
Active Directory Federated Services (ADFS)

For users to authenticate to AuditFindings with ADFS, the ADFS server must be configured with a relying party trust for AuditFindings and the ADFS integration must be enabled in the AuditFindings system.

At present, AuditFindings only supports service-provider-initiated (SP-initiated) ADFS authentication.  This means the end user must start the login process at https://secure.auditfindings.com; AuditFindings then redirects the browser to the ADFS server.  Starting the sign-in from the ADFS portal (IdP-initiated sign-in) is not supported.  If ADFS is enabled for the user's domain, the user receives an authentication prompt offering sign-in with Microsoft ADFS, as shown below.

ADFS_Login.png

These instructions are broken down into two major components.

1) Configuring the ADFS server

2) Enabling ADFS on the AuditFindings system

Configuring the ADFS server

The instructions below are generic and should apply to most ADFS installations, but there may be some variation between ADFS versions.  These instructions assume the reader is familiar with configuring ADFS.  If assistance is needed beyond these instructions, please contact our support staff.

Setting up ADFS integration with AuditFindings requires a Windows Server with the Active Directory Federation Services role installed and configured on the server for the domain.

Adding the Relying Party Trust:

From the AD FS Management Console (Server Manager -> Tools -> AD FS Management), select Relying Party Trusts, then select Add Relying Party Trust from the Actions pane on the right.

Relying_Party.png

Select “Claims aware”, then click the Start button at the bottom.

Relying_Party_Trust_Wizzard.png

Select Enter data about the relying party manually, then click the Next button

Relying_Party_Trust_Wizzard_-_2.png

Choose a Display name for the configuration. This can be anything that will help identify the integration

Relying_Party_Trust_Wizzard_-_3.png

SKIP Configure Certificate:  Do NOT select a certificate in this step.  This step specifies an optional token encryption certificate; selecting one would make ADFS encrypt the SAML assertion.  Leave it empty so that assertions are signed but not encrypted, which is what the AuditFindings integration expects.

Relying_Party_Trust_Wizzard_-_4.png

Check the box titled “Enable support for the SAML 2.0 WebSSO protocol”. Enter https://secure.auditfindings.com/adfs/saml/callback for the Relying party SAML 2.0 SSO service URL.  This is the Assertion Consumer Service endpoint to which ADFS will POST the SAML response, so it must match exactly (https scheme, host and path).

Relying_Party_Trust_Wizzard_-_5.png

Enter https://secure.auditfindings.com for the Relying party trust identifier, and click Add.  ADFS uses this identifier to match authentication requests from AuditFindings to this trust, so enter it exactly as shown.

Relying_Party_Trust_Wizzard_-_6.png

Choose your desired Access Control Policy.  This controls who may use the integration and how they are required to sign in (for example, whether multi-factor authentication is required).  The default is “Permit everyone”, which allows any authenticated domain user to sign in to AuditFindings through ADFS; choose a more restrictive policy if only specific groups should have access.

Relying_Party_Trust_Wizzard_-_7.png

Check “Configure claims issuance policy for this application” and click Close

Relying_Party_Trust_Wizzard_-_8.png

The Claims issuance policy dialog should now open. Click Add Rule

Edit_Claim.png

Choose Send LDAP Attributes as Claims, then click Next

Edit_Claim_2.png

Add the LDAP attribute to claim type mappings shown in the screenshot below so that the correct attributes are sent as claims in the SAML response.  Choose the appropriate Attribute store (normally Active Directory), then click Finish.

Claim_Rule_2.png

Right-click on the Relying Party Trust and select Properties. On the Endpoints tab, double-click the SAML Assertion Consumer Endpoint.

Properties.png

Check the option titled “Set the trust URL as default”. Click OK, then Apply on the Properties dialog.  This makes the AuditFindings callback the default endpoint, so ADFS posts the SAML response there even when the authentication request does not name an endpoint.

Endpoint.png
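The same relying party trust can be created from PowerShell on the ADFS server, which is useful for reproducing the configuration on a second federation server or auditing an existing one. The script below is an added example, not code from AuditFindings or from the wizard; the two URLs are the ones this article specifies, while the display name 'AuditFindings' and the attribute-to-claim mapping in the rule (mail, givenName, sn) are assumptions, so use the mapping from the screenshot above in place of the assumed one.

```powershell
# Added example, not AuditFindings' own code. Run in an elevated PowerShell
# session on the ADFS server. Assumed: display name 'AuditFindings' and the
# LDAP-attribute-to-claim mapping below; the URLs are from the article.
Import-Module ADFS

$displayName = 'AuditFindings'
$identifier  = 'https://secure.auditfindings.com'                     # Relying party trust identifier
$acsUrl      = 'https://secure.auditfindings.com/adfs/saml/callback'  # SAML 2.0 SSO service URL

# SAML Assertion Consumer endpoint over HTTP-POST, marked as the default so ADFS
# uses it when a request does not name one (the "Set the trust URL as default" step).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $acsUrl -Index 0 -IsDefault $true

# "Send LDAP Attributes as Claims" rule in ADFS claim rule language.
# ASSUMED mapping: mail -> E-Mail Address, givenName -> Given Name, sn -> Surname.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AuditFindings LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# No -EncryptionCertificate is passed: this is the PowerShell equivalent of skipping
# the wizard's "Configure Certificate" step, so assertions are signed, not encrypted.
# Add-AdfsRelyingPartyTrust always creates a claims-aware trust.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $issuanceRules

# Verify the result: identifier, policy, no encryption certificate, default ACS URL.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, AccessControlPolicyName, EncryptionCertificate,
        @{ n = 'DefaultAcs'; e = { ($_.SamlEndpoints | Where-Object { $_.IsDefault }).Location } }
```

The -AccessControlPolicyName parameter exists on Windows Server 2016 and later; on Windows Server 2012 R2 there are no access control policies, and the equivalent of "Permit everyone" is an issuance authorization rule passed through -IssuanceAuthorizationRules. The final Get-AdfsRelyingPartyTrust call is the check to run after configuring through the wizard as well: EncryptionCertificate should be empty and DefaultAcs should be the callback URL.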

With the ADFS server configuration complete, the next step is to enable ADFS on the AuditFindings system.

Enabling ADFS on the AuditFindings system

Using an account with administrative rights, log into AuditFindings and go to the Admin page.  Then go to the Single Sign On Settings section and click the Microsoft ADFS tab.

Admin_Page.png

Then enter your Active Directory Information into the provided fields.

ADFS_screen.png

Status:  The status dropdown allows for ADFS authentication to be enabled or disabled at any time. 

AD Domain: The Active Directory domain for your organization's Domain Controller.

Account Email Domain: The email domain (the part after the @) that all Active Directory users will use for their AuditFindings accounts.  AuditFindings uses it to decide which users are offered the ADFS login option.

Federation Metadata:  Provide the ADFS SAML federation metadata, either as a URL or as pasted XML text.  For a URL, the default ADFS location is:

https://{ADFS DOMAIN HERE}/FederationMetadata/2007-06/FederationMetadata.xml

Public Signing Certificate (PEM Encoded) - Supply the PUBLIC token-signing certificate of your ADFS server, PEM-encoded and WITHOUT the private key (a -----BEGIN CERTIFICATE----- block; never paste a .pfx or a private key here). AuditFindings uses this certificate to validate the signature on the SAML response sent back by the ADFS server, so it must be the currently active token-signing certificate.  When ADFS rolls over to a new token-signing certificate (by default ADFS renews it automatically), this value must be updated or ADFS logins will fail.
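The federation metadata already contains the token-signing certificate, so the PEM value for this field can be derived from the same metadata URL rather than exported by hand. The script below is an added example, not AuditFindings' tooling; the host name adfs.example.com is an assumption to replace with your federation service host. It pulls every signing certificate listed for the SAML 2.0 IdP role, prints each one as PEM together with its thumbprint and expiry, and, when run on the ADFS server itself, shows the thumbprint of the primary token-signing certificate so the two can be compared before pasting.

```powershell
# Added example, not AuditFindings' own code. Assumed host: adfs.example.com.
$metadataUrl = 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Download and parse the federation metadata document.
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# Signing certificates for the SAML 2.0 IdP role live under
# IDPSSODescriptor/KeyDescriptor[@use="signing"]; XPath needs the namespaces registered.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$certNodes = $md.SelectNodes($xpath, $ns)
if ($certNodes.Count -eq 0) { throw "No signing certificate found in $metadataUrl" }

foreach ($node in $certNodes) {
    # Metadata carries the DER certificate as one base64 string without PEM armour.
    $b64 = $node.InnerText -replace '\s', ''
    $der = [Convert]::FromBase64String($b64)
    # (,$der) keeps the byte[] as a single constructor argument.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

    # PEM is the same base64 wrapped at 64 columns between BEGIN/END CERTIFICATE lines.
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"

    "Subject:    $($cert.Subject)"
    "Thumbprint: $($cert.Thumbprint)"
    "NotAfter:   $($cert.NotAfter)"
    $pem
    ""
}

# When run on the ADFS server, show the primary token-signing thumbprint for comparison.
# ADFS publishes both primary and secondary certificates during a rollover, so pick the
# one whose thumbprint matches the primary.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    "Primary token-signing thumbprint on ADFS: $($primary.Thumbprint)"
}
```

Paste only the PEM block whose thumbprint matches the primary token-signing certificate into the Public Signing Certificate field. The NotAfter date is worth recording: ADFS's automatic certificate rollover generates a new token-signing certificate before the current one expires, and the value stored in AuditFindings has to be replaced when that happens.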

Save settings.

Confirm the setup. 

After setup, visit https://secure.auditfindings.com and enter an email address whose domain matches the “Account Email Domain” setting used during configuration. You will see the Microsoft Federation Services option for login. No AuditFindings password is required for ADFS authentication; credentials are entered at your ADFS server.

You will be redirected to your company's ADFS server for final authentication and then returned to AuditFindings.

ADFS_Login.png
