Active Directory Federation Services (ADFS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with SSO access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity.
This article describes the d!nk Single Sign-On (SSO) integration with Active Directory Federation Services (ADFS) over SAML 2.0, which is supported from Windows Server 2012 onwards.
On Windows Server 2016 and later it is also possible to configure OpenID Connect, as described at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs. Where it is available, OpenID Connect is preferable to SAML 2.0.
The steps below cover the SAML 2.0 configuration; configuring OpenID Connect for the d!nk integration is described in its own article.
1. Configuring Relying Party Trust
d!nk has to be added as a relying party trust.
That process is described at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust. d!nk will provide the SAML 2.0 SSO service URL, i.e. the endpoint ADFS posts the signed SAML response to; enter it in the wizard together with the relying party trust identifier for d!nk.
The images below show some examples of configuration:
After setup, the Relying Party Trust should look similar to the image below in ADFS management:
2. Needed information for d!nk
The following information needs to be provided to d!nk:
- EntityId
- signOnUrl
- certificate
2.1. EntityId
The EntityId is the entityID attribute of the EntityDescriptor root element of the FederationMetadata.xml file. It is the Federation Service identifier (by default http://<yourhost.com>/adfs/services/trust; note the http scheme, which is an identifier, not a URL to connect to).
That file is usually located at https://<yourhost.com>/FederationMetadata/2007-06/FederationMetadata.xml
You can get details about these endpoints in ADFS Management, under ADFS > Service > Endpoints, and the identifier under ADFS > Service > Edit Federation Service Properties.
An example:
2.2. SignOnURL
The SignOn URL is usually located at https://<yourhost.com>/adfs/ls/idpinitiatedsignon, but can be customized. You will need to provide the correct SignOn URL to d!nk.
Note that /adfs/ls/idpinitiatedsignon is the IdP-initiated sign-on page; the SP-initiated SAML 2.0 endpoint, published in FederationMetadata.xml as SingleSignOnService, is https://<yourhost.com>/adfs/ls/. Confirm with d!nk which flow they use. On Windows Server 2016 and later the IdP-initiated page is disabled by default and has to be enabled explicitly (Set-AdfsProperties -EnableIdpInitiatedSignonPage $true) if it is needed.
2.3. Certificate
You will need to provide the Base64-encoded X.509 token-signing certificate (the public certificate only, never the private key) that d!nk uses to verify the signature of the tokens. It can be exported from ADFS Management under ADFS > Service > Certificates (Token-signing, export as Base-64 encoded X.509 .CER), and it is also published in FederationMetadata.xml as a KeyDescriptor with use="signing". If ADFS uses automatic certificate rollover (the default), a secondary token-signing certificate is generated before the primary expires and is later promoted to primary; provide that future certificate to d!nk as well, otherwise sign-in breaks at rollover.
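The following script gathers the three values from section 2 on the ADFS server itself and cross-checks them against the published FederationMetadata.xml, so that what is sent to d!nk matches what ADFS actually signs with. It is an added example, not a script from d!nk or Microsoft; it assumes an elevated PowerShell session on the primary ADFS server, and the output folder C:\dink-sso is a placeholder.

```powershell
# Added example (not d!nk's or Microsoft's own script). Run elevated on the primary ADFS server.
# Assumption: $outDir is a placeholder; only public certificates are written, no private keys.
Import-Module ADFS
$outDir = 'C:\dink-sso'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$props = Get-AdfsProperties

# 2.1 EntityId: the Federation Service identifier, which is also the entityID attribute in the metadata
"EntityId       : $($props.Identifier)"

# Fetch the published metadata and cross-check identifier and endpoints against it
$mdUrl = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
$md = [xml](Invoke-WebRequest -Uri $mdUrl -UseBasicParsing).Content
if ($md.EntityDescriptor.entityID -ne $props.Identifier) {
    Write-Warning "Metadata entityID '$($md.EntityDescriptor.entityID)' differs from Get-AdfsProperties Identifier"
}

# 2.2 SignOn URL: take the SAML 2.0 SingleSignOnService locations from the metadata rather than assuming a path.
# The IdP-initiated page (/adfs/ls/idpinitiatedsignon) is separate and, on 2016+, disabled by default.
$md.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    ForEach-Object { "SingleSignOn   : {0}  ({1})" -f $_.Location, ($_.Binding -replace '.*:', '') }
"IdP-initiated  : https://$($props.HostName)/adfs/ls/idpinitiatedsignon  (enabled: $($props.EnableIdpInitiatedSignonPage))"

# 2.3 Certificates: export every token-signing certificate (primary and, under auto-rollover, the future one)
$mdSigningCerts = $md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate -replace '\s', '' }

foreach ($c in Get-AdfsCertificate -CertificateType Token-Signing) {
    $role = if ($c.IsPrimary) { 'primary' } else { 'secondary' }
    $der  = $c.Certificate.RawData
    $pem  = "-----BEGIN CERTIFICATE-----`n" +
            [Convert]::ToBase64String($der, 'InsertLineBreaks') +
            "`n-----END CERTIFICATE-----"
    $file = Join-Path $outDir ("dink-token-signing-{0}-{1}.cer" -f $role, $c.Thumbprint)
    Set-Content -Path $file -Value $pem -Encoding ASCII

    # The thumbprint ADFS shows is the SHA-1 hash of the DER bytes; d!nk can compare it after import
    $published = $mdSigningCerts -contains [Convert]::ToBase64String($der)
    "Token-signing  : {0,-9} thumbprint {1} expires {2:u} in metadata={3} -> {4}" -f `
        $role, $c.Thumbprint, $c.Certificate.NotAfter, $published, $file
}

if ($props.AutoCertificateRollover) {
    "AutoCertificateRollover is on: a new secondary certificate is generated $($props.CertificateGenerationThreshold) days " +
    "before expiry and promoted to primary $($props.CertificatePromotionThreshold) days later. " +
    "Send d!nk the secondary certificate as well, or tokens will be rejected after rollover."
}
```

Send d!nk the EntityId line, the SingleSignOn (or IdP-initiated) URL they asked for, and every .cer file written; the in-metadata flag should read True for each certificate, otherwise the ADFS farm and the published metadata are out of sync.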
3. Required claims
d!nk will need at least the following user attributes, issued as claims in the SAML assertion:
- First name - ClaimTypes.GivenName (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)
- Last name - ClaimTypes.Surname (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)
- Name Id - ClaimTypes.NameIdentifier (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier)
- Email - ClaimTypes.Email (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
Example of the rule to send the values to d!nk is below:
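The same configuration done from PowerShell instead of the wizard, covering the relying party trust from section 1 and the four claims from section 3 in one step. This is an added example, not d!nk's or Microsoft's script: the d!nk entity ID and assertion consumer URL are placeholders for the values d!nk supplies, the AD group SID is a placeholder, and using the e-mail address as the Name ID is an assumption that should be confirmed with d!nk.

```powershell
# Added example (not d!nk's or Microsoft's own script). Run elevated on the primary ADFS server.
# Assumptions: the three values below are placeholders; e-mail is used as the SAML Name ID.
Import-Module ADFS

$dinkName        = 'd!nk'
$dinkEntityId    = 'https://sso.dink.example/saml/metadata'   # placeholder: relying party identifier from d!nk
$dinkAcsUrl      = 'https://sso.dink.example/saml/acs'        # placeholder: SAML 2.0 SSO service URL from d!nk
$allowedGroupSid = 'S-1-5-21-0-0-0-1234'                      # placeholder: SID of the AD group allowed to use d!nk

# Issuance transform rules in the ADFS claim rule language: pull givenName, sn and mail from AD,
# then copy the e-mail claim into the Name ID with an explicit nameid-format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "d!nk user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";givenName,sn,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail address as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: permit only members of one group instead of the wizard's "Permit everyone" default.
$authzRules = @"
@RuleName = "Permit members of the d!nk users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$allowedGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $dinkAcsUrl -Index 0 -IsDefault $true

Add-AdfsRelyingPartyTrust -Name $dinkName `
    -Identifier $dinkEntityId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SamlResponseSignature MessageAndAssertion `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -NotBeforeSkew 0

# Check the result: identifier, endpoint, signing settings and the rules as stored
Get-AdfsRelyingPartyTrust -Name $dinkName |
    Select-Object Name, Identifier, SamlResponseSignature, SignatureAlgorithm, IssuanceTransformRules, IssuanceAuthorizationRules |
    Format-List
```

Signing both the message and the assertion with RSA-SHA256 is chosen here so that d!nk can verify the whole response; if d!nk only verifies the assertion, AssertionOnly also works, but SHA-1 should not be used. The transform rules produce exactly the four claim types listed above, which is what d!nk requires.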