
Theme: Security
Type: Windows Active Directory
Available from: 5.2.10

NOTE: This document has now been superseded by Integrate iShare GIS with ADFS.

ADFS Relying Party Trust

See: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust for details of how to set up a Relying Party Trust in the current version of ADFS on Windows 2016, which is how iShare GIS will operate in an ADFS environment. The method will be similar but not identical in Windows 2012 and Windows 2008.

While configuring ADFS itself is outside the scope of iShare documentation or consultancy, the following are what we understand to be the necessary steps to enable iShare GIS to act as a Relying Party Trust:

  • The iShare GIS Relying Party Trust must be set up manually.
  • It must support the WS-Federation Passive protocol.
  • Ensure the Relying Party Identifier matches the Relying Party Trust URL (which is the iShare GIS application URL, see below).
  • Once the trust has been configured, pass the Federation Metadata document URL (or a file, if the iShare GIS server cannot access your ADFS service or ADFS proxy directly) to the consultant setting up iShare GIS.
  • Once iShare GIS has been configured to make use of ADFS, test to make sure that users are redirected to the ADFS service or proxy when trying to access iShare GIS, and that they successfully authenticate.
  • Set up rules for Name and Role claims (see below).


Step 1 - Pass through Name claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-pass-through-or-filter-an-incoming-claim

  • Rule template = Pass Through or Filter an Incoming Claim
  • Incoming claim type = Name
  • Pass through all claim values

Note: This step can be replaced by the Alternative Name Configuration defined below.

Step 2 - Pass through Role claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-pass-through-or-filter-an-incoming-claim

  • Rule template = Pass Through or Filter an Incoming Claim
  • Incoming claim type = Role
  • Pass through all claim values.

Step 3 - Send GIS Group as iShareUsers Role

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim

  • Rule template = Send Group Membership as a Claim
  • User’s group = AD\GIS
  • Outgoing claim type = Role
  • Outgoing claim value = iShareUsers

Step 4 - Send Managers Group as iShareAdmin Role

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim

  • Rule template = Send Group Membership as a Claim
  • User’s group = AD\Managers
  • Outgoing claim type = Role
  • Outgoing claim value = iShareAdmin
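The same trust and the four claim rules from Steps 1 to 4, expressed in the ADFS claim rule language and created with the ADFS PowerShell module, as an added example that is not part of the iShare documentation. It assumes the application URL placeholder https://ishare.example.org/ and AD groups named GIS and Managers; the group rules match on the group SID, which is what the "Send Group Membership as a Claim" template does behind the UI.

```powershell
# Added example (not iShare's own code). Run on the ADFS server as an ADFS administrator.
Import-Module ADFS
Import-Module ActiveDirectory

$RpUrl = 'https://ishare.example.org/'   # placeholder: the real iShare GIS application URL

# The UI template resolves the group name to its SID; do the same here.
$gisSid      = (Get-ADGroup -Identity 'GIS').SID.Value
$managersSid = (Get-ADGroup -Identity 'Managers').SID.Value

$NameType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$RoleType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$GroupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

$rules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Step 1 - Pass through Name claims"
c:[Type == "$NameType"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Step 2 - Pass through Role claims"
c:[Type == "$RoleType"]
 => issue(claim = c);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Step 3 - Send GIS Group as iShareUsers Role"
c:[Type == "$GroupSid", Value == "$gisSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$RoleType", Value = "iShareUsers", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Step 4 - Send Managers Group as iShareAdmin Role"
c:[Type == "$GroupSid", Value == "$managersSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$RoleType", Value = "iShareAdmin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Identifier must equal the application URL (see the checklist above); the
# WS-Federation passive endpoint is that same URL.
Add-AdfsRelyingPartyTrust -Name 'iShare GIS' `
    -Identifier $RpUrl `
    -WSFedEndpoint $RpUrl `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Check: the stored rule set should list exactly the four rules above.
(Get-AdfsRelyingPartyTrust -Name 'iShare GIS').IssuanceTransformRules
```

The authorization rule is the wizard's default "Permit Access to All Users"; a tighter rule keyed on the GIS group SID can be substituted once the role claims are verified.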
