How to connect Safewhere Identify to AD FS provider
The following article describes how to connect Safewhere Identify to an AD FS identity provider, first with SAML2.0 and then with WS-Federation. It is recommended that you read the following document before starting:
- Microsoft's AD FS installation guideline.
SAML2.0
In the following example, identify1 (identify1.safewhere.local) is a service provider for AD FS (fed.safewhere.local) using the SAML2.0 protocol.
AD FS configuration
- In AD FS Management, create a Relying Party Trust: choose Add Relying Party Trust and import the data from the SAML2.0 metadata URL of Identify:
https://identify1.safewhere.local/runtime/saml2auth/metadata.idp
- Create the claim rules listed in the Claim settings section.
- Set the Secure Hash Algorithm used to sign tokens for this trust: right-click the Relying Party Trust > Properties > Advanced tab, select SHA-256 in the Secure hash algorithm list, and click OK. SHA-1 is only offered for legacy partners that cannot verify SHA-256 signatures and should not be chosen for new setups. (On AD FS 3.0 and later the default is already SHA-256, so this step can be skipped.)
- Use Windows PowerShell to disable the certificate revocation check when Identify uses self-signed certificates. Self-signed certificates carry no CRL or OCSP information, so the check can only fail; keep the default check when the certificates are issued by a CA. The last command additionally requires SAML authentication requests from Identify to be signed. Depending on the AD FS version, the first command may throw an exception because the cmdlets are already loaded from the ADFS module; ignore it and continue with the other commands.
# Needed on AD FS 2.0 only; AD FS 2.1 and later auto-load the ADFS module
Add-PSSnapin Microsoft.ADFS.PowerShell
# Do not check revocation of the SP's signing and encryption certificates (self-signed lab certificates)
Set-AdfsRelyingPartyTrust -TargetName "SP_Name" -SigningCertificateRevocationCheck None
Set-AdfsRelyingPartyTrust -TargetName "SP_Name" -EncryptionCertificateRevocationCheck None
# Reject unsigned SAML AuthnRequests from the SP
Set-AdfsRelyingPartyTrust -TargetName "SP_Name" -SignedSamlRequestsRequired $True
Identify configuration
Go to Safewhere Admin to create a SAML2.0 identity provider:
- If you do not want to map the login to the Identify user store, check Do not map logins to user store.
- Select an Identity bearing name.
- Enter https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml in the Metadata field and save.
WS-Federation
In the following example, identify1 (identify1.safewhere.local) is a service provider for AD FS (fed.safewhere.local) using the WS-Federation protocol.
AD FS Configuration
- In AD FS Management, create a Relying Party Trust: choose Add Relying Party Trust and import the data from the WS-Federation metadata URL of Identify:
https://identify1.safewhere.local/runtime/wsfedauth/metadata.idp
- Create the claim rules listed in the Claim settings section.
- Set the Secure Hash Algorithm used to sign tokens for this trust: right-click the Relying Party Trust > Properties > Advanced tab, select SHA-256 in the Secure hash algorithm list, and click OK. SHA-1 is only offered for legacy partners that cannot verify SHA-256 signatures and should not be chosen for new setups. (On AD FS 3.0 and later the default is already SHA-256, so this step can be skipped.)
- Use Windows PowerShell to disable the certificate revocation check when Identify uses self-signed certificates. Self-signed certificates carry no CRL or OCSP information, so the check can only fail; keep the default check when the certificates are issued by a CA. Depending on the AD FS version, the first command may throw an exception because the cmdlets are already loaded from the ADFS module; ignore it and continue with the other commands.
# Needed on AD FS 2.0 only; AD FS 2.1 and later auto-load the ADFS module
Add-PSSnapin Microsoft.ADFS.PowerShell
# Do not check revocation of the SP's signing and encryption certificates (self-signed lab certificates)
Set-AdfsRelyingPartyTrust -TargetName "SP_Name" -SigningCertificateRevocationCheck None
Set-AdfsRelyingPartyTrust -TargetName "SP_Name" -EncryptionCertificateRevocationCheck None
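The AD FS configuration steps of both the SAML2.0 and the WS-Federation sections (create the trust from Identify's metadata URL, set SHA-256, relax revocation checking only for self-signed certificates, and for SAML require signed requests) can be done in one script. The following is an added example and not part of the Safewhere article or product; it uses the article's lab host names and its "SP_Name" placeholder, and it assumes you want AD FS to monitor and auto-update the trust from the metadata URL. Run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the Safewhere article). Creates or updates the
# Identify relying party trust in AD FS for either protocol.
param(
    [ValidateSet('SAML2', 'WSFed')]
    [string]$Protocol = 'SAML2',
    [string]$TrustName = 'SP_Name',                          # article's placeholder
    [string]$IdentifyHost = 'identify1.safewhere.local',     # article's lab host
    # Only pass this when Identify uses self-signed certificates.
    [switch]$SelfSignedCertificates
)

# AD FS 2.0 (Windows Server 2008 R2) ships the cmdlets as a snap-in; later
# versions ship them in the auto-loaded ADFS module, where Add-PSSnapin fails.
if (-not (Get-Command Add-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction Stop
}

# Metadata URL published by Identify for each protocol (from the article).
$metadataUrl = switch ($Protocol) {
    'SAML2' { "https://$IdentifyHost/runtime/saml2auth/metadata.idp" }
    'WSFed' { "https://$IdentifyHost/runtime/wsfedauth/metadata.idp" }
}

# Create the trust from metadata if it does not exist yet. Monitoring and
# auto-update pick up Identify's certificate rollovers automatically.
if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# RSA-SHA256 for the token signature. This is the default on AD FS 3.0 and
# later; SHA-1 is deprecated and only for partners that cannot verify SHA-256.
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

if ($SelfSignedCertificates) {
    # Self-signed certificates have no CRL/OCSP endpoints, so the default
    # CheckChainExcludeRoot check would always fail. Leave the default for
    # CA-issued certificates.
    Set-AdfsRelyingPartyTrust -TargetName $TrustName `
        -SigningCertificateRevocationCheck None `
        -EncryptionCertificateRevocationCheck None
}

if ($Protocol -eq 'SAML2') {
    # Reject unsigned AuthnRequests, so only Identify (holder of the signing
    # key in its metadata) can start a login with its own request parameters.
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -SignedSamlRequestsRequired $true
}

# Print the effective settings for review.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, MetadataUrl, SignatureAlgorithm,
                  SigningCertificateRevocationCheck,
                  EncryptionCertificateRevocationCheck,
                  SignedSamlRequestsRequired
```

Usage: `.\New-IdentifyTrust.ps1 -Protocol WSFed -SelfSignedCertificates` for the WS-Federation lab setup, or without the switch once Identify uses CA-issued certificates. The claim rules still have to be added as described in the Claim settings section.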
Identify Configuration
Go to Safewhere Admin to create a WS-Federation identity provider:
- If you do not want to map the login to the Identify user store, check Do not map logins to user store.
- Select an Identity bearing name.
- Enter https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml in the Metadata field and save.
Claim settings
The following is the minimal set of claims that AD FS needs to issue to Identify. Note the rule template used for each claim rule:
- A name claim
- A UPN claim
- A NameID claim that is transformed from the UPN claim
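The same three rules written in the AD FS claim rule language and applied with PowerShell, as an added example that is not part of the Safewhere article. The first rule is what the "Send LDAP Attributes as Claims" template produces, the second what "Transform an Incoming Claim" produces. The article does not say which LDAP attribute backs the name claim; displayName is an assumption here, as is the unspecified NameID format. "SP_Name" is the article's placeholder trust name.

```powershell
# Added example (not from the Safewhere article): issuance rules for the
# Identify relying party trust. Assumes the trust already exists.
$TrustName = 'SP_Name'

$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send name and UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";displayName,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# displayName is an assumed attribute for the name claim (the article does not
# name one); the @RuleTemplate lines keep the rules editable as template rules
# in AD FS Management instead of showing them as custom rules.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $issuanceRules

# Without an issuance authorization rule AD FS issues no token at all.
# "Permit Access to All Users" is the lab setting; scope it to a group in
# production. On AD FS 2016 and later this only applies when no access
# control policy is assigned to the trust.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceAuthorizationRules $authzRules

# Show what was stored, for review.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

The NameID rule copies the UPN value unchanged; if Identify is configured to map logins to its user store, that value is what it will look up, so it must match the identifier stored there.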