Creating a Relying Party Trust

After creating a SAML app, create a relying party trust in the Active Directory Federated Service (AD FS) Management console.

Procedure

  1. In the AD FS Management console, from the left navigation pane, navigate to AD FS > Trust Relationships.
  2. Right-click Relying Party Trusts, and then click Add Relying Party Trust.

    The Welcome page of the Add Relying Party Trust Wizard window appears.

  3. Click Start.
  4. On the Select Data Source page, click Import data about the relying party from a file.
  5. In the Federation metadata file location box, browse to the location of the SP metadata that you placed on the AD FS machine.

  6. Click Next.
  7. Continue to go through the wizard, referring to Microsoft documentation to configure additional features such as multi-factor authentication and issuance authorization rules.
  8. After you complete the wizard, click Close.

    The Edit Claim Rules dialog box appears.

  9. On the Issuance Transform Rules tab, click Add Rule.

    The Select Rule Template page of the Add Transform Claim Rule Wizard window appears.

  10. From the Claim rule template list, click Send LDAP Attributes as Claims.

  11. Click Next.

    The Configure Rule page appears.

  12. In the Claim rule name box, enter a name for the rule.
  13. From the Attribute store list, click Active Directory.
  14. In the Mapping of LDAP attributes to outgoing claim types table, add the LDAP attribute and outgoing claim type that match how user accounts are set up in AD:
    • When the email prefix and the user's SAM Account Name in AD are the same, do the following:
      1. From the LDAP Attribute list, select Email Addresses.
      2. From the Outgoing Claim Type list, select Name ID.

    • When the email prefix and the SAM Account Name are different, do the following:
      1. Map LDAP attributes to outgoing claim types:

         Purpose                            LDAP Attribute      Outgoing Claim Type
         User creation                      SAM-Account-Name    username
         Authentication and user creation   Email Addresses     email
         Single logout                      Email Addresses     Name ID

      After the user is authenticated at the IdP, AD FS sends the user details in the following format:

      <Subject>
        <NameID>test.user@abc.com</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <SubjectConfirmationData
            InResponseTo="cv_7137e190-54d7-400b-9e3e-3783e5160472"
            NotOnOrAfter="2020-05-21T19:02:25.895Z"
            Recipient="https:cmvt.idcprodcert.loc:443/webconsole/samlAcsIdpInitCallback.do?samlAppKey=ODZCN0QzQzA4OTM2NEQ3"
          />
        </SubjectConfirmation>
      </Subject>
      <AttributeStatement>
        <Attribute Name="username">
          <AttributeValue>test1</AttributeValue>
        </Attribute>
        <Attribute Name="email">
          <AttributeValue>test.user@abc.com</AttributeValue>
        </Attribute>
      </AttributeStatement>

      1. In the Command Center, go to the SAML app.
      2. In the Attribute mappings section, click Edit.

        The Edit attributes dialog box appears.

      3. Click Add mappings, and then add SAML attribute mappings for Email and user name.

      4. Click Save.
  15. Click Finish, and then click OK.
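The three-row mapping in step 14 (the case where the email prefix differs from the SAM Account Name), written as an AD FS claim rule and applied with the AD FS PowerShell module instead of the wizard. This is an added example, not part of the original page or of the product's own configuration: the trust name is a placeholder for the name you gave the relying party trust in the wizard, and the outgoing claim types username and email are the attribute names the Command Center mapping step expects.

```powershell
# Added example (not from the original page). Run on the AD FS server as an
# AD FS administrator. The trust name below is a placeholder.
Import-Module ADFS

$rpName = 'Command Center SAML app'   # placeholder: the relying party trust name from the wizard

# The Active Directory attribute store query has the form
#   "<ldap filter>;<comma-separated LDAP attributes>;{0}"
# where {0} is the authenticated user's Windows account name. The attributes
# and the outgoing claim types are matched by position, so this issues:
#   sAMAccountName -> username   (user creation)
#   mail           -> email      (authentication and user creation)
#   mail           -> Name ID    (single logout)
$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Command Center attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("username", "email", "$nameIdType"), query = ";sAMAccountName,mail,mail;{0}", param = c.Value);
"@

# Replaces the issuance transform rules of the trust; issuance authorization
# rules (who is allowed to sign in) are a separate setting and are left as is.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the trust back: confirm the rule text was stored and that the assertion
# consumer endpoint imported from the SP metadata is the Command Center URL you
# expect, before pointing users at it.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
```

If the email prefix and the SAM Account Name are the same (the first case in step 14), only the Name ID claim is needed and the types list and query shrink to `("$nameIdType")` and `";mail;{0}"`.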
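To see why the Recipient, NotOnOrAfter and Name ID values in the assertion shown in step 14 matter, the following added example (not part of the original page) reads an assertion of that shape and runs the checks a service provider performs before accepting a bearer assertion. The assertion text is constructed sample data modelled on the page's excerpt, and the ACS URL is a placeholder for the Command Center callback.

```powershell
# Added example (not from the original page). Constructed sample assertion in the
# shape AD FS sends; the Recipient value is a placeholder ACS URL.
$expectedRecipient = 'https://commandcenter.example.com/webconsole/samlAcsIdpInitCallback.do?samlAppKey=PLACEHOLDER'

[xml]$assertion = @"
<Assertion>
  <Subject>
    <NameID>test.user@abc.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="cv_placeholder-request-id"
        NotOnOrAfter="2020-05-21T19:02:25.895Z"
        Recipient="$expectedRecipient" />
    </SubjectConfirmation>
  </Subject>
  <AttributeStatement>
    <Attribute Name="username"><AttributeValue>test1</AttributeValue></Attribute>
    <Attribute Name="email"><AttributeValue>test.user@abc.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>
"@

function Test-SamlSubject {
    # Returns a list of problems; an empty list means the subject and attributes
    # are acceptable for the mapping described in step 14.
    param(
        [xml]$Doc,
        [string]$ExpectedRecipient,
        [datetime]$Now = [datetime]::UtcNow
    )
    $problems = @()
    $subject = $Doc.Assertion.Subject
    $confirmation = $subject.SubjectConfirmation
    $data = $confirmation.SubjectConfirmationData

    # Bearer confirmation: whoever presents the assertion is the subject, so the
    # SP must enforce the recipient and the validity window itself.
    if ($confirmation.Method -ne 'urn:oasis:names:tc:SAML:2.0:cm:bearer') {
        $problems += "unexpected confirmation method '$($confirmation.Method)'"
    }
    $notOnOrAfter = [datetime]::Parse($data.NotOnOrAfter, $null,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    if ($Now -ge $notOnOrAfter) {
        $problems += "assertion expired at $($data.NotOnOrAfter)"
    }
    if ($data.Recipient -ne $ExpectedRecipient) {
        $problems += "Recipient '$($data.Recipient)' is not this ACS URL"
    }
    # For SP-initiated sign-in, InResponseTo must also match an outstanding
    # request ID issued by the SP; the IdP-initiated callback has no request.

    # Attributes the Command Center mapping step relies on.
    $attrs = @{}
    foreach ($a in $Doc.Assertion.AttributeStatement.Attribute) {
        $attrs[$a.GetAttribute('Name')] = $a.AttributeValue
    }
    foreach ($required in 'username', 'email') {
        if (-not $attrs.ContainsKey($required)) { $problems += "missing attribute '$required'" }
    }
    # Single logout is keyed on Name ID, so it must be the same value as the
    # email claim the user was created with.
    if ($attrs.ContainsKey('email') -and $attrs['email'] -ne $subject.NameID) {
        $problems += "NameID '$($subject.NameID)' does not match the email attribute"
    }
    return ,$problems
}

# With the 2020 timestamp in the sample, the only finding is the expired window;
# the recipient, attribute and Name ID checks pass.
Test-SamlSubject -Doc $assertion -ExpectedRecipient $expectedRecipient
```

Passing `-Now` lets you replay a captured assertion against the time it was issued; with a stale timestamp the function reports only the expiry, which is the check that stops a replayed assertion from being accepted later.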

Last modified: 8/6/2020 4:42:33 AM