Configuring the AD FS server
After you configure the local service provider and the remote identity provider in the BMC Atrium SSO Admin Console, you must configure AD FS on the Active Directory server.
Configuring Relying Party Trust
- On the AD FS server, open the AD FS 2.0 Management application.
- On the Trust Relationships tab, click Relying Party Trusts.
- Click Add Relying Party Trust. A wizard appears.
- Configure the following parameters:
- Select Import data about the relying party published online or on a local network.
If you see a warning about the metadata address, you can ignore it. If the wizard does not let you proceed, however, the certificates were not exchanged correctly; contact the BMC Atrium Single Sign-On administrator.
If the AD FS and BMC Atrium Single Sign-On servers cannot reach each other over SSL because of the network configuration, this warning is expected. In that case, export the SP metadata to an XML file, copy it to the AD FS server over a trusted channel, and import it offline by selecting Import data about the relying party from a file instead. Before importing, check that the entityID and signing certificate in the file match what the BMC Atrium Single Sign-On administrator gave you: the relying party trust accepts whatever signing certificate the metadata contains.
- Click Next.
- Type sp for the display name, and click Next.
- Select ADFS 2.0 profile, and click Next.
- Select Permit all users to access this relying party, and click Next. This issuance authorization rule lets every account that AD FS can authenticate reach the service provider; you can narrow it later on the Issuance Authorization Rules tab of Edit Claim Rules.
- Clear the check box that opens the Edit Claim Rules dialog box when the wizard closes, and click Close.
After closing the Add Relying Party Trust Wizard window, sp appears in the Relying Party Trusts list.
Modifying the secure hash algorithm
- Right-click sp, and select properties.
The sp Properties dialog box appears.
- Click the Advanced tab, and select SHA-1 as the secure hash algorithm. This is the algorithm AD FS uses to sign the assertions it issues to sp, so it must match what BMC Atrium Single Sign-On expects. SHA-1 is deprecated for signatures; if your version of BMC Atrium Single Sign-On accepts SHA-256-signed assertions, select SHA-256 instead.
- Click OK.
Configuring claim rule
Configure the claim rules for the relying party.
- In the AD FS 2.0 Management console, select sp, and click Edit Claim Rules in the Actions pane.
- To add the first claim rule, click Add Rule. You can skip this rule if you are using Kerberos authentication instead of Internal LDAP in the Realm Authentication panel.
- Select the claim-rule template Send LDAP Attributes as Claims.
- Enter the claim-rule name GetSPAttributes.
- Select the Attribute Store Active Directory.
- Select the LDAP attribute SAM-Account-Name.
- Select the outgoing claim type UPN.
- Click Finish.
- To add the second claim rule, click Add Rule.
- Select the claim-rule template Send Claims Using Custom Rule.
- Enter the claim-rule name Send Claims Using UPN, and use the following rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://vm-adfs-abc123.sso.com/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sp");
This rule copies the UPN claim produced by GetSPAttributes into the SAML NameID of the assertion. In this example, the following definitions apply:
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient is the NameID format declared to the service provider; the value itself is the sAMAccountName from the first rule.
- http://vm-adfs-abc123.sso.com/adfs/services/trust is the Federation Service identifier of the AD FS server (shown under Edit Federation Service Properties in the AD FS 2.0 Management console). Replace the example value with your own.
- sp is the identifier of the relying party trust you created.
- To add the third claim rule, click Add Rule.
- Select the claim-rule template Send Claims Using a Custom Rule.
- Enter the claim-rule name Add Fake Password Protected Transport, and use the following rule:
exists([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
This rule makes AD FS report the PasswordProtectedTransport authentication context in every assertion issued to sp, regardless of how the user actually authenticated (for example, Windows Integrated authentication on the intranet). It exists only to satisfy the authentication context the service provider expects, so do not use the AuthnContext in assertions from this AD FS server to tell authentication methods apart.
- Click Finish, and then click OK to close the Edit Claim Rules window.
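The relying party trust, the SHA-1 signature setting and the three claim rules above, created from PowerShell instead of the wizard, as an added example that is not part of the BMC documentation or of BMC's own scripts. It assumes the SP metadata was exported to C:\sp-metadata.xml (the offline import path mentioned earlier) and reuses the placeholder Federation Service identifier http://vm-adfs-abc123.sso.com/adfs/services/trust from the rule on this page; replace both for your environment. The first rule is written out in the form the Send LDAP Attributes as Claims template generates.

```powershell
# Added example: create the "sp" relying party trust with the same settings
# the wizard and claim-rule steps produce. Assumptions to replace:
#   $metadataFile  - offline copy of the SP metadata (assumed path)
#   $adfsIssuer    - placeholder Federation Service identifier from this page
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$spName       = "sp"
$metadataFile = "C:\sp-metadata.xml"
$adfsIssuer   = "http://vm-adfs-abc123.sso.com/adfs/services/trust"

# Issuance transform rules: sAMAccountName -> UPN claim -> transient NameID,
# plus the fixed PasswordProtectedTransport authentication context.
$transformRules = @"
@RuleName = "GetSPAttributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Send Claims Using UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "$adfsIssuer", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$spName");

@RuleName = "Add Fake Password Protected Transport"
exists([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
"@

# Issuance authorization rule equivalent to "Permit all users to access this relying party".
$authzRules = @"
@RuleName = "Permit Access to All Users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Create the trust from the offline metadata file and sign assertions with SHA-1
# (the page's setting; use http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 if the SP accepts it).
Add-ADFSRelyingPartyTrust -Name $spName -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Verify what was stored: identifier taken from the metadata, algorithm and rule set.
Get-ADFSRelyingPartyTrust -Name $spName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules
```

Before running it, open the metadata file and confirm the entityID and signing certificate are the ones the BMC Atrium Single Sign-On administrator handed over; the trust takes its signing certificate from that file.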
Configuring AD FS signed requests
When the SignedSamlRequestsRequired property is True, AD FS 2.0 rejects SAML authentication requests that are not signed. Set it to False only if BMC Atrium Single Sign-On is not configured to sign its requests. The property belongs to the federation service, not to an individual trust, so turning it off disables the signature check for every relying party, not only sp.
You must add the AD FS 2.0 snap-in each time you start a Windows PowerShell session.
Start the Windows PowerShell console with an Administrator logon, and then perform the following actions:
- Add the AD FS 2.0 snap-in to the Windows PowerShell session.
- Set the SignedSamlRequestsRequired property:
Set-ADFSProperties -SignedSamlRequestsRequired $False
- Verify the AD FS properties and confirm that SignedSamlRequestsRequired now reads False.
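The three PowerShell steps above, as an added example that is not part of the BMC documentation: it loads the AD FS 2.0 snap-in, records the property before and after the change, and stops with an error if the change did not take. The commented reversal line is included because the setting is service-wide and should be restored once the service provider can sign its requests.

```powershell
# Added example: relax the AuthnRequest signing requirement and verify it.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Record the current value so the change is visible in the session log.
$before = (Get-ADFSProperties).SignedSamlRequestsRequired

# Service-wide setting: affects every relying party trust, not only "sp".
Set-ADFSProperties -SignedSamlRequestsRequired $false

$after = (Get-ADFSProperties).SignedSamlRequestsRequired
"SignedSamlRequestsRequired: $before -> $after"

# Fail loudly rather than assume the cmdlet succeeded.
if ($after) {
    throw "AD FS still requires signed SAML requests; check the snap-in and your privileges."
}

# Reverse the change once the service provider signs its AuthnRequests:
# Set-ADFSProperties -SignedSamlRequestsRequired $true
```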