Active Directory Federation Services (AD FS)

1 - On the server you intend to use as an IdP:
1.1 - Install the AD FS role service (guide) and enable the Web Server (IIS) role at the same time
1.2 - In IIS Manager, add an HTTPS binding to your Default Web Site:
  • Go to Server Certificates and create a self-signed certificate, then export it
  • Right-click Default Web Site > Edit Bindings, then add a new HTTPS binding using the above certificate
1.3 - Configure the federation server (guide)
2 - Browse to your Dash Enterprise Server Manager Settings and enable SAML:
2.1 - Select the following options:
  • Use SAML for authentication
  • No IdP metadata is available yet
  • Disable TLS/SSL certificate validation when communicating with the IdP (needed because the IdP presents the self-signed certificate from step 1.2)
2.2 - Leave the remaining options as their default values
2.3 - Save the settings and restart when prompted
2.4 - When the app reports ready, return to Settings and copy the SP (local) Metadata URL
  • Ensure that your IdP can browse to this URL before proceeding
3 - Return to your Active Directory server and:
3.1 - Create a claims-aware relying party trust (guide) using data imported from the SP (local) Metadata URL from the Dash Enterprise Settings
3.2 - Add a claims issuance policy with a rule sending the following LDAP attributes as claims (guide):
  • SAM-Account-Name attribute mapped to Name ID outgoing claim type
  • E-Mail-Addresses attribute mapped to EMail Address outgoing claim type
3.3 - Retrieve the Federation Metadata endpoint
  • You can find this in the AD FS snap-in under Service > Endpoints
  • Append this value to your IdP’s hostname to get your IdP metadata URL
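The AD FS side of steps 2.4 (reachability check) and 3.1 to 3.3 can also be scripted with the AD FS PowerShell module; the script below is an added example, not part of the Dash Enterprise documentation, and the SP metadata URL and trust display name in it are placeholders you must replace with your own values.

```powershell
# Added example (not from the Dash Enterprise docs). Run in an elevated session on the
# federation server; requires the ADFS module that ships with the AD FS role.
$spMetadataUrl = 'https://dash.example.internal/saml/metadata'  # placeholder: URL copied in step 2.4
$trustName     = 'Dash Enterprise'                               # assumed display name for the trust

# Step 2.4 bullet: the IdP must be able to fetch the SP metadata before the import in 3.1.
try {
    Invoke-WebRequest -Uri $spMetadataUrl -UseBasicParsing | Out-Null
} catch {
    throw "IdP cannot reach the SP (local) Metadata URL ${spMetadataUrl}: $($_.Exception.Message)"
}

# Step 3.2: LDAP attribute rule in AD FS claim rule language.
# sAMAccountName -> Name ID, mail (E-Mail-Addresses) -> E-Mail Address.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Dash Enterprise: sAMAccountName to Name ID, mail to E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";sAMAccountName,mail;{0}", param = c.Value);
'@

# Without an issuance authorization rule AD FS denies every sign-in to the trust.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3.1: claims-aware relying party trust imported from the SP metadata. Monitoring and
# auto-update keep the trust in sync when the SP rotates its signing certificate.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $spMetadataUrl `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Confirm the trust was created and enabled.
Get-AdfsRelyingPartyTrust -Name $trustName | Select-Object Name, Enabled, Identifier, MetadataUrl

# Step 3.3: build the IdP (remote) Metadata URL for step 4.2 from the Federation Metadata
# endpoint path and the AD FS service host name.
$fedMeta = Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '*FederationMetadata*' } |
    Select-Object -First 1
$idpMetadataUrl = 'https://' + (Get-AdfsProperties).HostName + $fedMeta.AddressPath
Write-Output "IdP (remote) Metadata URL for step 4.2: $idpMetadataUrl"
```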
4 - Return to your Server Manager settings and:
4.1 - In the SAML settings section, select Enter a URL to the IdP (remote) metadata
4.2 - In the IdP (remote) Metadata URL field, enter the Federation Metadata URL endpoint you retrieved above
4.3 - Save the settings and restart when prompted