Active Directory Federation Services (ADFS)
  • 29 Apr 2024

      Understanding Active Directory Federation Services (ADFS)

      This article provides insights into configuring ADFS as an identity provider.

      By leveraging the Security Assertion Markup Language (SAML) protocol, Harmony SASE can authenticate users through ADFS, allowing for seamless integration and enhanced security.

      How to integrate ADFS

      Adding a Relying Party Trust

      See Create a relying party trust for complete details.

      Launch your instance of ADFS and start the Add Relying Party Trust wizard.


      1. On the Welcome page, choose Claims aware and click Start.
      2. On the Select Data Source page, select Enter data about the relying party manually and click Next.

      3. On the Specify Display Name page, provide a descriptive name for your relying party (the typical name is Harmony SASE) and a brief description under Notes. Click Next.

      4. On the Configure Certificate page, click Next.

      5. On the Configure URL page, check the box for Enable support for the SAML 2.0 WebSSO protocol.

      6. Set Relying party SAML 2.0 SSO service URL to https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc for the US based platform or https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc for the EU based platform. Click Next.

      7. On the Configure Identifiers page, set the Relying party trust identifier to urn:auth0:perimeter81:{{WORKSPACE}}-oc for the US based platform or urn:auth0:eu-sase-checkpoint:{{WORKSPACE}}-oc for the EU based platform. Click Add and then Next.

      8. On the Choose Access Control Policy page, select Permit everyone, and click Next.

      9. Review the settings you provided on the Ready to Add Trust page and click Next to save your information. If you were successful, you'll see a message indicating that on the Finish page.

      10. Make sure that the Configure claims issuance policy for this application checkbox is selected, and click Close.

      Editing the claim issuance policy

      After you close the Add Relying Party Trust wizard, the Edit Claim Issuance Policy window appears.

      1. Click Add Rule... to launch the wizard.
      2. Select Send LDAP Attributes as Claims for your Claim rule template, and click Next.
      3. Provide a value for the Claim rule name, such as "LDAP Attributes" (it can be anything you want).
      4. Choose Active Directory as your Attribute Store.
      5. Map your LDAP attributes to the following outgoing claim types:

         LDAP Attribute                   Outgoing Claim Type
         E-mail Addresses                 email
         Given-Name                       given_name
         Surname                          family_name
         Token-Groups Unqualified-Names   groups
         User-Principal-Name              user_id

      6. Click Finish.
      7. In the Edit Claim Issuance Policy window, click Apply. You can now exit out of this window.
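      The same relying party trust and claim issuance policy can be created from the ADFS PowerShell module instead of the two wizards above. This is an added example, not part of the original article or the Harmony SASE product; it assumes the US based platform, Windows Server 2016 or later (for the Permit everyone access control policy name), and a workspace named "contoso", which stands in for {{WORKSPACE}}.

```powershell
# Added example: equivalent of the Add Relying Party Trust and Edit Claim
# Issuance Policy wizards. Run in an elevated PowerShell session on the ADFS
# server. "contoso" is a placeholder for your {{WORKSPACE}} value.
Import-Module ADFS

$workspace = 'contoso'   # placeholder: your Harmony SASE workspace name
$acsUrl    = "https://auth.perimeter81.com/login/callback?connection=$workspace-oc"
$rpId      = "urn:auth0:perimeter81:$workspace-oc"

# Claim rule language that the "Send LDAP Attributes as Claims" template
# generates for the article's mapping: mail -> email, givenName -> given_name,
# sn -> family_name, tokenGroups -> groups, userPrincipalName -> user_id.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email", "given_name", "family_name", "groups", "user_id"), query = ";mail,givenName,sn,tokenGroups,userPrincipalName;{0}", param = c.Value);
'@

# SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding), i.e. the
# "Relying party SAML 2.0 SSO service URL" from the Configure URL page.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Harmony SASE' `
    -Notes 'Harmony SASE SAML relying party' `
    -Identifier $rpId `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $ldapRule

# Read the trust back and check identifier, endpoint and issued claim types
# against the values the article specifies before testing a login.
$rp = Get-AdfsRelyingPartyTrust -Name 'Harmony SASE'
$rp.Identifier
$rp.SamlEndpoints | Select-Object Binding, Protocol, Location
$rp.IssuanceTransformRules
```

      For the EU based platform, substitute the EU callback URL and the urn:auth0:eu-sase-checkpoint identifier from steps 6 and 7 above.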

      Exporting the signing certificate

      1. Using the left-hand navigation pane, go to ADFS > Service > Certificates.
      2. Select the Token-signing certificate, and right-click to select View Certificate.
      3. On the Details tab, click Copy to File...
      4. In the Certificate Export Wizard, click Next.
      5. Choose Base-64 encoded X.509 (.CER). Click Next.
      6. Provide the location for the certificate to be exported. Click Next.
      7. Verify the certificate details and click Finish.
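      The export can also be done from PowerShell on the ADFS server, which is useful when the certificate has to be re-exported after a token-signing certificate rollover. This is an added example, not from the original article; the output path is a placeholder.

```powershell
# Added example: export the primary ADFS token-signing certificate as
# Base-64 encoded X.509 (.CER), the same format the Certificate Export Wizard
# produces, ready to paste into the X509 Signing Certificate box.
Import-Module ADFS

$outFile = 'C:\temp\adfs-token-signing.cer'   # placeholder output path

# ADFS can hold a primary and a secondary token-signing certificate during
# rollover; only the primary signs assertions, so that is the one to export.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

$cert = $signing.Certificate   # X509Certificate2 object

# Export the public certificate only (no private key leaves the server) and
# wrap the Base-64 body in the BEGIN/END CERTIFICATE lines.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [System.Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Show subject, thumbprint and validity so the thumbprint can be compared with
# what is uploaded on the Harmony SASE side and the expiry date noted for the
# periodic review recommended below.
$cert | Select-Object Subject, Thumbprint, NotBefore, NotAfter
```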

      Configuring the ADFS connection at the Management Platform

      At this point, you will configure the integration from the Harmony SASE side.

      1. Log in to your Harmony SASE Management Platform, and navigate to Settings and then Identity Providers.
      2. Select + Add Provider.
      3. Choose SAML 2.0 Identity Providers.
      4. Set the Sign In URL to https://{{YOUR.ADFS.DOMAIN}}/adfs/ls.
      5. Add your organization domain.
      6. Open the exported ADFS X.509 certificate file (Base-64 encoded .CER) in a plain-text editor, for example on a UNIX system, and paste its full content into the X509 Signing Certificate box.
      7. Select Save.

      Recommendations

      • Always replace placeholders like {{WORKSPACE}} and {{YOUR.ADFS.DOMAIN}} with the appropriate values during configuration.
      • Ensure that the correct LDAP attributes are mapped to the corresponding outgoing claim types for accurate user authentication and authorization.
      • After setting up, it's crucial to test the integration to ensure seamless authentication and correct user and group assignments.
      • Periodically review your ADFS configuration settings to ensure they align with any updates or changes made within the Harmony SASE platform.

      Troubleshooting

      If you encounter issues during or after the setup, review your settings to ensure everything matches the instructions. In particular, check the URLs, identifiers, IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
