Active Directory Federation Services (ADFS)
  • 18 Nov 2021

      Article Summary

      This article describes how to configure ADFS for use as a SAML 2.0 identity provider for Perimeter 81.

      • Configuring ADFS
      • Editing the claim issuance policy
      • Exporting the signing certificate
      • Configuring the ADFS connection at the Management Platform
      • Access Error troubleshooting

      Please follow the steps below:

      Configuring ADFS

      Adding a Relying Party Trust

      See Create a relying party trust for complete details.

      Launch your instance of ADFS and start the Add Relying Party Trust wizard.


      1. On the Welcome page, choose Claims aware and click Start.
      2. On the Select Data Source page, select Enter data about the relying party manually and click Next.

      3. On the Specify Display Name page, provide a descriptive name for your relying party (the typical name is Perimeter 81) and a brief description under Notes. Click Next.

      4. On the Configure Certificate page, click Next.

      5. On the Configure URL page, check the box for Enable support for the SAML 2.0 WebSSO protocol.

      6. Set Relying party SAML 2.0 SSO service URL to https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc (replace {{WORKSPACE}} with your Perimeter 81 workspace name). Click Next.

      7. On the Configure Identifiers page, set the Relying party trust identifier to urn:auth0:perimeter81:{{WORKSPACE}}-oc. Click Add and Next.

      8. On the Choose Access Control Policy page, select Permit everyone, and click Next. Note that Permit everyone lets any account that can authenticate to ADFS obtain a token for this relying party; if only a subset of users should reach Perimeter 81, choose Permit specific group instead and select that AD group.

      9. Review the settings you provided on the Ready to Add Trust page and click Next to save your information. If you were successful, you'll see a message indicating that on the Finish page.

      10. Make sure that the Configure claims issuance policy for this application checkbox is selected, and click Close.

      Editing the claim issuance policy

      After you close the Add Relying Party Trust wizard, the Edit Claim Issuance Policy window appears.

      1. Click Add Rule... to launch the wizard.
      2. Select Send LDAP Attributes as Claims for your Claim rule template, and click Next.
      3. Provide a value for the Claim rule name, such as "LDAP Attributes" (it can be anything you want).
      4. Choose Active Directory as your Attribute Store.
      5. Map your LDAP attributes to the following outgoing claim types:

         LDAP Attribute                     Outgoing Claim Type
         E-mail Addresses                   email
         Given-Name                         given_name
         Surname                            family_name
         Token-Groups - Unqualified Names   groups
         User-Principal-Name                user_id

      6. Click Finish.
      7. In the Edit Claim Issuance Policy window, click Apply. You can now exit out of this window.

      Exporting the signing certificate

      1. Using the left-hand navigation pane, go to ADFS > Service > Certificates.
      2. Select the Token-signing certificate, and right-click to select View Certificate. If both a primary and a secondary token-signing certificate are listed (as during certificate rollover), export the primary one, since that is the certificate ADFS currently uses to sign tokens.
      3. On the Details tab, click Copy to File...
      4. In the Certificate Export Wizard, click Next.
      5. Choose Base-64 encoded X.509 (.CER). Click Next.
      6. Provide the location for the certificate to be exported. Click Next.
      7. Verify the certificate details and click Finish.
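      The three ADFS-side steps above (adding the relying party trust, creating the claim issuance rule, and exporting the token-signing certificate) can also be done from PowerShell on the ADFS server. The following script is an added example and is not from the Perimeter 81 article or Microsoft documentation. It assumes the ADFS PowerShell module on Windows Server 2016 or later (needed for -AccessControlPolicyName), an ADFS administrator session, a placeholder workspace value {{WORKSPACE}} and an output path C:\Temp\adfs-token-signing.cer that you replace, and it uses the LDAP attribute names the wizard generates for the display names in the table (mail, givenName, sn, tokenGroups, userPrincipalName).

```powershell
# Added example, not part of the Perimeter 81 article. Run on the ADFS server
# as an ADFS administrator after replacing the placeholders.
$Workspace  = "{{WORKSPACE}}"                        # your Perimeter 81 workspace name (placeholder)
$Name       = "Perimeter 81"
$AcsUrl     = "https://auth.perimeter81.com/login/callback?connection=$Workspace-oc"
$Identifier = "urn:auth0:perimeter81:$Workspace-oc"
$ExportPath = "C:\Temp\adfs-token-signing.cer"        # assumed output path (placeholder)

# Claim rule in ADFS claim rule language, equivalent to the "Send LDAP
# Attributes as Claims" rule built in the wizard: the five LDAP attributes
# are queried from Active Directory for the authenticated account and issued
# under the outgoing claim types Perimeter 81 expects.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "given_name", "family_name", "groups", "user_id"), query = ";mail,givenName,sn,tokenGroups,userPrincipalName;{0}", param = c.Value);
'@

# 1. Relying party trust: SAML 2.0 WebSSO with the callback URL as the
#    assertion consumer endpoint and the urn:auth0 string as the identifier.
if (Get-AdfsRelyingPartyTrust -Name $Name) {
    throw "A relying party trust named '$Name' already exists; edit it instead of re-creating it."
}
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $Name `
    -Identifier $Identifier `
    -SamlEndpoint $Endpoint `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $Rules `
    -Notes "SAML 2.0 identity provider for Perimeter 81 (workspace $Workspace)"

# 2. Export the PRIMARY token-signing certificate as Base-64 X.509 (PEM).
#    ADFS may also hold a secondary certificate during rollover; only the
#    primary one signs tokens today, so that is what Perimeter 81 must trust.
$Signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$Der = $Signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$Pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($Der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $ExportPath -Value $Pem -Encoding Ascii

# 3. Values needed on the Perimeter 81 side, plus the thumbprint and expiry
#    so the pasted certificate can be checked against what ADFS really uses.
"Sign In URL : https://$((Get-AdfsProperties).HostName)/adfs/ls"
"Identifier  : $Identifier"
"Thumbprint  : $($Signing.Certificate.Thumbprint)"
"Expires     : $($Signing.Certificate.NotAfter)"
"PEM written : $ExportPath"
```

      The script refuses to overwrite an existing trust of the same name rather than silently replacing it, and it records the certificate thumbprint and expiry date: when ADFS rolls its token-signing certificate (by default it auto-renews about a year after issue), the certificate pasted into the Management Platform stops matching and users will start seeing signature errors until the new one is exported and pasted again.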

      Configuring the ADFS connection at the Management Platform

      At this point, you will configure the integration from the Perimeter 81 side.

      1. Log in to your Perimeter 81 Management Platform, and navigate to Settings and then Identity Providers.
      2. Select + Add Provider.
      3. Choose SAML 2.0 Identity Providers.
      4. Sign In URL: https://{{YOUR.ADFS.DOMAIN}}/adfs/ls .
      5. Add your organization domain.
      6. Open the exported .cer file in a text editor (Base-64 encoded X.509 is plain PEM text) and paste its whole content, from the -----BEGIN CERTIFICATE----- line to the -----END CERTIFICATE----- line, into the X509 Signing Certificate box.
      7. Select Save.

      Access Error troubleshooting

      If your users get an access error after the configuration, check the following steps.

