Editing Claim Rules
Pre-requisites: Add a Relying Party Trust.
- Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes. Close the wizard. The Edit Claim Rules dialog appears.
- In the Issuance Transform Rules tab, click Add Rule. The Select Rule Template screen appears displaying Choose Rule Type information.
- Select Send LDAP Attributes as Claims as the Claim rule template. Click Next. The Configure Rule screen appears.
- Type the Claim rule name and select Active Directory as the Attribute store. In the Mapping of LDAP attributes to outgoing claim types field, select the following:
LDAP Attribute (Select or type to add more) | Outgoing Claim Type (Select or type to add more) |
User-Principal-Name | UPN |
Surname | Surname |
- Click Finish. The Edit Claim Rules dialog appears; click OK.
- Open the Relying Party Trusts folder. Right-click the newly added relying party trust and select Properties. The properties dialog for the trust appears.
- In the Signature tab, click Add.
- Add the certificate generated from the keystore file that is configured in Platform for authentication. This is the certificate AD FS uses to verify the signature on SAML requests coming from Platform; requests signed with any other key are rejected.
- Click the Advanced tab, change the Secure hash algorithm to SHA-1, and click OK. This setting must match the algorithm Platform signs and verifies with, otherwise AD FS rejects Platform's signed requests. SHA-1 is deprecated, so keep it only if Platform cannot handle SHA-256.
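The same relying party configuration done from the AD FS PowerShell module instead of the wizard, as an added example that is not part of the original page. It assumes the trust was created with the name "Platform", that the Platform signing certificate was exported from the keystore to C:\certs\platform-signing.cer, and that the commands run in an elevated PowerShell session on the AD FS server; the rule name "Platform LDAP claims" is arbitrary.

```powershell
# Added example (not from the original page). Assumptions: trust name "Platform",
# signing certificate exported to C:\certs\platform-signing.cer, run on the AD FS server.
Import-Module ADFS

$trustName = "Platform"
$certPath  = "C:\certs\platform-signing.cer"   # assumed export path of the keystore certificate

# Claim rule equivalent to the "Send LDAP Attributes as Claims" template with
# User-Principal-Name -> UPN and Surname -> Surname. The wizard stores exactly
# this rule language: it queries userPrincipalName and sn from Active Directory
# for the authenticated Windows account and issues them as the two claim types.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Platform LDAP claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";userPrincipalName,sn;{0}", param = c.Value);
'@

# Certificate Platform uses to sign its SAML requests (Signature tab in the GUI).
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Apply the rules, the request-signing certificate and the signature algorithm.
# The page asks for SHA-1; switch the URI to
# http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 as soon as Platform supports it.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $issuanceRules `
    -RequestSigningCertificate $signingCert `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Read back what AD FS stored and check it against what Platform expects.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
$rp.Identifier                       # must equal the Service Provider Entity ID in Platform
$rp.IssuanceTransformRules           # must contain the upn and surname claim types
$rp.SignatureAlgorithm               # must match the Secure hash algorithm Platform uses
$rp.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
```

The read-back at the end is the check worth keeping around: the thumbprint should be the one exported from the Platform keystore, NotAfter tells you when the request signature will start failing, and the rule text shows the exact claim type URIs that the Platform attribute map has to quote character for character.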
Platform is now registered in AD FS as a relying party for SAML/AD FS authentication. The AD FS configuration on the Platform side looks like this:
Name | <Any name> |
Issuer (IDP/AD FS Entity ID) | <Entity ID> found in the federation metadata (the entityID attribute of the EntityDescriptor element). |
Identity Provider/AD FS Metadata | Typically, the metadata is found at the following URL: https://<Domain Name of the AD FS Server>/FederationMetadata/2007-06/FederationMetadata.xml |
Service Provider/Relying Party Entity ID | https://<Domain Name of Platform> (this must equal the identifier of the relying party trust in AD FS). |
Attribute Map | loginName must be mapped to the claim type that carries the AD attribute, for example loginName=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn. In addition to loginName, at least one other attribute must be mapped to an AD attribute, for example lastName=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname. The claim type URIs are matched as exact strings, so a typo in a URI makes login fail. |
Identity Provider Logout URL | This can be <any URL> where your logout logic flushes the user session. |
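A way to pull the values the Platform table needs out of FederationMetadata.xml and to sanity-check the attribute map before saving it, as an added example that is not part of the original page. The metadata below is a constructed, trimmed-down sample with the structure real AD FS metadata has (entity ID adfs.example.com is made up); in practice load the real file from the URL in the table, for example with Invoke-WebRequest.

```powershell
# Added example (not from the original page). The metadata is a constructed
# sample; replace it with the real FederationMetadata.xml content, e.g.
#   $metadataXml = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$metadataXml = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://adfs.example.com/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

[xml]$md = $metadataXml
$ns = New-Object System.Xml.XmlNamespaceManager $md.NameTable
$ns.AddNamespace("md",   "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("auth", "http://docs.oasis-open.org/wsfed/authorization/200706")

# Issuer (IDP/AD FS Entity ID) row of the Platform table.
$entityId = $md.DocumentElement.GetAttribute("entityID")
# AD FS single logout endpoint; one candidate for the Identity Provider Logout URL.
$sloUrl = $md.SelectSingleNode("//md:IDPSSODescriptor/md:SingleLogoutService", $ns).GetAttribute("Location")
# Claim type URIs AD FS advertises it can issue.
$offered = $md.SelectNodes("//auth:ClaimType", $ns) | ForEach-Object { $_.GetAttribute("Uri") }

# Attribute map as Platform expects it: loginName plus at least one more attribute.
$attributeMap = @{
    loginName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    lastName  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
}
if (-not $attributeMap.ContainsKey("loginName")) { throw "attribute map must include loginName" }
if ($attributeMap.Count -lt 2) { throw "map at least one attribute besides loginName" }

"Issuer / Entity ID : $entityId"
"Logout URL         : $sloUrl"
foreach ($kv in $attributeMap.GetEnumerator()) {
    # Claim URIs are compared as exact strings: a typo such as ".../identify/claims/upn"
    # never matches an issued claim and the login silently fails.
    $state = if ($offered -contains $kv.Value) { "OK" } else { "NOT OFFERED - check spelling and the claim rule" }
    "{0,-10} -> {1} [{2}]" -f $kv.Key, $kv.Value, $state
}
```

ClaimTypesOffered only lists what AD FS can issue in general; the claim rule on the Platform relying party trust still has to issue those specific types, which the read-back of IssuanceTransformRules on the AD FS side confirms.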