This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support."

Configuring the AD FS server


After you configure the local service provider and the remote identity provider in the BMC Atrium SSO Admin Console, you must configure AD FS on the Active Directory server.


Configuring Relying Party Trust

  1. On the AD FS server, open the AD FS 2.0 Management console.
  2. Under Trust Relationships, click Relying Party Trusts.
  3. Click Add Relying Party Trust. A wizard appears.
  4. Complete the wizard as follows:

    1. Select Import data about the relying party published online or on a local network, and enter the address from which AD FS retrieves the BMC Atrium Single Sign-On service provider (SP) metadata.
    2. Note

      If you see a warning, you can ignore it. However, if you are unable to proceed with the configuration, the certificates were not exchanged correctly. Contact the BMC Atrium Single Sign-On administrator for more information.

      When the network settings prevent the AD FS and BMC Atrium Single Sign-On servers from connecting over SSL, this warning is expected and can be ignored. In that case, import the SP metadata into AD FS offline from an XML file instead.

    3. Click Next.
    4. Type sp for the display name, and click Next.
    5. Select AD FS 2.0 profile, and click Next.
    6. Select Permit all users to access this relying party, and click Next.
    7. Clear the check box that opens the Edit Claim Rules dialog box when the wizard closes; the claim rules are added later in this topic.
    8. Click Close.

    After you close the Add Relying Party Trust Wizard, sp appears in the Relying Party Trusts list.

Modifying the secure hash algorithm

  1. Right-click sp, and select Properties.
    The sp Properties dialog box appears.
  2. Click the Advanced tab, and select SHA-1 as the secure hash algorithm.
    This setting applies to this relying party trust only, and controls the algorithm AD FS uses to sign the SAML responses it sends to sp and to verify signed requests from it. SHA-1 is deprecated for digital signatures; select it only if the BMC Atrium Single Sign-On service provider cannot verify SHA-256 signatures, and otherwise leave the AD FS 2.0 default of SHA-256.
  3. Click OK.
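The relying party trust and signature algorithm configured above can also be set up from a script, which is the practical route when the SP metadata has to be imported offline, as the note in the wizard procedure describes. The following PowerShell is an added example and is not part of the BMC documentation or of the product. Before importing, it inspects the exported SP metadata XML (entity ID, assertion consumer endpoints and the SP certificate) so that a wrong, non-HTTPS or expired file is caught before AD FS accepts it, then creates the trust with the same choices as the wizard (permit all users) and sets the SHA-1 signature algorithm from the previous section. The file path C:\temp\sp-metadata.xml is an assumed location for the metadata exported by the BMC Atrium SSO administrator.

```powershell
# Added example: validate the BMC Atrium SSO SP metadata, then create the AD FS 2.0
# relying party trust from it. Run in an elevated PowerShell session on the AD FS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$MetadataFile = 'C:\temp\sp-metadata.xml'   # assumption: metadata exported from the Atrium SSO Admin Console
$TrustName    = 'sp'                         # display name used in the procedure above

function Test-SpMetadata {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw "$Path is not a SAML 2.0 EntityDescriptor" }
    $entityId = $entity.GetAttribute('entityID')

    # AD FS posts the signed assertion to the AssertionConsumerService, so every
    # endpoint must be HTTPS; a plain-http ACS would expose the assertion in transit.
    $acs = $doc.SelectNodes('/md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService', $ns)
    if ($acs.Count -eq 0) { throw "No AssertionConsumerService in metadata for $entityId" }
    foreach ($a in $acs) {
        $loc = $a.GetAttribute('Location')
        if ($loc -notmatch '^https://') { throw "ACS endpoint is not HTTPS: $loc" }
        Write-Host ("ACS {0} -> {1}" -f $a.GetAttribute('Binding'), $loc)
    }

    # The certificates in the metadata are what AD FS will use to verify signed
    # requests from the SP and to encrypt for it. Confirm each one parses and is
    # not expired; compare the thumbprint with the one the Atrium SSO administrator reports.
    $certs = $doc.SelectNodes('/md:EntityDescriptor/md:SPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    foreach ($c in $certs) {
        $raw  = [Convert]::FromBase64String(($c.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        if ($cert.NotAfter -lt (Get-Date)) { throw "SP certificate expired on $($cert.NotAfter): $($cert.Subject)" }
        Write-Host ("Cert {0} thumbprint {1} valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    }
    return $entityId
}

$entityId = Test-SpMetadata -Path $MetadataFile

if (-not (Get-ADFSRelyingPartyTrust -Name $TrustName)) {
    # Same result as the wizard: import from the file and permit all users.
    Add-ADFSRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile `
        -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
}

# "Modifying the secure hash algorithm": SHA-1 for this trust only (the default is SHA-256).
Set-ADFSRelyingPartyTrust -TargetName $TrustName -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Cross-check: the trust identifier AD FS stored must be the entityID from the file.
$rp = Get-ADFSRelyingPartyTrust -Name $TrustName
if (@($rp.Identifier | ForEach-Object { "$_" }) -notcontains $entityId) {
    throw "Trust identifier $($rp.Identifier) does not match metadata entityID $entityId"
}
$rp | Select-Object Name, Identifier, SignatureAlgorithm, Enabled
```

The validation function is deliberately run before Add-ADFSRelyingPartyTrust: AD FS reports an import failure only in general terms, whereas the checks above tell you whether the problem is the file, an endpoint or the certificate, which is exactly the distinction the note about "certificates were not exchanged correctly" asks you to make.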

Configuring claim rule

Configure the claim rules for the relying party.

  1. In AD FS 2.0 Management, select sp, and click Edit Claim Rules in the Actions pane.
  2. To add the first claim rule, click Add Rule. You can skip this step if you use Kerberos authentication instead of Internal LDAP in the Realm Authentication panel.
    1. Select the claim-rule template Send LDAP Attributes as Claims.
    2. Enter the claim-rule name GetSPAttributes.
    3. Select the Attribute Store Active Directory.
    4. Select the LDAP attribute SAM-Account-Name.
    5. Select the outgoing claim type UPN.
    6. Click Finish.
  3. To add the second claim rule, click Add Rule.
    1. Select the claim-rule template Send Claims Using Custom Rule.
    2. Enter the claim-rule name Send Claims Using UPN, and enter the following rule in the Custom rule box:

      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
       => issue(
            Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
            Issuer = c.Issuer,
            OriginalIssuer = c.OriginalIssuer,
            Value = c.Value,
            ValueType = c.ValueType,
            Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
            Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://vm-adfs-abc123.sso.com/adfs/services/trust",
            Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sp");

      The rule copies the UPN claim into the SAML NameID of the assertion. In this example, http://vm-adfs-abc123.sso.com/adfs/services/trust is the federation service identifier of this AD FS server (the identity provider entity ID, used as the NameQualifier), and sp is the identifier of the relying party as configured in BMC Atrium Single Sign-On (the service provider entity ID, used as the SPNameQualifier). Replace both values with the identifiers from your environment; a NameID whose qualifiers do not match the identifiers the service provider expects is rejected.
    3. Click Finish.

  4. To add the third claim rule, click Add Rule.
    1. Select the claim-rule template Send Claims Using a Custom Rule.
    2. Enter the claim-rule name Add Fake Password Protected Transport.
    3. Enter the following rule in the Custom rule box:

      exists([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"])
       => issue(
            Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
            Value = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");

      This rule issues the authentication-method claim, which AD FS places in the AuthnContextClassRef of the assertion, whenever a NameID exists. As the rule name indicates, the value is asserted unconditionally and does not reflect how the user actually authenticated to AD FS; it exists only so that the assertion carries the authentication context BMC Atrium Single Sign-On expects, so do not use this value on the service provider side to make authorization decisions.
    4. Click Finish.
  5. Click OK to close the Edit Claim Rules dialog box.

Configuring AD FS signed requests

Note

You must add the AD FS 2.0 snap-in each time you start a Windows PowerShell session.

Start the Windows PowerShell console with an Administrator logon, and then perform the following actions:

  • Add the AD FS 2.0 snap-in to the Windows PowerShell session:

    Add-PSSnapin Microsoft.Adfs.PowerShell
  • Set the SignedSamlRequestsRequired property to False, so that AD FS accepts SAML authentication requests from BMC Atrium Single Sign-On that are not signed:

    Set-ADFSProperties -SignedSamlRequestsRequired $False

    This is a property of the federation service, not of the sp trust: it also stops AD FS from requiring signed requests from every other relying party on this server. Keep the default of True wherever the service provider signs its requests, and set the property back to True if BMC Atrium Single Sign-On is later configured to sign them.
  • Verify the AD FS properties, and confirm that SignedSamlRequestsRequired is shown as False in the output:

    Get-ADFSProperties
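The three claim rules and the signed-request setting from the two sections above, applied from PowerShell in one pass. This is an added example, not a script from BMC or Microsoft. Instead of hard-coding the two qualifiers it reads the NameQualifier from the federation service identifier (Get-ADFSProperties) and the SPNameQualifier from the identifier of the sp trust, on the assumption that the trust was created from the SP metadata so that its identifier is the SP entity ID. It replaces the whole issuance transform rule set of the trust, lets you leave out the LDAP rule when Kerberos authentication is used, and records the previous value of SignedSamlRequestsRequired so that the server-wide change can be reverted.

```powershell
# Added example: apply the claim rules described above to the relying party trust "sp"
# and relax the signed-request requirement. Elevated PowerShell on the AD FS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$TrustName      = 'sp'
$IncludeLdapRule = $true   # set to $false when the realm uses Kerberos instead of Internal LDAP

$rp = Get-ADFSRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' does not exist; create it first." }

# NameQualifier: this AD FS server's federation service identifier (IdP entity ID).
# SPNameQualifier: the SP entity ID, stored as the trust identifier on metadata import
# (assumption: the trust was created from the Atrium SSO SP metadata).
$idpId = (Get-ADFSProperties).Identifier.ToString()
$spId  = [string](@($rp.Identifier)[0])

# Rule 1: the "Send LDAP Attributes as Claims" template, sAMAccountName issued as UPN.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "GetSPAttributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";sAMAccountName;{0}", param = c.Value);

'@

# Rules 2 and 3: UPN -> transient NameID with both qualifiers, then the fixed
# authentication-method claim (asserted unconditionally, as the rule name says).
$customRules = @"
@RuleName = "Send Claims Using UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "$idpId", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$spId");

@RuleName = "Add Fake Password Protected Transport"
exists([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
"@

$rules = if ($IncludeLdapRule) { $ldapRule + $customRules } else { $customRules }

# Replaces any existing transform rules on the trust.
Set-ADFSRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $rules

# Server-wide setting, not per trust: record the old value so it can be restored with
# Set-ADFSProperties -SignedSamlRequestsRequired $before once the SP signs its requests.
$before = (Get-ADFSProperties).SignedSamlRequestsRequired
Set-ADFSProperties -SignedSamlRequestsRequired $false
$after = (Get-ADFSProperties).SignedSamlRequestsRequired
Write-Host "SignedSamlRequestsRequired: $before -> $after (NameQualifier=$idpId, SPNameQualifier=$spId)"

# Print the stored rule set for review.
(Get-ADFSRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

Reading the qualifiers from AD FS rather than typing them removes the most common cause of a NameID the service provider rejects: a trust URL or SP identifier copied from another environment, as in the vm-adfs-abc123.sso.com example above.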
