Configure a trusted endpoint in ADFS v2.0+

ADFS is sometimes also abbreviated as AD FS.

NOTE:

This document has now been superseded by Integrate iShare GIS with ADFS

ADFS Relying Party Trust

See: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust for details of how to set up a Relying Party Trust in the current version of ADFS on Windows 2016, which is how iShare GIS will operate in an ADFS environment. The method will be similar but not identical in Windows 2012 and Windows 2008.

While configuring ADFS itself is outside of the scope of iShare documentation or consultancy, the following are what we understand are the necessary steps to enable iShareGIS to be a Relying Party Trust:

  • The iShare GIS Relying Party Trust must be set up manually
  • Support the WS-Federation Passive protocol
  • Ensure the Relying Party Identifier matches the Relying Party Trust URL (which is the iShare GIS application URL, see below)
  • Once the trust has been configured, pass the Federation Metadata document URL (or a file, if the iShareGIS server cannot access your ADFS service or ADFS proxy directly) to the consultant setting up iShare GIS.
  • Once iShare GIS has been configured to make use of ADFS, test to make sure that users get redirected to the ADFS service or Proxy when trying to access iShare GIS, and that they successfully authenticate
  • Set up rules for Name and Role claims (see below).

Relying Party Identifier

The Relying Party Identifier in ADFS for iShare GIS is just the web application's path, e.g.: https://server.domain.name/ishare.web/. Unless the iShare web application is always going to be served via the same IP address, this should be configured after the server has been given a permanent DNS name that clients will use.

See: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/how-uris-are-used-in-ad-fs.

Example Issuance Transform Rules

Step 1 - Pass through Name claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-pass-through-or-filter-an-incoming-claim

  • Rule template = Pass Through or Filter an Incoming Claim
  • Incoming claim type = Name
  • Pass through all claim values

This step can be replaced by the Alternative Name Configuration defined below.

Step 2 - Pass through Role claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-pass-through-or-filter-an-incoming-claim

  • Rule template = Pass Through or Filter an Incoming Claim
  • Incoming claim type = Role
  • Pass through all claim values.

Step 3 - Send GIS Group as iShareUsers Role

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim

  • Rule template = Send Group Membership as a Claim
  • User’s group = AD\GIS
  • Outgoing claim type = Role
  • Outgoing claim value = iShareUsers

Step 4 - Send Managers Group as iShareAdmin Role

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim

  • Rule template = Send Group Membership as a Claim
  • User’s group = AD\Managers
  • Outgoing claim type = Role
  • Outgoing claim value = iShareAdmin

The outgoing claim values for the roles will need to correspond to local Windows Groups on the iShare Web Server that are used for iShareGIS Map Source Roles.

Claim Rule Language Definitions

The claim rule language definitions for the above are as follows (the group SIDs shown belong to the example domain; the SIDs of your own GIS and Managers groups will differ):

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-3214250622-2034890151-3562794581-1107", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "iShareUsers", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-3214250622-2034890151-3562794581-1104", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "iShareAdmin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
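The Relying Party Trust and Steps 1 to 4 scripted with the ADFS PowerShell module, as an added example that is not from the iShare documentation: it uses the page's placeholder application URL and the domain name AD, resolves the group SIDs at run time instead of copying them from the rules above, and adds an issuance authorization rule (permit only members of the mapped groups) that the page itself does not describe.

```powershell
# Added example, not part of the iShare page: builds the iShare GIS Relying
# Party Trust and the Step 1-4 issuance transform rules with the ADFS module.
# Assumed: run on the ADFS server, app URL is the page's placeholder, AD domain "AD".
Import-Module ADFS

$appUrl    = "https://server.domain.name/ishare.web/"   # Relying Party Identifier = application URL
$domain    = "AD"
$nameType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$sidType   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$permit    = "http://schemas.microsoft.com/authorization/claims/permit"

# Resolve a group to its SID at run time rather than hand-typing SIDs into rules.
function Get-GroupSid([string]$Domain, [string]$Group) {
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# AD group -> role claim value; values must match local Windows groups on the web server.
$roleMap = [ordered]@{ "GIS" = "iShareUsers"; "Managers" = "iShareAdmin" }

# Steps 1 and 2: pass through Name and Role claims unchanged.
$transform = @"
@RuleName = "Pass through Name"
c:[Type == "$nameType"] => issue(claim = c);
@RuleName = "Pass through Role"
c:[Type == "$roleType"] => issue(claim = c);
"@
$authz = ""

# Steps 3 and 4: one group-membership rule per mapped group, plus (an addition,
# not on the page) a permit rule so only members of a mapped group get a token.
foreach ($group in $roleMap.Keys) {
    $sid  = Get-GroupSid $domain $group
    $role = $roleMap[$group]
    $transform += @"

@RuleName = "Send $domain\$group as $role"
c:[Type == "$sidType", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$roleType", Value = "$role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
    $authz += "c:[Type == `"$sidType`", Value == `"$sid`"] => issue(Type = `"$permit`", Value = `"true`");`n"
}

Add-AdfsRelyingPartyTrust -Name "iShare GIS" -Identifier $appUrl -WSFedEndpoint $appUrl `
    -IssuanceTransformRules $transform -IssuanceAuthorizationRules $authz

# Check: identifier and WS-Federation endpoint must equal the URL clients actually use.
Get-AdfsRelyingPartyTrust -Name "iShare GIS" | Select-Object Identifier, WSFedEndpoint, IssuanceTransformRules
```

To use the Alternative Name configuration instead, replace the "Pass through Name" rule in $transform with the LDAP attribute rule given later on this page.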

Alternative Name configuration

You can replace Step 1 above with the following:

Step 1 - Send email as Name

  • Rule template = Send LDAP Attributes as Claims
  • Attribute store = Active Directory

Mapping of LDAP attributes to outgoing claim types

  LDAP Attribute        Outgoing Claim Type
  E-Mail-Addresses      Name

Claim Rule Language Definition

The claim rule language definition for this is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail;{0}", param = c.Value);