Add ADFS as an Identity Provider

1. In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send LDAP Attributes as Claims.
2. In the Configure Claim Rule step:
   • Specify a Claim rule name, for example NameID.
   • For Attribute store, select Active Directory.
   • Create the following Mapping of LDAP attributes to outgoing claim types:

     LDAP Attribute	Outgoing Claim Type
     User-Principal-Name	Name ID
     User-Principal-Name	UPN

1. In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send LDAP Attributes as Claims.
2. In the Configure Claim Rule step:
   • Specify a Claim rule name, for example Profile.
   • For Attribute store, select Active Directory.
   • Create the following Mapping of LDAP attributes to outgoing claim types:

     LDAP Attribute	Outgoing Claim Type
     Display-Name	Name
     Given-Name	Given Name
     Surname	Surname
     E-Mail-Addresses	E-Mail Address

Groups that are sent to Identity Consumers can be filtered.
You can Issue all groups to the Identity Broker and only use filtering in the Identity Broker.
You can also Issue a (pre-)filtered set of groups to the Identity Broker, which you can refine in Identity Broker, with a filter on the Identity Provider.

Option 1: Issue all groups to the Identity Broker

To issue all groups to the Identity Broker, create the following Claim Rule:

1. In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send Claims Using a Custom Rule.
2. In the Configure Claim Rule step:
   • Specify a Claim rule name, for example AllGroups.
   • For Custom rule, enter:
     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups(domainQualifiedName);{0}", param = c.Value);

This configuration relies fully on the Identity Broker to filter the groups that are sent to Identity Consumers.

See also Using Group/Role filters for Identity Providers.

Option 2: Issue a (pre-)filtered set of groups to the Identity Broker

To configure a filter on the groups that are issued from ADFS to the Identity Broker, multiple Claim Rules must be configured:

Step 1: Create a Claim Rule to retrieve all groups

1. In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send Claims Using a Custom Rule.
2. In the Configure Claim Rule step:
   • Specify a Claim rule name, for example RetrieveAllGroups.
   • For Custom rule, enter:
     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups(domainQualifiedName);{0}", param = c.Value);

This Custom rule is almost identical to the AllGroups rule described above, with the exception of the add command (highlighted in bold)

Step 2: Create one or more Claim Rule(s) to filter groups

1. In the Choose Rule Type step of the Transform Claim Rule Wizard, select Send Claims Using a Custom Rule.
2. In the Configure Claim Rule step:
   • Specify a Claim rule name, for example FilterGroups.
   • For Custom rule, enter:
     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)^*\\RES.*"]
     => issue(claim = c);
• The value (?i)^*\\RES.* in the Custom rule above is an example. Please follow the links for more information about Claim Rule and RegEx syntax.
• You can create multiple 'Filter groups' rules to output the desired set of groups.

1. In the Choose Rule Type step of the Transform Claim Rule Wizard, select Transform an Incoming Claim.
2. In the Configure Claim Rule step:
   • Specify a Claim rule name, for example PreWin2000.
   • For Incoming claim type, select Windows account name.
   • For Outgoing claim type, enter the following URI:
     http://residb.com/identity/claims/preWin2000
   • Select the option Pass through all claim values.

If the Identity Broker can connect to the ADFS endpoint, part of the ADFS Providers configuration can be done automatically.

On the Identity Provider page of the Management Portal, click Add.

1. On the New Provider page that opens, at Type, select Active Directory Federation Services.
2. Specify the following fields:
   • Name: Specify a friendly name for the Provider. This name will only be displayed in the Identity Broker Management Portal.
   • Caption: Specify a caption for the button that is displayed to users when they select how they want to be authenticated. This selection will only be shown if more than one Identity Provider is configured in Identity Broker.
     See Resulting behavior if configured correctly for more information.

     If applicable, the selection screen is displayed in between step 3 and 4 of the Authentication sequence.

   • Realm: Specify the Relying party trust identifier you configured for the Identity Broker in the Configure Identifiers step of the Add Relying Party Trust Wizard in ADFS.
   • Callback Path: In ADFS, the Relying party WS-Federation Passive protocol URL you configured for the Identity Broker in the Configure URL step of the Add Relying Party Trust Wizard should be https://<Identity Broker host>/identitybroker/ids/<unique identifier>.
     Example:
     https://server.mycompany.com/identitybroker/ids/adfs
     In this example, the value /identitybroker/ids/adfs should be entered for Callback Path.
     Note that the Callback Path starts with a slash (/) and is case-sensitive.

     The ADFS Authentication Provider redirects to this path in step 7 and 8 of the Authentication sequence.

   • Group/Role filter (optional): Specify an expression that will be used to filter the groups that are returned from the Identity Broker to the Consumer. See Using Group/Role filters for Identity Providers.
   • Configure from Metadata Address: Select this option and enter the Metadata Address.
     Example: https://adfsserver.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml

The fields Provider URL, Issuer and Signing Certificate (Public Key) will be configured automatically.

If the Identity Broker cannot connect to the ADFS endpoint, you must enter all configuration manually. It can be helpful to retrieve the FederationMetadata.xml file from the ADFS server, to copy some of the data that is listed in it.
The file is usually located at https://adfsserver.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml.

To configure an ADFS Provider manually, follow the steps described in Option 1: Configure an ADFS Provider automatically, but do not select the option Configure from Metadata Address and do not enter the Metadata Address.
Continue with specifying the following fields:

• Provider URL: From the metadata.xml file, copy the URL in the Address node at:
  <EntityDescriptor ...>
    <RoleDescriptor>
      <fed:PassiveRequestorEndpoint>
        <EndpointReference>
          <Address>URL</Address>

  This URL is used in step 4 and 5 of the Authentication sequence.

• Issuer: From the metadata.xml file, copy the value for entityID= in the EntityDescriptor node.
  Example:
  <EntityDescriptor entityID="Value">
• Signing Certificate (Public Key): From the metadata.xml file, copy the data in the X509Certificate node at:
  <EntityDescriptor ...>
    <ds:Signature>
      <KeyInfo>
        <X509Data>
          <X509Certificate>Data</X509Certificate>