Skip to main content

 

Druva Documentation

How to install and configure ADFS 3.0 with inSync Cloud

inSync Cloud Editions: File:/tick.png Elite Plus File:/tick.png Elite File:/cross.png Enterprise File:/cross.png Business

Overview

This topic provides information on how to install and configure ADFS 3.0 with inSync Cloud.

Before you begin

  • Register your Windows Server 2012 server as a member server of existing domain.
  • Log on to server as Domain Administrator.

Procedure

To install ADFS 3.0

  1. Start Server Manager.
  2. On the Menu bar, click Manage > Add Roles and Features.
    Add Roles and Features wizard is launched.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
  5. On the Select destination server page, click Select a server from the server pool, and then click Next.
  6. On the Select server roles page, select Active Directory Federation Services, and then click Next.
    ADFS_3.0_01.png
  7. On the Select features page, click Next.
  8. On the Active Directory Federation Services (AD FS) page, click Next.
    ADFS_3.0_02.png
  9. On the Confirm installation settings page, verify the information, and click Install.
    ADFS_3.0_03.png
  10. On the Installation progress page, you can view the installation progress. Verify the installed component, and click Close.

Configure the federation server

To configure the federation server

  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched.
    ADFS_3.0_04.png
  2. On the Welcome page, select Create the first federation server in a federation server farm, and click Next.
    ADFS_3.0_05.png
  3. On the Connect to Active Directory Domain Services page, specify an account with domain administrator rights for the Active Directory domain that this computer is joined to, and then click Next.
    ADFS_3.0_06.png
  4. On the Specify Service Properties page, enter the following details, and click Next
    • Browse to the location of your SSL certificate and import it.
    • Type a Federation Service Name. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).
    • Type a Federation Service Display Name.

    ADFS_3.0_07.png
  5. On the Specify Service Account page, select Use an existing domain user account, and click Next.
  6. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.
    ADFS_3.0_08.png
  7. On the Review Options page, verify your configuration selections, and then click Next.
    ADFS_3.0_09.png
  8. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.
  9. On the Results page, review the results, check whether the configuration has completed successfully.

Configure ADFS to integrate with inSync Cloud

After you have installed ADFS 3.0, perform the following actions:

  1. Create trust between inSync Cloud and ADFS by configuring ADFS with a relying party rule, which is inSync Cloud.
  2. Configure inSync Cloud to trust ADFS 3.0. The trust allows ADFS 3.0 to send claims to inSync Cloud.
  3. Set up a web application and site to consume these claims.

Create a relying party

After you have set up the Federation Server, the next step is to create a relying party.

To create a relying party

  1. On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 window appears.
  2. Expand the Trust Relationships node.
  3. In the right pane, click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.
    ADFS_3.0_11.png
  4. Click Start. The Select Data Source page appears.
  5. Click Enter data about the relying party manually, and then click Next. The Specify Display Name page appears.
    ADFS_3.0_12.png
  6. Provide the appropriate information for each field, and click Next.
    Field Action
    Display Name

    Type a display name for the relying party.

    For example, Druva inSync.

    Notes Type a description for the relying party.
    ADFS_3.0_13.png
    The Choose Profile page appears.
  7. Select AD FS profile and click Next. The Configure Certificate page appears.
    ADFS_3.0_14.png
  8. (Optional) If you want to encrypt the SAML token, browse and select the certificate, and then click Next. However, ADFS establishes a secure SSL connection to Druva inSync, which ensures the token is encrypted. Click Next.
    ADFS_3.0_15.png
  9. The Configure URL page appears.
    • Select the Enable support for the SAML 2.0 WebSSO 2.0 protocol check box.
    • In the Relying party SAML 2.0 SSO service URL box, provide the following URL
      https://cloud.druva.com/wrsaml/consume
      
    • Click Next. The Configure Identifiers page appears.

