Configuring ADFS Server
This section provides the steps to set up the Active Directory Federation Services (ADFS) server, configure Active Directory and establish the trust required for seamless authentication.

1. Hardware Configuration:

Note
The server must reside on the same network as the other components.

- Operating System: Windows Server 2019 Datacenter (Desktop Experience).
- Specifications: 2 vCPUs, 8 GB memory, 100 GB disk space, 64-bit OS.

2. ADFS Server Configuration:

- Active Directory (AD) Setup:

  Note
  Ensure that you obtain the script from the Siemens OPS team.

  - Open Windows PowerShell as "Administrator".
  - Copy the ad_setup.ps1 script and execute it. The system will reboot upon completion.
  - Launch "Active Directory Users and Computers". Add or create a new user, the_admin.
  - Uncheck the "User must change password at next logon" option.
  - Add the user to the "Administrators" and "Domain Admins" groups: right-click the user, select "Add to group", type "Administrators", click "Check Names", and repeat these steps for "Domain Admins".
  - Ensure that the "Password never expires" option is selected.

- ADFS Setup:

  Run the adfs_setup.ps1 script in PowerShell and set the password appropriately.

- Trust Setup:

  Note
  Ensure that you obtain the script from the Siemens OPS team.

  - Execute the trust_setup.ps1 script in Windows PowerShell.
  - In the "ADFS Management" console, navigate to "Relying Party Trusts".
  - Right-click "Insights Hub Trust" and select "Edit Access Control Policy".
  - Choose "Permit everyone", then click "Apply".
  - Retrieve the metadata XML as described in the "Adding an ADFS User" section for integration purposes.
Configuring ADFS for Tenant Relying Trust
This section explains how to configure ADFS to support tenant relying trust integration.

Adding an ADFS User
To add an ADFS user, follow these steps:

- Provide the following details for the new user:
  - First Name
  - Last Name
  - Logon Name
- Enter the email address of the user.
- Add a tenant relying trust.
  - Download the SAML metadata for the tenant from the respective URLs and rename the downloaded XML file appropriately for easy identification: SAML Metadata from ADFS
- Add a relying party trust.
  - Open ADFS Management and click "Add Relying Party Trust".
  - Select the option "Import data about the relying party from a file", then upload the renamed metadata XML.
  - Rename the trust to <environment>.<service>.<project>.<domain>.
  - Click "Next" until "Finish".
- Edit claim rules.
  - Right-click the newly added trust and select "Edit Claim Rules".
  - Add the following two claim rules:
    - AD Attribs: Define and configure attribute mappings as required.
    - Name ID: Configure the rule to map the name ID.
- Navigate back to "Relying Party Trusts", right-click the new trust and verify the certificates for "Encryption" and "Signature".
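The relying party trust steps above (import the renamed metadata, name the trust, add the "AD Attribs" and "Name ID" claim rules, check the "Encryption" and "Signature" certificates), as an added PowerShell example that uses the AD FS module instead of the ADFS Management console; it is not part of the Siemens documentation or its setup scripts. The metadata file path, the trust name, the mapped AD attributes (mail, givenName, sn) and the use of the built-in "Permit everyone" policy are assumptions.

```powershell
# Added example, not Siemens' own script. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

# Assumed placeholders: substitute the renamed metadata XML and your <environment>.<service>.<project>.<domain>.
$MetadataFile = 'C:\adfs\tenant-relying-trust-metadata.xml'
$TrustName    = 'environment.service.project.domain'

# "AD Attribs": look up mail, givenName and sn in Active Directory for the authenticated
# Windows account. The attribute selection is an assumption; adjust it as the tenant requires.
$AdAttribsRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD Attribs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# "Name ID": transform the e-mail claim into the SAML NameID, tagged with the emailAddress format.
$NameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Import the relying party from the metadata file, apply both claim rules in one issuance
# transform set, and assign the access control policy (assumed: the built-in "Permit everyone",
# mirroring the Insights Hub Trust step; narrow it to a group if the tenant allows).
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile `
    -IssuanceTransformRules ($AdAttribsRule + "`n" + $NameIdRule) `
    -AccessControlPolicyName 'Permit everyone'

# Verify the certificates that arrived with the metadata, as the last console step does.
# EncryptionCertificate is a single certificate; RequestSigningCertificate is a collection.
# An expired certificate here means assertions cannot be encrypted or requests verified.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
foreach ($Cert in @($Trust.EncryptionCertificate) + @($Trust.RequestSigningCertificate)) {
    if ($null -eq $Cert) { continue }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Valid      = ($Cert.NotAfter -gt (Get-Date))
    }
}
```

The final loop prints each certificate's subject, thumbprint and expiry so the "Encryption" and "Signature" check can be recorded; an empty list for either property means the metadata file carried no certificate of that kind.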