published online or on a local network".

Enter your metadata URL which was provided during the provisioning of your account. For this example we are using https://trulab.gateway.trusona.net/saml/metadata where trulab represents the handle used to identify your instance.

For provisioning, contact integration@trusona.com.

Step - 4 Specify Display Name as "Trusona"

[Screenshot: Enter Trusona]

Complete the wizard with the remaining default values. ADFS should configure itself from the metadata document.

Step - 5 Open PowerShell to Complete Configuration

Configure ADFS to enable the IdP-initiated SAML flow. Enter:

Set-AdfsProperties -EnableIdpInitiatedSignonPage 1

Configure ADFS to send the ConsumerAssertionUrl in the AuthnRequest; the Trusona Gateway requires it. The Identifier is always the same and is populated from the metadata document.

Get-AdfsClaimsProviderTrust -Identifier 'https://gateway.trusona.net/saml/metadata' | Set-AdfsClaimsProviderTrust -SamlAuthenticationRequestParameters Url
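The same configuration done entirely from PowerShell on the primary ADFS server, as an added example that is not part of this guide: it creates the claims provider trust from the metadata URL (Steps 3 and 4), applies the two settings from Step 5, and then reads the result back so you can confirm the sign-on page flag, the request parameter and the token-signing certificate ADFS imported. The handle trulab, the trust name Trusona and the Identifier value come from the guide; treating the handle as a variable is an assumption of this example.

```powershell
# Added example (not from the Trusona guide): performs Steps 3-5 from PowerShell on the
# primary ADFS server, then verifies the result. Assumptions: the instance handle
# 'trulab' stands in for your own handle, and the Identifier below is the constant
# value the guide says is populated from the metadata document.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Import-Module ADFS

$handle      = 'trulab'                                      # your Trusona instance handle (assumed)
$metadataUrl = "https://$handle.gateway.trusona.net/saml/metadata"
$identifier  = 'https://gateway.trusona.net/saml/metadata'   # constant per the guide
$trustName   = 'Trusona'

# Steps 3 and 4: create the claims provider trust from the published metadata.
# AutoUpdate keeps the token-signing certificate current when Trusona rotates it;
# Monitoring makes ADFS report when the metadata document changes.
if (-not (Get-AdfsClaimsProviderTrust -Name $trustName -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimsProviderTrust -Name $trustName -MetadataUrl $metadataUrl -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Step 5a: enable the IdP-initiated sign-on page.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

# Step 5b: include the assertion consumer URL in the AuthnRequest sent to Trusona.
Set-AdfsClaimsProviderTrust -TargetIdentifier $identifier -SamlAuthenticationRequestParameters Url

# Verification: confirm each setting took effect and show the signing certificate
# ADFS imported, which is the certificate it will trust for Trusona assertions.
$trust = Get-AdfsClaimsProviderTrust -Identifier $identifier
[pscustomobject]@{
    IdpInitiatedSignon = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
    RequestParameters  = $trust.SamlAuthenticationRequestParameters
    Identifier         = $trust.Identifier
    SigningCertThumb   = $trust.TokenSigningCertificates | ForEach-Object Thumbprint
}
```

Run it once from an elevated PowerShell session on the primary federation server. The thumbprint it prints is the signing certificate ADFS will accept on assertions from Trusona; record it so that a later unexpected change is noticed rather than silently picked up by auto-update.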

You may want to configure ADFS to resolve attributes from Active Directory for users authenticating with Trusona. If your upstream SPs require information from Active Directory, such as group membership, complete the section below.

Before doing so, ensure the following requirements are met.

  • TruGateway is configured to resolve an email address against a configured set of domains.
  • Email addresses are stored in Active Directory in the E-mail field.

Step - 1 Edit Claim Rules

[Screenshot: Edit Claim Rules]

In the ADFS Management console, right-click the Trusona Claims Provider Trust and select Edit Claim Rules.

Step - 2 Create Rule "Pass All Trusona Claims"

[Screenshot: Edit Rule]

Create a new rule using the Send Claims Using a Custom Rule template and title it "Pass all Trusona claims":

c:[]
 => issue(claim = c);

Step - 3 Create Rule "Resolve AD Attributes"

[Screenshot: Resolve AD Attributes]

Create a new rule using the Send Claims Using a Custom Rule template and title it "Resolve AD attributes":

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = "mail={0};userPrincipalName,sAMAccountName,tokenGroups;LAB\adfs_sa",
          param = c.Value);

In the query section, replace LAB in LAB\adfs_sa with the name of your domain. In our example, LAB is the name of our domain. Since we are querying against Active Directory, the username part needs to be present, but it does not have to be a valid account or exist in Active Directory. This may not be the case if you were querying against a different LDAP store.

This rule does the following:

1. Gets the Subject Name ID from the incoming assertion where the Name ID format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

2. Issues claims from the Active Directory fields userPrincipalName, sAMAccountName and tokenGroups, setting the values on the corresponding claim types in order.
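The two rules from Steps 2 and 3 installed from PowerShell rather than the console, as an added example that is not part of this guide. It sets both rules as the trust's acceptance transform rules in one call and reads them back to confirm they were stored. The trust name Trusona, the rule names and the LAB domain are the guide's; putting the domain in a variable is an assumption of this example.

```powershell
# Added example (not from the Trusona guide): installs the two acceptance transform
# rules from Steps 2-3 on the Trusona claims provider trust using PowerShell instead
# of the management console, then reads them back. Assumptions: the trust is named
# 'Trusona' and the domain NetBIOS name is LAB, as in the guide's example.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Import-Module ADFS

$trustName = 'Trusona'
$domain    = 'LAB'      # replace with your domain's NetBIOS name (assumed)

# Both rules in claim rule language. The account after the second ';' only needs a
# valid domain part when the store is Active Directory (per the guide).
$rules = @"
@RuleName = "Pass all Trusona claims"
c:[]
 => issue(claim = c);

@RuleName = "Resolve AD attributes"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = "mail={0};userPrincipalName,sAMAccountName,tokenGroups;$domain\adfs_sa",
          param = c.Value);
"@

# This replaces any rules already on the trust, so merge existing custom rules into $rules first.
Set-AdfsClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $rules

# Read back what ADFS stored and confirm both rule names are present.
$stored = (Get-AdfsClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
$stored
foreach ($name in 'Pass all Trusona claims', 'Resolve AD attributes') {
    if ($stored -notmatch [regex]::Escape($name)) {
        throw "Rule '$name' was not stored on trust '$trustName'."
    }
}
```

Set-AdfsClaimsProviderTrust -AcceptanceTransformRules replaces the whole rule set, which is why the example carries both rules in one string. Note that the pass-all rule forwards every claim in the Trusona assertion without filtering; the UPN, Windows account name and group claims that downstream SPs should base decisions on are the ones the second rule resolves from your own Active Directory.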

More information about the ADFS rule syntax is available at https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/technical-reference/the-role-of-the-claim-rule-language

ADFS will now populate the following claims upon receiving an assertion from Trusona. They can be used to resolve additional information from other systems or passed on as part of another assertion.

  • Windows account name
  • Groups (all AD groups, nested membership included, as attribute values)
  • UPN

This was tested using the AWS Management Console as the SP as part of an IdP-initiated flow.

For information on configuring AWS IAM and ADFS please see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html

Daniel Fischpan