ADFS as an external identity provider
SafeNet Trusted Access (STA) can be integrated with an external identity provider (IDP) to redirect network traffic from STA to the external IDP for user authentication. STA remains the primary IDP while orchestrating the use of an external or secondary IDP.
The external IDP can either be an exclusive authentication method or the second authentication method. It cannot be the first authentication method in a multi-factor authentication environment.
In this documentation, Active Directory Federation Services (ADFS) is used as an external IDP.
Integrating SafeNet Trusted Access with Active Directory Federation Services requires the steps described in the following sections.
Configuring STA as an OIDC Application in ADFS
As prerequisites:
- Active Directory Federation Services 2016 service must be fully installed and configured.
- Obtain the STA Redirect URI by performing the following steps:
  a. On the STA Management Console, click Settings > External Identity Provider.
  b. In the right pane, click Setup.
  c. Under Redirect URI, click Copy to copy the redirect URI, and paste it in a text editor for future use.
- Obtain the ADFS Well-Known OpenID configuration URL by performing the following steps:
  a. Run the following PowerShell command to get the Well-Known OpenID configuration URL:
     Get-AdfsEndpoint | Select FullUrl | Select-String openid-configuration
  b. Copy the URL and paste it in a text editor for future use.
     The URL is in the following format:
     https://<HostName>/adfs/.well-known/openid-configuration
     where HostName is the federation service name of ADFS. For example:
     https://sfnt.com/adfs/.well-known/openid-configuration
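An added example (not part of the original documentation) that fetches the Well-Known OpenID configuration document located by the command above and checks it against what the STA form needs later in this procedure: the issuer, the endpoints that STA populates when you click Load, and the four scopes granted to the application group. It assumes it runs on the ADFS server with the ADFS PowerShell module available, and that the issuer takes the form https://<federation service name>/adfs.

```powershell
# Added example (not from the Thales documentation). Assumes it runs on the
# ADFS server with the ADFS PowerShell module, and that the issuer is
# https://<federation service name>/adfs.

# Scopes that the application group grants to STA later in this procedure.
$requiredScopes = @('allatclaims', 'email', 'openid', 'profile')

# Same lookup as the documented command, but keeping the URL as a string.
$endpoint = Get-AdfsEndpoint |
    Where-Object { "$($_.FullUrl)" -like '*openid-configuration*' } |
    Select-Object -First 1
if (-not $endpoint) { throw 'No openid-configuration endpoint found; is this an ADFS 2016 server?' }
$wellKnownUrl = "$($endpoint.FullUrl)"

# Fetch the discovery document, as STA does when you click Load.
$config = Invoke-RestMethod -Uri $wellKnownUrl -Method Get

$expectedIssuer = "https://$((Get-AdfsProperties).HostName)/adfs"
$problems = @()

if ($config.issuer -ne $expectedIssuer) {
    $problems += "issuer is '$($config.issuer)', expected '$expectedIssuer'"
}
# Endpoints that STA fills into the Endpoint URLs fields.
foreach ($field in 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
    if (-not $config.$field) { $problems += "discovery document has no $field" }
}
foreach ($scope in $requiredScopes) {
    if ($config.scopes_supported -notcontains $scope) {
        $problems += "scope '$scope' is not advertised in scopes_supported"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Discovery document OK; paste this URL into STA: $wellKnownUrl"
}
```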
Configuring STA as an OIDC application in ADFS requires adding an application group and adding a transform claim rule, as described in the following sections.
Adding an Application Group
Perform the following steps to add an application group:
1. Log in to the ADFS server as an administrator.
2. Open the ADFS Management application.
3. In the left pane, under AD FS, click Service > Application Groups.
4. In the right pane, click Add Application Group.
5. In Add Application Group Wizard, perform the following steps:
   a. On the Welcome page, perform the following steps:
      i. In the Name field, enter a name for the application group (for example, SafeNet Trusted Access).
      ii. In the Template field, select Server application accessing a web API.
      iii. Click Next.
   b. On the Server application page, perform the following steps:
      i. In the Client Identifier field, copy the client identifier and paste it in a text editor for future use.
      ii. In the Redirect URI field, enter the Redirect URI that you obtained earlier as a prerequisite.
      iii. Click Add.
      iv. Click Next.
   c. On the Configure Application Credentials page, perform the following steps:
      i. Select the Generate a shared secret check box.
      ii. Click Copy to clipboard to copy the shared secret. Paste the shared secret in a text editor for future use.
      iii. Click Next.
   d. On the Configure Web API page, perform the following steps:
      i. In the Identifier field, enter the client identifier that you copied earlier in step 5(b)(i).
      ii. Click Add.
      iii. Click Next.
   e. On the Apply Access Control Policy page, under Choose an access control policy, select the default access control policy, Permit everyone, and click Next.
   f. On the Configure Application Permissions page, perform the following steps:
      i. Under Permitted scopes, select the allatclaims, email, openid, and profile scopes.
      ii. Click Next.
   g. On the Summary page, verify the application group configuration that you performed in the previous steps, and click Next.
   h. The application group is created. Click Close.
Adding a Transform Claim Rule
In ADFS, a transform claim rule is used to map an incoming claim type to an outgoing claim type and then to apply an action that determines the result based on the values that originated in the incoming claim.
Perform the following steps to add a transform claim rule:
1. In the middle pane, under Application groups, double-click the application group (for example, SafeNet Trusted Access) that you added earlier in Adding an Application Group.
2. On the application group properties window (for example, SafeNet Trusted Access Properties), under Applications, double-click your Web API (for example, SafeNet Trusted Access) to open it, and click OK.
3. On the Web API properties window (for example, SafeNet Trusted Access Properties), click the Issuance Transform Rules tab, click Add Rule, and click OK.
4. In Add Transform Claim Rule Wizard, perform the following steps:
   a. On the Choose Rule Type page, in the Claim rule template field, ensure that Send LDAP Attributes as Claims is selected, and click Next.
   b. On the Configure Claim Rule page, perform the following steps:
      i. In the Claim rule name field, enter a name for the claim rule (for example, Send Email as Claim).
      ii. In the Attribute Store field, select Active Directory.
      iii. Under Mapping of LDAP attributes to outgoing claim types, in the LDAP Attribute (Select or type to add more) column, select E-mail-Addresses, and in the Outgoing Claim Type (Select or type to add more) column, enter email.
      iv. Click Finish.
      v. Click Apply and click OK.
The solution is tested with the Email claim that is used for user mapping. You can configure claim mapping as per your preferred configuration.
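The application group and transform claim rule from the two sections above, created with the ADFS PowerShell cmdlets instead of the wizard. This is an added example, not code from the Thales or Microsoft documentation; the application group identifier, the display names and the redirect URI placeholder are assumptions, and it assumes it runs on the ADFS server as an administrator.

```powershell
# Added example (not from the Thales documentation): the wizard steps above
# as ADFS cmdlets. Assumes: run on the ADFS server as an administrator, and
# $staRedirectUri replaced with the Redirect URI copied from the STA console.

$staRedirectUri = 'https://<STA redirect URI copied from Settings > External Identity Provider>'  # placeholder
$groupName = 'SafeNet Trusted Access'
$groupId   = 'SafeNetTrustedAccess'   # assumed identifier, not shown by the wizard

# Application group (wizard: Welcome page).
New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupId

# Server application: the OIDC client that STA talks to (wizard: Server
# application and Configure Application Credentials pages). The generated
# secret is returned once; it is the CLIENT SECRET value for the STA form.
$client = New-AdfsServerApplication -Name "$groupName - Server application" `
    -ApplicationGroupIdentifier $groupId `
    -RedirectUri $staRedirectUri `
    -GenerateClientSecret

# Equivalent of "Send LDAP Attributes as Claims" with E-mail-Addresses -> email.
$emailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Email as Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);
'@

# Web API whose identifier is the client identifier (wizard: Configure Web API
# and Apply Access Control Policy pages), with the claim rule attached.
New-AdfsWebApiApplication -Name "$groupName - Web API" `
    -ApplicationGroupIdentifier $groupId `
    -Identifier $client.Identifier `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $emailRule

# Permitted scopes (wizard: Configure Application Permissions page).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $client.Identifier `
    -ServerRoleIdentifier $client.Identifier `
    -ScopeNames 'allatclaims', 'email', 'openid', 'profile'

# Values to paste into the STA External Identity Provider form.
[pscustomobject]@{
    ClientId     = $client.Identifier
    ClientSecret = $client.ClientSecret
}
```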
Adding ADFS as an External Identity Provider in STA
Perform the following steps to add ADFS as an external IDP in STA:
1. On the STA Access Management console, click Settings > External Identity Provider, and click Setup.
2. On the External Identity Provider window, on the top-right side, click Edit.
3. In the IDENTITY PROVIDER NAME field, enter the name for your IDP (for example, ADFS).
4. In the CREDENTIALS NAME field, enter the authentication method that the external IDP uses (for example, Password).
   In policies, these names identify the external IDP in the format [Identity Provider Name] ([Credentials Name]) (for example, ADFS (Password)).
5. In the CLIENT ID field, enter the client identifier that you copied earlier in Adding an Application Group. This is the OIDC application (client) ID that is used to identify ADFS.
6. In the CLIENT SECRET field, enter the shared secret that you copied earlier in Adding an Application Group. STA sends the OIDC shared secret to authenticate the redirection request to ADFS.
7. In the WELL-KNOWN CONFIGURATION ENDPOINT field, enter the well-known configuration URL of ADFS that you copied earlier as a prerequisite in Configuring STA as an OIDC Application in ADFS.
8. Click Load to populate the Endpoint URLs and the Issuer fields.
9. In the REQUEST USER IDENTIFIER field, ensure that E-mail address is selected. This is the STA user attribute that is sent in the authentication request to the external IDP.
10. In the VERIFICATION USER IDENTIFIER field, ensure that E-mail address is selected. This identifier is generally identical to the request user identifier. It is the STA user attribute that is matched against the content of the specified ID token claim.
11. In the VERIFICATION CLAIM NAME field, enter the same value (for example, email) that you entered earlier in the Outgoing Claim Type (Select or type to add more) column in Adding a Transform Claim Rule. This is the claim in the returned ID token that contains the user identifier to be verified.
    Only the claim type email is supported in this release. Other claim types will be supported in the future.
12. Click Save.
Adding ADFS as an Authentication Method in a STA Policy
The external IDP (Active Directory Federation Services) is now an authentication method that you can add in STA policies and authentication scenarios.
Perform the following steps to add ADFS as an authentication method in a STA policy:
1. On the STA Access Management console, click the Policies tab.
2. Click the icon to add a new policy or a scenario.
3. Under Scope, select the users and applications to which you want to apply the policy.
4. Under Decision, under Authentication methods, select the authentication method as per your preferred configuration.
5. Under External identity provider, select ADFS (Password), the external IDP that you created in the steps above.
6. Click Save.
For more information, refer to Adding an Exception Policy.
Verifying Authentication
Using STA Console
Navigate to the end application SSO URL.
You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Active Directory Federation Services sign-in page. Enter your Active Directory login credentials and you should be redirected to the application dashboard.
Using STA User Portal
Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the end application icon; you should be redirected to the Active Directory Federation Services sign-in page. Enter your Active Directory login credentials and you should be redirected to the application dashboard.