Active Directory Federation Services (AD FS)

1 - On the server you intend to use as an IdP:

1.1 - Install the AD FS role service (guide) and enable the Web Server (IIS) role at the same time

1.2 - In IIS Manager, add an HTTPS binding to your Default Web Site:

  • Go to Server Certificates and create a self-signed certificate, then export it

  • Right-click Default Web Site > Edit Bindings, then add a new HTTPS binding using the above certificate

1.3 - Configure the federation server (guide)
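The same section 1 steps expressed as PowerShell, as an added example that is not part of the original Dash Enterprise documentation. It is meant to be run in an elevated session on the server that will become the IdP; `$fqdn` is a placeholder for the federation service DNS name, the AD FS service account is supplied interactively, and the default Windows Internal Database is used for the farm.

```powershell
# Added example (not from the Dash Enterprise docs): section 1 as PowerShell, run elevated on the IdP server.
# Assumptions: $fqdn is a placeholder hostname; the service account is entered via Get-Credential;
# Install-AdfsFarm uses its default (Windows Internal Database) configuration.
$fqdn = 'adfs.example.internal'   # placeholder: the name users and Dash Enterprise will resolve

# 1.1 - Install the AD FS role service and the Web Server (IIS) role in one pass
Install-WindowsFeature -Name ADFS-Federation, Web-Server -IncludeManagementTools

# 1.2 - Create a self-signed certificate in the machine store and export its public part
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'
Export-Certificate -Cert $cert -FilePath "$env:ProgramData\adfs-selfsigned.cer" | Out-Null

# 1.2 - Add an HTTPS binding to the Default Web Site and attach the certificate to it
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 1.3 - Configure the federation server (first node of a new farm) with the same certificate
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fqdn `
                 -ServiceAccountCredential (Get-Credential -Message 'AD FS service account')
```

The exported `.cer` file is the public certificate Dash Enterprise would need to trust if TLS validation were left enabled; because step 2.1 below disables that validation, it is only exported here for completeness.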

2 - Browse to your Dash Enterprise Server Manager Settings and enable SAML:

2.1 - Select the following options:

  • Use SAML for authentication

  • No IdP metadata is available yet

  • Disable TLS/SSL certificate validation when communicating with the IdP (needed because the IdP presents the self-signed certificate created in step 1.2)

2.2 - Leave the remaining options as their default values

2.3 - Save the settings and restart when prompted

2.4 - When the app reports ready, return to Settings and copy the SP (local) Metadata URL

  • Ensure that your IdP can browse to this URL before proceeding

3 - Return to your Active Directory server and:

3.1 - Create a claims-aware relying party trust (guide) using data imported from the SP (local) Metadata URL from the Dash Enterprise Settings

3.2 - Add a claims issuance policy with a rule sending the following LDAP attributes as claims (guide):

  • SAM-Account-Name attribute mapped to the Name ID outgoing claim type

  • E-Mail-Addresses attribute mapped to the E-Mail Address outgoing claim type

3.3 - Retrieve the Federation Metadata endpoint

  • You can find this in the AD FS management snap-in under Service > Endpoints

  • Append this endpoint path to your IdP’s hostname to form your IdP metadata URL
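The reachability check from step 2.4 and the whole of section 3, as an added PowerShell example that is not part of the original Dash Enterprise documentation. It runs on the AD FS server with the ADFS module available; `$spMetadataUrl` is a placeholder for the SP (local) Metadata URL copied from Dash Enterprise Settings, and the relying party trust name is arbitrary.

```powershell
# Added example (not from the Dash Enterprise docs): step 2.4 check plus section 3 via the ADFS module.
# Assumptions: $spMetadataUrl is a placeholder for the SP (local) Metadata URL; run on the AD FS server.
$spMetadataUrl = 'https://dash.example.internal/saml/metadata'   # placeholder

# 2.4 check - the IdP must be able to fetch the SP metadata; parse it to confirm it really is SAML metadata
$resp = Invoke-WebRequest -Uri $spMetadataUrl -UseBasicParsing
[xml]$md = $resp.Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
if (-not $entity) { throw "No SAML EntityDescriptor found at $spMetadataUrl" }
"SP entityID: $($entity.entityID)"
foreach ($acs in $md.SelectNodes('//md:SPSSODescriptor/md:AssertionConsumerService', $ns)) {
    "ACS endpoint: {0} ({1})" -f $acs.Location, $acs.Binding
}

# 3.2 - claim rule language for the issuance policy:
#       SAM-Account-Name -> Name ID, E-Mail-Addresses -> E-Mail Address
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Dash Enterprise attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";sAMAccountName,mail;{0}", param = c.Value);
'@

# 3.1 + 3.2 - create the claims-aware relying party trust from the SP metadata and attach the rules.
# The authorization rule permits every authenticated user; narrow it to a group claim if required.
Add-AdfsRelyingPartyTrust -Name 'Dash Enterprise' `
    -MetadataUrl $spMetadataUrl `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 3.3 - locate the Federation Metadata endpoint; FullUrl already joins the IdP hostname and the endpoint path
$fedMeta = Get-AdfsEndpoint | Where-Object { $_.Protocol -eq 'Federation Metadata' }
$idpMetadataUrl = $fedMeta.FullUrl.AbsoluteUri
"IdP (remote) metadata URL to enter in Dash Enterprise Settings: $idpMetadataUrl"
```

On Windows PowerShell 5.1 the `Invoke-WebRequest` call fails if Dash Enterprise itself presents a certificate the AD FS server does not trust; PowerShell 7 accepts `-SkipCertificateCheck` for that lab situation. The value printed at the end is what step 4.2 asks for.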

4 - Return to your Server Manager settings and:

4.1 - In the SAML settings section, select Enter a URL to the IdP (remote) metadata

4.2 - In the IdP (remote) Metadata URL field, enter the Federation Metadata URL endpoint you retrieved above

4.3 - Save the settings and restart when prompted
