Active Directory Federation Services (AD FS)
The AD FS setup is separated into two parts. Firstly the steps that need to be performed on ISL Conference Proxy (ICP) are shown, followed by the steps that need to be performed in the AD FS system. Please refer to the relevant part:
- Setup - ISL Conference Proxy
- Setup - AD FS
- Sign In - Web
- Sign In - Application
Setup - ISL Conference Proxy
Generate Service Provider (ICP) key-pair (public certificate file and private key). This keys will be used when Service Provider (ICP) communicates with Identity Provider (AD FS). The simplest way of generating the key par is using the openssl tool and issuing the commands bellow. In the second command replace the isl.example.com with your server address
openssl genrsa -out sso_saml_sp.key -aes128 2048 openssl req -x509 -key sso_saml_sp.key -out sso_saml_sp.cert -days 3650 -subj "/CN=isl.example.com"
Obtain Identity Provider metadata XML and save it to XML file (e.g. sso_saml_idp.xml). For AD FS the metadata file can be accessed via an endpoint on your AD FS server (as described here: Configuring ADFS as an identity provider - step 2). The endpoint for file download should look something like: https://<your_adfs_server>/FederationMetadata/2007-06/FederationMetadata.xml
Important: Replacing Identity Provider metadata XML file on your ISL Conference Proxy requires restart of module apps. Navigate to “ISL Conference Proxy web administration" -> "Activity monitor" -> "Servers", select each server and click "Restart module apps" one by one.
Upload the key-pair (from Step 1) and metadata XML (from Step 2) to ICP Private File storage. You can access Private File storage by opening “ISL Conference Proxy web administration" -> "Configuration" -> "Advanced" -> "File storage" -> "Private”.
Configure ICP to use the uploaded files in Step 3 for SAML communication. Settings are found under "Configuration" -> "Security". To access files placed in Private storage you have to append "objects/" before the filename.
Important: For the "SAML service provider PEM key file passphrase" enter the passphrase you entered when generating key-pair in Step 1.
Step 5 (Optional)
Enable additional logs in Core Login module for easier debugging. Under "Configuration" -> "Logs" set the following settings to log anything with severity greater than 6 (info):
- Log subsystem [Core Login] Application web login severity report level:
- Log subsystem [Core Login] Login dialog severity report level:
- Log subsystem [Core Login] Single sign-on: SAML severity report level:
Create an additional domain for Single sign-on users. New domain can be created under "User management" -> "Domains", process is further described in this topic: Domains. In this example we created a Domain "sso".
Set SAML login setting rules under "Configuration" -> "Security". This settings specify how credentials obtained via SAML are mapped to ICP credentials and settings. An example configuration looks like this:
[ ["key", "domain", "sso"] ,["key-from-attr", "username", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] ,["key", "user_profile::password", "0"] ,["key-from-attr", "realname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] ,["key", "user_profile::name", "0"] ,["key-from-attr", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] ,["key", "user_profile::email", "0"] ,["groups-from-attr", "http://schemas.xmlsoap.org/claims/Group"] ]
Settings are described in depth in the following topic: Security
As the final step in ICP enable Single Sign On under "Configuration" -> "Security" to force the logins to be redirected to the Identity Provider and thus enable the Single Sign On functionality.
Setup - AD FS
Step 1 (Adding Relying Party Trust)
Open AD FS management console and click on "Add Relying Party Trust".
Select Claims aware click "Start".
Select how the metadata of Data Source (ICP) should be imported. ICP's metadata file is available at the following address: https://<your-icp-server-address>/sso/saml/sp/metadata.xml. You can download the file from ICP and upload it to AD FS or provide the url to the AD FS.
Note: If you wish to provide the url to AD FS you need to have SSL connections configured correctly on your ICP, since AD FS only supports encrypted (https) connection when obtaining the metadata file. Steps on how to enable SSL for ICP webpages are shown in this topic: Web Pages.
Enter the display name of the relying party.
Choose the access control policy. For the basic setup select "Permit everyone", allowing anybody that has credentials in the Active Directory to log in.
Review the information you entered then click "Next" to add the Relying Party Trust.
Relying Party Trust is now added and you can move on to configuring it.
Step 1 (Edit Claim Issuance Policy)
With Relying Party Trust added (and selected - in gray), click on "Edit Claim Issuance Policy" to configure which claims (parameters) will be sent to ICP when user logs in. We will add two rules, one will be responsible for sending name, username and email address and the other rule will send the information in which group the user is present.
Click on "Add Rule".
Select "Send LDAP Attributes as Claims" and click "Next".
Select the LDAP attribute on the left that you wish to send over as a claim to ICP. For ICP select User-Pricipal-Name, Display-Name and E-Mail-Adresses and send them over as UPN, Name and E-Mail Address claims.
Step 5 (Optional - Group membership)
Click on "Add Rule" again, to configure sending the group membership as a claim over to ICP. Sending of the groups is optional and you can skip this steps.
Step 6 (Optional - Group membership)
For Claim rule template select "Send Group Membership as a Claim" then click "Next".
Step 7 (Optional - Group membership)
Select the group for which you wish to send membership information, in our case the group is islGroup. Then click "Finish".
Note: Group membership sent as a claim only specifies if a user is a member of a group for which you created the rule - e.g. is user member of islGroup group. This means that you will have to repeat Steps 5 - 7 for each group for which you wish to send membership information.
Click "OK" when you have configured all the rules.
Sign In - Web
Click "Login" on the ICP web page. If the setup was successful you will be redirected to the Single Sign On page.
Note: Redirection behavior can be different depending on your browser. In Microsoft edge you will not be redirected, rather the browser will display a pop-up window where you will enter your AD FS credentials.
Enter your AD FS credentials and click "Sign in". You will be redirected back to ICP if login succeeds.
You are now logged in and can use all the functionalities of ICP normally. Note that the user is a part of the sso (\\sso\) domain we created during the setup.
Sign In - Application
Login procedure for ISL Online applications differs with Single Sign On as well. Username and password prompt is removed only thing left is the "Login" button.
AD FS login will open in your browser window. If login succeeds you will be redirected back to the application.
Step 3 - Browser
Enter your AD FS credentials and click "Sign in". You will be redirected back to application if login succeeds.
Note: If the token received from AD FS is still active in your default browser you won't have to enter your AD FS credentials again.
Step 3 - ISL Conference Proxy
Click on "Grant Access" and you will be logged in and redirected back to the application.
You are now logged in and can use the application normally.