Configuring connection in Active Directory Federation Services

This section provides instructions on how to create a new connection group and configure rules for the created connection group in Active Directory Federation Services (ADFS).

The ADFS role must already be configured on the server.

Creating a new connection group

  1. In Server Manager, in the Tools menu, select ADFS Management.

    In ADFS, select the Application groups section and in the Actions section click Add Application Group.

  2. In the Add Application Group Wizard window that opens, in the Welcome section Name field, specify the name of the new connection group. Example: new-application-group.

    In the Template field, in the Client-Server applications group, select Native application accessing a web API.

    Click Next to proceed to the next step of creating and configuring a connection group.

  3. In the Native application section that opens, the Name and

     Client Identifier

    fields are filled in automatically.

    Specify the value of the Client Identifier field in KUMA, when configuring domain authentication.

    In the

     

    Redirect URI field, enter the URI for redirection from ADFS with the /sso-callback substring, and click Add. Example: https://adfs.example.com:7220/sso-callback

    Click Next to proceed to the next configuration step.

  4. In the Configure Web API section that opens, in the Identifiers field, add the trusted party ID and click Add. It can be any arbitrary value. Example: test-demo

    Specify the value of the Identifier field in KUMA, in the Relying party identifiers field, when configuring domain authentication.

    Click Next to proceed to the next configuration step.

  5. In the Apply Access Control Policy section that opens, select the Permit everyone policy value.

    Click Next to proceed to the next configuration step.

  6. In the Configure Application Permissions section that opens, the Client application field is filled in automatically.

    In the Permitted scopes field, select the check box for the allatclaims and openid options.

    Click Next to proceed to the next configuration step.

  7. In the Summary section that opens, check the settings.

    If the settings are correct and you are ready to add a group, click Next.

A new group is added. You can proceed to configure the rules for the created group.

Adding rules for a connection group

  1. In Server Manager, in the Tools menu, select ADFS Management.

    In ADFS, select the Application groups section and select the required connection group from the list. Example: new-application-group.

  2. In the Application groups window, in the Actions section, click Properties.

    In the new-application-group Properties window that opens, in the Applications section, double-click new-application-group - Web API.

    In the new-application-group - Web API Properties window that opens, open the

    Issuance Transform Rules

    tab and click Add rule.

    In the Add Transform Claim Rule Wizard window that opens, in the Choose Rule Type section, select Send LDAP Attributes as Claims from the drop-down list.

    Click Next to proceed to the next configuration step.

  3. In the Configure Claim Rule section, specify the rule name in the Claim rule name field. Example: rule-name-01.

    In the Attribute store drop-down list, select Active directory.

    In the Mapping of LDAP attributes to outgoing claim types field, map the following fields:

    LDAP Attribute

    Outgoing Claim Type

    User-Principal-Name

    UserPrincipalName

    Display-Name

    displayName

    E-Mail-Addresses

    Mail

    Is-Member-Of-DL

    MemberOf

    Click Finish to complete the configuration.

  4. Go to the new-application-group - Web API Properties window, open the

    Issuance Transform Rules

    tab and click Add rule. In the Add Transform Claim Rule Wizard window that opens, in the Choose Rule Type section, select Send claims using a custom rule from the drop-down list.

    Click Finish to continue the configuration.

  5. In the Configure Claim Rule section, specify the rule name in the Claims rule name field. Example: rule-name-02.

    In the Custom rule field, specify the following settings: 

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);

    Click Finish to complete the configuration.

  6. The system proceeds to the new-application-group - Web API Properties window and the Issuance Transform Rules tab.

    To apply the rules, on the Issuance Transform Rules tab that opens, click Apply or OK.

The configuration of groups and rules in ADFS is completed. You can proceed to configure domain authentication in KUMA.

Page top