ADFS Authentication

You can also use ADFS authentication in Director Console. ADFS (Active Directory Federation Services) allows single sign-on (SSO) authentication for Director Console based on your local Active Directory login.

Note

  • You must have a unique email address assigned to your ADFS account to use the ADFS service. The SAM Account Name must also be unique for each user.

  • When you change a user's role for LDAP or ADFS authentication on the respective directory server, the new role only takes effect from the next login.

Configuring ADFS in Director Console

  1. Log in as the root user.

  2. Go to Authentication >> ADFS.

    Figure: ADFS Configuration

  3. In the ADFS Configuration section, enter the Application Host URL, the Active Directory Federation Services URL, and the Trust Identifier.

    Note

    We recommend you use the name of the server that is used to generate the token-signing certificate, as the name of the Trust Identifier. It is a unique identifier for the Relying Party Trust added to the ADFS server.

  4. Upload the Certificate pair and the ADFS token-signing certificate.

    Note

    You can obtain the ADFS token-signing certificate from the AD FS Server. The ADFS token-signing certificate must have a .cer extension.

    Refer to the Generating AD FS Certificate section for details.

  5. Click Update to save the settings.

    Figure: Updated ADFS Configuration Page

  6. Click View Metadata to view the metadata used to configure Relying Party Trusts.

Configuring the Director Console in the AD FS Server

Generating AD FS Certificate

  1. Open Server Manager in your Windows machine.

    Figure: Server Manager

  2. Click Tools and select AD FS Management. It opens up the AD FS management console.

    Figure: AD FS Management Console

  3. Expand Service and select Certificates.

  4. Select the Token-Signing certificate from the list of certificates.

    Figure: Token-Signing Certificate

  5. Go to the Details section of the Certificates tab.

    Figure: Certificate Wizard

  6. Click Copy to File. It opens up the Certificate Export Wizard.

    Figure: Certificate Export Wizard

  7. Click Next.

  8. Select the Base-64 encoded X.509 (.CER) format.

    Figure: Certificate Export Wizard (export file format)

  9. Click Next.

  10. Enter a File name and click Next.

  11. Click Browse to select a location to save the file.

    Figure: Saving the File

  12. Click Finish to complete the export.

    Figure: Finishing the Export

Adding the Director Console in the AD FS Server

  1. Open the AD FS Management console.

  2. In AD FS >> Relying Party Trusts, right-click and select Add Relying Party Trust.

    Figure: Adding Relying Party Trusts

  3. Click Start on the welcome page of the Add Relying Party Trust Wizard.

    Figure: Click Start

  4. On the Select Data Source page, select the Import data about the relying party from a file option.

    Figure: Selecting the Data Source

  5. Import the previously created XML file and click Next.

  6. Enter the Display Name for the application on the Specify Display Name page.

    Figure: Display Name

  7. Click Next.

  8. Select an access control policy under Choose an access control policy.

    Figure: Choosing an Access Control Policy

  9. Click Next. This action takes you to the Ready to Add Trust page.

  10. Click Next on the Ready to Add Trust page.

  11. Select the Configure claims issuance policy for this application option on the Finish page.

    Figure: Finishing the Process

  12. Click Close.

Adding Claim Rules for the Director Console in the AD FS Server

  1. After you have successfully added a Relying Party Trust, click the Edit Claim Issuance Policy option. It opens up the Edit Claim Issuance Policy for Application tab.

    Figure: Editing Claim Issuance Policy

  2. Click Add Rule. It opens up the Add Transform Claim Rule Wizard.

    Figure: Adding a New Rule

  3. Click Next.

    Figure: Selecting a Rule Template (Send LDAP Attributes as Claims)

  4. In the Configure Rule page:

    4.1. Enter a Claim rule name.

    4.2. Select Active Directory as the Attribute store.

    4.3. In the Mapping of LDAP attributes to outgoing claim types table, map the following:

    4.3.1. Select User-Principal-Name as an LDAP Attribute and UPN as an Outgoing Claim Type.

    4.3.2. Select User-Principal-Name as an LDAP Attribute and UID as an Outgoing Claim Type.

    4.3.3. Select Is-Member-Of-DL as an LDAP Attribute and Group as an Outgoing Claim Type.

    Figure: Configuring Claim Rule (UPN mapping)

  5. Click Finish. This action redirects you to the Edit Claim Issuance Policy for Application tab.

  6. Click Add Rule. It opens up the Add Transform Claim Rule Wizard.

  7. Click Next with the default Claim rule template.

  8. In the Configure Rule page:

    8.1. Enter a Claim rule name.

    8.2. Select Active Directory as the Attribute Store.

    8.3. In the Mapping of LDAP attributes to outgoing claim types table, select E-Mail-Addresses as an LDAP Attribute and E-Mail Address as an Outgoing Claim Type.

    Figure: Configuring Claim Rule (e-mail mapping)

  9. Click Finish. This action redirects you to the Edit Claim Issuance Policy for Application tab once again.

  10. Click Add Rule. It opens up the Add Transform Claim Rule Wizard. Select Transform an Incoming Claim as the Claim rule template.

    Figure: Selecting a Rule Template (Transform an Incoming Claim)

  11. Click Next.

  12. In the Configure Rule page:

    12.1. Enter a Claim rule name.

    12.2. Select E-Mail Address as the Incoming claim type.

    12.3. Select Name ID as the Outgoing claim type.

    12.4. Select Email as the Outgoing name ID format.

    12.5. Select Pass through all claim values.

    Figure: Configuring Claim Rules

  13. Click Apply.

    Figure: Edit Claim Issuance Policy for adfs-dc Tab
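The AD FS side of this setup (exporting the token-signing certificate in Base-64 encoded X.509 .cer format, importing the file from View Metadata as a Relying Party Trust, and the three claim rules from steps 4, 8 and 12 above) can be scripted with the AD FS PowerShell module. This is an added example, not the vendor's own script: the file paths, the trust and rule names, the access control policy and the UID claim type URI (which this page does not state) are assumptions.

```powershell
# Added example (not from the Director Console documentation). Run in an elevated
# PowerShell session on the AD FS server. Paths, names and the UID claim URI are assumed.
Import-Module ADFS

# 1. Export the primary token-signing certificate as Base-64 encoded X.509 (.cer),
#    the format Director Console expects to be uploaded. 64-character lines match
#    the output of the Certificate Export Wizard.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64     = ([Convert]::ToBase64String($der) -replace '(.{64})', "`$1`r`n").TrimEnd()
$pem     = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path 'C:\adfs\token-signing.cer' -Value $pem -Encoding Ascii
# Compare this thumbprint with the one shown under Service > Certificates before uploading.
"Token-signing thumbprint: $($signing.Thumbprint)"

# 2. Create the Relying Party Trust from the metadata exported with View Metadata
#    in Director Console (assumed to be saved as the file below).
Add-AdfsRelyingPartyTrust -Name 'Director Console' `
    -MetadataFile 'C:\adfs\director-console-metadata.xml' `
    -AccessControlPolicyName 'Permit everyone'   # assumed; choose the policy your site requires

# 3. Claim rules equivalent to the three GUI rules, in AD FS claim rule language.
#    PLACEHOLDER: the page names a "UID" outgoing claim type but not its URI.
$uidType = 'urn:placeholder:director-console:uid'
$rules = @"
@RuleName = "Director Console LDAP attributes (UPN, UID, Group)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "$uidType", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,userPrincipalName,memberOf;{0}", param = c.Value);

@RuleName = "Director Console E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "E-Mail Address to Name ID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@
Set-AdfsRelyingPartyTrust -TargetName 'Director Console' -IssuanceTransformRules $rules
```

Because Director Console keys users on the e-mail address (see the Note at the top of this page), the Name ID rule only behaves correctly when the mail attribute is populated and unique for every account that will sign in.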

Logging in using ADFS Credentials

  1. Enter the IP address of the API Server in a web browser.

  2. Select ADFS Sign In from the login page.

    Figure: ADFS Login Page

  3. Enter your Username and Password.

  4. Click Sign in.
