Core Engine (4.38)

# SAML 2.0 Login with Windows AD FS as Asserting Party (IDP)

To configure Windows AD FS as Asserting Party, configurations in the 4ALLPORTAL as well as external configurations in AD FS are necessary.

# SAML Preconditions

Please note the general SAML preconditions here: SAML preconditions.

# 4ALLPORTAL: Relying Party and Asserting Party

This basic configuration generates the metadata required for the AD FS configuration (likely configured by an external IT responsible).

  1. Configure a SAML2 Relying Party (SP):
    • Go to admin snap-in Authentication/SAML2 Relying Party (SP)
    • Set Relying Party ID to a unique ID, e.g. "example40".
    • Save your Relying Party.
    • Click action "Generate Decryption certificate" from the toolbox to generate both Decryption certificate (X509) and Key for Decryption certificate.
    • Click action "Generate Signing certificate" from the toolbox to generate both Signing certificate (X509) and Key for Signing certificate.
    • Save your settings.

Refer Relying Party configuration for detailed information.

  1. Configure a SAML2 Asserting Party (IDP):
    • Go to admin snap-in Authentication/SAML2 Asserting Party (IDP)
    • Set RegistrationId (name) to a unique ID, e.g. "example40_adfs".
    • Set Relying Party to previously generated "example40" (via the dropdown).
    • Save your Asserting Party.
    • Click action Show Metadata URL to copy the Metadata URL or click action Download Metadata file to download the Asserting Party Metadata file for step 4.

Refer Asserting Party configuration for detailed information.

  1. Clear the configuration cache in admin snap-in General system configurations/System settings/Maintenance.

  2. Give your Metadata URL or Metadata file to your IT responsible for external AD FS configuration.

# External AD FS Configuration

For the external part of the configuration, pass the required metadata to your (external) IT responsible. They need to make the following configuration steps:

  1. Open AD FS tool and select "Add Relying Party Trust...":

  1. A Wizard opens. Click "Start":

  1. Import data from Metadata file:

  1. Specifiy the display name, e.g. "example40_adfs":

  1. Choose not to configure multi-factor authentication:

  1. Permit all users:

  1. You will get an overview of all that will be imported:

  1. Before closing, tick checkbox "Open the Edit Claim Rules" dialog:

  1. Click "Add Rule...":

  1. The Transform Claim Rule Wizard opens. Select "Transform an Incoming Claim":

  1. Next, the main attribute required for SAML to work is configured. Enter the following values:

  1. Click "Add Rule..." again

  1. The Transform Claim Rule Wizard opens again. Select "Send LDAP Attribute as Claim":

  1. Make your mappings of LDAP attributes:


  1. Change the SAMLResponseSignature to MessageAndAssertion:
Set-ADFSRelyingPartyTrust -TargetName {specific display name} -SamlResponseSignature "MessageAndAssertion"
  1. Finish your AD FS configuration. Give either Metadata URL or Metadata File to the 4ALLPORTAL responsible. The next steps are back in the 4ALLPORTAL.

# Complete Configuration in 4ALLPORTAL

The last steps can be done as soon as the person who configured AD FS externally provided either Metadata URL or Metadata File.

  1. Go back to your Asserting Party in admin snap-in Authentication/SAML2 Asserting Party (IDP).
  2. Set Metadata URL of the Asserting Party, e.g. https://external_adfs.com/FederationMetadata/2007-06/FederationMetadata.xml.
    Or use the Metadata File instead of the URL if you wish or in case the URL is not accessible.
    Or fill all advanced fields below.
  3. In Mappings, set Default role ID, e.g. to User.
  4. Add mapping to Mapping of user fields. Assign CoreEngine Field External ID to External Field objectSid.
  5. Configure CORS like described in the basic SAML configuration here.
  6. Reload 4ALLPORTAL.
  7. Test your configuration and login to 4ALLPORTAL with the new provider.

Troubleshooting

If any problems occur during configuration or when logging in, look for help here.

# Optional: Map Additional Attributes

With the configuration described above, only attribute user.external_id in 4ALLPORTAL will be set to objectSid from Windows AD FS. This is sufficient for login, but a user will contain no further information.

If you want to map additional attributes, you may add attributes to your mapping in admin snap-in Authentication/SAML2 Asserting Party (IDP) e.g. like this:


example for mapping of user fields in 4ALLPORTAL

Show SAML attributes

If you do not know the names of required attributes, use URL {baseUrl}/saml2/info to show SAML attributes after a valid login.

4APQL - 4ALLPORTAL Query Language

Request missing documentation