Microsoft ADFS
  • 29 Jun 2022

Article Summary

You set up SAML single sign-on support in ADFS and gather the information you need to connect the CTERA Portal to ADFS.

To get the SAML single sign-on information:

  1. Log in to the Windows Server ADFS machine as the administrator.
  2. Open AD FS Management.
    Note

    The procedure and screens are based on AD FS running on Windows Server 2012. They might differ slightly on other versions of Windows Server.

  3. In the left pane navigation tree, select Trust Relationships and right-click Relying Party Trusts.
  4. Click Add Relying Party Trust.
  5. Click Start.
  6. Choose the Enter data about the relying party manually option and click Next.
  7. Enter a display name for the relying party and optionally add notes about the party and click Next.
  8. Choose the AD FS Profile option and click Next.
  9. Optionally, if you want to encrypt claims sent to the relying party, browse to the CTERA Portal certificate, select it, and click Open.
    The issuer, subject, effective date and expiry date of the certificate are displayed.
  10. Click Next.
  11. Check Enable support for the SAML 2.0 WebSSO protocol and enter the CTERA Portal URL followed by /SAML, as in the following example: https://exampleportal.ctera.me/ServicesPortal/saml
  12. Click Next.
  13. Enter the Relying party trust identifier, for example ctera-adfs, and click Add.
    You enter this same Relying party trust identifier in the CTERA Portal Entity ID/Issuer ID field, in the procedure To configure SAML single sign-on, described in Defining SAML Single Sign-on in a CTERA Portal, when setting up SAML in the portal.
  14. Click Next.
  15. Leave the default, which permits all users access, unless you want to restrict portal access to only those users for whom you add issuance authorization rules, as described in the ADFS documentation.
  16. Click Next.
    A summary of the wizard steps is displayed in the tabs.
  17. Select the Signature tab and import the CTERA Portal Certificate.
  18. Click Next.
  19. Check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close.
    The Edit Claim Rules window for the relying party is displayed.
  20. Click Add Rule.
  21. Select Send LDAP Attributes as Claims for the Claim rule template and click Next.
  22. Enter the following:
    Claim rule name – A name for the rule.
    Attribute store – Select the store from the list, for example, Active Directory.
    LDAP Attribute – Use User-Principal-Name.
    Outgoing Claim Type – Select Name ID.
  23. Click Finish.
  24. Click OK.
  25. In the left pane navigation tree, select Service > Certificates, right-click the certificate under Token-signing and click View Certificate.
  26. Select the Details tab and click Copy to File.
  27. Click Next in the Certificate Export wizard and select the Base-64 encoded X.509 option.
  28. Click Next and enter a file name.
  29. Click Next and then Finish.

You upload this certificate when setting up SAML in the CTERA Portal.

Encrypting the SAML Response

When using ADFS for SAML to sign in to the portal, the SAML response can be encrypted, as follows:

  1. Add the portal certificate to the relying party in ADFS.
  2. Using SSH, log in as root to your CTERA Portal server.
  3. Run the following command in ADFS PowerShell: set-ADFSRelyingPartyTrust -TargetName "<relying party name>" -EncryptClaims $True
    For example,
    set-ADFSRelyingPartyTrust -TargetName "CTERA Portal" -EncryptClaims $True

To turn encryption off, run the same command with -EncryptClaims $False.
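As an added example that is not part of the CTERA documentation, the following PowerShell script, run in an elevated session on the AD FS server, does what the wizard steps above and the encryption procedure do by hand: it creates the relying party trust with the SAML endpoint, encryption and signature certificates, the UPN-to-Name ID claim rule and the permit-all authorization rule, enables claim encryption, and exports the token-signing certificate as Base-64 X.509. The display name, identifier, portal URL and certificate paths are assumed values.

```powershell
# Added example (not from the CTERA documentation): scripted equivalent of the
# wizard steps, run in an elevated PowerShell session on the AD FS server.
# Assumed values: display name, identifier, portal URL and certificate paths.
Import-Module ADFS

$displayName = 'CTERA Portal'                                        # step 7 (assumed)
$identifier  = 'ctera-adfs'                                          # step 13, Entity ID/Issuer ID
$portalSaml  = 'https://exampleportal.ctera.me/ServicesPortal/saml'  # step 11
$portalCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\portal.cer'  # steps 9 and 17 (assumed path)

# SAML 2.0 WebSSO assertion consumer endpoint of the portal (step 11)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $portalSaml

# Step 22: "Send LDAP Attributes as Claims", userPrincipalName issued as Name ID
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Step 15: the default issuance authorization rule, permit all users
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $displayName -Identifier $identifier `
    -ProtocolProfile SAML -SamlEndpoint $acs `
    -EncryptionCertificate $portalCert -RequestSigningCertificate $portalCert `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -EncryptClaims $true   # "Encrypting the SAML Response"; use $false to turn it off

# Steps 25-29: export the primary token-signing certificate as Base-64 encoded X.509
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path 'C:\certs\adfs-token-signing.cer' -Value $pem -Encoding Ascii   # upload this file to the portal

# Check that the trust exists, carries the expected identifier and encrypts claims
Get-AdfsRelyingPartyTrust -Name $displayName | Select-Object Name, Identifier, EncryptClaims, ProtocolProfile
```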
