Integrating Trusona and Active Directory Federation Services (ADFS)

This guide details the steps required to configure Trusona for your ADFS instance.

What’s in this doc

This guide assumes that you have knowledge of installing and configuring Windows Server 2016, Active Directory and ADFS 2016. This document also assumes a fresh installation.

For more information on installing ADFS, please see https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/deployment/ad-fs-deployment-guide.

It is also assumed that you have provided your ADFS Token Signing certificate to Trusona. For more information on ADFS certificates, please see https://technet.microsoft.com/en-us/library/dn781426(v=ws.11).aspx.

Configuring Claims Provider Trust

Step 1: Select Claims Provider Trusts

Select adfs > Service > Claims Provider Trusts

Step 2: Add Claims Provider Trusts

Step 3: Import Data About the Claims Provider

Select “Import data about the claims provider published online or on a local network”

Enter your metadata URL which was provided during the provisioning of your account. For this example we are using https://trulab.gateway.trusona.net/saml/metadata where trulab represents the handle used to identify your instance.

For provisioning, contact integration@trusona.com

Step 4: Specify Display Name as “Trusona”

Complete the wizard with the remaining default values. ADFS should configure itself from the metadata document.

Step 5: Open PowerShell to Complete Configuration

Configure ADFS to enable the IdP-initiated SAML flow.

c:> Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

Configure ADFS to include the assertion consumer service URL (AssertionConsumerServiceURL) in the AuthnRequest. This is required by the Trusona Gateway. The Identifier is always the same and is populated from the metadata document.

c:> Get-AdfsClaimsProviderTrust -Identifier 'https://gateway.trusona.net/saml/metadata' |
    Set-AdfsClaimsProviderTrust -SamlAuthenticationRequestParameters Url
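The five steps above as one script, so the trust setup can be repeated and checked rather than clicked through. This is an added example, not part of the Trusona guide; it assumes the ADFS PowerShell module is present on the federation server and that $Handle is your instance handle (the guide's example uses trulab).

```powershell
# Added example (not from the Trusona guide): create the Claims Provider
# Trust from published metadata, apply the Step 5 settings, then verify.
# Assumes the ADFS module is installed and $Handle is your Trusona handle.
Import-Module ADFS

$Handle      = "trulab"                                     # your instance handle
$MetadataUrl = "https://$Handle.gateway.trusona.net/saml/metadata"
$Identifier  = "https://gateway.trusona.net/saml/metadata"  # fixed, taken from the metadata

# Steps 2-4: import the claims provider from metadata unless it already exists.
# Monitoring/auto-update keep the token signing certificate current on rollover.
if (-not (Get-AdfsClaimsProviderTrust -Identifier $Identifier -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimsProviderTrust -Name "Trusona" -MetadataUrl $MetadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Step 5: IdP-initiated sign-on page and the ACS URL in the AuthnRequest.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
Get-AdfsClaimsProviderTrust -Identifier $Identifier |
    Set-AdfsClaimsProviderTrust -SamlAuthenticationRequestParameters Url

# Verification: stop with a clear error if any setting did not take effect.
$trust = Get-AdfsClaimsProviderTrust -Identifier $Identifier
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    throw "IdP-initiated sign-on page is still disabled"
}
if ($trust.SamlAuthenticationRequestParameters -ne "Url") {
    throw "SamlAuthenticationRequestParameters is '$($trust.SamlAuthenticationRequestParameters)', expected 'Url'"
}
if (-not $trust.TokenSigningCertificates) {
    throw "No token signing certificate was imported from $MetadataUrl"
}
"Trusona trust OK; signing certificate thumbprint(s): " +
    ($trust.TokenSigningCertificates.Thumbprint -join ", ")
```

Compare the printed thumbprint(s) with the certificate Trusona expects to sign with; a mismatch means the metadata you imported is not the one for your instance.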

Configure ADFS to Resolve Attributes from Active Directory

You may want to configure ADFS to resolve attributes from Active Directory for users authenticating with Trusona. If your upstream SPs require information from Active Directory, such as group membership, complete this section.

Before doing so, ensure the following requirements are met.

  • TruGateway is configured to resolve an email address against a configured set of domains.
  • Email addresses are stored in Active Directory in the E-mail field.

Step 1: Edit Claim Rules

In the ADFS Management console, right-click the Trusona Claims Provider Trust and select Edit Claim Rules.

Step 2: Create Rule “Pass All Trusona Claims”

Create a new rule using the Send Claims Using a Custom Rule template and title it Pass all Trusona claims.

c:[]
 => issue(claim = c);

Step 3: Create Rule “Resolve AD Attributes”

Create a new rule using the Send Claims Using a Custom Rule template and title it Resolve AD attributes.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = "mail={0};userPrincipalName,sAMAccountName,tokenGroups;LAB\adfs_sa",
          param = c.Value);

In the query section, replace LAB\adfs_sa with the name of your domain. In our example, LAB is the name of our domain. Because we are querying Active Directory, a username must be present in this position, but it does not have to be a valid account that exists in Active Directory. This may not be the case if you were querying a different LDAP store.

This rule does the following:

  1. Takes the Subject NameID from the incoming assertion where the NameID format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  2. Issues claims from the Active Directory attributes userPrincipalName, sAMAccountName and tokenGroups, setting the values on the corresponding claim types in order.

More information about the ADFS rule syntax is available at https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/technical-reference/the-role-of-the-claim-rule-language.
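The two acceptance transform rules from Steps 2 and 3, applied with PowerShell and checked afterwards. This is an added example, not part of the Trusona guide; it assumes the trust was created with the identifier shown earlier and that $Domain is your AD domain name (LAB in the guide's example).

```powershell
# Added example (not from the Trusona guide): set both claim rules on the
# Trusona Claims Provider Trust from a script and verify they were stored.
# Assumes the ADFS module is installed and $Domain is your AD domain name.
Import-Module ADFS

$Identifier = "https://gateway.trusona.net/saml/metadata"
$Domain     = "LAB"   # your domain; the account part (adfs_sa) is not validated by AD

# Double-quoted here-string: $Domain is expanded, {0} stays literal for the rule engine.
$rules = @"
@RuleName = "Pass all Trusona claims"
c:[]
 => issue(claim = c);

@RuleName = "Resolve AD attributes"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = "mail={0};userPrincipalName,sAMAccountName,tokenGroups;$Domain\adfs_sa",
          param = c.Value);
"@

# Replaces the whole acceptance rule set for this trust with the two rules above.
Set-AdfsClaimsProviderTrust -TargetIdentifier $Identifier -AcceptanceTransformRules $rules

# Verification: confirm both rules are present and the domain was substituted.
$applied = (Get-AdfsClaimsProviderTrust -Identifier $Identifier).AcceptanceTransformRules
if ($applied -notmatch "Pass all Trusona claims") { throw "pass-through rule missing" }
if ($applied -notmatch "Resolve AD attributes")   { throw "AD attribute rule missing" }
if ($applied -notmatch [regex]::Escape("$Domain\adfs_sa")) {
    throw "query still does not name $Domain; check the here-string expansion"
}
"Acceptance transform rules applied for $Identifier"
```

Note that the first rule forwards every claim Trusona asserts unchanged; the second only fires for a NameID in emailAddress format, so a user whose email is not in the AD E-mail field gets no UPN, account name or group claims.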

ADFS will now populate the following claims upon receiving an assertion from Trusona; they can then be used to resolve additional information from other systems or passed on as part of another assertion.

  • Windows account name
  • Groups (all AD groups, as nested attribute values)
  • UPN

This was tested using the AWS Management Console as the SP as part of an IdP-initiated flow.

For information on configuring AWS IAM and ADFS, please see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html.

Architecture

Trusona ADFS integration architecture diagram