In order to be able to use ADFS as a SAML provider, you need to register a relying party at the ADFS instance. On the ADFS server open the AD FS Management and add a relying party trust.
Preparations
Make sure IS is running and the certificate used for SAML is installed. Otherwise, the FederationMetadata import won't work.
Set the ACL for the ADFS certificate to give full access to the "IIS APPPOOL\FireStart AppPool".
Keep the default settings and click Next until the wizard is finished. Upon completion, you will be asked to add Claim Rules. Add the basic properties as claim. To use the AD search provider, you also need to pass through the SID of the AD user as name ID.
Adaption for companies with users in many groups (causing a header too long error)
INSTEAD of passing the Token-Groups as SIDs you can also add a Custom Rule which adds a static Claim:
This will then trigger a resolve of groups at login time, even if they are not present in the AuthTicket → DO NOT USE BOTH
Configure IdentityServer
In the appsettings.json the SAML provider and the AD search provider need to be enabled, all other (search) providers need to be disabled.
Provider Settings
- Scheme: the scheme name
- EntityId: identifier registered at the SAML Provider for the relying party (preferrably, use https://<your-server> as this needs to be unique on the ADFS)
- SamlCert: certificate used for SAML Tokens
- PartnerIdentityProviderMetadataEndpoint: metadata endpoint of the SAML provider
Search Provider Settings
The search provider settings for Active Directory are the same as described in Using Windows & Active Directory. Make sure you use the Active Directory configured with ADFS and the scheme you selected for SAML.
JSON
|
{ |
© 2020 FireStart GmbH. All rights reserved.