Configure ADFS with Password Safe Using SAML

Configure ADFS on the Identity Provider Server

  1. Open the ADFS management console.
  2. Expand Trust Relationships.
  3. Right-click Relying Party Trusts.

    Screen capture of the AD FS 2.0 Add Relying Party Trust option

  4. Select Add Relying Party Trust.
  5. Click Start.

    Screen capture of the Select Data Source option in the Add Relying Party Trust Wizard

  6. Select Enter data about the relying party manually, and then click Next.

    Screen capture of the Specify Display Name option in the Add Relying Party Trust Wizard

  7. Enter a Display name, and then click Next.

    Screen capture of the Choose Profile option in the Add Relying Party Trust Wizard

  8. Leave AD FS 2.0 profile selected, and then click Next.

    Screen capture of the Configure Certificate option in the Add Relying Party Trust Wizard

  9. Click Browse on the Configure Certificate screen to import the service provider (SP) public certificate.
  10. Navigate to the location of the SP certificate.
  11. Select the certificate, click Open, and then click Next.

    Screen capture of the Configure URL option in the Add Relying Party Trust Wizard

  12. Select Enable support for the SAML 2.0 WebSSO protocol.
  13. Enter the Relying party SAML 2.0 SSO service URL, and then click Next.

    Screen capture of the Configure Identifiers option in the Add Relying Party Trust Wizard

  14. Enter the Relying party trust identifier, click Add, and then click Next.

    Screen capture of the Choose Issuance Authorization Rules option in the Add Relying Party Trust Wizard

  15. Select the preferred method of access, and then click Next. The default is Permit all users.

    Screen capture of the Ready to Add Trust option in the Add Relying Party Trust Wizard

  16. Click Next, and then click Close.
  17. Click Add Rule.

    Screen capture of selecting the Send Group Membership as a Claim rule template in the Add Transform Claim Rule Wizard

  18. Select the Send Group Membership as a Claim rule template, and then click Next.

    Screen capture of configuring the claim rule in the Add Transform Claim Rule Wizard

  19. Enter a name for the claim rule.
  20. Select the User's group.
  21. Select the Outgoing claim type.
  22. Select the Outgoing claim value.
  23. Click Finish.

The outgoing Group claim value must match exactly the group name configured in BeyondInsight.

  24. Click Add Rule.

    Screen capture of selecting the Send LDAP Attributes as Claims rule template in the Add Transform Claim Rule Wizard

  25. Select the Send LDAP Attributes as Claims rule template, and then click Next.

    Screen capture of configuring claim rule attributes in the Add Transform Claim Rule Wizard

  26. Enter a Claim rule name.
  27. Select the Attribute store.
  28. Select User-Principal-Name for the LDAP Attribute.
  29. Select Name as the Outgoing Claim Type.
  30. Click Finish.
  31. On the Relying Party Trusts page, right-click BT Service Provider, and then select Properties.

    Screen capture of Relying Party Trusts - Add Service Provider Public Certificate

  32. Select the Signature tab.
  33. Click Add, and then select the service provider public certificate.
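The same relying party trust and claim rules that the wizard steps above create, built with the AD FS PowerShell module instead, as an added example (not a BeyondTrust script). It assumes a hypothetical SP host name, certificate path, group SID and group name, and uses a labelled placeholder for the SP SSO service URL, which the page does not give; the rule text is what the two rule templates and the Permit all users option emit.

```powershell
# Added example: scripted equivalent of the ADFS wizard steps above.
Import-Module ADFS

$spHost   = 'passwordsafe.example.com'                  # assumption: U-Series appliance host
$spEntity = "https://$spHost/eEye.RetinaCSSAML"          # Relying party trust identifier (SP Entity ID)
$spSsoUrl = "https://$spHost/<SP-SAML-SSO-SERVICE-PATH>"  # placeholder: SAML 2.0 SSO service URL from the appliance
$spCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\sp-public.cer'  # assumption: SP public certificate

# Issuance authorization: the wizard default, Permit all users.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Send Group Membership as a Claim: the outgoing Value must match the group name
# configured in BeyondInsight exactly. SID and group name below are assumptions.
$groupRule = @'
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Password Safe group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-1001", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "PasswordSafeUsers", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Send LDAP Attributes as Claims: User-Principal-Name issued as the Name claim.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Configure Certificate (encryption) and Signature tab (request signing) both take the SP public certificate.
# POST binding for the assertion consumer endpoint is an assumption; match it to the SP configuration.
Add-AdfsRelyingPartyTrust -Name 'BT Service Provider' `
    -Identifier $spEntity `
    -SamlEndpoint (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $spSsoUrl) `
    -EncryptionCertificate $spCert `
    -RequestSigningCertificate $spCert `
    -IssuanceAuthorizationRules $permitAll `
    -IssuanceTransformRules ($groupRule + "`n" + $ldapRule)

# Verify the identifier, endpoint and signing certificate landed on the trust.
Get-AdfsRelyingPartyTrust -Name 'BT Service Provider' |
    Select-Object Name, Identifier, SamlEndpoints, RequestSigningCertificate
```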

 

Configure SAML on the Service Provider Server (U-Series Appliance)

To configure SAML, go to the Dashboard or Menu and click Configuration. Under Multi-Factor Authentication, click SAML Configuration.

Screenshot of Identity Provider Settings for ADFS SAML configuration

Identity Provider Settings:

  1. Entity ID: The name of the identity provider (IdP) entry, normally supplied by the provider.
  2. Single Sign-on Service URL: The SSO URL, from the provider.
  3. SSO URL Protocol Binding: Select the binding type, Redirect or Post.
  4. Single Logout Service URL: The SLO URL, from the provider.
  5. SLO URL Protocol Binding: Select the binding type, Redirect or Post.

 

Screenshot of the three Identity Provider Signature Setting options for ADFS SAML configuration

Encryption and Signing Configuration:

  1. Depending on the IdP configuration, check any of the first three settings: Sign Authentication Request, Sign Logout Request, and Sign Logout Response.

 

Screenshot of the Service Provider Signature Setting options for ADFS SAML configuration

  1. Check the appropriate service provider (SP) settings.

 

Screenshot of the miscellaneous Identity Provider Signature Setting options for ADFS SAML configuration

  1. Check any required miscellaneous settings.

 

Screenshot of the Signature Method dropdown for ADFS SAML configuration

  1. Select the Signature Method from the dropdown list. Use the method your IdP requires.

 

Screenshot of the Current Identity Provider Certificate and option to upload.

  1. Upload the identity provider certificate.

 

Service Provider (SP) Settings:

Screenshot of the Service Provider Settings for ADFS SAML configuration

  1. Entity ID: The fully qualified domain name of the appliance, followed by the file name:

    https://<serverURL>/eEye.RetinaCSSAML

  2. Click SAVE SAML CONFIGURATION.

 

Screenshot of the enabled option to download the SP certificate

  1. Once the SAML configuration is saved, a public SP certificate is available to download. Upload it to the IdP if required (this is the certificate added on the Signature tab of the relying party trust).