Description
To enroll Access Appliance primary server as a service provider to ADFS
Download the Federation Metadata XML by using the following link.
https://<adfs_server_name>/FederationMetadata/2007-06/FederationMetadata.xmlOpen Access Appliance UI, Go to Setting > Directory Services management > Configure AD. Assign Administrator role to any AD user.
Enable SSO. Navigate to Setting > Security management > Single sign-on(SSO) > Add > Upload Federation XML. Enter all the values and click Save.
Download Service provider XML from Access Appliance.
To upload the XML to the ADFS server, open the ADFS management console. Navigate to Start > Server Manager > ADFS > Tools.
- Select Relying Party Trusts option. Click Add Relying Party Trust to open the Add Relying Party Trust Wizard to configure Access Appliance as a service provider.
- On the Welcome screen, select the Claims aware option. Click Start. This enables the ADFS application to consume security tokens to make authentication and authorization decisions.
- Use the Import data about the relying party from a file option to import the SP metadata XML file previously downloaded from the Access Appliance primary server. Enter the Federation Metadata file location using the Browse option.
- Ignore the warning message and provide the name of your configuration in the Display name field. For example: the name of your primary server: trans-com-win. Click Next.
- Give a display name for your relying party trust and click Next.
- Select the Access Control Policy based on the requirements of your organization. If you have configured MFA (multifactor authentication), then select an appropriate option. Else, select for Permit everyone and click Next.
- Complete the configuration by clicking next and then click Close.
- For your relying party, click Edit claim issuance policy.
- Add a rule to enable ADFS to access attribute values of authenticated users from the Active Directory. In the Edit Claim Issuance Policy window, click Add Rule to enable ADFS to access attribute values of authenticated users from the Active Directory. The Add Transform Claim Rule Wizard opens.
- Ensure that you select the Send LDAP Attributes as Claims template in the Choose Rule Type screen. Click Next.
- In the Configure Claim Rule screen, provide any name to identify the claim rule. Ensure that you select the Attribute store as Active Directory.
- Click Finish to apply the rule on the Edit claim issuance policy screen.
- Disable the CRL check on your configuration from PowerShell.
Run the following command from the ADFS server:
- Get-AdfsRelyingPartyTrust "<trust name>" | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck none
- Get-AdfsRelyingPartyTrust "<trust name>" | Set-AdfsRelyingPartyTrust -SamlResponseSignature MessageAndAssertion
In some cases, you have to set NotbeforeSkew to 2 (By default, its value is 0). You can get the NotbeforeSkew values by using the following command:
Get-AdfsRelyingPartyTrust "<trust name>"Now set NotbeforeSkew to 2 by using the following command:
Set-ADFSRelyingPartyTrust -Targetname "<trust name>" -NotBeforeSkew 2
19. Navigate to the Access Appliance UI. Login with SSO.
Related Knowledge Base Articles
How to enroll Access Appliance primary server as a service provider to Okta
How to enroll Access Appliance primary server as a service provider to PingFederate
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.