ADFS configuration requirements

To integrate Active Directory Federation Services (ADFS) with Transact to enable single sign-on, perform basic configurations on the ADFS side. See the ADFS documentation for more information.

This topic only provides basic information about ADFS configuration, which may be subject to change. If you have any issues, contact the system administrator in charge of your ADFS and Windows Server system who has expertise in these areas.

ADFS logs

Refer to the ADFS logs in setting up and monitoring your configuration. View the logs in Server Manager by selecting ADFS in the left panel. If any errors appear when connecting to Transact, they also appear in the logs.

ADFS Management screen

Use the ADFS Management screen to view your relying party (RP) trust configuration. Select Control Panel > Administrative Tools > ADFS Management.

RP trust

An RP is a server providing access to a secure software application. Claims-based applications, where a claim is a statement an entity makes about itself in order to establish access, are also called RP applications.

View RPs on the ADFS Management screen. An RP trust using a unique identifier "ephesoft sso" establishes a connection between Transact and ADFS.

Add an RP trust using the Transact metadata file

To add an RP trust from the ADFS window, do the following:

  1. Expand Trust Relationship, right-click Relying Party Trusts and select Add Relying Party Trust.

    The Add Relying Party Trust Wizard window appears.

  2. Click Start to begin the wizard.
  3. When you are prompted to select a data source, do the following:
    1. Select Import information about relying party trust from a file.
    2. Locate the Transact metadata file from the Transact server. You will find it at this address:

      https://<host>:<port>/dcma/saml/metadata

      The file contains metadata, including the entityId name and properties, such as the secure hash algorithm and certificate information. You can also find an example of the metadata file at this location:

      http://spring_saml_metadata.zip/

  4. Click Next and continue with the rest of the wizard.

RP properties

To view the properties for an RP, right-click it and select Properties. The Properties window appears with tabs.

The RP for "ephesoft sso" may require changes to property settings. These properties are listed in this section. See the ADFS documentation for complete descriptions of all properties.

Identifiers tab

Use the Identifiers tab to view or change the RP name or add or remove identifiers. The RP name must be unique.

Encryption and Signature tabs

Use the Encryption and Signature tabs to view or change the certificates imported from the Transact JKS file that is referenced by applicationContext-Security.xml. Make sure the generated certificate is RSA (not DSA).

Advanced tab

The Advanced tab enables you to select the secure hash algorithm, either SHA-1 or SHA-256. This setting must match the respective bean tags in the Transact applicationContext-Security.xml configuration file. The secure hash algorithm must match on both sides for a successful handshake.

Endpoints tab

The Endpoints tab shows the URLs where ADFS should redirect after logon and logoff. Make sure the URLs match those used in your Transact setup. In the URLs listed below, replace <host> with the DNS name, IP address, or fully qualified domain name of your server and <port> with 8443 or another assigned port. Use the Index, Binding, and Default column settings indicated.

SAML Assertion Consumer Endpoints:

  • URL: https://<host>:<port>/dcma/saml/SSO

    Index: 0

    Binding: POST

    Default: Yes

  • URL: https://<host>:<port>/dcma/saml/SSO

    Index: 1

    Binding: Artifact

    Default: No

SAML Logout Endpoints:

  • URL: https://<host>:<port>/dcma/saml/SingleLogout

    Index: (blank)

    Binding: POST

    Default: No

  • URL: https://<host>:<port>/dcma/saml/SingleLogout

    Index: (blank)

    Binding: Redirect

    Default: No
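The endpoint table above is exactly what the Transact metadata file advertises, so it can be checked rather than compared by eye. The following script is an added example, not part of Transact or ADFS: it parses standard SAML 2.0 SP metadata (as served at /dcma/saml/metadata) and reports any endpoint that differs from the table for a given host and port. The metadata sample is constructed; the certificate type check (RSA, not DSA) from the Encryption and Signature tabs is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the SP metadata Transact serves at /dcma/saml/metadata,
# reduced to the parts the Endpoints tab cares about (host sp.example, port 8443).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="ephesoft sso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{POST}"
        Location="https://sp.example:8443/dcma/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://sp.example:8443/dcma/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="{POST}" index="0" isDefault="true"
        Location="https://sp.example:8443/dcma/saml/SSO"/>
    <md:AssertionConsumerService Binding="{ARTIFACT}" index="1"
        Location="https://sp.example:8443/dcma/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def expected_endpoints(host, port):
    """The endpoint table from this topic as (kind, URL, index, binding, default) tuples."""
    base = f"https://{host}:{port}/dcma/saml"
    return {
        ("ACS", f"{base}/SSO", 0, POST, True),
        ("ACS", f"{base}/SSO", 1, ARTIFACT, False),
        ("Logout", f"{base}/SingleLogout", None, POST, False),
        ("Logout", f"{base}/SingleLogout", None, REDIRECT, False),
    }

def parse_endpoints(xml_text):
    """Return (entityID, set of endpoint tuples) read from SP metadata XML."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    found = set()
    for e in sp.findall("md:AssertionConsumerService", NS):
        found.add(("ACS", e.get("Location"), int(e.get("index")), e.get("Binding"),
                   e.get("isDefault", "false").lower() == "true"))
    for e in sp.findall("md:SingleLogoutService", NS):
        found.add(("Logout", e.get("Location"), None, e.get("Binding"), False))
    return root.get("entityID"), found

def check_metadata(xml_text, host, port):
    """Compare the metadata endpoints with the expected table; empty sets mean a match."""
    entity_id, found = parse_endpoints(xml_text)
    expected = expected_endpoints(host, port)
    return {"entityID": entity_id, "missing": expected - found, "unexpected": found - expected}
```

Run `check_metadata(open("metadata.xml").read(), "<host>", "<port>")` against the file downloaded from your Transact server; the missing set names endpoints ADFS must still be given, the unexpected set names endpoints that differ in URL, index, binding, or default flag.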

Claim rules

Claim rules define how user names and groups are mapped between Active Directory and the application. They are used as part of the request and response mechanism and must be configured on the ADFS side.

The following claim rules are used by Transact:

  • NameId is mandatory and must be present.

  • Edit Claim Rules is used for authentication.

  • Groups is a role used for authorization.

You must note the syntax of each configured claim rule so that you can specify it in the epheSaml filter bean in applicationContext-Security.xml.

Do the following:

  1. Right-click the RP trust and select Edit Claim Rules.

    The Edit Claim Rules window appears.

  2. Click the Issuance Transform Rules tab.

    If the NameId, FirstName, and Groups rules already exist, edit them to make sure they are set up correctly. If not, you need to add them in order.

  3. Add or edit the NameId rule by doing the following:
    1. Click Add Rule or select it and click Edit Rule if it already exists.
    2. Configure the NameId rule by entering or changing the following fields and columns:
      • Claim rule name: NameId

      • Attribute store: Active Directory

      • LDAP attribute: SAM-Account-Name

      • Outgoing Claim Type: NameId

    3. Click View Rule Language.

      Code for the rule language appears.

    4. Locate the schema used for the rule that appears in quotes after types=. This will start with http://schemas.microsoft.com. Copy the URL and use it for the epheSaml filter bean in applicationContext-Security.xml.
    5. Click OK to accept the changes.
  4. Add or edit the FirstName rule by doing the following:
    1. Click Add Rule or select it and click Edit Rule if it already exists.
    2. Configure the FirstName rule by entering or changing the following fields and columns:
      • Claim rule name: FirstName

      • Attribute store: Active Directory

      • LDAP attribute: SAM-Account-Name

      • Outgoing Claim Type: Name

    3. Click View Rule Language.

      The code for the rule language appears.

    4. Locate the schema used for the rule that appears in quotes after types=. This will start with http://schemas.microsoft.com. Copy the URL and use it for the epheSaml filter bean in applicationContext-Security.xml.
    5. Click OK to accept the changes.
  5. Add or edit the Groups rule by doing the following:
    1. Click Add Rule or select it and click Edit Rule if it already exists.
    2. Configure the Groups rule by entering or changing the following fields and columns:
      • Claim rule name: Groups

      • Attribute store: Active Directory

      • LDAP attribute: Token-Groups - Unqualified Names

      • Outgoing Claim Type: Role

    3. Click View Rule Language.

      Code for the rule language appears.

    4. Locate the schema used for the rule that appears in quotes after types=. This will start with http://schemas.microsoft.com. Copy the URL and use it for the epheSaml filter bean in applicationContext-Security.xml.
    5. Click OK to accept the changes.
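Steps 3 to 5 above each end with copying the claim type URI out of the rule language by hand. The following script is an added example, not Transact or ADFS code: given the text that View Rule Language shows for each rule, it extracts the URI inside types=(...) and the LDAP attribute from the query string, and reports rules that are missing or mapped differently from this topic. The rule text is constructed in the form ADFS uses for Send LDAP Attributes as Claims rules; the LDAP attribute names sAMAccountName and tokenGroups are assumed to be how ADFS renders SAM-Account-Name and Token-Groups - Unqualified Names, and the parser accepts any URI prefix.

```python
import re

# The two parts of a "Send LDAP Attributes as Claims" rule that this topic asks
# you to copy: the URIs inside types = ( ... ) and the attribute in query = ";attr;{0}".
TYPES_RE = re.compile(r'types\s*=\s*\(([^)]*)\)')
QUERY_RE = re.compile(r'query\s*=\s*";([^;"]+);')

# Constructed sample of what View Rule Language shows for the three rules.
WAN = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
SAMPLE_RULES = {
    "NameId": f'c:[Type == "{WAN}", Issuer == "AD AUTHORITY"]\n => issue(store = "Active Directory", '
              'types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), '
              'query = ";sAMAccountName;{0}", param = c.Value);',
    "FirstName": f'c:[Type == "{WAN}", Issuer == "AD AUTHORITY"]\n => issue(store = "Active Directory", '
                 'types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), '
                 'query = ";sAMAccountName;{0}", param = c.Value);',
    "Groups": f'c:[Type == "{WAN}", Issuer == "AD AUTHORITY"]\n => issue(store = "Active Directory", '
              'types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), '
              'query = ";tokenGroups;{0}", param = c.Value);',
}

# What this topic requires of each rule: (outgoing claim type URI suffix, LDAP attribute).
# The attribute spellings are an assumption about how ADFS renders the LDAP attribute names.
REQUIRED = {
    "NameId": ("/claims/nameidentifier", "sAMAccountName"),
    "FirstName": ("/claims/name", "sAMAccountName"),
    "Groups": ("/claims/role", "tokenGroups"),
}

def parse_rule(rule_text):
    """Return (list of claim type URIs, LDAP attribute) from one rule's rule language."""
    m = TYPES_RE.search(rule_text)
    types = [t.strip().strip('"') for t in m.group(1).split(",")] if m else []
    q = QUERY_RE.search(rule_text)
    return types, (q.group(1) if q else None)

def check_rules(rules):
    """Map rule name to a problem description; an empty dict means all three rules are right."""
    problems = {}
    for name, (suffix, attr) in REQUIRED.items():
        if name not in rules:
            problems[name] = "missing"
            continue
        types, ldap_attr = parse_rule(rules[name])
        if not any(t.endswith(suffix) for t in types):
            problems[name] = f"claim type {types} does not end with {suffix}"
        elif ldap_attr != attr:
            problems[name] = f"LDAP attribute {ldap_attr!r}, expected {attr!r}"
    return problems
```

The URIs that parse_rule returns are the values to paste into the epheSaml filter bean; check_rules flags a rule whose outgoing claim type or LDAP attribute was changed, which otherwise only shows up as a failed logon.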

Export certificates from ADFS

To export the certificate, do the following at the ADFS Management screen.

  1. Expand Services and select Certificates.
  2. Right-click the certificate and select View Certificate.

    The Certificate window appears.

  3. Click the Details tab.
  4. Click Copy to File and save the certificate in DER encoded format.

    Make sure all the configurations match your ADFS setup.