HID Microsoft ADFS and ActivID AS using SAML User Manual

hidglobal.com
ACTIVID® APPLIANCE AND MICROSOFT® AD FS
ActivID Appliance 7.2 | July 2013 | Released Document Version 1.0
ActivID Appliance 7.2 and AD FS | Integration Handbook | AD FS
External Release | © 2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved.
Page 2

Table of Contents

1.0 Introduction ....................................................................................................................................................3
1.1 Scope of Document ......................................................................................................................................3
2.0 Context and Basic Workflow ........................................................................................................................4
3.0 Microsoft AD FS Configuration ....................................................................................................................5
3.1 Procedure 1: Exporting ActivID Appliance IDP Metadata ...........................................................................5
3.2 Procedure 2: Create A Claims Provider Trust Using Federation Metadata .................................................8
3.3 Procedure 3: Create A Rule to Transform An Incoming Claim ................................................................. 12
3.4 Procedure 4: Configure Claims Provider Trust Properties (Using the 'Advanced' Tab) ........................... 14
3.5 Procedure 5: Configure the Relying Party Trust (Your Web Application) ................................................. 15
3.6 Procedure 6: Export ADFS Microsoft Metadata ........................................................................................ 17
3.7 Procedure 7: Modify ADFS Microsoft Metadata ........................................................................................ 18
4.0 ActivID Appliance Configuration............................................................................................................... 18
4.1 Procedure 1: Create SAML Channel ........................................................................................................ 19
4.2 Procedure 2: Import AD FS Metadata ....................................................................................................... 21
4.3 Procedure 3: Authorize the SAML Channel (Authentication Policies) ...................................................... 24
4.4 Procedure 4: Configure the Identity Provider ............................................................................................ 25
4.5 Procedure 5: Adding A New Authentication Policies Mapping ................................................................. 26
5.0 SAML Channel Authentication: An Overview .......................................................................................... 27
5.1 Prerequisite: User Activates Web Soft Token ........................................................................................... 27
5.2 User Accesses Web Application ............................................................................................................... 29
Copyright ................................................................................................................................................................ 30
Trademarks ............................................................................................................................................................ 30
Revision History .................................................................................................................................................... 30
Technical Support ................................................................................................................................................. 30

1.0 Introduction

Microsoft® Active Directory Federation Services (AD FS) is an identity access solution that provides browser-based clients (internal or external to your network) with seamless, "one prompt" access to one or more protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.
The process of authenticating to one network while accessing resources in another network—without the burden of repeated logon actions by users—is known as single sign-on (SSO). AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications over the life of a single browser session.
Providing secure "one prompt" access to a web application over existing Internet connections requires strong, two-factor authentication to protect resources.
The ActivID® Appliance works with the Microsoft AD FS solution to provide versatile, strong authentication that is flexible, scalable, and simple to manage.

1.1 Scope of Document

This document explains how to configure ActivID Appliance and Microsoft AD FS using Security Assertion Markup Language (SAML). SAML 2.0 enables Web-based authentication and authorization and can be used by Microsoft AD FS to delegate user authentication to the ActivID® Appliance.
This option is simple and allows users to authenticate to the ActivID® Appliance authentication portal which has multiple authentication mechanisms working out of the box, including one-time password (OTP), Web soft token OTP, and Public Key Infrastructure (PKI) methods.

2.0 Context and Basic Workflow

In the context of the ActivID Appliance, ADFS is a Service Provider (SP) and ActivID® Appliance is an Identity Provider (IDP) using SAMLv2.0.
For complete details, please have the ActivID Appliance Identity Provider Solution Guide handy for quick reference.
Consider the following typical (generic) scenario. Please refer to the following diagram.
Steps 1 and 2: The user's web browser tries to access the web server and is redirected to the AD FS-R (proxy) server to authenticate the user.
Steps 3 and 4: The AD FS-R server determines which identity partner the user belongs to and redirects the browser to the ActivID Appliance IDP.
Steps 5 and 6: At the ActivID Appliance, the user is authenticated, issued a SAML token, and redirected back to the AD FS-R server.
Steps 7 and 8: Once back at the ADFS-R server, the SAML token is exchanged for a token that the web server understands and then the user is redirected back to the web server.
Steps 9 and 10: Finally, once the user’s web browser presents the appropriate token (cookie), the web server allows the user access to the content.
3.0 Microsoft AD FS Configuration
This chapter describes how to manage Microsoft AD FS. When an application is in one network and user accounts are in another network (managed by an ActivID Appliance), it is typical for users to encounter prompts for secondary credentials when they attempt to access the application. These secondary credentials represent the identity of the users in the realm where the application resides. The web server that hosts the application usually requires these credentials so that it can make the most appropriate authorization decision.
AD FS makes secondary accounts and their credentials unnecessary by providing trust relationships that you can use to project a user's digital identity and access rights to trusted partners (stored in the ActivID Appliance or linked to the ActivID Appliance). In a federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.
When a user signs in to a web application linked in AD FS, the user specifies a URL, which is associated with a specific identity partner (realm). The web application and AD FS forward the user to the IDP ActivID Appliance authentication server to verify the user's identity before providing web SSO.

3.1 Procedure 1: Exporting ActivID Appliance IDP Metadata

To configure the ActivID Appliance as an IDP, you must provide its metadata to the Service Provider (AD FS). The first procedure is therefore to establish the trust between the SP (AD FS) and the IDP (ActivID Appliance), that is, the metadata exchange.
The ActivID Appliance IDP metadata is not stored as-is in the appliance database; it is generated each time an export is requested through the ActivID Appliance Management Console. The generated metadata is based on the following data:
ActivID Appliance IDP host name
ActivID Appliance IDP port number—This is an optional attribute.
ActivID Appliance Security Domain—The Security Domain name is part of the URIs defined in the metadata.
Flag indicating whether the ActivID Appliance IDP accepts only signed requests—This is an optional attribute that indicates a requirement for the <samlp:AuthnRequest> messages received by this IDP to be signed. If omitted, the value is assumed to be false.
Alias of the ActivID Appliance IDP certificates (signing and encryption) stored in the Hardware Security Module (HSM) keystore.
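The following is an added example, not code from HID or from the appliance, showing how the inputs listed above map onto a SAML 2.0 IdP metadata document and how to inspect such a file before handing it to AD FS in Procedure 2. The element and attribute names (EntityDescriptor, IDPSSODescriptor, WantAuthnRequestsSigned, KeyDescriptor, SingleSignOnService) come from the SAML 2.0 metadata schema; the `https://<host>[:port]/idp/<security domain>/...` URL layout, the bindings offered, and the sample certificate bytes are assumptions made for illustration. The real export reads the signing certificate from the HSM keystore by its alias; here the DER bytes are passed in directly.

```python
"""Build and inspect SAML 2.0 IdP metadata of the kind an appliance export
produces. Illustrative example: URL paths and the sample certificate are
constructed, not the appliance's real values."""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholder standing in for a DER-encoded X.509 certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(32)


def build_idp_metadata(host, security_domain, signing_cert_der, port=None,
                       want_signed_requests=False):
    """Return metadata XML (bytes) generated from the inputs listed in 3.1.
    Host and optional port form the authority; the Security Domain becomes part
    of every URI; the flag becomes WantAuthnRequestsSigned; the certificate
    becomes the signing KeyDescriptor. The '/idp/<domain>' path is assumed."""
    authority = host if port is None else f"{host}:{port}"
    base = f"https://{authority}/idp/{security_domain}"
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=base)
    idp = ET.SubElement(
        ed, f"{{{MD}}}IDPSSODescriptor",
        protocolSupportEnumeration=PROTOCOL,
        WantAuthnRequestsSigned="true" if want_signed_requests else "false")
    kd = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
    ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
    cert = ET.SubElement(x509, f"{{{DS}}}X509Certificate")
    cert.text = base64.b64encode(signing_cert_der).decode()
    ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    for binding in (REDIRECT, POST):  # assumed: both SSO bindings offered
        ET.SubElement(idp, f"{{{MD}}}SingleSignOnService",
                      Binding=binding, Location=f"{base}/sso")
    return ET.tostring(ed, encoding="utf-8", xml_declaration=True)


def inspect_idp_metadata(xml_bytes):
    """Summarise what AD FS will rely on when this file is imported as a
    claims provider trust: entityID, SSO endpoints, signing certificate and
    whether the IdP insists on signed AuthnRequests (absent flag == false)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    signing_kds = [kd for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
                   if kd.get("use") in (None, "signing")]
    has_cert = any(c.text and c.text.strip()
                   for kd in signing_kds
                   for c in kd.iter(f"{{{DS}}}X509Certificate"))
    return {
        "entity_id": root.get("entityID"),
        "want_signed_requests":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso_redirect": sso.get(REDIRECT),
        "sso_post": sso.get(POST),
        "has_signing_cert": has_cert,
    }


if __name__ == "__main__":
    xml = build_idp_metadata("idp.example.test", "Default", SAMPLE_CERT_DER,
                             port=8443, want_signed_requests=True)
    print(xml.decode())
    print(inspect_idp_metadata(xml))
```

Running `inspect_idp_metadata` over the exported file before Procedure 2 confirms that the entityID and SSO locations carry the Security Domain you expect and that a signing certificate is present; a `want_signed_requests` of True means AD FS must be configured to sign its AuthnRequests or the appliance will reject them.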
1. Log on to the ActivID Appliance Management Console as an administrator.
2. When prompted, enter your User name and Password, and then click Submit.
3. Select the Configuration tab.
4. Under the Policies > SAML menu, click Appliance Identity Provider.
5. Click Export Metadata.
6. When prompted, click Open, and then save the IDP METADATA file to a desired location.
3.2 Procedure 2: Create A Claims Provider Trust Using Federation Metadata
1. In your AD FS, click Start, point to Programs > Administrative Tools, and then click AD FS 2.0.
2. Point to AD FS 2.0 > Trust Relationships, right-click Claims Provider Trusts, and then click Add Claims Provider Trust to open the Add Claims Provider Trust Wizard.
3. On the Welcome page, click Start.
4. On the Select Data Source page, select the option, Import data about the claims provider from a file.
5. For Federation metadata file location, click Browse to locate the file path to the ActivID Appliance metadata, and then click Next.
6. When prompted by the warning, click OK.
7. On the Specify Display Name page, type a meaningful Display name, and then optionally in the Notes box, type a description for this claims provider trust.
8. Click Next.
9. On the Ready to Add Trust page, click Next to save your claims provider trust information.