Overview
ADFS (Active Directory Federation Services) is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. For more information about ADFS, see https://msdn.microsoft.com/en-us/library/bb897402.aspx
What you need:
ADFS requirements
- An Active Directory instance where all users have an email address attribute.
- A server running Microsoft Server 2012 or 2016. This guide uses screenshots from Server 2016R2.
- An SSL certificate to sign your ADFS login page and the fingerprint for that certificate.
Catchpoint requirements
- SSO must be enabled in the portal by your Catchpoint Representative.
- Federation Service Identifier.
- Your ADFS token signing certificate.
ADFS Setup
Add Relying Party Trusts
In ADFS Management, select Add Relying Party Trust.
Add Identifier:
https://portal.catchpoint.com/SAML2
Note: Do NOT add a slash "/" at the end of the identifier. ADFS matches the identifier exactly against the one the service provider sends, so a trailing slash makes the trust fail to resolve.
Add Logout Endpoint
In ADFS Management, open Trust Relationships, choose the Relying Party Trust, then on the Action menu click Properties.

Select the Endpoints tab and add the logout endpoint.
Click OK to finish adding the endpoint.
Export Certificate for Signature Verification
- In AD FS Management > Open Service > Select Certificates
- On the right-hand side, choose the "Token-signing" certificate.
- Select Version > Click Copy to File.
In AD FS Management > Open Trust Relationships > Choose the Relying Party Trust > On the Action menu click Properties > Select the Signature tab > Click Add

Select your exported certificate from the previous step.

Add Claim Attributes to your Relying Party Trust
In AD FS Management > Open Trust Relationships > Choose the Relying Party Trust > On the Action menu click Properties > Select Edit Claim Issuance Policy

Click Add Rule

In Claim rule template > Select Send LDAP Attributes as Claims
Name your Claim Rule
- Choose Active Directory in the Attribute Store Dropdown
- In the LDAP Attribute, Select E-Mail Addresses
- In the Outgoing Claim Type, Select E-Mail Address
- Click OK
- Click Add Rule
- In Claim rule template > Select Transform an Incoming Claim
Name your Claim Rule
- In Incoming claim type: Select E-Mail Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Click Add Rule
- In Claim rule template > Select Send Claim Using a Custom Rule
Name your Claim Rule
In the Custom Rule add:
=> issue(Type = "namespace", Value = "MyAdfsSSO");
Leave the Type attribute as "namespace". Note that this value is case sensitive.
The Value attribute should be the namespace value shown in the Catchpoint portal.
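The whole relying party trust from this section, built with the ADFS PowerShell module instead of the wizard, as an added example that is not part of the Catchpoint guide. It assumes the module is available on the federation server; the assertion consumer URL, logout URL and certificate file path are placeholders because the guide shows them only in screenshots.

```powershell
# Added example, not from the Catchpoint guide. Replace the placeholders
# <ACS-URL>, <LOGOUT-URL> and C:\path\token-signing.cer before running.
Import-Module ADFS

# The identifier must match what the service provider sends exactly: no trailing slash.
$identifier = 'https://portal.catchpoint.com/SAML2'

# Assertion consumer and logout endpoints (values come from the wizard screenshots, so placeholders here).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri '<ACS-URL>' -Index 0
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri '<LOGOUT-URL>'
)

# Certificate exported under "Export Certificate for Signature Verification" (placeholder path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\token-signing.cer'

# The three claim rules from the guide, written in ADFS claim rule language:
# 1) mail attribute -> E-Mail Address claim, 2) E-Mail Address -> Name ID (email format),
# 3) the custom "namespace" claim with the value from the Catchpoint portal.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "Catchpoint namespace"
=> issue(Type = "namespace", Value = "MyAdfsSSO");
'@

# Issuance authorization: the wizard default "Permit everyone" expressed as a rule.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name 'Catchpoint' -Identifier $identifier -SamlEndpoint $endpoints `
    -RequestSigningCertificate $cert -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the stored identifier has no trailing slash and all three rules are present.
Get-AdfsRelyingPartyTrust -Name 'Catchpoint' | Select-Object Identifier, IssuanceTransformRules
```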
Catchpoint Setup
Setup ADFS SSO in Catchpoint portal
Locating your Federation Service Identifier
Catchpoint SSO Settings
In the Catchpoint portal > go to Settings > Select SSO Identity Provider
Identity Provider Issuer: adfs2.yourdomain.net (see the section Locating your Federation Service Identifier)
Single Sign-On URL: https://adfs2.yourdomain.net/adfs/ls/IdPInitiatedSignonPage
Logout URL: https://adfs.yourdomain.net/adfs/ls/?wa=wsignout1.0
Certificate: the token-signing certificate (see the section Export Certificate for Signature Verification).
Copying your certificate signature.