How to Set Up SSO with Microsoft ADFS 3.0 (Windows Server 2012 R2)

Description

  • How to set up single sign-on (SSO) with Microsoft ADFS 3.0 as the identity provider for F5 Silverline

Environment

  • Microsoft Active Directory Federation Services (ADFS) -- correctly configured and functioning with valid external certificates.
  • Windows Server 2012 R2

Procedure

Note

This guide does not cover the following; they are not required for a working setup, but should be added afterwards:

  • hardening steps, such as restricting issuance to the users and groups that need access (least privilege)
  • logout endpoints

1. Obtain your IdP token-signing certificate from the federation metadata at https://<yourdomain>/FederationMetadata/2007-06/FederationMetadata.xml

2. Typically, the certificate you need is the first X509 certificate listed, inside <X509Data><X509Certificate>...</X509Certificate></X509Data>. Copy the entire Base64 text between the <X509Certificate> tags and paste it into the F5 certificate field.

3. Open ADFS 3.0

4. Navigate to Trust Relationships > Relying Party Trusts (RP)

5. Add Relying Party Trust (RP)

6. Start Wizard

7. Select the third radio button, "Enter data … manually" > Next

8. Enter a display name. To keep things simple, use the same name you entered in the F5 SSO configuration. > Next

9. Select “AD FS profile” radio button > Next

10. Leave the certificate blank > Next

11. We will be using SAML, but the SAML endpoint can be entered manually later (see step 17), so nothing needs to be enabled on this page. > Next

12. Add the Identifier URL retrieved from the F5 SSO config ("F5 Silverline Issuer ID"). Example: https://portal.f5silverline.com/saml/auth/aaa123

13. MFA – do not configure now > Next

14. Choose the issuance authorization rules – permit all users for now, until the trust has been tested successfully; then you can switch to deny all and grant access only to specific users or groups.

15. Click Next through the rest of the wizard, and leave the option to open the claim rules editor selected when you finish.

16. The next step is to add the SAML endpoint manually, since we skipped it in the wizard. After that we continue with the claim rules.

17. Double-click the Relying Party (RP) Trust you just created. In Properties, select the 'Endpoints' tab.

18. Click Add SAML...

19. In the "Add an Endpoint" pop-up, use these settings:

  • Endpoint type: SAML Assertion Consumer
  • Binding: POST
  • Index: 0
  • Trusted URL: the same URL listed in the F5 SSO/IdP config as "F5 Silverline Assertion Consumer URL"

Click OK. (You can add logout endpoints later.)

20. Click Apply and Close

21. Right-click your RP and click 'Edit Claim Rules…'

22. Click Add Rule… – this opens the Add Transform Claim Rule Wizard

23. Select ‘Send LDAP Attributes as Claims’ > Next

24. Enter the following information:

  • Claim rule name – for your reference
  • Attribute store: Active Directory. This is the source of the claim values.
  • Map the LDAP attribute E-Mail-Addresses to the outgoing claim type E-Mail Address

25. Add another rule

26. Select 'Transform an Incoming Claim'

27. Give the rule a name and select E-Mail Address as the incoming claim type.

28. Set the outgoing claim type to Name ID and the outgoing name ID format to Email. This matches the NameID format F5 expects in the SAML assertion.

29. Leave 'Pass through all claim values' selected

30. Select OK

31. Select OK

32. Test by visiting your ADFS IdP-initiated sign-on page (/adfs/ls/IdpInitiatedSignOn.aspx). Your browser's security settings must allow the sign-on.

33. After clicking Sign in, you should be redirected to F5 Silverline. (If not, troubleshoot with Claims X-Ray to inspect the claims ADFS is issuing.)
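The same relying party trust built with the ADFS PowerShell module instead of the wizard, plus a check that the certificate copied in step 2 is the token-signing certificate. This is an added example, not part of the article; adfs.example.com, the assertion consumer URL and the issuer ID aaa123 are placeholders to replace with the values from your F5 Silverline SSO configuration.

```powershell
Import-Module ADFS

$Display    = "F5 Silverline"
$Identifier = "https://portal.f5silverline.com/saml/auth/aaa123"    # "F5 Silverline Issuer ID" (example value from the article)
$AcsUrl     = "https://portal.f5silverline.com/saml/consume/aaa123" # "F5 Silverline Assertion Consumer URL" (assumed placeholder)
$MetaUrl    = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml" # your ADFS host (assumed)

# Step 19: Assertion Consumer endpoint, POST binding, index 0.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true

# Steps 23-28 in claim rule language: AD mail attribute -> E-Mail Address claim,
# then E-Mail Address -> Name ID with the emailAddress format F5 expects.
$transform = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD e-mail address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 14: permit all users until the trust is tested; replace with group-based rules afterwards.
$authz = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $Display -Identifier $Identifier -SamlEndpoint $acs `
    -IssuanceTransformRules $transform -IssuanceAuthorizationRules $authz

# Step 2 check: the first <X509Certificate> in the federation metadata is the one
# pasted into F5; confirm it is the primary token-signing certificate and not the
# service-communications or token-decrypting one.
[xml]$md  = (Invoke-WebRequest -Uri $MetaUrl -UseBasicParsing).Content
$metaB64  = @($md.GetElementsByTagName("X509Certificate"))[0].InnerText
$metaCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($metaB64))
$signing  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($metaCert.Thumbprint -ne $signing.Thumbprint) {
    throw "Metadata certificate $($metaCert.Thumbprint) is not the primary token-signing certificate $($signing.Thumbprint)"
}
Write-Output "Relying party '$Display' created. Paste this into the F5 certificate field:"
Write-Output $metaB64
```

Run it on the ADFS server in an elevated PowerShell session; the thumbprint check fails deliberately if the metadata's first certificate is not the one F5 must trust for signature validation.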
