How to enroll Flex Appliance as a service provider to ADFS

Article: 100053956
Last Published: 2022-12-19
Product(s): Appliances

Description

To enroll Flex Appliance as a service provider to ADFS

  1. Log on to the ADFS server and start the ADFS Management Console from the Windows Administrative tools.

     
  2. Click Add Relying Party Trust to open the Add Relying Party Trust Wizard, which you use to configure Flex Appliance as a service provider.
  3. On the Welcome screen, select the Claims aware option. This option enables the ADFS application to consume security tokens to make authentication and authorization decisions.

     
  4. Use the Import data about the relying party from a file option to import the SP metadata XML file that you previously downloaded from the Flex Appliance.

     
  5. Select the Access Control Policy based on the requirement of your organization.
     
  6. Add the rules to enable ADFS to access the attribute values of authenticated users from the Active Directory domain. Select the Configure claims issuance policy for this application option, then exit the Add Relying Party Trust Wizard.

     
  7. In the Edit Claim Issuance Policy window, click Add Rule. The Add Transform Claim Rule Wizard opens.
     
  8. Ensure that you select the Send LDAP Attributes as Claims template in the Choose Rule Type screen.
     
  9. In the Configure Claim Rule screen, provide any name to identify the claim rule.
     
  10. Ensure that you select the Attribute store as Active Directory.
     
  11. Define the SAML attributes (Outgoing Claim Types field) that map to the userPrincipalName and the memberOf attributes in the AD or the LDAP directory.

    Note: When you add the IDP configuration to the Flex appliance IDP configuration page, the values that you enter for the User and the Group fields must match the SAML attribute names (Outgoing Claim Types field) that are mapped to the userPrincipalName and the memberOf attributes in the AD or the LDAP directory. Attribute mappings map SAML attributes in the SSO with the corresponding attributes in the AD or the LDAP directory. The SAML attribute mappings are used to generate SAML responses, which are sent to the Flex appliance.
  12. When the appliance validates an SSO login, it checks the attribute mappings in the IDP configuration on the appliance first. If they do not match, it checks the Name ID that is included in the assertion. Even if the email ID of the SSO user is not configured on the IDP, the User Principal Name is a required attribute and must be in email format. So, two rules need to be added: one for the attribute mappings and the other for the Name ID. The attribute mappings take priority over the Name ID. To successfully log out from the appliance and the IDP at the same time, you must also add the entity IDs of the service provider (the appliance) and the Identity Provider as Name Qualifiers. To do so, navigate to the Edit Claim Issuance Policy window and click Add Rule. The Add Transform Claim Rule Wizard opens.
     
  13. Select the Send Claims Using a Custom Rule template in the Choose Rule Type screen.
  14. In the Configure Claim Rule screen, provide any name to identify the claim rule.
     
  15. Paste the following rule when you are asked to enter a custom rule:
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "<entity ID of IDP>", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<entity ID of SP>");

    Where <entity ID of IDP> is the entityID of the Identity Provider (ADFS) and <entity ID of SP> is the entityID of the appliance. The rule takes the emailaddress claim issued by the attribute rule as its input, so the User Principal Name it carries must be in email format.
  16. Click OK to define the rule and then click Apply to apply the rules to the Service Provider. Click OK to close the Issuance Policies.

 

To download the IDP metadata XML file

To access the IDP metadata XML file from the ADFS server, enter the following URL in your browser on the ADFS server:

https://<ADFS host name>/FederationMetadata/2007-06/FederationMetadata.xml, where <ADFS host name> is the IP address or host name of the ADFS server.

 

To disable the CRL check on certificates on the ADFS Server

On the ADFS server, you must use PowerShell to disable the CRL check for the certificates that Veritas issues, because those certificates carry no CRL information. Use the following procedure.

  1. Run the following command to view the current configuration:
    Get-AdfsRelyingPartyTrust -Identifier https://<SP Identifier>
    where <SP Identifier> is the "Identifier" that displays on the ADFS Server for the Relying Party Trust that you added.

  2. Run the following command to set the CRL checks to None:
    Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None -TargetName <SP display_name>
    where <SP display_name> is the "Display Name" that displays on the ADFS Server for the Relying Party Trust that you added.
  3. Run the command from the second step again to ensure that the CRL checks are "None".
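The same enrollment done end to end from PowerShell on the ADFS server, covering the relying party trust and the two claim rules from steps 2 to 16 as well as the CRL change above. This is an added example, not part of this article or of the Veritas product; the trust name, the metadata path, the access control policy name and the claim type URIs are assumptions, and the entity IDs are read from ADFS and from the imported metadata rather than typed in.

```powershell
# Added example (not from the article). Assumed values: adjust to your environment.
$TrustName  = 'Flex Appliance'                  # Display Name of the relying party trust
$SpMetadata = 'C:\temp\flex-sp-metadata.xml'    # SP metadata XML downloaded from the appliance
$AcPolicy   = 'Permit everyone'                 # built-in policy; pick the one your organization requires

# Claim type URIs (assumed). The User and Group fields on the Flex IDP configuration
# page must be set to exactly these strings (step 11 note).
$UserClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$GroupClaim = 'http://schemas.xmlsoap.org/claims/Group'

# Steps 2-5: create the trust from the SP metadata and attach an access control policy.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $SpMetadata -AccessControlPolicyName $AcPolicy

# Entity IDs for the name qualifiers: the IDP's is the federation service identifier,
# the SP's is the Identifier imported from the appliance metadata.
$IdpEntityId = (Get-AdfsProperties).Identifier.AbsoluteUri
$SpEntityId  = (Get-AdfsRelyingPartyTrust -Name $TrustName).Identifier | Select-Object -First 1

# Rule 1 (steps 7-11): Send LDAP Attributes as Claims, userPrincipalName -> $UserClaim,
# memberOf -> $GroupClaim, read from the Active Directory attribute store.
$LdapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Flex user and group attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$UserClaim", "$GroupClaim"), query = ";userPrincipalName,memberOf;{0}", param = c.Value);
"@

# Rule 2 (steps 12-15): the custom Name ID rule with both entity IDs as name qualifiers,
# so that single logout works against the appliance and ADFS together.
$NameIdRule = @"
@RuleName = "Flex Name ID with name qualifiers"
c:[Type == "$UserClaim"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "$IdpEntityId", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$SpEntityId");
"@

# Step 16 plus the CRL procedure: apply both rules and turn off revocation checking
# for the signing and encryption certificates (they carry no CRL information).
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules ($LdapRule + "`n" + $NameIdRule) `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# Verify the result instead of trusting the Set call silently.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if ($rp.SigningCertificateRevocationCheck -ne 'None' -or $rp.EncryptionCertificateRevocationCheck -ne 'None') {
    Write-Warning "CRL checks are still enabled for '$TrustName'"
}
$rp | Select-Object Name, Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```

Run it in an elevated PowerShell session on the ADFS server; it does not create the Flex side of the configuration, where the User and Group fields must still be set to the two claim type URIs.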

 

 

References

JIRA : FLEX-664
