Managing ADFS Server
This section explains ADFS server management. Adding Relying Party Trusts establishes a trust relationship between the ADFS server and external applications. This allows ADFS to authenticate users and issue claims (user identity information) to the relying party, thereby securing access to the application.
Adding Relying Party Trusts on the ADFS Server
This section provides the steps for adding Relying Party Trusts on an ADFS server to enable authentication of tenant users.
Note
To log in as a new tenant, you must first add Relying Party Trusts in ADFS.
1. Download the tenant SAML metadata.
   Note: Before adding Relying Party Trusts on the ADFS server, download the tenant's metadata using the following link (replace `tenantname` with the actual value): https://tenantname.uiam.pvt-rancher.mdsp.local/saml/metadata
2. Open "Server Manager" on your Windows Server and click "Dashboard" in the left navigation.
3. Click "Tools" in the top right corner and select "AD FS Management".
4. Open AD FS Management on the AD FS server.
5. In the AD FS main screen, navigate to "Relying Party Trusts" and select "Add Relying Party Trust".
6. Click "Start" on the "Welcome" step.
7. In the "Select Data Source" step, choose the "Import data about the relying party from a file" option, click "Browse" and import the SAML metadata file downloaded in Step 1.
8. Click "Next". If a warning box appears, ignore it and click "OK".
9. Enter the desired "Display name".
10. Click "Next" and continue through the remaining steps until the trust is successfully created.
11. Right-click the newly added trust item and select "Edit Claim Rules".
12. In the "Edit Claim Rules" wizard, click "Add Rule".
13. Select "Send LDAP Attributes as Claims" as the template and click "Next".
14. In the "Configure Claim Rule" step, update the following:
    - Set "Attribute store" to "Active Directory" from the dropdown menu.
    - Set "LDAP Attribute" to "E-Mail-Addresses" and "Outgoing Claim Type" to "E-Mail Address".
    - Click "Finish". The first rule is added.
15. Add another rule: select "Transform an Incoming Claim" as the template and click "Next".
16. In the "Configure Claim Rule" step, update the following:
    - Specify the "Claim rule name" as "Email Transform".
    - Set "Incoming claim type" to "E-Mail Address", "Outgoing claim type" to "Name ID" and "Outgoing name ID format" to "Email".
    - Choose "Pass through all claim values".
    - Click "Finish". The second rule is added.
    Both rules are now in place.
17. Right-click the newly added trust item and select "Properties" from the drop-down menu.
18. In the "SAML Logout Endpoints" section, delete one of the two URLs.
19. Edit the remaining endpoint, update the "Trusted URL" request path to /adfs/ls/?wa=wsignout1.0 and click "OK". For example: https://optcock.uiam.pvt-rancher1.cn1-int.mindsphere-in.cn/adfs/ls/?wa=wsignout1.0
20. Click "Apply" to save the changes, then click "Done" to close the properties window.
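The same trust, claim rules and logout endpoint as the wizard steps above, created with the ADFS PowerShell module on the AD FS server. This is an added example, not part of the original page or the product documentation; the display name "MyTenant", the tenant name "tenantname" and the metadata file path are placeholders, and the hostnames are the example values used on this page.

```powershell
# Added example: scripted equivalent of the "Add Relying Party Trust" wizard steps.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$tenant      = "tenantname"                           # placeholder: replace with the real tenant name
$displayName = "MyTenant"                             # placeholder: display name shown in AD FS Management
$metadata    = "C:\temp\$tenant-saml-metadata.xml"    # placeholder path; file downloaded from
                                                      # https://$tenant.uiam.pvt-rancher.mdsp.local/saml/metadata

# Steps 5-10: import the relying party from the downloaded SAML metadata file.
Add-AdfsRelyingPartyTrust -Name $displayName -MetadataFile $metadata

# Steps 11-16: the two issuance rules the wizard templates generate.
#   Rule 1 ("Send LDAP Attributes as Claims"): AD "mail" attribute -> E-Mail Address claim.
#   Rule 2 ("Transform an Incoming Claim"):   E-Mail Address -> Name ID, format Email, pass through all values.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
Set-AdfsRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $rules

# Steps 17-20: keep the assertion-consumer endpoints from the metadata, replace the two imported
# logout endpoints with a single one whose Trusted URL ends in /adfs/ls/?wa=wsignout1.0.
# -SamlEndpoint overwrites the whole endpoint list, so the non-logout endpoints are carried over explicitly.
$trust    = Get-AdfsRelyingPartyTrust -Name $displayName
$keep     = @($trust.SamlEndpoints | Where-Object { $_.Protocol -ne "SAMLLogout" })
$oldLogout = $trust.SamlEndpoints | Where-Object { $_.Protocol -eq "SAMLLogout" } | Select-Object -First 1
$logout   = New-AdfsSamlEndpoint -Binding $oldLogout.Binding -Protocol SAMLLogout `
              -Uri "https://$tenant.uiam.pvt-rancher1.cn1-int.mindsphere-in.cn/adfs/ls/?wa=wsignout1.0"
Set-AdfsRelyingPartyTrust -TargetName $displayName -SamlEndpoint ($keep + $logout)

# Check: exactly one SAMLLogout endpoint and both rules should now be present on the trust.
$trust = Get-AdfsRelyingPartyTrust -Name $displayName
$trust.SamlEndpoints | Format-Table Protocol, Binding, Location
$trust.IssuanceTransformRules
```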