Configure Identity Provider (IDP) on Active Directory

About Configuring Identity Provider (IDP) on Active Directory

About this task

You must configure IDP on Active Directory using the Active Directory Federation System (AD FS) Management Console.
Note: The strings and the URLs in AD FS are case-sensitive.

To configure IDP on Active Directory, you must perform the following tasks:

Procedure

  1. Add Relying Party Trusts
  2. Add Claim Rules
  3. am_apm_sso_add_certificates.html

Add Relying Party Trusts

Before you begin

  • You must have administrative privileges to configure AD FS.
  • Ensure that the /adfs/Is endpoint exists for SAML v2.0.
    Note: To add adfs/ls endpoint, refer to the AD FS documentation.
  • Ensure that the token encrypting certificates exist.

Procedure

  1. Access Control Panel, then select System and Security, and then select Administrative Tools.
  2. Select AD FS Management.
    The AD FS window appears.

  3. In the Actions section, select Add Relying Party Trust.
    The Add Relying Party Trust Wizard appears.

  4. Select Start.
    The Select Data Source page appears.

  5. Select Enter data about relying party manually, and then select Next.
    The Specify Display Name page appears.

  6. In the Display name box, enter urn:componentspace:Meridium, and then select Next.
    The Choose Profile page appears.

  7. Select the AD FS profile option, and then select Next.
    The Configure Certificate page appears.

  8. Select Next.
    The Configure URL page appears.

  9. Select the Enable Support for the SAML 2.0 WebSSO protocol check box.
  10. In the Relying Party SAML 2.0 SSO service URL box, enterhttps://<name of the GE Digital APM server>/Meridium/api/core/security/ssologinauth , and then select Next.
    Note: The word Meridium is case-sensitive. Therefore, ensure that the first letter of the word is capitalized. Also, the URL must be same as the URL in the saml.config file.
    The Configure Identifiers page appears.

  11. In the Relying party trust identifier box, enter urn:componentspace:Meridium, then select Add, and then select Next.
    The Configure Multi-factor Authentication Now page appears.

  12. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then select Next.
    The Choose Issuance Authorization Rules page appears.

  13. Select Permit all users to access this relying party, and then select Next.
    The Ready to Add Trust page appears.

  14. Select Next.
    The Finish page appears.

  15. Clear the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box, and then select Close.

Add Claim Rules

Procedure

  1. In the AD FS window, expand the Trust Relationships folder, and then select Relying Party Trusts.
    The Relying Party Trusts page appears.

  2. Select urn:componentspace:Meridium, and then, in the Actions section, select Edit Claim Rules.
    The Edit Claim Rules for urn:componentspace:Meridium window appears.

  3. Select the Issuance Transform Rules tab, and then select Add Rules.
    The Add Issuance Authorization Claim Rule Wizard appears.

  4. In the Claim Rule Template drop-down list box, select Send LDAP Attributes as Claims, and then select Next.
    The Configure Rule page appears.

  5. In the Claim rule name box, enter Meridium Claims, and then, in the Attribute Store drop-down list box, select Active Directory.
  6. Perform the following steps:
    • In the first drop-down list box in the LDAP Attribute column, select User-Principal-Name, and then, in the corresponding Outgoing Claim Type drop-down list box, select Name ID.
    • In the second drop-down list box in the LDAP Attribute column, select E-mail-Addresses, and then, in the corresponding Outgoing Claim Type drop-down list box, select Email Address.
  7. Select Finish.
    The Edit Claim Rules for urn:componentspace:Meridium window appears.

  8. In the Edit Claim Rules for urn:componentspace:Meridium window, select Apply, and then select OK.

Install the Public Key Certificate File (sp.pfx)

Procedure

  1. Navigate to C:\Program Files\Meridium\ApplicationServer\api, where the public key certificate file (sp.pfx) is located.
    Note: GE Digital provides the public key certificate file (sp.pfx). pfx is personal information exchange.
  2. Right-click sp, and then select Install PFX.
    The Certificate Import Wizard appears.

  3. Select Local Machine, and then select Next.
    The User Account Control window appears.

  4. Select Yes.
    The Certificate Import Wizard appears, and the File Name box displays the file path where the certificate is located.

  5. Select Next.
  6. Enter a password, and then select Next.
  7. Select Automatically select the certificate store based on the type of certificate.
    The Completing the Certificate Import Wizard appears.

  8. Select Finish.

Export the Certificate

Procedure

  1. Access Microsoft Management Console.
  2. In the main navigation bar, select File, then select Add/Remove Snap-in, and then select Certificates.
    The Add or Remove Snap-ins window appears.

  3. Select Add.
    The Certificates snap-in window appears.

  4. Select the Computer account option, and then select Next.
    The Select Computer window appears.

  5. Select the Local computer option, and then select Finish.
  6. In the Add or Remove Snap-ins window, select OK.
    The certificate appears in the Personal > Certificates folder of the Certificates (Local Computer) folder.
  7. Select Certificates (Local Computer), then select Personal, and then select Certificates.
  8. Right-click the certificate that you have installed, select All Tasks, and then select Export.
    The Certificate Export Wizard appears.

  9. Select Next.
  10. Select the No, do not export the private key option, and then select Next.
  11. Select DER encoded binary X.509 (.CER), and then select Next.
  12. Select Browse, and then navigate to the location to which you want to export the certificate.
  13. In the File name box, enter the same name that was mentioned while installing the certificate, and then, in the Save as type drop-down list box, select DER Encoded Binary X.509 (.cer).
  14. Select Next, and then select Finish.

Copy the Certificate to Active Directory

Procedure

  1. Access Control Panel, then select System and Security, and then select Administrative Tools.
  2. Select AD FS Management.
    The AD FS window appears.

  3. Expand Trust Relationships, and then select Relying Party Trusts.
  4. Select urn:componentspace:Meridium, and then, in the Actions section, select Properties.
    The urn:componentspace:Meridium Properties window appears.

  5. Select the Signature tab, and then select Add.
  6. Navigate to the location in which you have saved the certificate, and then select the file.
  7. Select Yes to ignore the warning about certificate key length.
  8. Select the Advanced tab.
  9. In the Secure hash algorithm drop-down list box, based on the policy of your organization, select SHA-1 or SHA-256.
  10. Select Apply, and then select OK.

Install the Token Signing idp.cer Certificate on the Application Server

Procedure

  1. Access the Active Directory.
  2. Export the token signing certificate and save the certificate.
  3. Select Finish.
  4. Copy the certificate to the api folder of the application server.
  5. Right-click the file, and then select Install Certificate.
    The Certificate Import wizard appears.

  6. Select Local Machine, and then select Next.
  7. Select Automatically select the certificate store based on the type of certificate.
  8. Select Next, and then select Finish.