
Configuring ADFS Server

This section provides the steps to set up the Active Directory Federation Services (ADFS) server, configure Active Directory, and establish the relying party trust used for authentication.

1. Hardware Configuration:

Note

The ADFS server must reside on the same network as the other components.

  • Operating System: Windows Server 2019 Datacenter (Desktop Experience).
  • Specifications: 2 vCPUs, 8 GB memory, 100 GB disk space, 64-bit OS.

2. ADFS Server Configuration:

  • Active Directory (AD) Setup:

Note

Ensure that you obtain the ad_setup.ps1 and adfs_setup.ps1 scripts from the Siemens OPS team.

  1. Open Windows PowerShell as "Administrator".
  2. Copy the ad_setup.ps1 script to the server and execute it.
    The system reboots upon completion.
  3. Launch "Active Directory Users and Computers" and create a new user, the_admin.
    1. Uncheck the "User must change password at next logon" option.
    2. Add the user to the "Administrators" and "Domain Admins" groups:
      Right-click the user, select "Add to a group...", type "Administrators", click "Check Names", then "OK"; repeat these steps for "Domain Admins".
  4. Ensure that the "Password never expires" option is selected.
    This account is a domain administrator with a non-expiring password; treat its credentials as highly sensitive and do not reuse the password anywhere else.

  5. ADFS Setup:
    Run the adfs_setup.ps1 script in PowerShell and set the password appropriately.

  6. Trust Setup:

Note

Ensure that you obtain the trust_setup.ps1 script from the Siemens OPS team.

  1. Execute the trust_setup.ps1 script in Windows PowerShell.
  2. In the "ADFS Management" console, navigate to "Relying Party Trusts":
    1. Right-click "Insights Hub Trust" and select "Edit Access Control Policy".
    2. Choose "Permit everyone", then click "Apply".
      "Permit everyone" lets every user who can authenticate to this AD obtain a token for the relying party; if only particular users should reach Insights Hub, choose a group-based policy instead.
  3. Obtain the metadata XML as described in the "Adding an ADFS User" section below; it is needed for the integration.
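The account creation in steps 3 and 4 of the AD setup above, as an added PowerShell example using the ActiveDirectory module. This is not the ad_setup.ps1 or adfs_setup.ps1 script from the Siemens OPS team (their contents are not shown on this page); only the user name the_admin and the two group names come from the steps above. Prompting for the password instead of embedding it, and the verification at the end, are this example's own choices.

```powershell
# Added example (not the Siemens OPS script): create the_admin as steps 3 and 4 describe,
# then verify the result. Requires the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

$userName = "the_admin"                            # user name from the steps above
$groups   = @("Administrators", "Domain Admins")   # groups named in the steps above

# Prompt for the password rather than hard-coding it in a script that gets copied around.
$password = Read-Host -Prompt "Password for $userName" -AsSecureString

# Create the user: enabled, no forced change at next logon, password never expires.
# A non-expiring Domain Admin credential is a high-value target; protect it accordingly.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$userName'")) {
    New-ADUser -Name $userName `
               -SamAccountName $userName `
               -UserPrincipalName "$userName@$((Get-ADDomain).DNSRoot)" `
               -AccountPassword $password `
               -Enabled $true `
               -ChangePasswordAtLogon $false `
               -PasswordNeverExpires $true
}

# Add the account to both groups; skip groups it is already a member of.
$memberOf = Get-ADPrincipalGroupMembership -Identity $userName | Select-Object -ExpandProperty Name
foreach ($group in $groups) {
    if ($memberOf -notcontains $group) {
        Add-ADGroupMember -Identity $group -Members $userName
    }
}

# Verification: confirm the account state and both memberships before moving on.
$user     = Get-ADUser -Identity $userName -Properties PasswordNeverExpires
$memberOf = Get-ADPrincipalGroupMembership -Identity $userName | Select-Object -ExpandProperty Name

$checks = [ordered]@{
    "Enabled"                  = $user.Enabled
    "PasswordNeverExpires"     = $user.PasswordNeverExpires
    "Member of Administrators" = ($memberOf -contains "Administrators")
    "Member of Domain Admins"  = ($memberOf -contains "Domain Admins")
}
$checks.GetEnumerator() | ForEach-Object { "{0,-26} {1}" -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { throw "Account setup incomplete for $userName" }
```

Run it in an elevated PowerShell session on the domain controller after ad_setup.ps1 has completed and the server has rebooted; the final table should show True for all four checks.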

Configuring ADFS for Tenant Relying Trust

This section explains how to configure ADFS with a relying party trust for a tenant.

Adding an ADFS User

To add an ADFS user and the relying party trust for the tenant, follow these steps:

  1. Provide the following details for the new user:

    • First Name
    • Last Name
    • Logon Name

  2. Enter the email address of the user.

  3. Add a tenant relying trust:

    • Download the SAML metadata for the tenant from the respective URL and rename the downloaded XML file so that the tenant it belongs to is easy to identify.

  4. Add the relying party trust:

    1. Open ADFS Management and click "Add Relying Party Trust".
    2. Select the option "Import data about the relying party from a file", then upload the renamed metadata XML.
    3. Name the trust <environment>.<service>.<project>.<domain>.
    4. Click "Next" until "Finish".

  5. Edit the claim rules: right-click the newly added trust and select "Edit Claim Rules".

  6. Add the following two claim rules:

    • AD Attribs: a "Send LDAP Attributes as Claims" rule that maps the required AD attributes (for example, the email address entered in step 2) to outgoing claims.

    • Name ID: a "Transform an Incoming Claim" rule that maps one of those claims to the Name ID.

  7. Navigate back to "Relying Party Trusts", right-click the new trust, open its properties, and verify the certificates on the "Encryption" and "Signature" tabs: they must be the ones contained in the tenant metadata and must not be expired.
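The relying party trust procedure above (steps 3 to 7) and the "Permit everyone" access control policy from the Trust Setup section, as one added PowerShell example using the ADFS module. This is not the trust_setup.ps1 script from the Siemens OPS team and not the project's own code. The trust name, the metadata URL, and the LDAP attribute set in the "AD Attribs" rule are assumptions marked as such in the code; the page only says to map attributes "as required".

```powershell
# Added example (not the Siemens OPS script): create the tenant relying party trust from
# downloaded SAML metadata, attach the two claim rules, set the access control policy,
# and verify the certificates. Requires the ADFS module on the ADFS server.
Import-Module ADFS

# Assumed values: the trust name follows the <environment>.<service>.<project>.<domain>
# pattern from the steps above; the metadata URL must be replaced with the tenant's real one.
$trustName    = "dev.insightshub.myproject.example.com"
$metadataUrl  = "https://example.invalid/saml/metadata"
$metadataFile = Join-Path $env:TEMP "$trustName.xml"     # renamed copy, easy to identify

# Step 3: download the tenant's SAML metadata under a recognisable file name.
Invoke-WebRequest -Uri $metadataUrl -OutFile $metadataFile -UseBasicParsing

# Steps 5 and 6 in ADFS claim rule language. "AD Attribs" uses the LdapClaims template
# (attribute set mail, givenName, sn is assumed; adjust to what the tenant requires);
# "Name ID" uses the MapClaims template to turn the e-mail claim into the Name ID.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD Attribs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 4: import the relying party from the metadata file. "Permit everyone" is what the
# Trust Setup section prescribes; it lets every user who can authenticate to this AD obtain
# a token for the tenant, so substitute a group-based policy if access should be narrower.
Add-AdfsRelyingPartyTrust -Name $trustName `
                          -MetadataFile $metadataFile `
                          -IssuanceTransformRules $claimRules `
                          -AccessControlPolicyName "Permit everyone"

# Step 7: verify the Encryption and Signature certificates that came from the metadata.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$now   = Get-Date
$certs = @(
    @{ Role = "Encryption"; Cert = $trust.EncryptionCertificate },
    @{ Role = "Signature";  Cert = ($trust.RequestSigningCertificate | Select-Object -First 1) }
)
foreach ($entry in $certs) {
    $cert = $entry.Cert
    if (-not $cert) { Write-Warning "$($entry.Role): no certificate found in the metadata"; continue }
    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    "{0,-10} {1}  expires {2:yyyy-MM-dd}  valid={3}" -f $entry.Role, $cert.Thumbprint, $cert.NotAfter, $valid
}
```

Compare the printed thumbprints with the certificates published in the tenant's metadata; a missing or expired certificate here means SAML responses for this trust will fail signature or decryption checks.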


Last update: February 7, 2025