Configure federation on the Active Directory Federation Services side
The AD FS configuration in these instructions is described using Windows Server 2019 as an example; the steps may differ for other versions.
You should configure Active Directory Federation Services (AD FS) according to Microsoft's recommendations for deploying AD FS clusters and proxy servers.
- Build a relationship of trust.
- If, when creating the federation, you selected the Sign authentication requests checkbox, download a certificate to sign requests.
- Configure Claims Mapping.
1. Build a relationship of trust
1. On the AD FS server, open Server Manager.
2. On the Tools menu, select AD FS Management.
3. In the Actions block, select Relying Party Trust → Add Relying Party Trust.
4. In the Welcome step:
   4.1. Select Claims aware.
   4.2. Press Start.
5. In the Select Data Source step:
   5.1. Select Enter data about the relying party manually.
   5.2. Press Next.
6. In the Specify Display Name step:
   6.1. In the Display name field, enter a name for the trust relationship.
   6.2. Press Next.
7. In the Configure Certificate step:
   7.1. If, when creating the federation, you selected the Sign authentication requests checkbox, download the certificate for signing requests and insert it here.
   7.2. Press Next.
8. In the Configure URL step:
   8.1. Select the Enable support for the SAML 2.0 WebSSO protocol checkbox.
   8.2. In the URL field, enter the address to which users will be redirected after authentication: https://api.servercore.com/v1/auth/federations/<federation_id>/saml/acs. Specify <federation_id>, the ID of the federation on the Servercore side. It can be viewed in the control panel: in the top menu, press Account → the Federations section → the federation line → the ID field.
   8.3. Press Next.
9. In the Configure Identifiers step:
   9.1. In the URL field, enter the address https://api.servercore.com/v1/federations/saml/<federation_id>.
   9.2. Press Add → Next.
10. In the Choose Access Control Policy step:
   10.1. Optional: specify who will be allowed to authenticate through this federation. The default policy is Permit everyone, which allows access for all users.
   10.2. Press Next.
11. In the Ready to Add Trust step:
   11.1. Check the data.
   11.2. Press Close.
2. Download a certificate to sign requests
A certificate for signing requests must be downloaded if, when creating the federation, you selected the Sign authentication requests checkbox.
- On the AD FS server, open the Service → Relying Party Trusts folder.
- Click the Relying Party Trust that you created.
- On the right, under Actions, in the box with the name of the created Relying Party Trust, click Properties.
- Open the Signature tab.
- Click Add.
- Select the certificate for signing requests that you downloaded when setting up the relationship of trust in step 7.1.
3. Configure Claims Mapping
After successful authentication in AD FS, Servercore receives a SAML message. To identify the user correctly, you must configure which user data is mapped to the elements of the SAML message.
1. On the AD FS server, open the Service → Relying Party Trusts folder.
2. Right-click your Relying Party Trust and select Edit Claim Issuance Policy.
3. Click Add Rule.
4. In the Choose Rule Type step:
   4.1. In the Claim rule template field, select Send LDAP Attributes as Claims.
   4.2. Press Next.
5. In the Configure Claim Rule step:
   5.1. In the Claim rule name field, enter the name of the rule.
   5.2. In the Attribute store field, select Active Directory.
   5.3. In the LDAP Attribute column, specify what will be passed as the user ID (External ID). You can specify:
      - User-Principal-Name — username;
      - E-Mail-Addresses — email.
   5.4. In the Outgoing Claim Type column, select Name ID.
6. Click Finish → OK.
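The same three parts of this procedure (the relying party trust, the request-signing certificate, and the Name ID claim rule) can be scripted with the AD FS PowerShell module on the AD FS server. This is an added example, not Servercore's own code; it assumes the display name Servercore, the placeholder <federation_id> replaced with your real federation ID, and a signing certificate saved at C:\certs\servercore-signing.cer (only needed if Sign authentication requests is enabled).

```powershell
# Added example: create the Servercore relying party trust with the ADFS module.
# Assumed values: the display name 'Servercore', the <federation_id> placeholder,
# and the certificate path below. Run in an elevated PowerShell on the AD FS server.
Import-Module ADFS

$federationId = '<federation_id>'   # replace with the ID from Account -> Federations
$acsUrl       = "https://api.servercore.com/v1/auth/federations/$federationId/saml/acs"
$identifier   = "https://api.servercore.com/v1/federations/saml/$federationId"

# Step 8: SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Steps 5.3/5.4 of Claims Mapping: "Send LDAP Attributes as Claims" rule that
# issues userPrincipalName as Name ID. Use ";mail;{0}" to send E-Mail-Addresses instead.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Servercore Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

$params = @{
    Name                    = 'Servercore'        # step 6: display name
    Identifier              = $identifier         # step 9: relying party identifier
    SamlEndpoint            = $acs
    IssuanceTransformRules  = $nameIdRule
    AccessControlPolicyName = 'Permit everyone'   # step 10: default policy; tighten per your needs
}
Add-AdfsRelyingPartyTrust @params

# Step 7.1 / section 2: register the request-signing certificate downloaded from Servercore.
# Registering the certificate alone only enables validation; SignedSamlRequestsRequired
# makes AD FS reject unsigned AuthnRequests for this trust.
$signingCertPath = 'C:\certs\servercore-signing.cer'   # assumed path
if (Test-Path $signingCertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $signingCertPath
    Set-AdfsRelyingPartyTrust -TargetName 'Servercore' `
        -RequestSigningCertificate $cert `
        -SignedSamlRequestsRequired $true
}

# Verify what AD FS actually stored before testing a login.
Get-AdfsRelyingPartyTrust -Name 'Servercore' |
    Select-Object Name, Identifier, SamlEndpoints, SignedSamlRequestsRequired, IssuanceTransformRules
```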