This guide (document) has the following purpose:
- Guide AD/ADFS admin through ADFS configuration of Single Sign-On for Spencer
- Guide AD/ADFS admin & System of Record (SOR) admin through the setup of token exchange to enable Spencer to make authenticated API calls to the System of Record, on-behalf-of the logged-in user
This guide uses the SAML protocol.
Spencer system overview
Setup ADFS
Step 1 – Add a relying party trust for Spencer
#1 Open the ADFS Management tool
#2 Click on Add relying party trust
#3 Choose Claims aware and Click on Start on the Welcome page
#4 Spencer will provide endpoint (URL) where Spencer identity metadata can be fetched
#5 Choose Import data about the relying party published online, fill in Spencer metadata endpoint (URL). Click Next on the Select Data Source Page
You will see a warning message. Access Management by Forgerock adds extra metadata, so you can safely ignore the warning
#6 Fill in a Display name (for example Spencer, for future reference) and click Next
#7 Choose the Access Control Policy that fits your organisation. As an example we will use Permit everyone. Click Next
#8 Check all data and click Next on the Overview page
#9 Keep ‘Configure claims issuance policy for this application’ checked and click on Close.
Step 2 – Add custom rules
#1 Go to Relying Party Trusts and right click on Spencer (The Display name from previous step) and click on Edit Claim Issuance Policy
#2 Click on Add Rule
#3 Select Send LDAP Attributes as Claims from the dropdown list and click on Next
#4 Give the claim rule a meaningful name, select the correct Attribute Store, provide some basic information and click on Finish
#5 Add another rule by clicking on Add Rule again.
#6 Access Management by Forgerock expects the NameID in its own namespace. This is only possible with Custom Rules. Choose Send Claims Using a Custom Rule in the dropdown list and click on Next
#7 Fill in
Claim rule name: a meaningful name, ex: CustomNameIDRule
Custom rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(
      Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer,
      Value = c.Value,
      ValueType = c.ValueType,
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://spencermultisso-production-identity.spencer.co:443/auth");
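The same Step 1 and Step 2 configuration can be scripted with the ADFS PowerShell cmdlets, which is useful for repeatable deployments and for reading back what the GUI produced. The script below is an added example, not part of this guide or of Spencer's own tooling. It assumes: the Spencer metadata URL (a placeholder here, to be replaced with the URI Spencer provides), that the Step 2 LDAP rule sends userPrincipalName as the UPN claim (the guide leaves the attribute choice open, but the custom NameID rule consumes the UPN claim, so that is the assumed choice), and that it runs in an elevated session on the ADFS server.

```powershell
# Added example: script the Spencer relying party trust and its two claim rules.
# Run on the ADFS server in an elevated PowerShell session.
Import-Module ADFS

# Values from the guide
$DisplayName      = 'Spencer'
$SpNameQualifier  = 'https://spencermultisso-production-identity.spencer.co:443/auth'
# Placeholder: replace with the metadata URI Spencer provides (see Summary Delivery)
$SpencerMetadataUrl = 'https://<spencer-metadata-uri-provided-by-spencer>'

# Step 2 rule 1 (assumption): send userPrincipalName from Active Directory as the UPN claim.
$LdapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";userPrincipalName;{0}",
          param = c.Value);
'@

# Step 2 rule 2: the custom NameID rule exactly as the guide gives it.
$NameIdRule = @"
@RuleName = "CustomNameIDRule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$SpNameQualifier");
"@

$Rules = $LdapRule + "`n" + $NameIdRule

# Step 1: import the relying party from the published metadata and apply the access control policy.
# "Permit everyone" is the built-in policy used as the example in the guide; pick the one that fits your organisation.
if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName `
                              -MetadataUrl $SpencerMetadataUrl `
                              -AccessControlPolicyName 'Permit everyone' `
                              -IssuanceTransformRules $Rules
} else {
    # Trust already exists (e.g. created through the GUI): only replace the issuance rules.
    Set-AdfsRelyingPartyTrust -TargetName $DisplayName -IssuanceTransformRules $Rules
}

# Read back and verify that the NameID rule carries the emailAddress format and the Spencer SPNameQualifier.
$Trust = Get-AdfsRelyingPartyTrust -Name $DisplayName
$HasNameId = $Trust.IssuanceTransformRules -match 'claims/nameidentifier'
$HasFormat = $Trust.IssuanceTransformRules -match 'nameid-format:emailAddress'
$HasSpNq   = $Trust.IssuanceTransformRules -match [regex]::Escape($SpNameQualifier)

if ($HasNameId -and $HasFormat -and $HasSpNq) {
    Write-Host "Relying party '$DisplayName' configured; NameID rule present with expected format and SPNameQualifier."
} else {
    Write-Warning "NameID rule incomplete for '$DisplayName'. NameID=$HasNameId Format=$HasFormat SPNameQualifier=$HasSpNq"
}
```

The read-back at the end matters because a NameID that lacks the emailAddress format or the Spencer SPNameQualifier is exactly what the warning in Step 1 and the custom rule in Step 2 are there to get right; checking the stored rule text after the change catches a mis-pasted rule before the first login attempt.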
Summary Delivery
Information you should provide to Spencer
1. Domain of ADFS
2. Test user and password
Information Spencer should provide to you
Spencer metadata URI