Navigating the ADFS tab
ADFS tab

Interface feature descriptions
| Interface feature | Description |
|---|---|
| Refresh | Refreshes the BMC Defender Server window. |
| Edit | Enables you to change the parameter values. Some of these values can be auto-configured by using the Wizard (if the Discovery Endpoint URL of the ADFS Server is known). |
| Wizard | Runs a wizard that automatically configures the endpoint URLs from the Discovery Endpoint. The Discovery Endpoint is the URL of a JSON document (the OpenID Connect discovery document) that describes the ADFS Server's endpoint URLs and capabilities. The URL of this document can be found on the ADFS Server by navigating to ADFS > Service > Endpoints (in the left pane of the native ADFS Windows management console) and locating the endpoint of type OpenID Connect Discovery. This button is available in both the top-level window and the Edit window. |
| Enable ADFS Logon Functions | Enabled or Disabled. ADFS functions are available only if the setting is Enabled, so this field can be used to turn ADFS off completely if needed. When Disabled, end users must use the local logon interface of the BMC Defender Server. |
| Client ID | Client ID of the BMC Defender application, as configured in ADFS. The Client ID is typically a random identifier generated by ADFS when the application is first registered. Obtain the Client ID from the ADFS system, and then copy and paste the value into the BMC Defender Server. |
| Client Secret | The Client Secret of the BMC Defender application, a random value generated by ADFS when the application is first registered. You can generate new secrets in ADFS, and then copy and paste the value into the Client Secret field. Treat this value as a credential: anyone holding it together with the Client ID can present themselves to ADFS as the BMC Defender application. |
| ADFS Server URL | The URL of the ADFS Server web interface, a simple name in the form https://(server)[:(port)] without any other path. The value is used as the prefix of the various Endpoint values. It must start with https:// and must not contain any further slashes or query characters. You can test the value by clicking Test. |
| ADFS Server Logon Endpoint | The path of the Logon Endpoint on the ADFS Server, which prompts the end user for credentials. This value is appended to the ADFS Server URL. The Wizard auto-configures it, but you can also enter the value manually. If the value is incorrect, the ADFS logon page cannot be reached when the end user attempts to log on using ADFS. |
| ADFS Server Token Endpoint | The path of the Token Endpoint on the ADFS Server, which the BMC Defender Server queries to obtain the access token. After the end user logs on at ADFS, the browser is redirected back to the BMC Defender Server, which then queries this URL. The Wizard auto-configures it, but you can also enter the value manually. If the value is incorrect, an error is displayed at the BMC Defender Server when logging on using ADFS. |
| BMC Defender Client Server URL | The URL of the BMC Defender Server, including the https:// prefix, as a simple name in the form https://(server)[:(port)] without any other path. The value must agree with the redirection URL configured for the application in ADFS, and it should contain the Common Name configured in the BMC Defender Apache TLS server certificate (the official hostname of the platform, reachable from ADFS). Ensure that you configure this field correctly: if the value is wrong, the ADFS Server logon page displays a cryptic error message. |
| BMC Defender Logon Screen Type | Normal or Redirect. This value controls what end users see when they access the BMC Defender Server logon page. Normal adds links to ADFS at the top of the BMC Defender Server page, so the end user can log on using either ADFS or the local BMC Defender logon page. Redirect causes the BMC Defender logon and logout functions to redirect immediately to the ADFS Server URL, presenting the end user with the ADFS sign-on or sign-out pages. |
| Check ADFS Referer URL | Yes or No. BMC recommends Yes for extra security. When set to Yes, any access from the ADFS system (during redirect, cross posting, or both) must carry a Referer that matches the ADFS Server URL; otherwise the request is not processed. Because the Referer header is supplied by the browser, Yes can cause problems if ADFS (or the browser, for example under a restrictive Referrer-Policy) does not use the official host name during redirect operations. In that case, you can set No. |
| Require ADFS Certificate | Yes or No. If the ADFS system uses a certificate issued by a trusted certificate authority, enter Yes. If the ADFS system uses a self-signed certificate, you can enter No. Note that No relaxes verification of the ADFS certificate on the connection from the BMC Defender Server; installing the self-signed certificate so that it is trusted and keeping Yes is the safer option. |
| Test ADFS Configuration | Performs a test of the ADFS Server URL, the BMC Defender Client Server URL, and various other settings. If the test fails, the ADFS configuration does not work and must be modified: inspect the transcript of the transaction for error messages and adjust the configured URLs. A successful test does not guarantee that the Endpoint URLs, the Client ID, or the Client Secret are correct. |
| Test | Tests the configured URL values. |
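The following Python script is an added example, not part of the BMC Defender product or this page, showing what the Wizard and the URL checks above amount to: it parses an OpenID Connect discovery document, derives the Logon and Token endpoint paths relative to the ADFS Server URL, validates that the ADFS Server URL has the required https://(server)[:(port)] form, and applies a Referer check of the kind enabled by Check ADFS Referer URL = Yes. The discovery document is a constructed sample embedded inline; the hostnames, the /adfs/.well-known/openid-configuration path used by fetch_discovery, and all function names are assumptions for illustration.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Constructed sample of an OpenID Connect discovery document, in the shape ADFS
# publishes. Hostnames and paths are illustrative, not taken from a real server.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
})


def validate_server_url(url):
    """Return the normalized ADFS Server URL (https://host[:port]) or raise
    ValueError if the value has a non-https scheme, a path, a query or a fragment."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("ADFS Server URL must start with https://")
    if not parts.netloc:
        raise ValueError("ADFS Server URL has no host name")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("ADFS Server URL must not contain a path or query")
    return "https://" + parts.netloc


def endpoints_from_discovery(discovery_json, server_url):
    """Derive the Logon (authorization) and Token endpoint paths from a discovery
    document, the way the Wizard does, and confirm each one sits under the
    configured ADFS Server URL so that prefixing it reproduces the full URL."""
    doc = json.loads(discovery_json)
    base = validate_server_url(server_url)
    result = {}
    for key, name in (("authorization_endpoint", "logon"), ("token_endpoint", "token")):
        endpoint = doc[key]
        if not endpoint.startswith(base + "/"):
            raise ValueError(f"{key} {endpoint!r} is not under {base}")
        result[name] = endpoint[len(base):]
    return result


def referer_allowed(referer, server_url):
    """Check ADFS Referer URL = Yes: accept the request only when the browser-
    supplied Referer names the ADFS Server URL host over https. A missing Referer
    (e.g. stripped by a Referrer-Policy) is treated as a mismatch, which is the
    failure mode the table warns about."""
    if not referer:
        return False
    expected = urlsplit(validate_server_url(server_url))
    ref = urlsplit(referer)
    return ref.scheme == "https" and ref.netloc.lower() == expected.netloc.lower()


def fetch_discovery(server_url, timeout=10):
    """Fetch the live discovery document from the ADFS Server. Assumed path:
    /adfs/.well-known/openid-configuration. Not called by default; network access
    required. TLS verification is left at Python's default (on)."""
    base = validate_server_url(server_url)
    with urllib.request.urlopen(base + "/adfs/.well-known/openid-configuration",
                                timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    eps = endpoints_from_discovery(SAMPLE_DISCOVERY, "https://adfs.example.com")
    print("Logon Endpoint:", eps["logon"])
    print("Token Endpoint:", eps["token"])
    print("Referer ok:", referer_allowed("https://adfs.example.com/adfs/ls/",
                                         "https://adfs.example.com"))
```

Replacing SAMPLE_DISCOVERY with the output of fetch_discovery against your own ADFS Server URL reproduces the Wizard's result; the ValueError raised by endpoints_from_discovery is the same mismatch that makes a manually entered ADFS Server URL fail the Test button when the discovery document names a different host or port.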