Configuring ADFS 3.0 to Communicate with SAML 2.0
Kumolus allows the use of SAML 2.0 single sign-on (SSO) integration with Microsoft Active Directory Federation Services (ADFS) 3.0.
General ADFS Setup
The following procedure uses ADFS 3.0 and your.kumolus.com as the ADFS website. You will need to replace this with your website address.
- Log into the ADFS server and open the Management Console.
- Right click Service and choose Edit Federation Service Properties.
- Confirm that the General settings match your DNS entries and certificate names.
- Browse to the certificates and export the Token Signing certificate.
a. Right click the certificate and select View Certificate.
b. Select the Details tab.
c. Click Copy to File.
The Certificate Export Wizard launches.
d. Select Next.
e. Ensure No, do not export the private key is selected, and then click Next.
f. Select DER encoded binary X.509 (.cer), and then click Next.
g. Select where you want to save the file and give it a name. Click Next.
h. Select Finish.
- Use the DER/Binary certificate we just created and export it to Standard CRT format.
- Login to the Kumolus Marketplace
Click the Settings menu and Select Appliance
- Enter your
|Login URL||Your ADFS Login URL|
|Logout URL||Your ADFS Login URL|
ADFS Relying Party Configuration
Follow the follow procedure to configure the relying party;
- Open the ADFS Management console and select Relying Party Trusts.
- Select Add Relying Party Trust… from the top right corner of the window.
- The add wizard appears.
- Click Start to begin.
- Give it a display name such as Kumolus and enter any notes you want.
- Select ADFS 3.0 Profile.
- Do not select a token encryption certificate.
- It will use the certificate that is defined on the service that has already been exported. Defining a certificate here will prevent proper communication with Kumolus. Do not enable any settings on the Configure URL. Enter the Kumolus Web site to which you connected as the Relying Party trust identifier. In this case use https://your-ami-ip/ and click Add. Permit all users to access this relying party.
- Click Next and clear the Open the Claims when this finishes check box.
- Close this page.
- The new relying party trust appears in the window.
- Right-click on the relying party trust and select Properties.
- Browse to the Advanced tab and set the Secure hash algorithm to SHA-1.
- Browse to the Endpoints tab and add a SAML Assertion Consumer with a Post binding and a URL of https://your-ami-ip/saml/acs.
ADFS Relying Party Claim Rules
Edit the Claim rules to enable proper communication with Kumolus (i.e. Role, Name and Email Address being provided to Kumolus).
- Right-click on the relying party trust and select Edit Claim Rules.
- On the Issuance Transform Rules tab select Add Rules. We will create two roles.
* **Role 1** * Select **Send LDAP Attribute as Claims** as the claim rule template to use. * Give the claim a name such as **Get Attributes**. * Set the Attribute Store to **Active Directory**, * Setup the follow LDAP Attributes with their Outgoing Claim Type.
|LDAP Attribute||Outgoing Claim Type|
|Token-Group - Unqualified Names||Role|
- Role 2
- Select Add Rule….
- Select Transform an Incoming Claim as the claim rule template to use.
- Give it a name such as Email to Name ID.
- Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1. The Outgoing claim type is Name ID (this is requested in Kumolus policy urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and the Outgoing name ID format is Email. Pass through all claim values and click Finish.
- Select Finish.
Logging into ADFS
- Open Your Browser and browse to https://your.samlportal.com/adfs/ls/idpinitiatedsignon.aspx or login at https://your-ami-ip/login/ and Click SAML login
- This opens a generic page with a drop down list of all Relying Party Trusts configured. Select the one you want to log in to and click on Continue to Sign In. This only work if you have enabled SSO on the Kumolus web page. If it is configured properly, you are logged in.