    ADFS_3.0_16.png
  10. In the Relying party trust identifier box, type druva-cloud.
    The web application passes this realm to the ADFS when users log into the web restore URL.
    Note: If you are using inSync Gov Cloud as the relying party, type druva-govcloud.
    ADFS_3.0_17.png
  11.  Click Next. The Configure Multifactor Authentication Now? page appears. Select I do not want to configure MFA settings for this relying party trust at this time and click Next.
    Note: If you want to configure Multifactor Authentication, you can do it at a later stage.
    ADFS_3.0_18.png
  12.  Click Next. The Choose Issuance Authorization Rules page appears.
  13. Click Permit all users to access this relying party and then click Next. The Ready to Add Trust page appears.
    ADFS_3.0_19.png
  14. Review and if required update the settings that you have configured, and then click Next. The Finish page appears.
    ADFS_3.0_20.png
  15. Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box is by default selected.
  16. Click Close.

 

Create a new claim

To create a new claim

  1. On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
  2. In the Claim rule template list, select Send LDAP Attributes as Claims, and then click Next. The Edit Rule – LDAP EMAIL window appears.
    ADFS_3.0_21.png
  3. Provide the appropriate information for each field.
    Field Action
    Claim rule name    Type a name for the claim rule.
    Attribute store In the list, select Active Directory
    Mapping of LDAP attributes to outgoing claim types
    LDAP Attribute Map it to Outgoing claim type.
    E-mail Addresses Map it to Name ID.
    E-mail Addresses Map it to E-mail Address.
    User-Principal-Name Map it to Name.
    ADFS_3.0_22.png
  4. Click Finish.

Create a custom rule

To create a custom rule

  1. On the Edit Claim Rules window, under Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
  2. In the Claim rule template list, select Send Claims Using a Custom Rule, and then click Next. The Edit Rule – LDAP EMAIL window appears.
    ADFS_3.0_23.png
  3. Provide the appropriate information for each field.
    Field Action
    Claim rule name  Type a name for the custom rule.
    Custom rule

    Type,

    => issue(Type = "insync_auth_token", Value = "value of SSO Token generated from inSync Console");

    ADFS_3.0_24.png
  4. Click OK.

Configure Single sign-on

Before you begin

Before you configure the single sign-on settings with inSync Cloud, ensure that you have an ID provider certificate. If you do not have an ID provider certificate, follow these steps:

  1. On the Start menu, click Administrative Tools > ADFS 3.0 Management. The ADFS 3.0 Management window appears.
  2. Expand to the Service folder.
  3. Click Certificates. The Certificates view appears in the right pane.
    ADFS_3.0_25.png

    |View larger image|

  4. Under the Token-signing area, right-click the certificate. A list with additional options appears.
  5. In the list, click View Certificate. The Certificate window appears.
  6. Click the Details tab and then click Copy to file. The Certificate Export Wizard appears.
    ADFS_3.0_26.png
  7. On the Certificate Export Wizard, click Next. The Export File Format page appears.
  8. Select DER encoded binary X.509 (.CER), and then click Next.
    ADFS_3.0_27.png
  9. On the File to Export page, type the file name as Cert.cer, and then click Next.
  10. Click Finish.
  11. Open and edit the cert.cer file in a Notepad. The certificate opens in the following format:

         “-----BEGIN CERTIFICATE-----
        
        ………. …..
        
        -----END CERTIFICATE-----"
        

  12. Copy the content of the cert.cer certificate and provide it when you configure the single sign-on settings by using the inSync Master Management Console.

Configure the single sign-on settings

To configure the single sign-on settings

  1. On the inSync Master Management Console menu bar, click  > Settings.
  2. Click the Single Sign-on tab and then click Edit.
  3. Provide the following appropriate information.
    SAML Attribute    Description and value
    ID Provider Login URL

     Type,

    https://{fqdn-name of the ADFS server}/adfs/ls

    ID Provider Certificate Provide the content of the cert.cer certificate. For more information see, Before you begin.
    AuthnRequests Signed Select this checkbox, if you want signed SAML Authentication Requests.

    By default, SAML Authentication Requests are not signed.

    Want Assertions Encrypted Select this checkbox, if you want to enable encryption for the SAML assertions.

    By default, encryption is disabled.

  4.   Click Save.