Druva Documentation

How to install and configure AD FS 3.0 with Single Sign-On

Overview

This topic provides information on how to install and configure AD FS 3.0 with inSync Master.

Install Active Directory Federation Services 

You must install the Active Directory Federation Services (AD FS) 3.0 software on a computer that you are preparing for the federation server role or the federation server proxy role. For more information on how you can install the AD FS software and its prerequisites, see the Microsoft documentation.

Before you begin

  • Register your Windows Server 2012 server as a member server of an existing domain.
  • Log on to the server as a Domain Administrator.

Procedure

To install AD FS 3.0

  1. Start Server Manager.
  2. On the Menu bar, click Manage > Add Roles and Features.
    The Add Roles and Features Wizard is launched.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
  5. On the Select destination server page, click Select a server from the server pool, and then click Next.
  6. On the Select server roles page, select Active Directory Federation Services, and then click Next.
  7. On the Select features page, click Next.
  8. On the Active Directory Federation Services (AD FS) page, click Next.
  9. On the Confirm installation settings page, verify the information, and click Install.
  10. On the Installation progress page, you can view the installation progress. Verify the installed component, and click Close.

Configure the federation server

To configure the federation server

  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard is launched.
  2. On the Welcome page, select Create the first federation server in a federation server farm, and click Next.
  3. On the Connect to Active Directory Domain Services page, specify an account with domain administrator rights for the Active Directory domain that this computer is joined to, and then click Next.
  4. On the Specify Service Properties page, enter the following details, and then click Next.
    • Browse to the location of your SSL certificate and import it.
    • Type a Federation Service Name. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).
    • Type a Federation Service Display Name.
  5. On the Specify Service Account page, select Use an existing domain user account, and click Next.
  6. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.
  7. On the Review Options page, verify your configuration selections, and then click Next.
  8. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.
  9. On the Results page, review the results and check whether the configuration completed successfully.

Configure AD FS to integrate with inSync Master

After you have installed AD FS 3.0, perform the following actions:

  1. Create a trust between inSync Master and AD FS by configuring inSync Master as a relying party trust in AD FS.
  2. Configure inSync Master to trust AD FS 3.0. This trust allows AD FS 3.0 to send claims to inSync Master.
  3. Set up a web application and site to consume these claims.

Create a relying party

After you have set up the Federation Server, the next step is to create a relying party.

To create a relying party

  1. On the Start menu, click Administrative Tools > AD FS 3.0 Management. The AD FS 3.0 window appears.
  2. Expand the Trust Relationships node.
  3. Right-click on the Relying Party Trusts folder. A list with additional options appears.
  4. In the right pane, click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.
  5. Click Start. The Select Data Source page appears.
  6. Click Enter data about the relying party manually, and then click Next. The Specify Display Name page appears.
  7. Provide the appropriate information for each field.
    Field          Action
    Display Name   Type a display name for the relying party, for example, Druva inSync.
    Notes          Type a description for the relying party.
  8. Click Next. The Choose Profile page appears.
  9. Select AD FS profile and click Next. The Configure Certificate page appears.
  10. (Optional) If you want to encrypt the SAML token, browse to and select the encryption certificate. Otherwise, leave this page as is: AD FS establishes a secure SSL connection to Druva inSync, which ensures the token is encrypted in transit. Click Next.
  11. The Configure URL page appears.
    • Select the Enable support for the SAML 2.0 WebSSO protocol check box.
    • In the Relying party SAML 2.0 SSO service URL box, type the following URL:
      https://<IP/FQDN of Master or Edge Server>/wrsaml/consume
  12. Click Next. The Configure Identifiers page appears.
  13. In the Relying party trust identifier box, type:
    https://<IP/FQDN of Master or Edge Server>

    For inSync On-Premises, you must add "https://" as a prefix to the Relying Party trust identifier.

    The web application passes this realm to AD FS when users log in to the web restore URL.
  14. Click Next. The Configure Multifactor Authentication Now? page appears. Select I do not want to configure MFA settings for this relying party trust at this time, and then click Next.
    Note: If you want to configure Multifactor Authentication, you can do it at a later stage.
  15. Click Next. The Choose Issuance Authorization Rules page appears.
  16. Click Permit all users to access this relying party, and then click Next. The Ready to Add Trust page appears.

    For Single Sign-On, ensure that you enter the following details for the Relying Party Trust:
    Field            Details
    Identifier       https://<IP/FQDN of Master or Edge Server>
    Endpoints        https://<IP/FQDN of Master or Edge Server>/wrsaml/consume
    Accepted Claims  AD_Rule, SAML_Token, email-Transform
  17. Review the other properties, update the settings that you have configured if required, and then click Next. The Finish page appears.
  18. Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box is selected (it is selected by default).
  19. Click Close.

Create a new claim

To create a new claim

  1. On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
  2. In the Claim rule template list, select Send LDAP Attributes as Claims, and then click Next.
  3. The Add Transform Claim Rule Wizard window appears.
  4. Provide the appropriate information for each field.
    Field              Action
    Claim rule name    Type a name for the claim rule.
    Attribute store    In the list, select Active Directory.
    Mapping of LDAP attributes to outgoing claim types:
      LDAP Attribute         Outgoing Claim Type
      E-mail Addresses       E-mail Address
      E-mail Addresses       Name ID
      User-Principal-Name    Name
  5. Click Finish.

To create a new claim for Transform_rules

  1. On the Edit Claim Rules window, under the Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
  2. In the Claim rule template list, select Transform an Incoming Claim, and then click Next. The Edit Rule – Email-Transform window appears.
  3. Provide the appropriate information for each field.
    Field                     Action
    Claim rule name           Type a name for the claim rule.
    Incoming claim type       Select E-mail Address.
    Outgoing claim type       Select Name ID.
    Outgoing name ID format   Select Email.
  4. Click Finish.

Create a custom rule

To create a custom rule

  1. On the Edit Claim Rules window, under Issuance Transform Rules tab, click Add Rule. The Select Rule Template page appears.
  2. In the Claim rule template list, select Send Claims Using a Custom Rule, and then click Next. The Edit Rule – Authentication window appears.
  3. Provide the appropriate information for each field.
    Field              Action
    Claim rule name    Type a name for the custom rule.
    Custom rule        Type the following rule, where Value is the SSO Token generated from the inSync Console:
                       => issue(Type = "insync_auth_token", Value = "value of SSO Token generated from inSync Console");
  4. Click OK.
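
The relying party trust and the three claim rules from the procedures above can also be created with the AD FS PowerShell module. This is an added example, not part of the Druva documentation: the host name and token value are placeholders, the mapping of the rule names AD_Rule, email-Transform and SAML_Token to the three rule types is an assumption, and the rules are written in AD FS claim rule language as the wizard generates them.

```powershell
# Added example: create the inSync relying party trust and its claim rules
# with the ADFS module. Run as a domain administrator on the federation server.
Import-Module ADFS
$inSyncHost = "<IP/FQDN of Master or Edge Server>"        # placeholder
$ssoToken   = "<SSO Token generated from inSync Console>"  # placeholder, treat as a secret
$identifier = "https://$inSyncHost"                 # Relying party trust identifier
$acsUrl     = "https://$inSyncHost/wrsaml/consume"  # SAML 2.0 SSO service URL (ACS)

# Standard claim type URIs behind the wizard's friendly names
$email   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$nameId  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$name    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$winAcct = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$fmtProp = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

# AD_Rule (assumed name): "Send LDAP Attributes as Claims" -
# mail -> E-mail Address, mail -> Name ID, userPrincipalName -> Name
$adRule = @"
@RuleName = "AD_Rule"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email", "$nameId", "$name"),
          query = ";mail,mail,userPrincipalName;{0}", param = c.Value);
"@

# email-Transform: "Transform an Incoming Claim" (E-mail Address -> Name ID, format Email)
$emailTransform = @"
@RuleName = "email-Transform"
c:[Type == "$email"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["$fmtProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# SAML_Token (assumed name): the custom rule from the page, carrying the inSync SSO token
$samlToken = @"
@RuleName = "SAML_Token"
=> issue(Type = "insync_auth_token", Value = "$ssoToken");
"@

# "Permit all users to access this relying party"
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name "Druva inSync" -Identifier $identifier -SamlEndpoint $acs `
    -IssuanceTransformRules (($adRule, $emailTransform, $samlToken) -join "`n") `
    -IssuanceAuthorizationRules $permitAll

# Verify what AD FS stored before testing a login
Get-AdfsRelyingPartyTrust -Name "Druva inSync" | Select-Object Identifier, SamlEndpoints, IssuanceTransformRules
```

Compare the stored rules with the Accepted Claims list on the Relying Party Trust properties; the token value is issued to every user who signs in, so keep the script and the exported rule set out of shared repositories.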

Configure Single sign-on

Prerequisite to configure Single sign-on

Before you configure the single sign-on settings with inSync Master, download the metadata.xml file from:

 https://<adfs fqdn>/federationmetadata/2007-06/federationmetadata.xml

Configure the single sign-on settings

To configure the single sign-on settings

  1. On the inSync Master Management Console menu bar, click  > Settings.
  2. Click the Single Sign-on tab and then click Edit.
  3. Provide the following information.
    SAML Attribute             Description and value
    ID Provider Login URL      Type https://<ADFS FQDN>/adfs/ls
    ACS                        Type <inSync Master or Edge IP/FQDN>
    ID Provider Metadata XML   Copy and paste the contents of the federationmetadata.xml file.
    AuthnRequests Signed       Select this check box if you want signed SAML authentication requests. By default, SAML authentication requests are not signed.
  4. Click Save.
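
Before pasting the metadata into the settings above, it is worth confirming that the file really describes the expected AD FS instance. The following is an added check, not part of the Druva documentation; <ADFS FQDN> is a placeholder, and the script assumes the federation metadata URL given in the prerequisite.

```powershell
# Added example: fetch the AD FS federation metadata named in the prerequisite
# and print the values that must agree with the inSync Single Sign-on settings.
$adfsFqdn    = "<ADFS FQDN>"   # placeholder
$metadataUrl = "https://$adfsFqdn/federationmetadata/2007-06/federationmetadata.xml"

$raw = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$xml = [xml]$raw
$idp = $xml.EntityDescriptor.IDPSSODescriptor

# The HTTP-Redirect SSO endpoint is the ID Provider Login URL (https://<ADFS FQDN>/adfs/ls)
$sso = $idp.SingleSignOnService | Where-Object { $_.Binding -like "*HTTP-Redirect" }
"entityID (issuer) : $($xml.EntityDescriptor.entityID)"
"ID Provider URL   : $($sso.Location)"

# Token-signing certificate(s) inSync will trust; compare thumbprint and expiry with
# Get-AdfsCertificate -CertificateType Token-Signing on the federation server
foreach ($kd in ($idp.KeyDescriptor | Where-Object { $_.use -eq "signing" })) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([Convert]::FromBase64String($kd.KeyInfo.X509Data.X509Certificate))
    "Signing cert      : $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"
}

# Keep the unmodified XML to paste into the ID Provider Metadata XML field
Set-Content -Path ".\federationmetadata.xml" -Value $raw -Encoding UTF8
```

If the printed SSO URL or signing thumbprint does not match what the federation server itself reports, do not paste the file; the token-signing certificate is what inSync uses to accept SAML responses.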

Note: The last step to set up SSO with AD FS requires changes in the configuration files. To verify and complete the configuration, contact Druva Support.