
    How to connect Safewhere Identify to AD FS provider

    The following article describes how to connect Safewhere Identify to an AD FS identity provider. It is recommended that you read the following document before starting:

    • Microsoft's AD FS installation guideline.

    SAML2.0

    In the following example, identify1 (identify1.safewhere.local) is a service provider for AD FS (fed.safewhere.local) using the SAML 2.0 protocol.

    AD FS configuration

    1. Use AD FS Management to create a Relying Party Trust:
    • Select Relying Party Trusts.
    • In the Actions pane, click Add Relying Party Trust.
    • Choose Import data about the relying party published online or on a local network, then enter the SAML 2.0 metadata URL: https://identify1.safewhere.local/runtime/saml2auth/metadata.idp.
    2. Create the claim rules described in the Claim settings section.
    3. Specify the secure hash algorithm for the relying party trust: right-click the Relying Party Trust > Properties > Advanced tab, select SHA-256 in the Secure hash algorithm list, and click OK. (On AD FS 3.0 and later, SHA-256 is already the default and this step can be skipped.)
    4. Use Windows PowerShell to disable the certificate revocation checks when Identify uses self-signed certificates (depending on the AD FS version, the first command may throw an exception; ignore it and run the remaining commands):
    # AD FS 2.0 only: load the AD FS cmdlets (throws on later versions, where the module loads automatically)
    add-pssnapin microsoft.ADFS.powershell
    # Replace SP_Name with the display name of the relying party trust created above
    set-AdfsRelyingPartyTrust -targetname "SP_Name" -SigningCertificateRevocationCheck None
    set-AdfsRelyingPartyTrust -targetname "SP_Name" -EncryptionCertificateRevocationCheck None
    # Require Identify to sign its SAML authentication requests
    set-AdfsRelyingPartyTrust -targetname "SP_Name" -SignedSamlRequestsRequired $True


    Identify configuration

    Go to Safewhere Admin to create a SAML 2.0 identity provider:

    • If you do not want to map the login to the Identify user store, check Do not map logins to user store.
    • Enter https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml in the Metadata field and save.

    WS-Federation

    In the following example, identify1 (identify1.safewhere.local) is a service provider for AD FS (fed.safewhere.local) using the WS-Federation protocol.

    AD FS Configuration

    1. Use AD FS Management to create a Relying Party Trust:
    • Select Relying Party Trusts.
    • In the Actions pane, click Add Relying Party Trust.
    • Choose Import data about the relying party published online or on a local network, then enter the WS-Federation metadata URL: https://identify1.safewhere.local/runtime/wsfedauth/metadata.idp.
    2. Create the claim rules described in the Claim settings section.
    3. Specify the secure hash algorithm for the relying party trust: right-click the Relying Party Trust > Properties > Advanced tab, select SHA-256 in the Secure hash algorithm list, and click OK. (On AD FS 3.0 and later, SHA-256 is already the default and this step can be skipped.)
    4. Use Windows PowerShell to disable the certificate revocation checks when Identify uses self-signed certificates (depending on the AD FS version, the first command may throw an exception; ignore it and run the remaining commands):
    # AD FS 2.0 only: load the AD FS cmdlets (throws on later versions, where the module loads automatically)
    add-pssnapin microsoft.ADFS.powershell
    # Replace SP_Name with the display name of the relying party trust created above
    set-AdfsRelyingPartyTrust -targetname "SP_Name" -SigningCertificateRevocationCheck None
    set-AdfsRelyingPartyTrust -targetname "SP_Name" -EncryptionCertificateRevocationCheck None

    Identify Configuration

    Go to Safewhere Admin to create a WS-Federation identity provider:

    • If you do not want to map the login to the Identify user store, check Do not map logins to user store.
    • Enter https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml in the Metadata field and save.

    Claim settings

    The following is the minimal set of claims that AD FS must issue to Identify; note which rule template each claim rule uses:

    • A Name claim
    • A UPN claim
    • A Name ID claim transformed from the UPN claim
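The AD FS steps above (import the relying party from Identify's metadata, set SHA-256, relax the revocation checks) and the three claim rules in this section can be scripted instead of clicked through. The script below is an added example and is not part of the Safewhere documentation or product. It takes the relying party name "SP_Name" and the SAML 2.0 metadata URL from this page; the choice of LDAP attributes feeding the Name and UPN claims (displayName and userPrincipalName) and the use of the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates are assumptions, as is the permit-all authorization rule. Run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the Safewhere documentation): scripts the AD FS side of the
# SAML 2.0 setup. Assumed values are marked as such. Run elevated on the AD FS server.

$rpName      = "SP_Name"                                                        # from the page
$metadataUrl = "https://identify1.safewhere.local/runtime/saml2auth/metadata.idp" # from the page
$sha256      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# AD FS 2.0 ships its cmdlets as a snap-in; on AD FS 3.0 and later the module loads
# automatically and this line errors, which is safe to ignore (as the page notes).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claim rule language for the three claims described above.
# "LdapClaims" = "Send LDAP Attributes as Claims" template; "MapClaims" = "Transform an
# Incoming Claim" template. The LDAP attributes displayName/userPrincipalName are assumptions.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send name and UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";displayName,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Without an issuance authorization rule AD FS 2.0/3.0 denies every token request for
# the relying party. Permit-all is an assumption; narrow it to a group claim in production.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 1. Import the relying party from Identify's published metadata. Monitoring and
#    auto-update keep AD FS in step with Identify's certificate rollover.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# 2. Claim rules, SHA-256 token signing, signed AuthnRequests, and the self-signed
#    certificate relaxation from the page (revocation checks off). Leave the revocation
#    checks at their default once Identify uses CA-issued certificates.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -SignatureAlgorithm $sha256 `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None `
    -SignedSamlRequestsRequired $true

# 3. Verify the effective settings rather than trusting the script ran cleanly.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, SignatureAlgorithm, SignedSamlRequestsRequired,
        SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck,
        @{ n = "Identifier"; e = { $_.Identifier -join ", " } }
```

For the WS-Federation variant described earlier on this page, point $metadataUrl at https://identify1.safewhere.local/runtime/wsfedauth/metadata.idp and drop the -SignedSamlRequestsRequired parameter, which only applies to SAML 2.0; the claim rules are the same for both protocols.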
