
ADFS User SAML Instructions

Operation scenario

Active Directory Federation Services (ADFS) is the federation service that ships with Microsoft Windows Server. ADFS is a technology that lets users authenticate once and then access multiple web applications during a single session. You can use User SSO to integrate ADFS with HAP so that ADFS accounts can sign in to and manage resources in the HAP console.

Prerequisites

  1. Have a Windows Server machine (this guide uses Windows Server 2012 R2; the configuration on Windows Server 2016/2019 differs slightly).

  2. Complete the following setup on that server:

    • DNS server: resolves authentication requests to the correct Federation Service.
    • Active Directory Domain Services (AD DS): provides functions such as creating, querying, and modifying objects such as domain users and domain devices.
    • Active Directory Federation Services (AD FS): provides the configuration of SSO relying parties and SSO authentication for the configured relying parties.

Steps

Install and deploy Microsoft AD

Note

If you have already installed and deployed Microsoft AD, you can ignore steps 1-5.

  1. On the server, go to Server Manager > Dashboard and click Add roles and features, as shown in the figure below. [Figure a1]

  2. Keep clicking Next until you reach Install, then click it to complete the installation, as shown in the figures below. [Figures a2 to a8]

  3. After the installation is complete, click Promote this server to a domain controller, as shown in the figure below. [Figure a9]

  4. Select Add a new forest on the Deployment Configuration page and set the Root domain name to testdomain.com, as shown in the figure below. [Figure a10]

  5. Enter the password in Domain Controller Options, as shown in the figures below. When done, click Next and then Install to complete the installation. [Figures a11 to a14]

Install CA

  1. On the cloud server, go to Server Manager > Dashboard and click Add roles and features, as shown below. [Figure a15]

  2. Keep clicking Next until the Server Roles page, and under Roles select Active Directory Certificate Services, as shown below. [Figure a16]

  3. Keep clicking Next until you reach the AD CS Role Services page, and select Certification Authority and Certification Authority Web Enrollment, as shown in the figures below. [Figures a17 to a18]

  4. Keep clicking Next until the Results page, then click the link shown below to open AD CS Configuration. [Figures a19 to a21]

  5. Click Next; on the Role Services page, check the items shown in the figure below, and click Next. [Figure a22]

  6. On the Setup Type page, select Enterprise CA, as shown in the following figure. [Figure a23]

  7. On the CA Type page, select Root CA, as shown in the figure below. [Figure a24]

  8. On the Private Key page, select Create a new private key, as shown in the figures below. [Figures a25 to a28]

  9. On the Certificate Database page, enter the database information and click Next, as shown below. [Figures a29 to a31]

  10. Visit http://localhost/certsrv to confirm that the CA was installed successfully, as shown below. [Figure a32]

Install ADFS service

Before configuring ADFS, you need to issue a certificate to the computer or to a designated user or computer. So before installing ADFS, create and configure that certificate; in this article the certificate is requested through IIS.

  1. Click Server Manager > Tools and select IIS Manager. [Figure a33]

  2. In IIS Manager, click Server Certificates, as shown below. [Figure a34]

  3. On the Server Certificates page, click Create Certificate Request, as shown below. [Figures a35 to a38]

  4. Visit http://localhost/certsrv and click Request a certificate > advanced certificate request > Submit a certificate request by using a base-64-encoded file, as shown below. [Figures a39 to a41]

  5. On the certificate request page that opens, copy the contents of the request file saved when creating the request (adserver2.txt in step 3) into the input box. Select Web Server as the certificate template and click Submit, as shown in the figure below. [Figure a42]

  6. After submitting, click Download certificate, as shown below. [Figures a43 to a44]

  7. On the Server Certificates page, click Complete Certificate Request and, on the page that opens, select the certificate downloaded in step 6, as shown below. [Figures a45 to a46]

  8. Under Sites > Default Web Site, right-click and choose Edit Bindings, as shown below. [Figure a47]

  9. On the Site Bindings page that opens, click Add, set Type to https, IP address to All Unassigned, Port to 443, and SSL certificate to adserver2.cert, as shown in the following figure. [Figure a48]

  10. On the server, go to Server Manager > Dashboard, click Add roles and features, and keep clicking Next, accepting the default selections.

  11. On the Server Roles page, check Active Directory Federation Services and click Next. [Figure a49]

  12. On the wizard page that opens, click Next. [Figure a50]

  13. On the installation completion page, click Configure the federation service on this server. [Figure a51]

  14. On the wizard page that opens, click Next. [Figures a52 to a53]

  15. On Specify Service Properties, select and fill in the required data, and click Next. [Figure a54]

  16. On Specify Service Account, choose to use an existing domain user account or group Managed Service Account, and click Select. [Figures a55 to a57]

  17. On Specify Database, click Next. [Figures a58 to a59]

  18. Visit https://adserver2.testdomain.com/FederationMetadata/2007-06/FederationMetadata.xml in a browser to check whether the installation succeeded. [Figure a60]

User SSO configuration

  1. Open https://adserver2.testdomain.com/FederationMetadata/2007-06/FederationMetadata.xml in the server's browser and download the metadata XML locally. Here, the command line is used to export the data. [Figure a61]

  2. In HAP, enable the SAML2 integration and, following the integration document, upload the XML file saved in step 1 (the integration document calls it idp.xml).

  3. On the server, open the ADFS management console, select Trust Relationships > Relying Party Trusts, right-click and select Add Relying Party Trust, click Start, and enter the federation metadata address obtained in step 2; then keep clicking Next, as shown below. [Figure a62]

  4. Here, choose to import the data from a remote metadata address. For the HAP system this is generally {server}/orgsso/metadata.xml. [Figures a63 to a64]

  5. Keep clicking Next. [Figure a65]

  6. After the configuration is complete, you can visit https://adserver2.testdomain.com/adfs/ls/idpinitiatedsignon to view the trusted sites. [Figure a66]
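The command-line export mentioned in step 1, as an added example rather than the guide's own commands: it downloads the ADFS federation metadata to idp.xml and reports the entityID, the HTTP-Redirect SSO endpoint and the token-signing certificate(s) that HAP will validate assertions against. The host name is the guide's adserver2.testdomain.com; the output path is an assumption.

```powershell
# Added example (not from the original guide): fetch the ADFS federation metadata
# from the command line, save it as idp.xml, and report the values HAP will rely on.
# The host name is the guide's adserver2.testdomain.com; the output path is an assumption.
$MetadataUrl = 'https://adserver2.testdomain.com/FederationMetadata/2007-06/FederationMetadata.xml'
$OutFile     = Join-Path $PWD 'idp.xml'

# Fetch over HTTPS from the ADFS host itself; -UseBasicParsing avoids the IE dependency on 2012 R2.
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

[xml]$md = Get-Content -Path $OutFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# entityID: the only Issuer value HAP should accept in assertions from this IdP.
$entityId = $md.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')

# HTTP-Redirect SSO endpoint that HAP sends its AuthnRequest to (the /adfs/ls/ URL).
$sso = $md.SelectSingleNode(
    "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']",
    $ns)

# Token-signing certificate(s). ADFS lists two during certificate rollover, so take all of them:
# HAP must trust the one it validates assertion signatures against.
$signing = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    }

[pscustomobject]@{
    EntityId       = $entityId
    SsoRedirectUrl = $sso.GetAttribute('Location')
    SigningCerts   = $signing | ForEach-Object { '{0} (expires {1:yyyy-MM-dd})' -f $_.Thumbprint, $_.NotAfter }
}
```

Compare the reported thumbprint with the certificate shown under ADFS > Service > Certificates > Token-signing before uploading idp.xml to HAP.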

Configure SAML assertion attributes for SP

  1. Add mapping rules. [Figure a67]

  2. Select a rule template according to your situation. You can customize a template or select an existing rule. [Figure a68]

  3. Here, as an example, three existing rules are added, mapping user ID, Name, and Email to the corresponding user attributes used for account creation. [Figures a69 to a70]
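The relying party trust from the previous section and the three attribute mappings above, done from the ADFS PowerShell module instead of the wizard. This is an added example, not the guide's or HAP's own commands: a single LDAP claim rule issues the user ID, Name and Email claims, and hap.example.com stands in for {server}.

```powershell
# Added example (not from the original guide): create the HAP relying party trust from
# its metadata URL and attach the claim rules for user ID, Name and Email.
# hap.example.com is an assumed stand-in for {server}; adjust the claim URIs to what HAP expects.
Import-Module ADFS

$RpName     = 'HAP'
$RpMetadata = 'https://hap.example.com/orgsso/metadata.xml'   # {server}/orgsso/metadata.xml

# Claim rule language: one LDAP rule reads sAMAccountName, displayName and mail from
# Active Directory and issues them as the three SAML attributes HAP uses for account creation.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "HAP account attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";sAMAccountName,displayName,mail;{0}", param = c.Value);
'@

# Issuance authorization: permit every user who authenticated to ADFS to receive a token
# for this RP. Replace with a group-based rule to restrict who may reach HAP.
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Monitoring + auto-update keep the SP's certificates and endpoints in sync with its metadata.
Add-AdfsRelyingPartyTrust -Name $RpName -MetadataUrl $RpMetadata `
    -IssuanceTransformRules $IssuanceRules `
    -IssuanceAuthorizationRules $AuthorizationRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Confirm the identifier and that the SP's certificates were imported from its metadata.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, MetadataUrl, RequestSigningCertificate, EncryptionCertificate
```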

User SSO login

  1. Open {server}/orgsso/sso in the browser. [Figure a71]

  2. The browser is redirected with a SAMLRequest to https://adserver2.testdomain.com/adfs/ls/?SAMLRequest=xxx. [Figure a72]

  3. Enter the adserver2 domain username and password to complete login to the system, as shown in the figure below. [Figure a73]
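The redirect in step 2 carries the AuthnRequest as a DEFLATE-compressed, base64-encoded, URL-encoded SAMLRequest parameter. The added example below (not part of the guide or of HAP) builds such a URL from a constructed AuthnRequest and decodes it again, so the Issuer, AssertionConsumerServiceURL and Destination can be checked against the relying party trust; hap.example.com, the /orgsso/acs path and the request ID are assumptions.

```powershell
# Added example (not from the original guide): reproduce and decode the SAMLRequest that
# step 2 sends to https://adserver2.testdomain.com/adfs/ls/ so the Issuer, ACS URL and
# Destination can be compared with the relying party trust configured in ADFS.
# hap.example.com, /orgsso/acs and the request ID are constructed assumptions.
Add-Type -AssemblyName System.Web

function ConvertTo-SamlRedirectUrl {
    param([Parameter(Mandatory)][string]$AuthnRequestXml,
          [string]$IdpSsoUrl = 'https://adserver2.testdomain.com/adfs/ls/')
    # HTTP-Redirect binding: SAMLRequest = urlencode(base64(DEFLATE(xml))).
    $ms = New-Object System.IO.MemoryStream
    $ds = New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $buf = [System.Text.Encoding]::UTF8.GetBytes($AuthnRequestXml)
    $ds.Write($buf, 0, $buf.Length)
    $ds.Dispose()   # flushes the final deflate block; $ms stays open
    $IdpSsoUrl + '?SAMLRequest=' + [uri]::EscapeDataString([Convert]::ToBase64String($ms.ToArray()))
}

function ConvertFrom-SamlRedirectUrl {
    param([Parameter(Mandatory)][string]$RedirectUrl)
    $query = [System.Web.HttpUtility]::ParseQueryString(([uri]$RedirectUrl).Query)
    $bytes = [Convert]::FromBase64String($query['SAMLRequest'])
    $ds = New-Object System.IO.Compression.DeflateStream(
        (New-Object System.IO.MemoryStream(,$bytes)), [System.IO.Compression.CompressionMode]::Decompress)
    $reader = New-Object System.IO.StreamReader($ds, [System.Text.Encoding]::UTF8)
    [xml]$req = $reader.ReadToEnd()
    $reader.Dispose()
    # PowerShell's XML adapter resolves elements by local name, so namespace prefixes are not needed.
    [pscustomobject]@{
        Id          = $req.AuthnRequest.ID
        Issuer      = $req.AuthnRequest.Issuer                       # must equal the RP identifier in ADFS
        AcsUrl      = $req.AuthnRequest.AssertionConsumerServiceURL  # must be an endpoint of that RP
        Destination = $req.AuthnRequest.Destination                  # must be this ADFS /adfs/ls/ URL
    }
}

# Constructed AuthnRequest standing in for what HAP generates at {server}/orgsso/sso.
$sample = @"
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://adserver2.testdomain.com/adfs/ls/"
    AssertionConsumerServiceURL="https://hap.example.com/orgsso/acs">
  <saml:Issuer>https://hap.example.com/orgsso/metadata.xml</saml:Issuer>
</samlp:AuthnRequest>
"@
ConvertFrom-SamlRedirectUrl -RedirectUrl (ConvertTo-SamlRedirectUrl -AuthnRequestXml $sample)
```

ADFS rejects a request whose Issuer does not match a configured relying party identifier or whose ACS URL is not one of that party's endpoints, so these are the first values to check when the redirect in step 2 fails.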