Configuring Active Directory Federation Services as a SAML identity provider

Before you begin

If your IdP requires a service provider signed certificate, you must have a certificate generated as described in Creating and updating the SP signing certificate for SAML authentication and signed by the BMC Helix SSO server as described in Planning advanced functions for SAML authentication.
Configure a realm for SAML 2.0 authentication. For information about how to configure SAML authentication, see Configuring SAML 2.0 authentication.

Task 1: To import service provider certificates to the AD FS identity provider

To export the SSL certificate of the Tomcat on which BMC Helix SSO is deployed, perform the following steps:
1. Open BMC Helix SSO URL, and click the padlock symbol in the address line of the browser.
2. In the Certificate window, click the Details tab.
3. Click Copy to File.
4. In the Certificate Export Wizard, click Next.
5. Select "DER encoded binary X.509 (.CER)", and click Next.
6. Provide a name for the file and include the path in the file name.
  Important
  
  The Common Name (CN) attribute of this certificate must be the same as the FQDN of BMC Helix SSO server.
To import certificates to the AD FS server, perform the following steps:
1. From the Run dialog box, type mmc to open Microsoft Management Console (mmc).
2. Open the File menu and click Add/Remove Snap-in.
3. From the list of available snap-ins, select Certificates, and click Add.
  The Certificates snap-in dialog box is displayed.
4. Select My User Account, and click Finish and OK.
5. From the explorer panel, select Personal > Certificates.
6. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
7. Follow the wizard steps and import the following certificates:
  - SSL certificate of the Tomcat on which BMC Helix SSO is deployed
  - (Optional) If required, the service provider certificate signed by BMC Helix SSO.

Task 2: To configure a relying party trust

BMC Helix SSO is the relying party which depends on the IdP to check the claims of the user. In this case, AD FS is the IdP.

On the AD FS server, open the AD FS 2.0 Management application.
On the Trust Relationships tab, select Relying Party Trusts and right-click it.
Select Add Relying Party Trust Wizard.
Click Start.
Select Import data about the relying party published online or on a local network radio button.
Important

If AD FS and BMC Helix SSO servers cannot connect via SSL because of some specific network settings, you might see a warning. This error message might be normal and you can ignore it. In this case, you can import the service provider metadata XML to the AD FS in the offline mode.
If you are unable to proceed with the configuration, the certificates were not exchanged correctly. Contact the BMC Helix SSO administrator for more information.
In the Federation metadata address field, enter the link copied from the BMC Helix SSO Admin Console (click View Metadata and copy the URL).
Click Next.
In the Display Name field, type any value, for example rsso-sp, and then click Next.
On the Choose Issuance Authorization Rules step, click Permit all users to access this relying party, and click Next.
Do not change the default selections, and click Next.
Clear the Open the Claims when this finishes check box.
Click Close.

After you close the Add Relying Party Trust Wizard window, rsso-sp appears in the Relying Party Trusts list.

Task 3: To configure the claim rules for the relying party

From AD FS 2.0, select rsso-sp, and click Edit Claim Rules from the Actions menu.

To add a claim rule, click Add Rule.

Select the Send Claims Using Custom Rule claim-rule template.

Enter the Send Claims Using UPN claim-rule name. Use the following script:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
     => issue(
Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer,
OriginalIssuer = c.OriginalIssuer, 
Value = c.Value, 
ValueType = c.ValueType,
     
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = 
"urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
     
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = 
"<idp-entity-id>",
     
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = 
"<sp-entity-id>/<realm-id>"
     );

To support SAML groups retrieving, add one more claim rule to the Relying Party Trust. Use the following script:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(
store = "Active Directory", 
types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), 
query = ";tokenGroups;{0}", 
param = c.Value);

Important

Service provider name qualifier is required only when you want to implement service provider initiated single log out.
The properties "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format" must be the same as the NameID format value in the Authentication tab of BMC Helix SSO. For example, a Transient Identifier such as urn:oasis:tc:SAM:2.0:nameid-format:transient.
The Fully Qualified Domain Name (FQDN) specified for the properties " http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier" must be the FQDN of the AD FS server.
The properties "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier" must be the same as the service provider Entity ID value specified in the BMC Helix SSO Admin Console (General > Advanced > SAML Service Provider > SP Entity ID) and the realm ID value specified in the BMC Helix SSO Admin Console (Realm > Realm ID).

Task 4: To import AD FS certificates to BMC Helix SSO

To export the AD FS certificates as files, perform the following steps:
1. Open the AD FS 2.0 Management console.
2. From the explorer panel, navigate to Service > Certificates.
3. Double-click the certificate name.
4. Double-click the Details tab.
5. Click Copy to File and then click Next.
6. Select Do not export the private key and then click Next.
7. Select DER and then select the file to save it.
8. Click Finish.
9. Perform steps c-h for all the other certificates.
To import the AD FS certificates into BMC Helix SSO *.jks file with the third-party tool KeyStore Explorer (https://keystore-explorer.org/), perform the following steps:
1. Open the truststore file by using the KeyStore Explorer.
2. Select Tools and click Import Trusted Certificate.
3. Select the file and import it.
Restart the BMC Helix SSO server.

Demonstration videos

Watch these videos to understand how to configure AD FS as a SAML IdP provider.

&amp;lt;p&amp;gt;&amp;lt;br/&amp;gt;&amp;lt;/p&amp;gt;

https://www.youtube.com/watch?v=HcW-u-V9yvo?rel=0