How To: Configure The Identity Hub to use ADFS as Account Provider
Getting the required certificates
Warning
For security reasons The Identity Hub can be configured, per tenant, to reject self-signed certificates.
If the tenant is configured that way, the ADFS server MUST use certificates that are not self-signed for token signing and encryption.
Consult the tenant administrator to find out whether self-signed certificates are allowed.
The self-signed certificates that ADFS creates during installation are for evaluation purposes only.
ADFS: Token Signing Certificate
A certificate is needed so that the ADFS server can identify itself to The Identity Hub.
Such a certificate can be acquired from certificate providers like VeriSign and GlobalSign.
The certificate is NOT a TLS/SSL certificate, but a personal authentication certificate.
The CN of the certificate has to clearly identify the ADFS server (organisation).
The certificate must use the SHA-256 signature algorithm with a 2048-bit key.
An example is: https://ssl.comodo.com/personal-authentication.php
For more information see: https://docs.microsoft.com/nl-be/windows-server/identity/ad-fs/overview/ad-fs-requirements#token-signing-certificate
Warning
If the tenant does not allow self-signed certificates, this certificate can NOT be self-signed.
ADFS: Service Communication Certificate
Since the ADFS server is reachable over HTTPS, a TLS certificate is required.
Such a certificate can be acquired from certificate providers like VeriSign and GlobalSign.
An example is: https://ssl.comodo.com/comodo-ssl-certificate.php
The CN of the certificate has to match the DNS name of the ADFS server(s).
The certificate must use the SHA-256 signature algorithm (minimum) with a 2048-bit key.
For more information see: https://docs.microsoft.com/nl-be/windows-server/identity/ad-fs/overview/ad-fs-requirements#service-communication-certificate
Warning
If the tenant does not allow self-signed certificates, this certificate can NOT be self-signed.
The Identity Hub: Authentication Request Signing and Encryption Certificate
A certificate is required for The Identity Hub to sign the requests it sends to the ADFS server and to decrypt the responses it receives from the ADFS server.
Such a certificate can be acquired from certificate providers like VeriSign and GlobalSign.
An example is: https://ssl.comodo.com/comodo-ssl-certificate.php
The CN of the certificate has to clearly identify The Identity Hub server.
The certificate must use the SHA-256 signature algorithm (minimum) with a 2048-bit key.
Warning
If the tenant does not allow self-signed certificates, this certificate can NOT be self-signed.
Configuring the ADFS Server and The Identity Hub
Tip
For both the ADFS server and The Identity Hub: make sure the server can reach the Certificate Revocation List URLs of the certificates, otherwise revocation checking of the certificates fails.
Install the ADFS Service Communication and Token Signing Certificate
For installing the Token Signing Certificate see: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs#if-youre-not-using-self-signed-certificates
For installing the Service Communication Certificate see: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap
Create a new SAMLP Account Provider in The Identity Hub
For general documentation on configuring a SAMLP Account Provider see SAML-P Account Provider.
To configure a SAML-P Account Provider you have two options:
- Supply the metadata of the identity provider via a URL or file.
- Configure the parameters manually.
Supply the metadata of the identity provider via a URL or file.
- In Federation Metadata URL, type the ADFS Federation Metadata URL. This URL is https://[URL of ADFS Server]/FederationMetadata/2007-06/FederationMetadata.xml
- If the ADFS Federation Metadata URL cannot be reached, you can also upload the Federation Metadata file in Federation Metadata file.
- On the General tab set a Name.
- On the Service Provider tab select a Service Provider Certificate (the private key file) and type the certificate password in Service Provider Certificate Password. This is the private key of the certificate obtained in The Identity Hub: Authentication Request Signing and Encryption Certificate.
- On the Advanced tab set Name Id Policy Format to http://schemas.xmlsoap.org/claims/UPN
- Click Save.
Configure the parameters manually.
For more information on the configuration parameters see Specific configuration parameters for the SAML-P Account Provider.

| Parameter | Description |
|---|---|
| Service Provider tab: Service Provider Certificate | This is the private key of the certificate (pfx) obtained in The Identity Hub: Authentication Request Signing and Encryption Certificate. |
| Identity Provider tab: Sign On Endpoint URL | https://[URL of ADFS Server]/adfs/ls/ |
| Identity Provider tab: Single Log Out Endpoint URL | https://[URL of ADFS Server]/adfs/ls/ |
| Identity Provider tab: Sign On Endpoint Protocol Binding | Http Post |
| Identity Provider tab: Single Log Out Endpoint Protocol Binding | Http Post |
| Identity Provider tab: Identity Provider Certificate (Primary) | This is the public key of the certificate (cer) obtained in ADFS: Token Signing Certificate. |
| Advanced tab: Assertions must be signed | true |
| Advanced tab: Sign on response must be signed | false |
| Advanced tab: Single log out response must be signed | true |
| Advanced tab: Authn Context Comparison | Better |
| Advanced tab: Secure Hash Algorithm | SHA256 |
| Advanced tab: Name Id Policy Format | http://schemas.xmlsoap.org/claims/UPN |
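When the metadata URL is supplied, The Identity Hub reads the identity provider settings from FederationMetadata.xml itself; when the URL cannot be reached and the parameters above are entered by hand, the same values can be read out of the downloaded metadata file. The following Python script is an added example, not part of this guide or of The Identity Hub, that extracts the Sign On / Single Log Out endpoints with the HTTP-POST binding and the published token signing certificate using only the standard library. The metadata sample is constructed and trimmed (real ADFS metadata also carries WS-Federation role descriptors and an enveloped XML signature), and the X509Certificate values are placeholders rather than real certificates.

```python
"""Extract the manual SAML-P Account Provider parameters from ADFS federation metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, trimmed sample of what ADFS publishes at
# https://<adfs host>/FederationMetadata/2007-06/FederationMetadata.xml.
# The certificate values are placeholders, not real certificates.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-SIGNING-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _endpoint(idp, element, binding):
    """Return the Location of the first <element> that uses the wanted binding, or None."""
    for ep in idp.findall(f"md:{element}", NS):
        if ep.get("Binding") == binding:
            return ep.get("Location")
    return None


def extract_samlp_settings(metadata_xml):
    """Map federation metadata onto the manual SAML-P Account Provider parameters.

    Raises ValueError when the metadata lacks something the manual configuration
    needs: HTTP-POST sign-on/logout endpoints, a signing certificate, or HTTPS
    endpoint URLs. Metadata fetched over the network is untrusted input until its
    XML signature has been verified; that verification is out of scope here.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
    signing_certs = [
        (cert.text or "").strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    if not signing_certs:
        raise ValueError("metadata publishes no token signing certificate")

    sign_on = _endpoint(idp, "SingleSignOnService", HTTP_POST)
    logout = _endpoint(idp, "SingleLogoutService", HTTP_POST)
    if sign_on is None or logout is None:
        raise ValueError("HTTP-POST sign-on/logout endpoints are not published")
    for url in (sign_on, logout):
        if not url.startswith("https://"):
            raise ValueError(f"endpoint is not HTTPS: {url}")

    return {
        "entity_id": root.get("entityID"),
        "sign_on_endpoint_url": sign_on,
        "sign_on_binding": "Http Post",
        "single_log_out_endpoint_url": logout,
        "single_log_out_binding": "Http Post",
        # ADFS lists two signing certificates during a certificate rollover;
        # the one to enter as "Identity Provider Certificate (Primary)" is the
        # primary token signing certificate on the ADFS server.
        "identity_provider_certificates": signing_certs,
    }


if __name__ == "__main__":
    for key, value in extract_samlp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The script deliberately refuses metadata whose endpoints are not HTTPS or that carries no signing certificate, since both the Service Communication Certificate and the Token Signing Certificate are required for this setup; a refusal points at a misconfigured ADFS server rather than at The Identity Hub.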
Create a new Relying Party for The Identity Hub in the ADFS Server Management Console
For details on how to create a new Relying Party see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust#to-create-a-claims-aware-relying-party-trust-using-federation-metadata
The metadata URL for the configured SAMLP Account Provider in The Identity Hub can be found on the General tab of the SAMLP Account Provider configuration.
The metadata URL has the following format https://www.theidentityhub.com/{tenant}/AccountProviders/{accountproviderid}/FederationMetadata/2007-06/FederationMetadata.xml
Parameter values and configuration
| Parameter | Description |
|---|---|
| Display Name | Choose a name that clearly identifies The Identity Hub |
Configure the Relying Party Claims Provider Claim Rules in the ADFS Server Management Console
Configure the following Claim Rules for the Relying Party.
For more information on Claim Rules see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-claim-rules
| Claim Rule Name | Claim Rule Type | Description |
|---|---|---|
| The Identity Hub Mail Role GivenName SurName | Send LDAP Attributes as Claims | Attribute Store: Active Directory. Mappings (select the items from the drop-down lists, do not type them manually), LDAP Attribute => Outgoing Claim Type: E-Mail-Addresses => E-Mail Address; Given-Name => Given Name; Surname => Surname; Token-Groups - Unqualified Names => Role |
| The Identity Hub UPN | Send Claims using Custom Rule | `c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");` |
Configure the AD Claims Provider Claim Rules in the ADFS Server Management Console
Configure the following Claim Rules for the AD Claim Provider Trust.
For more information on Claim Rules see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-claim-rules
| Claim Rule Name | Claim Rule Type | Description |
|---|---|---|
| The Identity Hub UPN | Pass Through or Filter an Incoming Claim | If not already present, add this rule. Incoming Claim Type: UPN. Select "Pass through all claim values". |
Configure the SAMLP Account Provider in The Identity Hub
Configure the following claim mappings. You can also import them using Import claim mappings template with the following template:

```json
[
  {
    "inputClaimType": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "inputClaimValue": "",
    "outputClaimType": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "outputClaimValue": "",
    "removeOriginalOutputClaims": false,
    "removeDuringAuthentication": false
  },
  {
    "inputClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "inputClaimValue": "",
    "outputClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "outputClaimValue": "",
    "removeOriginalOutputClaims": false,
    "removeDuringAuthentication": false
  },
  {
    "inputClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "inputClaimValue": "",
    "outputClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "outputClaimValue": "",
    "removeOriginalOutputClaims": false,
    "removeDuringAuthentication": false
  },
  {
    "inputClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "inputClaimValue": "",
    "outputClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "outputClaimValue": "",
    "removeOriginalOutputClaims": false,
    "removeDuringAuthentication": false
  }
]
```

On the Advanced tab, configure the Service Provider Entity Id with the value "uri:" followed by the Service Provider Identifier shown on the Service Provider tab, i.e. uri:[Service Provider Identifier on the Service Provider tab].
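The claim rules on the ADFS side and the claim mappings on The Identity Hub side have to agree: every inputClaimType in the mapping template must actually be issued by the Relying Party rules, and the format property set in the custom UPN rule must equal the Name Id Policy Format configured on the Advanced tab. The following Python script is an added example, not part of this guide or of The Identity Hub, that performs that consistency check offline. It embeds the guide's custom rule and mapping template verbatim; the outgoing claim type URIs for the LDAP attribute rule are the standard ADFS claim types for E-Mail Address, Given Name, Surname and Role, and `parse_issue_rule` is a regex over this one rule shape, not a parser of the full claim rule language.

```python
"""Cross-check the ADFS claim rules of this guide against The Identity Hub claim mappings."""
import json
import re

# Outgoing claim types of the "Send LDAP Attributes as Claims" rule
# (standard ADFS claim type URIs for E-Mail Address, Given Name, Surname, Role).
LDAP_RULE_OUTPUTS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}

# The "Send Claims using Custom Rule" rule from the guide, verbatim.
UPN_RULE = (
    'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]'
    ' => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",'
    ' Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value,'
    ' ValueType = c.ValueType,'
    ' Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]'
    ' = "http://schemas.xmlsoap.org/claims/UPN");'
)

# The import template from the guide: same four entries, same values.
MAPPING_TEMPLATE = json.dumps([
    {"inputClaimType": t, "inputClaimValue": "", "outputClaimType": t,
     "outputClaimValue": "", "removeOriginalOutputClaims": False,
     "removeDuringAuthentication": False}
    for t in (
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    )
])

NAME_ID_POLICY_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"
FORMAT_PROPERTY = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
MAPPING_KEYS = {"inputClaimType", "inputClaimValue", "outputClaimType",
                "outputClaimValue", "removeOriginalOutputClaims", "removeDuringAuthentication"}


def parse_issue_rule(rule):
    """Extract the issued claim Type and the Properties[...] assignments of an issue() rule."""
    match = re.search(r"=>\s*issue\((.*)\);\s*$", rule, re.S)
    if not match:
        raise ValueError("not an issue() rule")
    body = match.group(1)
    # \bType does not match ValueType, so only the claim Type is picked up.
    type_match = re.search(r'\bType\s*=\s*"([^"]+)"', body)
    properties = dict(re.findall(r'Properties\["([^"]+)"\]\s*=\s*"([^"]+)"', body))
    return {"type": type_match.group(1) if type_match else None, "properties": properties}


def check_claim_pipeline(issued_types, custom_rules, mapping_json, name_id_policy_format):
    """Report mismatches between what ADFS issues and what the Account Provider expects.

    Empty lists and a True name id flag mean the two sides are consistent.
    """
    issued = set(issued_types)
    name_id_formats = []
    for rule in custom_rules:
        parsed = parse_issue_rule(rule)
        if parsed["type"]:
            issued.add(parsed["type"])
            if parsed["type"].endswith("/nameidentifier"):
                fmt = parsed["properties"].get(FORMAT_PROPERTY)
                if fmt:
                    name_id_formats.append(fmt)

    mappings = json.loads(mapping_json)
    malformed = [i for i, m in enumerate(mappings) if set(m) != MAPPING_KEYS]
    wanted = {m["inputClaimType"] for m in mappings if "inputClaimType" in m}
    return {
        "malformed_mapping_indexes": malformed,
        "inputs_not_issued_by_adfs": sorted(wanted - issued),
        "name_id_format_matches": name_id_policy_format in name_id_formats,
    }


if __name__ == "__main__":
    print(check_claim_pipeline(LDAP_RULE_OUTPUTS, [UPN_RULE], MAPPING_TEMPLATE, NAME_ID_POLICY_FORMAT))
```

A mapping that names a claim type the Relying Party rules never issue (for instance the raw UPN claim, which the rules above turn into the name identifier rather than forwarding) shows up in `inputs_not_issued_by_adfs`, which is the usual cause of an account provider that authenticates but yields empty profile claims.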
Test the authentication flow
To test the authentication flow, close all browser sessions and open a new one, navigate to your tenant (https://www.theidentityhub.com/{tenant}), select the ADFS Account Provider and try to authenticate with the configured SAMLP Account Provider.