How to connect Safewhere*Identify to AD FS 2.0

The following article describes the process for connecting Safewhere*Identify to AD FS 2.0 as a relying party (RP), first over the Saml2 protocol and then over WS-Federation. It is recommended that you read the Identify connection documentation before starting.

Saml2 protocol: connections


The following example assumes that identify1 (identify1.safewhere.local) is an RP for AD FS (fed.safewhere.local) using the Saml2 protocol.

ADFS Configuration

  1. In the AD FS 2.0 Management console, add a Relying Party Trust and import its data from the Identify Saml2 metadata URL: https://identify1.safewhere.local/runtime/saml2auth/metadata.idp
  2. Create the claim rules described in the Claim settings section below.
  3. Set the signature algorithm of the trust to the Secure Hash Algorithm (SHA) you want AD FS 2.0 to sign tokens with: right-click the relying party trust > Properties > Advanced tab > in the Secure hash algorithm list, select SHA-1 or SHA-256, and click OK. Prefer SHA-256; whichever you choose, the Identify connection must be set to the same SHA mode.
  4. Use Windows PowerShell to finish the trust. The first two Set commands disable certificate revocation checking, which is only appropriate when Identify uses self-signed certificates (they carry no CRL or OCSP pointer, so the check can never succeed); keep revocation checking enabled for CA-issued certificates in production. The third command makes AD FS reject unsigned SAML AuthnRequests from Identify, so that a third party cannot initiate logins in Identify's name.
    • add-pssnapin microsoft.adfs.powershell
    • set-ADFSrelyingpartytrust -targetname "RP_Name" -SigningCertificateRevocationCheck None
    • set-ADFSrelyingpartytrust -targetname "RP_Name" -EncryptionCertificateRevocationCheck None
    • set-ADFSrelyingpartytrust -targetname "RP_Name" -SignedSamlRequestsRequired $True

Identify Configuration

  1. Go to the Connections tab and create a Saml2 authn connection:
    • check Enable
    • check Do not map logins to user store
    • select the SHA mode that matches the one you chose for the trust on AD FS (SHA-1 or SHA-256)
    • select an Identity-bearing name and save
  2. Go back to the connection list, open the metadata upload form and point it at https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml

WS-Federation protocol: connections


The following example assumes that identify1 (identify1.safewhere.local) is an RP for AD FS (fed.safewhere.local) using the WS-Fed protocol.

ADFS Configuration

  1. In the AD FS 2.0 Management console, add a Relying Party Trust and import its data from the Identify WS-Fed metadata URL: https://identify1.safewhere.local/runtime/wsfedauth/metadata.idp
  2. Create the claim rules described in the Claim settings section below.
  3. Set the signature algorithm of the trust to Secure Hash Algorithm 1 (SHA-1): right-click the relying party trust > Properties > Advanced tab > in the Secure hash algorithm list, select SHA-1, and click OK. This article's WS-Fed setup uses SHA-1; use SHA-256 if your version of the Identify WS-Fed connection supports it.
  4. Use Windows PowerShell to disable certificate revocation checking if Identify uses self-signed certificates (they carry no CRL or OCSP pointer, so the check can never succeed). Keep revocation checking enabled for CA-issued certificates in production.
    • add-pssnapin microsoft.adfs.powershell
    • set-ADFSrelyingpartytrust -targetname "RP_Name" -SigningCertificateRevocationCheck None
    • set-ADFSrelyingpartytrust -targetname "RP_Name" -EncryptionCertificateRevocationCheck None

Identify Configuration

  1. Go to the Connections tab, create a WS-Fed authn connection, check Enable, select an Identity-bearing name and save.
  2. Go back to the connection list, open the metadata upload form and point it at https://fed.safewhere.local/FederationMetadata/2007-06/federationmetadata.xml
  3. On .NET 4.0, the WS-Fed response fails with "A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo…")." The wresult form field legitimately contains XML, which ASP.NET 4.0 request validation rejects before the page runs. Resolve it in web.config:
    • Add <httpRuntime requestValidationMode="2.0"/> inside <system.web>, before the <pages .../> element
    • Add the attribute validateRequest="false" to the <pages .../> element
    • Note that validateRequest="false" on the top-level <pages> element switches off request validation, an XSS defence-in-depth, for every page in the site. Keep the top-level attribute at its default and instead place <pages validateRequest="false"/> in a <location> element scoped to the WS-Fed endpoint path only.
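The scoped variant of the web.config change above, as an added PowerShell example that is not part of the Safewhere article or product. It sets requestValidationMode="2.0" once at application level (httpRuntime cannot be placed inside a location element), removes any site-wide validateRequest="false", and disables validation only for the endpoint that receives the wresult POST. The web.config path and the endpoint path runtime/wsfedauth are assumptions, not values from the article; confirm the endpoint against the URL the browser POSTs wresult to before relying on it.

```powershell
# Added example, not code from the Safewhere article or product. Scopes the
# ASP.NET request-validation relaxation to the WS-Fed endpoint instead of the
# whole site. Run on the Identify web server with write access to web.config.
# Assumptions (not stated in the article): the web.config location, and that
# the WS-Fed response is POSTed to a URL under runtime/wsfedauth/ (the same
# directory as the WS-Fed metadata URL).
param(
    [string]$WebConfig = "C:\inetpub\wwwroot\identify1\web.config",
    [string]$EndpointPath = "runtime/wsfedauth"
)

$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load((Resolve-Path $WebConfig).Path)
$root = $cfg.DocumentElement
if ($root.Name -ne "configuration") { throw "Not an ASP.NET web.config: $WebConfig" }

# httpRuntime is application-scoped (allowDefinition="MachineToApplication"),
# so requestValidationMode cannot sit inside a <location>; set it once in the
# top-level <system.web>. Mode 2.0 makes validation per-page again, controlled
# by the validateRequest attribute of <pages>.
$systemWeb = $root.SelectSingleNode("system.web")
if (-not $systemWeb) { $systemWeb = $root.AppendChild($cfg.CreateElement("system.web")) }
$httpRuntime = $systemWeb.SelectSingleNode("httpRuntime")
if (-not $httpRuntime) { $httpRuntime = $systemWeb.AppendChild($cfg.CreateElement("httpRuntime")) }
$httpRuntime.SetAttribute("requestValidationMode", "2.0")

# Keep validation ON for every ordinary page: remove any site-wide
# validateRequest="false" that the quick fix may have left behind.
$topPages = $systemWeb.SelectSingleNode("pages")
if ($topPages -and $topPages.HasAttribute("validateRequest")) {
    $topPages.RemoveAttribute("validateRequest")
}

# Switch validation OFF only for the endpoint that legitimately receives XML
# in the wresult form field, using a <location> block scoped to that path.
$old = $root.SelectSingleNode("location[@path='$EndpointPath']")
if ($old) { [void]$root.RemoveChild($old) }
$location = $cfg.CreateElement("location")
$location.SetAttribute("path", $EndpointPath)
$locWeb = $location.AppendChild($cfg.CreateElement("system.web"))
$pages = $locWeb.AppendChild($cfg.CreateElement("pages"))
$pages.SetAttribute("validateRequest", "false")
[void]$root.AppendChild($location)

# Back up, then write the modified configuration in place.
Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force
$cfg.Save((Resolve-Path $WebConfig).Path)
```

After the script runs, web.config contains <httpRuntime requestValidationMode="2.0"/> under the application-level <system.web>, and a <location path="runtime/wsfedauth"> element whose <pages validateRequest="false"/> is the only place validation is disabled; every other page keeps the default validateRequest="true".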

Claim settings

The following is the minimal set of claims that AD FS 2.0 must issue to the Identify relying party. Note the rule template used for each claim rule in the screenshots:

  • A name claim
  • A UPN claim
  • A NameID claim transformed from the UPN claim

(Screenshot: Edit Claim Rules for the Identify relying party trust)

(Screenshot: the name claim rule)

(Screenshot: the UPN claim rule)

(Screenshot: the transform rule that issues NameID from UPN)

Click Save.
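The AD FS 2.0 side of both sections (the Saml2 and WS-Fed ADFS Configuration steps) together with the claim rules from this section, as one added PowerShell script. It is an added example and not part of the Safewhere article or product. The display name identify1, the -SelfSignedCerts switch, and the choice of the displayName and userPrincipalName attributes for the name and UPN claims are assumptions; the article's screenshots do not show which LDAP attributes were used. The rule templates LdapClaims and MapClaims correspond to the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates in the AD FS 2.0 console.

```powershell
# Added example, not code from the Safewhere article or product: scripts the
# AD FS 2.0 relying party trust for Identify over Saml2 or WS-Fed, including
# the claim rules. Run in an elevated PowerShell session on the AD FS server.
# Assumptions (not stated in the article): the RP display name, the LDAP
# attributes behind the name and UPN claims, and the -SelfSignedCerts switch.
param(
    [ValidateSet("saml2", "wsfed")] [string]$Protocol = "saml2",
    [ValidateSet("SHA-1", "SHA-256")] [string]$Sha = "SHA-256",
    [string]$RpName = "identify1",
    [string]$IdentifyHost = "identify1.safewhere.local",
    [switch]$SelfSignedCerts   # lab only: Identify uses self-signed certificates
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Identify metadata endpoints from the article; the path differs per protocol.
$metadataUrl = switch ($Protocol) {
    "saml2" { "https://$IdentifyHost/runtime/saml2auth/metadata.idp" }
    "wsfed" { "https://$IdentifyHost/runtime/wsfedauth/metadata.idp" }
}

# Token signature algorithm. The article uses SHA-256 or SHA-1 for Saml2 and
# SHA-1 for WS-Fed; the value must match the SHA mode on the Identify side.
$signatureAlgorithm = switch ($Sha) {
    "SHA-1"   { "http://www.w3.org/2000/09/xmldsig#rsa-sha1" }
    "SHA-256" { "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" }
}

# Claim settings: name and UPN from Active Directory, then NameID mapped from
# UPN. Same templates the console offers (LdapClaims = "Send LDAP Attributes
# as Claims", MapClaims = "Transform an Incoming Claim").
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Name and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";displayName,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID from UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Without an issuance authorization rule AD FS 2.0 issues no token at all.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 1: create the trust from the Identify metadata URL (idempotent).
if (-not (Get-ADFSRelyingPartyTrust -Name $RpName)) {
    Add-ADFSRelyingPartyTrust -Name $RpName -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Steps 2 to 4: claim rules, hash algorithm, and the PowerShell settings.
$settings = @{
    TargetName                 = $RpName
    SignatureAlgorithm         = $signatureAlgorithm
    IssuanceTransformRules     = $transformRules
    IssuanceAuthorizationRules = $authzRules
}
if ($Protocol -eq "saml2") {
    # Reject unsigned AuthnRequests so nobody but Identify can start a login
    # in its name (the article sets this on the Saml2 trust only).
    $settings.SignedSamlRequestsRequired = $true
}
if ($SelfSignedCerts) {
    # Self-signed certificates carry no CRL/OCSP pointer, so revocation
    # checking can never pass; disable it here only, never for CA-issued
    # certificates in production.
    $settings.SigningCertificateRevocationCheck    = "None"
    $settings.EncryptionCertificateRevocationCheck = "None"
}
Set-ADFSRelyingPartyTrust @settings

# Show the effective settings so the result can be checked against Identify.
Get-ADFSRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, SignatureAlgorithm, SignedSamlRequestsRequired,
        SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```

Run it as .\New-IdentifyTrust.ps1 -Protocol saml2 -SelfSignedCerts for the Saml2 lab setup in this article, or -Protocol wsfed -Sha SHA-1 to reproduce the WS-Fed section; leave -SelfSignedCerts off whenever Identify presents CA-issued certificates.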
