Active Directory Federation Services

Setting up federated authentication using Active Directory Federation Services

To configure federated authentication using Active Directory Federation Services (AD FS) as the identity provider (IdP) and SAML 2.0 as the protocol for exchanging authentication data, follow the steps below to create a relying party trust for the Amazon Cognito user pool and to establish the required claim rules and endpoints:

  1. Log in to the AD FS server and open the AD FS Management tool

  2. Right-click Relying Party Trusts and select Add Relying Party Trust to start the wizard

  3. Select Enter data about the relying party manually

  4. Enter a suitable Display Name and Description, e.g. Objective Trapeze Federated Authentication

  5. Select the AD FS 2.0 profile (labelled AD FS profile on later versions of AD FS). Do not select the AD FS 1.0 and 1.1 profile, which does not support SAML 2.0

  6. Do not specify a token encryption certificate. AD FS still signs the SAML assertion with its token-signing certificate; encrypting the assertion is optional and is not required for this integration

  7. On the Configure URL page, leave both Enable support for the WS-Federation Passive protocol and Enable support for the SAML 2.0 WebSSO protocol unchecked. The SAML endpoint is added afterwards from the Endpoints tab of the trust's properties

  8. Enter the relying party trust identifier for the Amazon Cognito user pool. It has the form urn:amazon:cognito:sp:<user pool ID> and must match the user pool ID exactly, with no spaces, e.g.

    urn:amazon:cognito:sp:ap-southeast-2_4cA2YQQUx

  9. Select Permit all users to access this relying party. Access can be narrowed later to a specific security group with an issuance authorization rule (or, on AD FS 2016 and later, an access control policy) without changing the rest of the trust

  10. Click Next to reach the Finish page, then Close, leaving the box checked to open the Edit Claim Rules dialog for this relying party

  11. Select Add Rule and choose the Send LDAP Attributes as Claims template

  • Specify the Attribute Store as Active Directory

  • Add the following four entries to the Mapping of LDAP attributes to outgoing claim types, then click Finish to complete this part of the configuration

    LDAP Attribute      Outgoing Claim Type
    E-Mail Addresses    Name ID
    E-Mail Addresses    EmailAddress
    Given-Name          FirstName
    Surname             LastName

  The Name ID mapping is required: it becomes the SAML Subject NameID that Cognito uses to identify the user. The other three are issued as SAML attributes, and their outgoing claim type names must match the attribute mapping configured on the Cognito side, so enter them exactly as shown
  12. Next open the properties of the newly created relying party trust and select the Endpoints tab

  • Click Add SAML, set Endpoint type to SAML Assertion Consumer and Binding to POST, and enter the Trusted URL of the Cognito user pool's assertion consumer endpoint, https://<cognito_domain>.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse, where <cognito_domain> is the user pool's domain prefix (obtain it from your Objective CloudOps contact if you do not have it). Click OK on the SAML endpoint and OK on the properties to apply

  13. Open a browser and download the federation metadata XML, where <adfs_url> is the public host name of your AD FS server (or Web Application Proxy)

https://<adfs_url>/federationmetadata/2007-06/federationmetadata.xml

  This file is published without authentication and is not secret, but its integrity matters: it contains the token-signing certificate that Cognito will trust, so download it over HTTPS directly from your own AD FS endpoint rather than accepting a copy from elsewhere

  14. Provide both of the following items to your designated Objective CloudOps team member via a secure mechanism such as an Objective Connect workspace. Objective recommends limiting the configuration details you share to only those required to complete the configuration.

  • The federation metadata XML file

  • The login (e-mail) domain, e.g. objective.com

Note: Please e-mail the Trapeze Objective Support Team to request access to a secure Objective Connect workspace if you have not already been provided one. Alternatively, you may use any other secure transfer mechanism you are comfortable with, e.g. Citrix ShareFile.
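The same configuration as the wizard steps above, expressed with the AD FS PowerShell module, is given below as an added example. It is not part of the original article and is not Objective's own tooling. It builds the relying party trust from steps 2 to 12 in a single Add-AdfsRelyingPartyTrust call, then performs step 13 (downloads the federation metadata) and checks that the file lists the farm's primary token-signing certificate before you hand it over. The AD FS host name adfs.example.com and the Cognito domain placeholder <cognito_domain> are assumptions; the user pool ID, display name and claim mappings are the values from the steps above.

```powershell
# Added example (not from the original article): the relying party trust from
# steps 2-13 built with the AD FS PowerShell cmdlets instead of the wizard.
# Run in an elevated session on an AD FS server. Values marked ASSUMPTION are
# placeholders for illustration and must be replaced for your environment.
$ErrorActionPreference = 'Stop'
Import-Module ADFS

$rpName       = "Objective Trapeze Federated Authentication"      # Display Name from step 4
$userPoolId   = "ap-southeast-2_4cA2YQQUx"                        # user pool ID from step 8
$rpIdentifier = "urn:amazon:cognito:sp:$userPoolId"
# ASSUMPTION: <cognito_domain> is the user pool's domain prefix; Cognito receives
# SAML responses at the /saml2/idpresponse path of that domain (step 12).
$acsUrl       = "https://<cognito_domain>.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse"
$adfsHost     = "adfs.example.com"                                # ASSUMPTION: your AD FS public FQDN

# Step 11: "Send LDAP Attributes as Claims" rule in claim rule language.
# The GUI's "Name ID" entry is the standard nameidentifier claim URI; the other
# three outgoing claim types are the literal names from the article's table.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Objective Trapeze - LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "EmailAddress", "FirstName", "LastName"),
          query = ";mail,mail,givenName,sn;{0}", param = c.Value);
'@

# Step 9: permit all users (legacy issuance authorization rule). On AD FS 2016+
# the equivalent is -AccessControlPolicyName "Permit everyone".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 12: one SAML Assertion Consumer endpoint with POST binding.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri $acsUrl -Index 0 -IsDefault $true

# Steps 2-10 and 12 together: manual entry, no -EncryptionCertificate (step 6),
# SAML-only protocol profile, identifier from step 8, rules from steps 9 and 11.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Notes "Federated authentication for Objective Trapeze via Amazon Cognito" `
    -Identifier $rpIdentifier `
    -ProtocolProfile SAML `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Show what AD FS actually stored before anything is handed over.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, ProtocolProfile, EncryptClaims, SamlEndpoints

# Step 13: download the federation metadata and verify that it advertises the
# token-signing certificate currently primary on this farm, since Cognito will
# trust whichever certificate the file lists.
$mdPath = Join-Path $env:TEMP "federationmetadata.xml"
Invoke-WebRequest -Uri "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml" -OutFile $mdPath
[xml]$md = Get-Content -Path $mdPath -Raw
$idp = $md.EntityDescriptor.IDPSSODescriptor
$signingB64 = ($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' }).KeyInfo.X509Data.X509Certificate
$mdCerts = $signingB64 | ForEach-Object {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($_))
}
$primary = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate

"Metadata entityID : $($md.EntityDescriptor.entityID)"
"SSO endpoints     : $(($idp.SingleSignOnService | ForEach-Object { $_.Binding.Split(':')[-1] + ' ' + $_.Location }) -join '; ')"
"Signing certs     : $(($mdCerts | ForEach-Object { $_.Thumbprint }) -join ', ')"
if ($mdCerts.Thumbprint -contains $primary.Thumbprint) {
    "OK: metadata includes the primary token-signing certificate (expires $($primary.NotAfter)); send $mdPath"
} else {
    Write-Warning "Metadata does not list the primary token-signing certificate; re-download before sending"
}
```

If the final check warns, do not send the file: during automatic certificate rollover AD FS publishes both the current and the upcoming token-signing certificate in its metadata, and Cognito rejects assertions signed by a certificate it has never been given, so the file handed to Objective must carry the certificate that will actually sign assertions.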