How to: Configure SAML with ADFS

Last modified: Thursday September 02, 2021.

Configure ADFS as your SAML IdP for Alta Aware®.

Task — Configure ADFS IdP

  1. Open the ADFS Management console.
  2. In the left-hand panel, click Relying Party Trusts.
  3. In the right-hand panel, click Add Relying Party Trust.
  4. In the Add Relying Party Trust Wizard, do the following:
    1. Select the Claims aware radio button and then click Start.
    2. Select the Enter data about the relying party manually radio button and then click Next.
    3. In the Display name field, type Alta Aware and then click Next.
    4. From the Configure Certificate page, click Next.
    5. Select the Enable support for the SAML 2.0 WebSSO protocol radio button.
    6. In the Relying party SAML 2.0 SSO service URL field, paste the ACS URL you obtained from Alta Aware and then click Next.
    7. In the Relying party trust identifier field, paste the Entity ID you obtained from Alta Aware and then click Add.
    8. Click Next.
    9. Select the relevant access control policy and then click Next.
    10. From the Ready to Add Trust page, click Next and then click Close.
  5. Double-click the Alta Aware Relying Party Trust.
  6. In the Alta Aware Properties page:
    1. Click the Signature tab.
    2. Click Add.
    3. Select the certificate file (with a .cer extension) that you created by downloading it from your Aware deployment.
    4. Click OK.
  7. In the middle panel, right-click Alta Aware and then select Edit Claim Issuance Policy.
  8. Click Add Rule.
    1. In the Claim Rule Template menu, select Send LDAP Attributes as Claims and then click Next.
    2. In the Claim rule name field, type Aware claims.
    3. In the Attribute store menu, select Active Directory.
    4. Configure your attributes, which are known as claims in ADFS:
      1. To configure the role attribute:
        1. In the LDAP Attribute menu, select your preferred role attribute name. This can be an existing attribute or a new custom attribute you create using these instructions. The attribute value must correspond to at least one role in Alta Aware. For example, use Department.
        2. In the Outgoing Claim Type menu, type AvaAwareUserGroup.
      2. To configure the login name attribute:
        1. In the LDAP Attribute menu, select User-Principal-Name or your preferred login name attribute name.
        2. In the Outgoing Claim Type menu, type AvaAwareUsername.
      3. To configure the email address attribute:
        1. In the LDAP Attribute menu, select E-Mail-Addresses or your preferred user email attribute name.
        2. In the Outgoing Claim Type menu, type AvaAwareEmail.
        3. Select the empty bottom row.
        4. In the LDAP Attribute menu, again select E-Mail-Addresses.
        5. In the Outgoing Claim Type menu, select E-Mail-Address.
        (Screenshot: ADFS LDAP attributes)
    5. Click Finish.
  9. Click Add Rule.
    1. From the Claim rule template dropdown, select Transform an Incoming Claim.
    2. In Claim rule name, type Transform Name ID.
    3. In Incoming claim type, select E-Mail Address.
    4. In Outgoing claim type, type Name ID.
    5. In Outgoing name ID format, select Unspecified.
    6. Click Finish.
    7. Click OK.
  10. To obtain the IdP metadata, go to the federation metadata URL of your ADFS. For example, https://adfs.example.com/FederationMetadata/2007-06/Federationmetadata.xml.
    An XML file will download to your computer which you will use to complete the next task.
  11. Return to the task in How to: Configure Aware to enable SAML single sign-on.
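The same relying party trust and claim rules, scripted with the ADFS PowerShell module. This is an added example and not part of the Alta Aware documentation: the ACS URL, Entity ID, certificate path and the "Permit everyone" access control policy name are placeholders you replace with the values from your own deployment, and the rule text is the claim rule language that the two wizard templates (Send LDAP Attributes as Claims, Transform an Incoming Claim) generate for steps 8 and 9.

```powershell
# Added example: scripts the wizard steps above. Placeholder values must be replaced.
Import-Module ADFS

$acsUrl   = "https://aware.example.com/saml/acs"       # ACS URL obtained from Alta Aware (placeholder)
$entityId = "https://aware.example.com/saml/metadata"  # Entity ID obtained from Alta Aware (placeholder)
$certPath = "C:\certs\aware-signing.cer"               # .cer downloaded from your Aware deployment (placeholder)

# Step 4.6: the SAML 2.0 assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Step 8: "Send LDAP Attributes as Claims". Department -> AvaAwareUserGroup,
# userPrincipalName -> AvaAwareUsername, mail -> AvaAwareEmail and mail -> E-Mail Address.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Aware claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("AvaAwareUserGroup", "AvaAwareUsername", "AvaAwareEmail", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";department,userPrincipalName,mail,mail;{0}", param = c.Value);
'@

# Step 9: "Transform an Incoming Claim". E-Mail Address -> Name ID, format Unspecified.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Steps 4.3-4.9 and 6: create the trust, attach the Aware signing certificate (Signature tab)
# so only requests signed by Aware are accepted, and apply the access control policy.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
Add-AdfsRelyingPartyTrust -Name "Alta Aware" `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $signingCert `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules ($ldapRule + "`r`n" + $nameIdRule)

# Verify the trust, then print the federation metadata URL needed for step 10.
Get-AdfsRelyingPartyTrust -Name "Alta Aware" | Select-Object Name, Identifier, RequestSigningCertificate
(Get-AdfsEndpoint | Where-Object { $_.AddressPath -like "*FederationMetadata*" }).FullUrl
```

Run it in an elevated PowerShell session on the ADFS server; `Get-AdfsRelyingPartyTrust -Name "Alta Aware" | Select-Object -ExpandProperty IssuanceTransformRules` shows the two rules exactly as the wizard would display them.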