This section provides instructions on how to create a new connection group and configure rules for the created connection group in Active Directory Federation Services (ADFS).
The ADFS role must already be configured on the server.
Creating a new connection group
In ADFS, select the Application groups section and in the Actions section click Add Application Group.
In the Template field, in the Client-Server applications group, select Native application accessing a web API.
Click Next to proceed to the next step of creating and configuring a connection group.
The Client Identifier field is filled in automatically. Specify the value of the Client Identifier field in KUMA when configuring domain authentication.
In the Redirect URI field, enter the URI for redirection from ADFS with the /sso-callback substring, and click Add. Example: https://adfs.example.com:7220/sso-callback
Click Next to proceed to the next configuration step.
In the Identifiers field, add the relying party ID and click Add. It can be any arbitrary value. Example: test-demo. Specify the value of the Identifier field in KUMA, in the Relying party identifiers field, when configuring domain authentication.
Click Next to proceed to the next configuration step, and click Next again on the following step to proceed to the configuration of permitted scopes.
In the Permitted scopes field, select the check box for the allatclaims and openid options.
Click Next to proceed to the next configuration step.
If the settings are correct and you are ready to add a group, click Next.
A new group is added. You can proceed to configure the rules for the created group.
Adding rules for a connection group
In ADFS, select the Application groups section and select the required connection group from the list. Example: new-application-group.
In the new-application-group Properties window that opens, in the Applications section, double-click new-application-group - Web API.
In the new-application-group - Web API Properties window that opens, open the Issuance Transform Rules tab and click Add rule. In the Add Transform Claim Rule Wizard window that opens, in the Choose Rule Type section, select Send LDAP Attributes as Claims from the drop-down list.
Click Next to proceed to the next configuration step.
In the Attribute store drop-down list, select Active Directory.
In the Mapping of LDAP attributes to outgoing claim types field, map the following fields:
LDAP Attribute | Outgoing Claim Type
---|---
Click Finish to complete the configuration.
On the Issuance Transform Rules tab, click Add rule again. In the Add Transform Claim Rule Wizard window that opens, in the Choose Rule Type section, select Send claims using a custom rule from the drop-down list. Click Finish to continue the configuration.
In the Custom rule field, specify the following settings:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);
Click Finish to complete the configuration.
To apply the rules, on the Issuance Transform Rules tab that opens, click Apply or OK.
The configuration of groups and rules in ADFS is completed. You can proceed to configure domain authentication in KUMA.
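As an added example that is not part of the original instructions, the same connection group, its applications, the permitted scopes and the custom claim rule from this section can be created with the ADFS PowerShell module on the ADFS server. The group name, the generated client identifier, the "Permit everyone" access control policy and the rule name are assumptions; the redirect URI, relying party identifier, scopes and the rule text are the ones given above.

```powershell
# Added example: creates the connection group from this page with the ADFS PowerShell
# module instead of the ADFS management console. Run in an elevated session on the ADFS server.
# Assumptions (not from the page): group name, generated client identifier,
# the built-in "Permit everyone" access control policy and the rule name.
Import-Module ADFS

$groupName   = 'new-application-group'                       # example group name used on the page
$clientId    = [guid]::NewGuid().ToString()                  # assumption: the console generates this value
$redirectUri = 'https://adfs.example.com:7220/sso-callback'  # page example; must contain /sso-callback
$rpId        = 'test-demo'                                   # page example relying party identifier

# Custom claim rule from the page: issue the user's ObjectGUID looked up by Windows account name.
$customRule = @'
@RuleName = "Issue ObjectGUID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("ObjectGUID"), query = ";ObjectGUID;{0}", param = c.Value);
'@

# Application group (equivalent of Add Application Group in the console)
Add-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

# Native application: the client side of "Native application accessing a web API"
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Native application" -Identifier $clientId -RedirectUri $redirectUri

# Web API with the relying party identifier and the issuance transform rule
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" -Identifier $rpId `
    -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $customRule

# Permitted scopes selected on the page: openid and allatclaims
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $rpId `
    -ScopeNames 'openid', 'allatclaims'

# Check that the rule was stored, then print the values to enter in KUMA
(Get-AdfsWebApiApplication -Name "$groupName - Web API").IssuanceTransformRules
"Client Identifier (KUMA):           $clientId"
"Relying party identifier (KUMA):    $rpId"
```

The LDAP attribute mapping rule from the table above is not included here; add it in the console as described, or append a Send LDAP Attributes as Claims rule to the same IssuanceTransformRules string.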