Configure Identity Provider (IDP) on Active Directory

Add Relying Party Trusts

Before You Begin

  • You must have administrative privileges to configure AD FS.
  • Ensure that the /adfs/ls endpoint exists for SAML v2.0.
    Note: To add the /adfs/ls endpoint, refer to the AD FS documentation.
  • Ensure that the token encrypting certificates exist.

Procedure

  1. Access Control Panel, then select System and Security, and then select Administrative Tools.
  2. Select AD FS Management.
    The AD FS window appears.

  3. In the Actions section, select Add Relying Party Trust.
    The Add Relying Party Trust Wizard appears.

  4. Select Start.
    The Select Data Source page appears.

  5. Select Enter data about relying party manually, and then select Next.
    The Specify Display Name page appears.

  6. In the Display name box, enter urn:componentspace:Meridium, and then select Next.
    The Choose Profile page appears.

  7. Select the AD FS profile option, and then select Next.
    The Configure Certificate page appears.

  8. Select Next.
    The Configure URL page appears.

  9. Select the Enable Support for the SAML 2.0 WebSSO protocol check box.
  10. In the Relying Party SAML 2.0 SSO service URL box, enter https://<APM Server Name>/Meridium/api/v1/core/security/ssologinauth, and then select Next.
    Note: The word Meridium is case-sensitive. Therefore, ensure that the first letter of the word is capitalized. Also, the URL must be the same as the AssertionConsumerServiceUrl in the saml.json file.
    The Configure Identifiers page appears.

  11. In the Relying party trust identifier box, enter urn:componentspace:Meridium, then select Add, and then select Next.
    The Configure Multi-factor Authentication Now page appears.

  12. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then select Next.
    The Choose Issuance Authorization Rules page appears.

  13. Select Permit all users to access this relying party, and then select Next.
    The Ready to Add Trust page appears.

  14. Select Next.
    The Finish page appears.

  15. Clear the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box, and then select Close.

What To Do Next

Add Claim Rules

Procedure

  1. In the AD FS window, expand the Trust Relationships folder, and then select Relying Party Trusts.
    The Relying Party Trusts page appears.

  2. Select urn:componentspace:Meridium, and then, in the Actions section, select Edit Claim Rules.
    The Edit Claim Rules for urn:componentspace:Meridium window appears. Select the Issuance Transform Rules tab.

  3. Select Add Rule.
    The Add Transform Claim Rule Wizard window appears.
  4. In the Claim rule template drop-down list box, select Send LDAP Attributes as Claims, and then select Next.
    The Configure Rule page appears.
  5. In the Claim rule name box, enter Meridium Claims, and then, in the Attribute store drop-down list box, select Active Directory.
  6. Perform the following steps:
    • In the first drop-down list box in the LDAP Attribute column, select User-Principal-Name, and then, in the corresponding Outgoing Claim Type drop-down list box, select Name ID.
    • In the second drop-down list box in the LDAP Attribute column, select E-mail-Addresses, and then, in the corresponding Outgoing Claim Type drop-down list box, select E-Mail Address.
    The Configure Rule page is populated with the selected values.
  7. Select Finish.
    The Edit Claim Rules for urn:componentspace:Meridium window appears.
  8. Select OK.
    The claim rule is added to the Edit Claim Rules for urn:componentspace:Meridium window.

What To Do Next

Add Certificates

Install the Service Provider certificate (sp.pfx)

Procedure

  1. Navigate to C:\Program Files\Meridium\ApplicationServer\api, where the public key certificate file (sp.pfx) is located.
    Note: APM provides the public key certificate file (sp.pfx). PFX stands for Personal Information Exchange.
  2. Right-click sp, and then select Install PFX.
    The Certificate Import Wizard appears.

  3. Select Local Machine, and then select Next.
    The User Account Control window appears.

  4. Select Yes.
    The Certificate Import Wizard appears, and the File Name box displays the file path where the certificate is located.

  5. Select Next.
  6. Enter the password for the certificate, and then select Next.
  7. Select Automatically select the certificate store based on the type of certificate.
    The Completing the Certificate Import Wizard page appears.

  8. Select Finish.

What To Do Next

Export the Public Key Certificate

Procedure

  1. Access Microsoft Management Console.
  2. In the main navigation bar, select File, then select Add/Remove Snap-in, and then select Certificates.
    The Add or Remove Snap-ins window appears.

  3. Select Add.
    The Certificates snap-in window appears.

  4. Select the Computer account option, and then select Next.
    The Select Computer window appears.

  5. Select the Local computer option, and then select Finish.
  6. In the Add or Remove Snap-ins window, select OK.
    The certificate appears in the Personal > Certificates folder of the Certificates (Local Computer) folder.
  7. Select Certificates (Local Computer), then select Personal, and then select Certificates.
  8. Right-click the certificate that you have installed, select All Tasks, and then select Export.
    The Certificate Export Wizard appears.

  9. Select Next.
  10. Select the No, do not export the private key option, and then select Next.
  11. Select DER encoded binary X.509 (.CER), and then select Next.
  12. Select Browse, and then navigate to the location to which you want to export the certificate.
  13. In the File name box, enter the same name that was mentioned while installing the certificate, and then, in the Save as type drop-down list box, select DER Encoded Binary X.509 (.cer).
  14. Select Next, and then select Finish.
  15. Copy the exported certificate to Active Directory and install it. For the detailed installation procedure, refer to steps 5 through 8 of the section Install the Token Signing idp.cer Certificate on the Application Server.

What To Do Next

Copy the Certificate to Active Directory

Procedure

  1. Access Control Panel, then select System and Security, and then select Administrative Tools.
  2. Select AD FS Management.
    The AD FS window appears.

  3. Expand Trust Relationships, and then select Relying Party Trusts.
  4. Select urn:componentspace:Meridium, and then, in the Actions section, select Properties.
    The urn:componentspace:Meridium Properties window appears.

  5. Select the Signature tab, and then select Add.
  6. Navigate to the location in which you have saved the certificate, and then select the file.
  7. Select Yes to ignore the warning about certificate key length.
  8. Select the Advanced tab.
  9. In the Secure hash algorithm drop-down list box, based on the policy of your organization, select SHA-1 or SHA-256.
  10. Select Apply, and then select OK.
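The following PowerShell script is an added example, not part of the APM documentation, that creates the same relying party trust the wizard steps in the sections above produce (SAML 2.0 endpoint, identifier, the two LDAP claim rules, permit-all authorization, the SP signature certificate, and the hash algorithm) and then reads the trust back so you can check it. It assumes it runs on the AD FS server, that the host name in $ApmServer and the path in $SpCerPath are placeholders you replace, and it selects SHA-256 because SHA-1 signatures are deprecated; choose SHA-1 only where your organization's policy still requires it.

```powershell
# Added example (not APM product code): configure the urn:componentspace:Meridium relying party trust.
# Assumptions: run on the AD FS server; $ApmServer and $SpCerPath are placeholders for your environment;
# $SpCerPath is the public-key-only .cer exported from sp.pfx (see Export the Public Key Certificate).
$ApmServer = 'apm.example.internal'        # placeholder for <APM Server Name>
$SpCerPath = 'C:\Temp\sp.cer'              # placeholder for the exported .cer file
$RpName    = 'urn:componentspace:Meridium' # display name and identifier used by the documentation

# Assertion Consumer Service URL: must equal AssertionConsumerServiceUrl in saml.json; "Meridium" is case-sensitive.
$acsUrl = "https://$ApmServer/Meridium/api/v1/core/security/ssologinauth"
$acs    = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $acsUrl -Index 0

# "Send LDAP Attributes as Claims": User-Principal-Name -> Name ID, E-mail-Addresses -> E-Mail Address.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Meridium Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Signature tab: the SP certificate AD FS uses to verify signed requests from APM.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SpCerPath)

# No -AdditionalAuthenticationRules: matches "I do not want to configure multi-factor authentication".
Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $RpName `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $spCert `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read the trust back and verify endpoint, algorithm and certificate before handing it over for testing.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, Enabled | Format-List
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
```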

What To Do Next

Install the Token Signing idp.cer Certificate on the Application Server

Procedure

  1. Access the Active Directory.
  2. Export the token signing certificate and save the certificate.
  3. Select Finish.
  4. Copy the certificate to the api folder of the application server.
  5. Right-click the file, and then select Install Certificate.
    The Certificate Import wizard appears.

  6. Select Local Machine, and then select Next.
  7. Select Automatically select the certificate store based on the type of certificate.
  8. Select Next, and then select Finish.

What To Do Next

Federation Service Identifier from ADFS

Use this procedure to get the Federation Service identifier from AD FS.

Procedure

  1. Open AD FS management console.
  2. Select AD FS in the left navigation pane, and then select Edit Federation Service Properties in the Actions pane on the right.
  3. In the Federation Service Properties dialog box, note the Federation Service identifier value.
  4. Navigate to the C:\Program Files\Meridium\ApplicationServer\api folder, and open the saml.json file in a text editor. Update the PartnerIdentityProviderConfigurations Name value with the Federation Service identifier.
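The following PowerShell script is an added example, not part of the APM documentation, that performs the token-signing certificate export from the previous section and the Federation Service identifier check from this one without the GUI: it writes the primary token-signing certificate as idp.cer, reads the Federation Service identifier, and reports whether any PartnerIdentityProviderConfigurations Name in saml.json already equals it. It assumes it runs on the AD FS server with the api folder reachable at the documented path, and it searches saml.json recursively because the exact nesting of that key in the file is not stated in the documentation.

```powershell
# Added example (not APM product code): export idp.cer and check the IdP Name in saml.json.
# Assumptions: run on the AD FS server; the api folder path below is the one from the documentation;
# the nesting of PartnerIdentityProviderConfigurations inside saml.json is not assumed, so it is searched.
$ApiFolder    = 'C:\Program Files\Meridium\ApplicationServer\api'
$IdpCerPath   = Join-Path $ApiFolder 'idp.cer'
$SamlJsonPath = Join-Path $ApiFolder 'saml.json'

# 1. Export the primary token-signing certificate, public key only, DER encoded (.cer).
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$derBytes = $tokenSigning.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($IdpCerPath, $derBytes)
Write-Host "Exported token-signing certificate $($tokenSigning.Thumbprint) to $IdpCerPath"

# 2. The Federation Service identifier shown under Edit Federation Service Properties.
$fsIdentifier = (Get-AdfsProperties).Identifier

# 3. Collect every PartnerIdentityProviderConfigurations Name in saml.json, wherever it is nested.
function Find-PartnerIdpNames {
    param([object]$Node)
    if ($null -eq $Node) { return }
    foreach ($prop in $Node.PSObject.Properties) {
        if ($prop.Name -eq 'PartnerIdentityProviderConfigurations') {
            foreach ($idp in @($prop.Value)) { $idp.Name }
        } elseif ($prop.Value -is [System.Management.Automation.PSCustomObject]) {
            Find-PartnerIdpNames -Node $prop.Value
        } elseif ($prop.Value -is [System.Array]) {
            foreach ($item in $prop.Value) { Find-PartnerIdpNames -Node $item }
        }
    }
}
$configuredNames = @(Find-PartnerIdpNames -Node (Get-Content $SamlJsonPath -Raw | ConvertFrom-Json))

# 4. Report the mismatch instead of silently editing a production configuration file.
if ($configuredNames -contains $fsIdentifier) {
    Write-Host "saml.json already names the Federation Service identifier: $fsIdentifier"
} else {
    Write-Warning "No PartnerIdentityProviderConfigurations Name equals '$fsIdentifier'. Found: $($configuredNames -join ', ')"
    Write-Warning "Update the Name value in $SamlJsonPath so APM can match SAML responses to this IdP."
}
```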

What To Do Next