Authentication
Settings for Safewhere Identify
In PasswordReset: WS Federation authentication can be set up at the "Authentication setting" step of the PasswordReset Configurator or in the web.config file.
In Identify Admin, create a WS Federation Protocol Connection and set the following values:
- Entity ID: https://[PWR_applicationid]/WSFederationAuthentication
- Passive requestor endpoint: https://[PWR_applicationid]/WSFederationAuthentication
- Encrypt certificate: the certificate that was set in the Authentication Settings step.
Settings for ADFS
You must select Add Relying Party Trust Wizard and choose "Enter data about the relying party manually".
Input Display Name and click "Next".
Choose the certificate chosen as "WS Federation encrypt certificate" in the authentication setting step of the Configurator.
At the "Configure URL" step, input the URL of the PasswordReset web site in the form https://[PWR applicationid]/WSFederationAuthentication.
After clicking "Finish", you must change the AD FS 2.0 Signature Algorithm to use the Secure Hash Algorithm 1 (SHA-1). To do this, right-click the relying party trust and select Properties; then, on the Advanced tab, in the Secure hash algorithm list, select SHA-1 and click OK.
Claim settings: In AD FS 2.0 you will need to set up a claim rule describing the user information that needs to be issued to PasswordReset. The following example maps the Active Directory attribute "Employee Number" to the claim type called "Name", which will then be issued to PasswordReset as the UserId. PasswordReset will then use this value during the "Mapping" phase.
To set this claim, simply right-click the PasswordReset Relying Party Trust, which you created above, and select Edit Claim Rules.
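The AD FS steps above, scripted with the AD FS 2.0 PowerShell snap-in as an added example (not taken from the PasswordReset documentation). The display name, the certificate path, and the use of the endpoint URL as the relying party identifier are assumptions; replace the [PWR_applicationid] placeholder with your own host name before running.

```powershell
# Added example: scripted equivalent of the wizard steps. Run on the AD FS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholder from the page: substitute the real PasswordReset host name.
$pwrUrl   = 'https://[PWR_applicationid]/WSFederationAuthentication'
# Hypothetical path: public part of the "WS Federation encrypt certificate"
# chosen in the Configurator's authentication setting step.
$certPath = 'C:\certs\pwr-wsfed-encrypt.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Claim rule: look up the employeeNumber attribute in Active Directory for the
# signed-in account and issue it as the "Name" claim, which PasswordReset
# uses as the UserId in its "Mapping" phase.
$issuanceRules = @'
@RuleName = "Employee Number as Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";employeeNumber;{0}", param = c.Value);
'@

# The wizard adds a "Permit all users" authorization rule by default; a trust
# created from PowerShell needs it stated explicitly or no token is issued.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Assumption: the relying party identifier is the same URL as the endpoint.
Add-ADFSRelyingPartyTrust -Name 'PasswordReset' `
    -Identifier $pwrUrl `
    -WSFedEndpoint $pwrUrl `
    -EncryptionCertificate $cert `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Check that the stored trust matches what was intended, in particular that
# the signature algorithm is SHA-1 and the expected certificate is attached.
Get-ADFSRelyingPartyTrust -Name 'PasswordReset' |
    Format-List Name, Identifier, WSFedEndpoint, SignatureAlgorithm, EncryptionCertificate
```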