- How to set up single sign-on (SSO) with Microsoft ADFS 3.0
- Microsoft Active Directory Federation Services (ADFS) -- correctly configured and functioning with valid external certificates.
- Windows Server 2012 R2
Optional items (for example multi-factor authentication and SAML logout endpoints) are not covered; the steps note where they would be added.
1. Obtain your IdP (ADFS) token-signing certificate from the federation metadata at https://<yourdomain>/FederationMetadata/2007-06/FederationMetadata.xml (<yourdomain> is your ADFS service name).
2. The certificate F5 needs is the one under <IDPSSODescriptor> > <KeyDescriptor use="signing"> > <X509Data><X509Certificate>...</X509Certificate></X509Data>. It is usually the first X509Certificate in the file, but locate it by that element rather than by position: the metadata also publishes the token-decrypting (encryption) certificate, and during certificate rollover a second signing certificate. Copy the base64 text between the X509Certificate tags into the F5 certificate field (wrapped in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines if the field expects PEM). To confirm you copied the right one, compare its thumbprint with the Token-signing certificate under Service > Certificates in the ADFS console.
3. Open ADFS 3.0
4. Navigate to Trust Relationships > Relying Party Trusts (RP)
5. Add Relying Party Trust (RP)
6. Start Wizard
7. Select the third radio button, "Enter data … manually" > Next
8. Enter a display name. Matching the name used in the F5 SSO config keeps the two sides easy to correlate. > Next
9. Select the "AD FS profile" radio button > Next
10. Configure Certificate: leave blank > Next. (This is the optional certificate for encrypting assertions to the relying party; it is not used here.)
11. Configure URL: leave the SAML 2.0 WebSSO option unchecked > Next. We will use SAML, but the endpoint is added manually in step 17.
12. Configure Identifiers: add the identifier from the F5 SSO config, "F5 Silverline Issuer ID" (example: https://portal.f5silverline.com/saml/auth/aaa123). It must match that value exactly, including scheme and any trailing slash, because ADFS uses it to match the Issuer in F5's authentication request and as the audience of the assertion. > Next
13. Configure Multi-factor Authentication Now?: choose not to configure MFA at this time > Next
14. Choose Issuance Authorization Rules: select "Permit all users to access this relying party" until the sign-on has been tested successfully; then switch to "Deny all users" and add rules that permit only the groups that should reach Silverline.
15. Click Next through the rest of the wizard, leaving "Open the Edit Claim Rules dialog" checked when it finishes.
16. The next step adds the SAML endpoint skipped in step 11; after that we continue with the claim rules.
17. Double-click the Relying Party (RP) Trust you just created. In Properties, select the "Endpoints" tab.
18. Click Add SAML...
19. In the "Add an Endpoint" dialog, use these settings:
- Endpoint type: SAML Assertion Consumer
- Binding: POST
- Index: 0
- Trusted URL: the value listed in F5's SSO/IdP config as "F5 Silverline Assertion Consumer URL"
Click OK. Logout endpoints can be added later.
20. Click Apply, then OK to close.
21. Right-click your RP and click "Edit Claim Rules...".
22. On the Issuance Transform Rules tab, click Add Rule to open the Add Transform Claim Rule Wizard.
23. Select "Send LDAP Attributes as Claims" > Next
24. Enter the following:
- Claim rule name: anything meaningful to you
- Attribute store: Active Directory (the source of the attribute)
- Mapping: LDAP attribute "E-Mail-Addresses" to outgoing claim type "E-Mail Address"
25. Add another rule.
26. Select "Transform an Incoming Claim" > Next
27. Give the rule a name and set the incoming claim type to E-Mail Address.
28. Set the outgoing claim type to Name ID and the outgoing name ID format to Email. This must match the NameID format configured on the F5 side.
29. Leave "Pass through all claim values" selected.
30. Click OK.
31. Test by visiting your ADFS IdP-initiated sign-on page (https://<yourdomain>/adfs/ls/IdpInitiatedSignOn.aspx) and selecting the relying party. The browser must be able to authenticate to ADFS: for Windows integrated authentication the ADFS host has to be in the browser's intranet (trusted) zone, otherwise ADFS falls back to forms sign-in.
32. After clicking Sign in you should be redirected to the F5 Silverline portal, signed in. If not, troubleshoot with Claims X-Ray (Microsoft's test relying party, which shows exactly which claims ADFS issued) and the AD FS Admin log in Event Viewer.
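The whole procedure above as one PowerShell script, added here as an example; it is not part of the original guide and not F5's or Microsoft's code. Part 1 does steps 1 and 2 with a check the GUI steps skip (it selects the IdP signing key by its metadata role rather than by position and prints the thumbprint to compare with the ADFS token-signing certificate); part 2 does steps 3 through 30 with the AD FS cmdlets that ship with Windows Server 2012 R2 and shows the authorization tightening that step 14 defers until after testing. Assumed values: $adfsHost, $acsUrl and the group SID are placeholders; $issuerId is the guide's own example value.

```powershell
# Added example, not from the original guide. Part 1 can run on any domain-joined machine;
# part 2 must run in an elevated PowerShell session on the ADFS server.
$adfsHost = 'adfs.example.com'                                    # assumption: your ADFS service FQDN
$issuerId = 'https://portal.f5silverline.com/saml/auth/aaa123'    # "F5 Silverline Issuer ID" (guide's example value)
$acsUrl   = 'https://portal.f5silverline.com/saml/consume/aaa123' # hypothetical; paste the real "F5 Silverline Assertion Consumer URL"
$rpName   = 'F5 Silverline'                                       # assumption: display name, matched to the F5 side

# --- Part 1: token-signing certificate from the federation metadata (steps 1-2) ---
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# Pick the IdP signing key by its role in the metadata instead of "the first X509 in the file":
# the same document carries the encryption certificate and, during rollover, a second signing certificate.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$signingCerts = $metadata.SelectNodes($xpath, $ns)
if ($signingCerts.Count -eq 0) { throw "No IdP signing certificate found in $metadataUrl" }
if ($signingCerts.Count -gt 1) { Write-Warning 'More than one signing certificate published (rollover in progress); give F5 the one ADFS marks Primary.' }

$b64  = $signingCerts[0].InnerText -replace '\s', ''
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($b64))
"Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  NotAfter: $($cert.NotAfter)"
# On the ADFS server this thumbprint must match: Get-AdfsCertificate -CertificateType Token-Signing

# PEM form for the F5 certificate field (the bare base64 is what sits between the X509Certificate tags)
$pem = "-----BEGIN CERTIFICATE-----`r`n" + (($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n") + "`r`n-----END CERTIFICATE-----"
Set-Content -Path .\adfs-token-signing.pem -Value $pem -Encoding Ascii

# --- Part 2: relying party trust with endpoint, claim rules and authorization (steps 3-30) ---
# Step 19: SAML Assertion Consumer Service endpoint, POST binding, index 0
$acs = New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri $acsUrl -Index 0 -IsDefault $true

# Steps 23-24: AD "mail" attribute as the E-Mail Address claim.
# Steps 26-28: E-Mail Address transformed into a Name ID with the emailAddress format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail -> E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address -> Name ID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 14: permit everyone only while testing ...
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
# ... then permit one AD group instead. Without a permit claim ADFS denies access, which is the
# "deny all, then allow specific access" the guide describes. The SID below is a made-up placeholder.
$permitGroup = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit Silverline users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $issuerId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $permitAll

# After the sign-on test (step 31) succeeds, tighten access without touching anything else:
# Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitGroup

# Quick check that what ADFS stored is what the F5 side expects (identifier and ACS URL, character for character)
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol)/$($_.Binding) $($_.Location)" } } }
```

The script deliberately keeps the permit-all rule in the initial trust, matching the guide's order of operations; the commented Set-AdfsRelyingPartyTrust line is the one-line change to make once Claims X-Ray or the Silverline portal confirms the E-Mail Address and Name ID claims arrive as expected.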