How to connect Safewhere Identify to AD FS 2.0

The following article describes how to connect Safewhere Identify to AD FS 2.0, with Identify acting as the service provider (relying party) and AD FS as the identity provider. It is recommended that you read the following documents before starting:

  • The Saml2Wif installation guideline: pay special attention to all the PowerShell information in that document.
  • Microsoft's AD FS 2.0 installation guideline.

SAML2.0 protocol

The following example assumes that identify1 (identify1.safewhere.local) is a SP for AD FS (fed.safewhere.local) using the SAML 2.0 protocol.

ADFS Configuration

  1. Using AD FS Management, add a Relying Party Trust and import the relying party data from Identify's SAML 2.0 metadata URL: https://identify1.safewhere.local/runtime/saml2auth/metadata.idp
  2. Create the claim rules described in the Claim settings section below.
  3. Set the Secure Hash Algorithm that AD FS 2.0 signs tokens with: right-click the relying party trust > Properties > Advanced tab > in the Secure hash algorithm list, select SHA-256 (or SHA-1 only if Identify has been configured to require it) and click OK. (From AD FS 3.0 onwards the default is already SHA-256, so you can skip this step.)
  4. If Identify uses self-signed certificates, use Windows PowerShell to disable the certificate revocation check on the relying party trust; a self-signed certificate has no CRL or OCSP endpoint, so the check can never succeed. Do this only in a test environment and keep revocation checking enabled in production. (Depending on the AD FS version, the first command, which loads the AD FS 2.0 PowerShell snap-in, may throw an exception because later versions load the cmdlets as a module instead; ignore it and continue with the remaining commands.)

Identify Configuration

  1. Go to the Connections tab and create a SAML 2.0 authentication connection:
  • Check Enable.
  • If you don't want to map the login to the Identify user store, check Do not map logins to user store.
  • Select an Identity-bearing name and save.
  2. Go back to the connection list, open the upload metadata form and point it to https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml

WS-Federation protocol

The following example assumes that identify1 (identify1.safewhere.local) is a SP for AD FS (fed.safewhere.local) using the WS-Federation protocol.

ADFS Configuration

  1. Using AD FS Management, add a Relying Party Trust and import the relying party data from Identify's WS-Federation metadata URL: https://identify1.safewhere.local/runtime/wsfedauth/metadata.idp
  2. Create the claim rules described in the Claim settings section below.
  3. Set the Secure Hash Algorithm that AD FS 2.0 signs tokens with: right-click the relying party trust > Properties > Advanced tab > in the Secure hash algorithm list, select SHA-256 (or SHA-1 only if Identify has been configured to require it) and click OK. (From AD FS 3.0 onwards the default is already SHA-256, so you can skip this step.)
  4. If Identify uses self-signed certificates, use Windows PowerShell to disable the certificate revocation check on the relying party trust, as in the SAML 2.0 section above. Do this only in a test environment and keep revocation checking enabled in production. (Depending on the AD FS version, the first command, which loads the AD FS 2.0 PowerShell snap-in, may throw an exception; ignore it and continue with the remaining commands.)
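The AD FS configuration steps of both the SAML 2.0 and the WS-Federation sections (steps 1, 3 and 4; the claim rules of step 2 are handled under Claim settings), done with Windows PowerShell on the AD FS server instead of the AD FS Management console. This is an added example and is not code from the Safewhere article or product. It assumes the host names used in the article, that the trust is named "identify1" (a name chosen here), and that the script runs as an AD FS administrator. The cmdlets and parameters are the standard AD FS ones (Add-AdfsRelyingPartyTrust, Set-AdfsRelyingPartyTrust, Get-AdfsRelyingPartyTrust).

```powershell
# Added example, not from the Safewhere article: configure the AD FS side of the
# trust with PowerShell. Run on the AD FS server as an AD FS administrator.
param(
    [ValidateSet("SAML2", "WSFed")]
    [string]$Protocol = "SAML2",
    [string]$TrustName = "identify1",      # trust name chosen for this example
    # Only pass this in a lab where Identify uses a self-signed certificate.
    [switch]$SelfSignedLab
)

# AD FS 2.0 exposes its cmdlets through a snap-in; AD FS 3.0 and later expose the
# same cmdlets through the auto-loaded ADFS module, where Add-PSSnapin throws.
# Checking for the cmdlet first avoids the exception the article says to ignore.
if (-not (Get-Command Add-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# Step 1: metadata endpoint published by Identify for the chosen protocol
# (URLs as given in the article).
$metadataUrl = switch ($Protocol) {
    "SAML2" { "https://identify1.safewhere.local/runtime/saml2auth/metadata.idp" }
    "WSFed" { "https://identify1.safewhere.local/runtime/wsfedauth/metadata.idp" }
}

if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    # AD FS reads identifiers, endpoints and the SP's signing/encryption
    # certificates from the metadata. Monitoring plus auto-update keeps the trust
    # in sync, so a certificate rollover on the Identify side does not break sign-in.
    Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Step 3: sign tokens for this trust with RSA-SHA256. AD FS 2.0 defaults to
# RSA-SHA1; AD FS 3.0+ already defaults to SHA-256, where this is a no-op.
$rsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
Set-AdfsRelyingPartyTrust -TargetName $TrustName -SignatureAlgorithm $rsaSha256

# Step 4: revocation checking of the SP's signing and encryption certificates.
# A self-signed certificate has no CRL/OCSP endpoint, so the check always fails
# and AD FS rejects signed requests from Identify. Disable it only for such a
# lab; in production keep the default chain check so a revoked SP certificate
# is actually refused.
if ($SelfSignedLab) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName `
        -SigningCertificateRevocationCheck None `
        -EncryptionCertificateRevocationCheck None
}

# Show the resulting trust so the values can be checked against the article.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```

Run it once per protocol you need (`.\Configure-IdentifyTrust.ps1 -Protocol WSFed` for the WS-Federation trust), giving each trust its own `-TrustName`. The `-SelfSignedLab` switch is deliberately opt-in so the revocation check is never disabled by default.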

Identify Configuration

  1. Go to the Connections tab and create a WS-Federation authentication connection:
  • Check Enable.
  • If you don't want to map the login to the Identify user store, check Do not map logins to user store.
  • Select an Identity-bearing name and save.
  2. Go back to the connection list, open the upload metadata form and point it to https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml

Claim settings

The following is the minimal set of claims that AD FS 2.0 needs to issue to the Identify SP. Note the rule template used for each claim rule:

  • A Name claim
  • A UPN claim
  • A NameID claim, transformed from the UPN claim

[Screenshots of the AD FS claim rule editor: edit-claim-rule-idp, edit-rule-name-rule, edit-rule-upn, edit-rule-nameid]
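The three claim rules listed above, written in the AD FS claim rule language and applied to the relying party trust with PowerShell, as an added example that is not part of the Safewhere article. It assumes the trust is named "identify1", that the Name claim is sourced from the Active Directory displayName attribute, and that the rule templates are "Send LDAP Attributes as Claims" (LdapClaims) for the Name and UPN claims and "Transform an Incoming Claim" (MapClaims) for the NameID; the article's screenshots are not reproduced here, so those template choices and the unspecified NameID format are assumptions.

```powershell
# Added example, not from the Safewhere article: issue Name, UPN and NameID
# claims to the Identify relying party trust. Run on the AD FS server.
$TrustName = "identify1"    # trust name assumed for this example

# Load the AD FS 2.0 snap-in only when the cmdlets are not already available
# (AD FS 3.0+ auto-loads them as the ADFS module).
if (-not (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

$name   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$upn    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$nameId = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$format = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

# Rule 1 (Name and UPN): look up displayName and userPrincipalName of the
# authenticated Windows account in AD and issue them as the two claims.
# Rule 2 (NameID): copy the UPN claim into a NameID claim. The format property
# selects the SAML NameID format AD FS puts in the assertion; "unspecified" is an
# assumption here, change it if Identify expects another format.
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Name and UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$name", "$upn"), query = ";displayName,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID from UPN"
c:[Type == "$upn"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

# A relying party trust with no issuance authorization rule denies every user,
# so permit all authenticated users here. In production, restrict this to a
# group claim instead of "permit everyone".
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Verify: print the rule set AD FS stored for the trust; it should contain
# exactly the name, upn and nameidentifier claim types used above.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

Note that `-IssuanceTransformRules` replaces the whole rule set of the trust; to add to rules created in the GUI, read the existing value from `Get-AdfsRelyingPartyTrust` first and append to it.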