Configure Active Directory Federation Services (AD FS) for use as a SAML ID provider

This document walks you through setting up AD FS 4.0 on Windows Server 2016 as a SAML Identity Provider (IdP) for Community Portal or SynWeb. It assumes you have already installed the AD FS server role.

Set up a Relying Party Trust

Start the AD FS Management Console and navigate to Relying Party Trusts.

Click Add Relying Party Trust...

In the Wizard, select Claims aware and click Next

In Select Data Source, choose the Enter data about relying party manually option and click Next

Enter a Display name (e.g. Synergetic Community Portal or SynWeb) and click Next

We do not need a Token Encryption Certificate, so simply click Next

Tick Enable support for the SAML 2.0 WebSSO protocol and enter the web address of your Community Portal or SynWeb as the Relying party SAML 2.0 SSO service URL, then click Next. Use the HTTPS address: this is the URL AD FS posts the signed SAML response (carrying the user's identity) back to.

On the Configure Identifiers page, add the URLs of the login.aspx page of your Community Portal or SynWeb for both HTTP and HTTPS (e.g. https://community.synergetic.edu.au/login.aspx and its http:// equivalent) and click Next. The identifier must exactly match the SAMLSPIssuer value you enter in the configuration tool later in this guide; if it does not, AD FS will not recognise the relying party and will reject the sign-in request.

Community Portal and SynWeb currently do not support MFA, so accept the defaults on the remaining pages (click Next, Next and then Finish) to complete the wizard.

Configure Claim Issuance Policy

Select the Relying Party Trust you just created and click Edit Claim Issuance Policy... in the Actions pane.

Click Add Rule.. and select Transform an Incoming Claim.

Give the rule a name such as SAM-Account-Name > Name ID. For Incoming claim type select Windows account name, for Outgoing claim type select Name ID and for Outgoing name ID format select Persistent Identifier. Leave the other options at their defaults (Pass through all claim values) and click Finish. Note that the Windows account name claim has the form DOMAIN\username, so that exact string is what Community Portal or SynWeb receives as the Name ID and matches against the Network Login field.

You can use other attributes from your Active Directory schema instead (such as userPrincipalName or employeeID, whichever matches the Synergetic Community ID or whatever you place in the Network Login field of the community record; use the Send LDAP Attributes as Claims rule template for these), but the Outgoing Claim Type must either remain Name ID or be mapped via SAMLClaimAttributeName in the configuration file later in this guide.

Logout Configuration

Right-click the Relying Party Trust you created above and select Properties.

Navigate to the Endpoints tab and click Add SAML...

In the Add an Endpoint dialog, set Endpoint type to SAML Logout, set Binding to REDIRECT and enter as the Trusted URL your AD FS SAML sign-out URL, which is normally your AD FS passive endpoint, e.g. https://adfs.synergetic.edu.au/adfs/ls/ (the same address you will enter as SAMLLogoutDestination below).

Finally, AD FS requires that logout requests be signed. A default certificate is supplied with the product for this purpose, but it must be loaded into AD FS. Because this is the product's default certificate (shared between both products) rather than one issued to your site, the signature only tells AD FS that the logout request came from a Synergetic product; it does not identify your particular installation.

Inside the SynWeb or Community Portal installation directory, navigate to Site\Certificates and copy SynergeticSAMLSigning.cer to your AD FS server (the certificate is the same for both products).

In the Relying Party Trust Properties, click the Signature tab and then click Add...

Browse to the location where you copied SynergeticSAMLSigning.cer, select it and click Open; the certificate is added to the list.

Exporting the Token Signing Certificate

In the AD FS Management Console, click on Certificates Folder in the navigation tree.

Right-click the Token-signing certificate and click View Certificate... If more than one token-signing certificate is listed, export the one marked Primary. With AD FS auto certificate rollover enabled (the default), this certificate is replaced periodically; when it rolls over, repeat this export and replace token.cer on the web server, otherwise sign-ins will fail because the assertion signature no longer verifies.

Click on the Details tab, and then click on Copy to File...

In the Export Wizard, click Next, select Base-64 encoded X.509 (.CER) and click Next.

Browse to a location where you want to save this certificate (referred to below as token.cer), then click Next and Finish.
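The relying party trust, claim rule, logout endpoint, request signing certificate and token-signing certificate export described in the steps above, done with the ADFS PowerShell module so the configuration can be reviewed and repeated. This is an added example, not part of the original guide or of the Synergetic products; run it on the AD FS server as an AD FS administrator. The hostnames, file paths, the site address used for the assertion consumer endpoint and the "Permit everyone" access control policy are assumptions taken from the guide's own examples and wizard defaults; replace them with your own values.

```powershell
# Added example (PowerShell, not part of the original guide or the Synergetic product).
# Builds the same relying party trust the wizard steps above build. All URLs and
# paths below are assumptions based on the guide's examples.
Import-Module ADFS

$siteUrl     = 'https://community.synergetic.edu.au/'   # web address of Community Portal (or SynWeb), assumed
$spIssuer    = $siteUrl + 'login.aspx'                    # identifier = SAMLSPIssuer in the config tool
$adfsLsUrl   = 'https://adfs.synergetic.edu.au/adfs/ls/' # AD FS passive endpoint = SAML sign-out URL
$signingCer  = 'C:\Temp\SynergeticSAMLSigning.cer'       # copied from <install>\Site\Certificates (path assumed)
$tokenCerOut = 'C:\Temp\token.cer'                        # Base-64 export for the web server (path assumed)

# Claim rule equivalent to "Transform an Incoming Claim": Windows account name
# (DOMAIN\username) becomes the SAML Name ID in persistent format. Its value must
# match the Network Login field of the community record.
$rules = @'
@RuleTemplate = "MapClaims"
@RuleName = "SAM-Account-Name > Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# SAML endpoints: assertion consumer (HTTP-POST) is the site; single logout
# (HTTP-Redirect) points back at AD FS, as on the Endpoints tab.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST     -Protocol SAMLAssertionConsumer -Uri $siteUrl -Index 0
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout            -Uri $adfsLsUrl
)

# Request signing certificate (Signature tab): AD FS only accepts LogoutRequests
# signed with the key behind this certificate.
$signingCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($signingCer)

# Both identifiers, as on the Configure Identifiers page (https and http).
$identifiers = @($spIssuer, ($spIssuer -replace '^https://', 'http://'))

Add-AdfsRelyingPartyTrust -Name 'Synergetic Community Portal' `
    -Identifier $identifiers `
    -SamlEndpoint $endpoints `
    -RequestSigningCertificate $signingCert `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone'

# Export the PRIMARY token-signing certificate as Base-64 X.509 (= token.cer).
# With AutoCertificateRollover on, this certificate changes when AD FS rolls it;
# re-export and replace token.cer on the web server when that happens.
$tokenSigning = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($tokenSigning.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----`r`n"
Set-Content -LiteralPath $tokenCerOut -Value $pem -Encoding Ascii
"Exported token-signing cert: thumbprint $($tokenSigning.Thumbprint), valid until $($tokenSigning.NotAfter)"

# Review what was created.
Get-AdfsRelyingPartyTrust -Name 'Synergetic Community Portal' |
    Select-Object Name, Identifier, SamlEndpoints, RequestSigningCertificate, AccessControlPolicyName
```

Keep the thumbprint printed at the end; comparing it against the certificate you later copy to Site\Certificates is the quickest way to confirm the web server is trusting the certificate AD FS is actually signing with.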

Setting up Community Portal

Copy the AD FS token signing certificate you exported previously into the Community Portal installation directory under ~/Site/Certificates/ and optionally rename it to token.cer.

Navigate to the BinConfig folder in the Community Portal installation directory, locate Synergetic.Application.CreateConfig.exe, right-click it and select Run as administrator. Once the tool opens, configure SAML as follows.

Key                                          Value
AuthenticationMode                           14
SAMLLoginBinding                             POST
SAMLLogoutBinding                            REDIRECT
SAMLLoginDestionation                        Your AD FS URL, e.g. https://adfs.synergetic.edu.au/adfs/ls/
SAMLLogoutDestination                        Your AD FS URL, e.g. https://adfs.synergetic.edu.au/adfs/ls/
SAMLLoginX509CertificatePath                 ~/Site/Certificates/token.cer
SAMLLogoutX509CertificatePath                (leave blank)
SAMLLogoutX509CertificatePrivateKeyPassword  (leave blank)
SAMLSPIssuer                                 URL of Community Portal including login.aspx, e.g. https://community.synergetic.edu.au/login.aspx
SAMLIDPUserHomePageUrl                       (leave blank)
SAMLComparisonMode                           minimum
SAMLClaimAttributeName                       NameID

The SAMLSPIssuer value must match one of the identifiers you entered on the Configure Identifiers page in AD FS exactly, including the scheme and the login.aspx path.

Ensure that the Network Login field has been populated for your community members under Community > Other. Its value must match the Name ID that AD FS sends (DOMAIN\username if you used the Windows account name rule above).

Setting up SynWeb

Copy the AD FS token signing certificate you exported previously into the SynWeb installation directory under ~/Site/Certificates/ and optionally rename it to token.cer.

Log into SQL Server Management Studio, open a New Query and run the following query against your Synergetic database:

SELECT SynergeticUserName, SynergeticPassword FROM pvSynDatabases

Make note of the zSynergetic_main_dbo user and password; if multiple rows contain a username, only one should contain a password. This credential will be written into the SynWeb configuration file below, so handle it as you would any database password.

Navigate to the BinConfig folder in the SynWeb installation directory, locate Synergetic.Application.CreateConfig.exe, right-click it and select Run as administrator. Once the tool opens, configure SAML as follows.

Key                                          Value
AuthenticationMode                           SAML
OverrideUserName                             zSynergetic_main_dbo
OverridePassword                             Leave this blank for now (entered by hand below)
SAMLLoginBinding                             POST
SAMLLogoutBinding                            REDIRECT
SAMLLoginDestionation                        Your AD FS URL, e.g. https://adfs.synergetic.edu.au/adfs/ls/
SAMLLogoutDestination                        Your AD FS URL, e.g. https://adfs.synergetic.edu.au/adfs/ls/
SAMLLoginX509CertificatePath                 ~/Site/Certificates/token.cer
SAMLLogoutX509CertificatePath                (leave blank)
SAMLLogoutX509CertificatePrivateKeyPassword  (leave blank)
SAMLSPIssuer                                 URL of SynWeb including login.aspx, e.g. https://synweb.synergetic.edu.au/login.aspx
SAMLIDPUserHomePageUrl                       (leave blank)
SAMLComparisonMode                           minimum
SAMLClaimAttributeName                       NameID

Once you have saved the configuration file, open it in Notepad (or Notepad++) and find the OverridePassword key, which should look like this:

<OverridePassword />

Replace the self-closing element with an opening and closing tag and enter the password between them, like so. If the password contains the characters &, < or >, they must be written as &amp;, &lt; and &gt; or the file will no longer be valid XML.

<OverridePassword>Password from the query</OverridePassword>

Save the file (you may need to save it to the desktop and then copy it into the wwwroot\synwebcfg directory due to permissions). The file now contains the database password in clear text, so make sure its NTFS permissions restrict access to administrators and the identity the SynWeb application pool runs as.
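The hand edit above, done with PowerShell's XML support so the password is escaped correctly and the file's permissions are tightened in the same step. This is an added example, not part of the original guide or of the Synergetic products. The configuration file name, the exact folder under wwwroot\synwebcfg and the application pool name are assumptions (the guide names only the folder); adjust them to your installation.

```powershell
# Added example (PowerShell, not part of the original guide or the Synergetic product):
# set <OverridePassword> in the saved SynWeb configuration file and lock the
# file's NTFS ACL down, instead of editing the XML by hand in Notepad.
# Assumptions: $ConfigPath is a placeholder (the guide only names the
# wwwroot\synwebcfg folder), the element is not in an XML namespace, and the IIS
# application pool running SynWeb is called 'SynWeb'.
param(
    [string]$ConfigPath  = 'C:\inetpub\wwwroot\synwebcfg\<your-saved-config>.config',
    [string]$AppPoolName = 'SynWeb'
)

# Prompt for the zSynergetic_main_dbo password from the pvSynDatabases query so it
# does not end up in the shell history.
$secure = Read-Host -Prompt 'zSynergetic_main_dbo password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
$node = $cfg.SelectSingleNode('//OverridePassword')
if (-not $node) { throw "No <OverridePassword> element found in $ConfigPath" }

# InnerText XML-escapes & < > automatically, which is the step most often missed
# when the password is pasted in by hand.
$node.InnerText = $plain
$cfg.Save($ConfigPath)

# The file now holds a clear-text database credential: stop inheriting ACEs,
# drop explicit ones, and grant access only to SYSTEM, Administrators and the
# application pool identity (read-only).
$acl = Get-Acl -LiteralPath $ConfigPath
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $null = $acl.RemoveAccessRule($_) }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'Allow'))
}
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "IIS AppPool\$AppPoolName", 'Read', 'Allow'))
Set-Acl -LiteralPath $ConfigPath -AclObject $acl

# Verify: the element is populated and only the intended principals remain.
$check = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
"OverridePassword set: $($check.SelectSingleNode('//OverridePassword').InnerText.Length -gt 0)"
(Get-Acl -LiteralPath $ConfigPath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run it from an elevated prompt on the SynWeb server; because it writes the file directly, the desktop-then-copy workaround mentioned above is not needed.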

Finally, ensure that the Network Login field has been populated for your SynWeb users under Community > Other; its value must match the Name ID that AD FS sends (DOMAIN\username if you used the Windows account name rule above).